selfhosted-setup.md

File metadata and controls

97 lines (72 loc) · 3.23 KB

# Setup for Self-Hosted

Define and apply an `IRSASetup` custom resource according to your needs:

```yaml
apiVersion: irsa-manager.kkb0318.github.io/v1alpha1
kind: IRSASetup
metadata:
  name: irsa-init
  namespace: irsa-manager-system
spec:
  cleanup: false
  mode: selfhosted
  discovery:
    s3:
      region: <region>
      bucketName: <S3 bucket name>
```

Check the status of the `IRSASetup` custom resource and confirm that it reports `true` before continuing.

> [!NOTE]
> Ensure that only one `IRSASetup` resource is created.

## Modify kube-apiserver Settings

Once the `IRSASetup` status is `true`, a Secret (name: `irsa-manager-key`, namespace: `kube-system`) is created. It holds the key pair used to sign service account tokens in the Kubernetes API. Run the following commands on the control plane server to save the public and private keys locally for the Kubernetes signing configuration:

```shell
kubectl get secret -n kube-system irsa-manager-key -o jsonpath="{.data.ssh-privatekey}" | base64 --decode | sudo tee /path/to/file.key > /dev/null
kubectl get secret -n kube-system irsa-manager-key -o jsonpath="{.data.ssh-publickey}" | base64 --decode | sudo tee /path/to/file.pub > /dev/null
```

> [!NOTE]
> `/path/to/file` can be any path you choose. If you use kubeadm, `/etc/kubernetes/pki/irsa-manager.(key|pub)` is recommended.

Then modify the kube-apiserver settings to include the following parameters:

- API Audiences

  `--api-audiences=sts.amazonaws.com,https://kubernetes.default.svc.cluster.local`

- Service Account Issuer

  `--service-account-issuer=https://s3-<region>.amazonaws.com/<S3 bucket name>`

> [!NOTE]
> Add this setting as the first element. When this flag is specified multiple times, the first value is used to generate tokens and all values are used to determine which issuers are accepted.

- Service Account Key File

  The public key generated previously must be readable by the API server. Add its path with this flag:

  `--service-account-key-file=/path/to/file.pub`

> [!NOTE]
> If the `/path/to` directory is not mounted into the kube-apiserver pod, add a `volumes` entry for that path.

- Service Account Signing Key File

  The private key (oidc-issuer.key) generated previously must be readable by the API server. Add its path with this flag:

  `--service-account-signing-key-file=/path/to/file.key`

> [!NOTE]
> Replace the existing `--service-account-signing-key-file` value rather than adding a second one. If the `/path/to` directory is not mounted into the kube-apiserver pod, add a `volumes` entry for that path.

For more details, refer to the Kubernetes documentation.

Example configuration:

```yaml
...
    - --service-account-issuer=https://s3-<region>.amazonaws.com/<bucket>
    - --service-account-issuer=https://kubernetes.default.svc.cluster.local
    - --service-account-key-file=/etc/kubernetes/pki/irsa-manager.pub
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-account-signing-key-file=/etc/kubernetes/pki/irsa-manager.key
    - --service-cluster-ip-range=10.96.0.0/16
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    - --api-audiences=sts.amazonaws.com,https://kubernetes.default.svc.cluster.local
...
```
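A mistake in the flag set above fails quietly: if the S3 issuer is not the first `--service-account-issuer`, tokens are minted with the cluster-local issuer and AWS STS rejects them; if the old `sa.key` is left as the signing key, tokens are signed by a key that the public discovery document in S3 does not advertise. The script below is an added example, not part of the irsa-manager project, that checks a kubeadm-style kube-apiserver static pod manifest for the four conditions this section sets out. The sample manifests it writes are constructed for the example, and the bucket name, region and key paths passed in are assumptions you replace with your own.

```shell
#!/bin/sh
# Added example (not irsa-manager's own code): verify that a kube-apiserver
# static pod manifest carries the flags required for self-hosted IRSA.
#
# check_apiserver_flags MANIFEST ISSUER PUBKEY SIGNKEY
# Returns 0 when every check passes, 1 otherwise, printing each failure.
check_apiserver_flags() {
  manifest=$1; issuer=$2; pub=$3; key=$4; rc=0

  # 1. The S3 issuer must be the FIRST --service-account-issuer: only the
  #    first value is used to mint tokens, later ones are merely accepted.
  first_issuer=$(grep -- '--service-account-issuer=' "$manifest" | head -n 1 \
                 | sed 's/.*--service-account-issuer=//')
  if [ "$first_issuer" != "$issuer" ]; then
    echo "FAIL: first --service-account-issuer is '$first_issuer', expected '$issuer'"; rc=1
  fi

  # 2. The irsa-manager public key must be among the token verification keys.
  grep -q -- "--service-account-key-file=$pub" "$manifest" \
    || { echo "FAIL: missing --service-account-key-file=$pub"; rc=1; }

  # 3. Exactly one signing key flag, and it must point at the irsa-manager key
  #    (the old sa.key must have been replaced, not supplemented).
  n=$(grep -c -- '--service-account-signing-key-file=' "$manifest" || true)
  if [ "$n" -ne 1 ] || ! grep -q -- "--service-account-signing-key-file=$key" "$manifest"; then
    echo "FAIL: expected exactly one --service-account-signing-key-file=$key (found $n)"; rc=1
  fi

  # 4. sts.amazonaws.com must be an accepted audience.
  grep -- '--api-audiences=' "$manifest" | sed 's/.*--api-audiences=//' \
    | tr ',' '\n' | grep -qx 'sts.amazonaws.com' \
    || { echo "FAIL: sts.amazonaws.com not in --api-audiences"; rc=1; }

  return "$rc"
}

# Constructed sample manifest fragment (kubeadm layout) that satisfies all checks.
write_sample_manifest() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Pod
spec:
  containers:
  - command:
    - kube-apiserver
    - --service-account-issuer=https://s3-us-east-1.amazonaws.com/my-irsa-bucket
    - --service-account-issuer=https://kubernetes.default.svc.cluster.local
    - --service-account-key-file=/etc/kubernetes/pki/irsa-manager.pub
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-account-signing-key-file=/etc/kubernetes/pki/irsa-manager.key
    - --api-audiences=sts.amazonaws.com,https://kubernetes.default.svc.cluster.local
EOF
}

# Constructed broken manifest: issuers in the wrong order and sa.key still signing.
write_bad_manifest() {
  cat > "$1" <<'EOF'
    - --service-account-issuer=https://kubernetes.default.svc.cluster.local
    - --service-account-issuer=https://s3-us-east-1.amazonaws.com/my-irsa-bucket
    - --service-account-key-file=/etc/kubernetes/pki/irsa-manager.pub
    - --service-account-signing-key-file=/etc/kubernetes/pki/sa.key
    - --api-audiences=https://kubernetes.default.svc.cluster.local
EOF
}

# Usage on the constructed sample (assumed region/bucket/paths).
tmp=$(mktemp)
write_sample_manifest "$tmp"
check_apiserver_flags "$tmp" https://s3-us-east-1.amazonaws.com/my-irsa-bucket \
  /etc/kubernetes/pki/irsa-manager.pub /etc/kubernetes/pki/irsa-manager.key \
  && echo "manifest OK"
rm -f "$tmp"
```

To check a real control plane, run `check_apiserver_flags /etc/kubernetes/manifests/kube-apiserver.yaml <your issuer> <your .pub path> <your .key path>` on the node after editing the manifest; because kubelet restarts the static pod on every save, a failed check is worth fixing before the next save rather than after.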