Full IRSA and Domsed Installation
- Host: GitHub
- URL: https://github.com/dominodatalab/irsa_installation_old
- Owner: dominodatalab
- Created: 2023-08-28T17:51:01.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2023-10-16T18:09:36.000Z (about 1 year ago)
- Last Synced: 2023-10-17T08:12:18.678Z (about 1 year ago)
- Language: Jupyter Notebook
- Size: 84 KB
- Stars: 0
- Watchers: 3
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Domsed/IRSA Installation
## Domsed
If domsed is already installed, skip to the "IRSA for Domino" section
### Install Domsed
```shell
cd domsed
export platform_namespace=domino-platform
export compute_namespace=domino-compute
helm install -f values.yaml domsed helm/domsed -n ${platform_namespace}
kubectl label namespace ${compute_namespace} operator-enabled=true
```
### Delete Domsed
```shell
export platform_namespace=domino-platform
export compute_namespace=domino-compute
helm delete domsed -n ${platform_namespace}
kubectl label namespace ${compute_namespace} "operator-enabled"-
```
### Test Domsed
### Tail the logs
```shell
kubectl -n ${platform_namespace} get pods | grep operator
## Example output
operator-webhook-767cfcfddc-rh685 1/1 Running
kubectl -n ${platform_namespace} logs operator-webhook-767cfcfddc-rh685 -f
```
### Smoke Test
- Create this mutation object
```shell
cat <
```

## IRSA for Domino
***Attention***: **After reinstalling IRSA you will need to recreate the mappings**

### Install IRSA
a. First create organizations in domino matching the role names
b. Update the `values.yaml` with the proper values
```shell
# Update the values.yaml with the above values
cd irsa
```
c. Install the IRSA helm chart into the `domino-field` namespace
```shell
export platform_namespace=domino-platform
export compute_namespace=domino-compute
export field_namespace=domino-field
helm install -f ./values.yaml -n ${field_namespace} irsa helm/irsa
```
d. Copy the `irsa-certs` secret from the `domino-field` namespace to the `domino-compute` namespace
```shell
kubectl get secret irsa-certs --namespace=domino-field -o yaml | sed 's/namespace: .*/namespace: domino-compute/' | kubectl apply -f -
```
This allows the IRSA service to become SSL enabled and invokable from the workloads in the `domino-compute` namespace.

## Create Mappings
Open the notebook [enablement.ipynb](./enablement.ipynb). There is a section called `## Add/Update Role Mapping (Only Domino Administrators can make this call)`
This section is used to map Domino Organizations to AWS Roles (and AWS proxy roles)
```python
import os
import requests

EKS_ACCOUNT_NO = ""
ASSETS_ACCOUNT_NO = ""

# Fetch my access token from the local Domino token endpoint (any user can do this)
access_token_endpoint = 'http://localhost:8899/access-token'
resp = requests.get(access_token_endpoint)
token = resp.text
headers = {
    "Content-Type": "application/json",
    "Authorization": "Bearer " + token,
}

# Map each Domino org to its AWS role and proxy role (only Domino administrators can make this call)
endpoint = 'https://irsa-svc.domino-field/update_role_mapping'
body = {
    "domino_org": "irsa-iamrole-list-bucket",
    "iam_role_arn": f"arn:aws:iam::{ASSETS_ACCOUNT_NO}:role/acme-list-bucket-role",
    "proxy_iam_role_arn": f"arn:aws:iam::{EKS_ACCOUNT_NO}:role/acme-list-bucket-role"
}
# verify=False skips TLS certificate verification of the in-cluster service
resp = requests.post(endpoint, headers=headers, json=body, verify=False)
resp.raise_for_status()

body = {
    "domino_org": "irsa-iamrole-read-bucket",
    "iam_role_arn": f"arn:aws:iam::{ASSETS_ACCOUNT_NO}:role/acme-read-bucket-role",
    "proxy_iam_role_arn": f"arn:aws:iam::{EKS_ACCOUNT_NO}:role/acme-read-bucket-role"
}
resp = requests.post(endpoint, headers=headers, json=body, verify=False)
resp.raise_for_status()

body = {
    "domino_org": "irsa-iamrole-update-bucket",
    "iam_role_arn": f"arn:aws:iam::{ASSETS_ACCOUNT_NO}:role/acme-update-bucket-role",
    "proxy_iam_role_arn": f"arn:aws:iam::{EKS_ACCOUNT_NO}:role/acme-update-bucket-role"
}
resp = requests.post(endpoint, headers=headers, json=body, verify=False)
resp.raise_for_status()
```
Walk through this notebook to get an end-to-end walkthrough on how to use IRSA for Domino.

An example mapping in the configmap `domino-org-iamrole-mapping` in the `domino-field` namespace is shown below.
The AWS account number is `111111111111` and the actual roles `list-bucket-role`, `read-bucket-role` and
`update-bucket-role` are mapped via proxy roles `acme-list-bucket-role`, `acme-read-bucket-role` and
`acme-update-bucket-role` in the same account. Note that the actual roles and proxy roles can be in separate accounts.
```yaml
apiVersion: v1
data:
irsa-iamrole-list-bucket: '{"iam_role_arn": "arn:aws:iam::111111111111:role/list-bucket-role",
"proxy_iam_role_arn": "arn:aws:iam::111111111111:role/acme-list-bucket-role"}'
irsa-iamrole-read-bucket: '{"iam_role_arn": "arn:aws:iam::111111111111:role/read-bucket-role",
"proxy_iam_role_arn": "arn:aws:iam::111111111111:role/acme-read-bucket-role"}'
irsa-iamrole-update-bucket: '{"iam_role_arn": "arn:aws:iam::111111111111:role/update-bucket-role",
"proxy_iam_role_arn": "arn:aws:iam::946429944765:role/acme-update-bucket-role"}'
kind: ConfigMap
metadata:
annotations:
meta.helm.sh/release-name: irsa
meta.helm.sh/release-namespace: domino-field
name: domino-org-iamrole-mapping
namespace: domino-field
```

## Scaling
Each time a workload starts up, the proxy role trust relationship is updated with the service account for the workload.
The maximum size of a trust policy document is 4096 characters (after requesting AWS to increase it; the default is 2048). If you need more, you will need to create additional domino orgs and map the same role to a new proxy role. For example,
the above configmap would look like the following:
```yaml
apiVersion: v1
data:
irsa-iamrole-list-bucket: '{"iam_role_arn": "arn:aws:iam::111111111111:role/list-bucket-role",
"proxy_iam_role_arn": "arn:aws:iam::111111111111:role/acme-list-bucket-role"}'
irsa-iamrole-list-bucket-2: '{"iam_role_arn": "arn:aws:iam::111111111111:role/list-bucket-role",
"proxy_iam_role_arn": "arn:aws:iam::111111111111:role/acme-list-bucket-role-2"}'
irsa-iamrole-read-bucket: '{"iam_role_arn": "arn:aws:iam::111111111111:role/read-bucket-role",
"proxy_iam_role_arn": "arn:aws:iam::111111111111:role/acme-read-bucket-role"}'
irsa-iamrole-update-bucket: '{"iam_role_arn": "arn:aws:iam::111111111111:role/update-bucket-role",
"proxy_iam_role_arn": "arn:aws:iam::946429944765:role/acme-update-bucket-role"}'
kind: ConfigMap
metadata:
annotations:
meta.helm.sh/release-name: irsa
meta.helm.sh/release-namespace: domino-field
name: domino-org-iamrole-mapping
namespace: domino-field
```

We have added a new domino org `irsa-iamrole-list-bucket-2` and created a new proxy role `arn:aws:iam::111111111111:role/acme-list-bucket-role-2`
for the AWS role `arn:aws:iam::111111111111:role/list-bucket-role`. Next, redistribute the users added to the domino org `irsa-iamrole-list-bucket` between the two orgs:
- `irsa-iamrole-list-bucket`
- `irsa-iamrole-list-bucket-2`

You scale with multiple mappings for the same role in this fashion. This allows the Domino-IRSA solution to scale to
a large number of simultaneous domino workloads despite each workload having a unique k8s service account. The mappings are deleted when the workload ends.