diff --git a/docs/aws-config.md b/docs/aws-config.md
index fad99fbc7..035eda1b7 100644
--- a/docs/aws-config.md
+++ b/docs/aws-config.md
@@ -141,10 +141,6 @@ Specify the following values in the example files:
 * Replace `` and ``. See the [Config definition][6] for details.
-* In `examples/common/10-deployment.yaml`:
-
- * Make sure that `spec.template.spec.containers[*].env.name` is "AWS_SHARED_CREDENTIALS_FILE".
-
 * (Optional) If you run the nginx example, in file `examples/nginx-app/with-pv.yaml`:
 * Replace `` with `gp2`. This is AWS's default `StorageClass` name.
@@ -155,9 +151,123 @@ In the root of your Ark directory, run:
 ```bash
 kubectl apply -f examples/aws/00-ark-config.yaml
- kubectl apply -f examples/common/10-deployment.yaml
+ kubectl apply -f examples/aws/10-deployment.yaml
 ```
+## ALTERNATIVE: Setup permissions using kube2iam
+
+[Kube2iam](https://github.com/jtblin/kube2iam) is a Kubernetes application that allows managing AWS IAM permissions for pod via annotations rather than operating on API keys.
+
+> This path assumes you have `kube2iam` already running in your Kubernetes cluster. If that is not the case, please install it first, following the docs here: https://github.com/jtblin/kube2iam
+
+It can be set up for Ark by creating a role that will have required permissions, and later by adding the permissions annotation on the ark deployment to define which role it should use internally.
+
+1. Create a Trust Policy document to allow the role being used for EC2 management & assume kube2iam role:
+
+ ```bash
+ cat > heptio-ark-trust-policy.json <:role/"
+ },
+ "Action": "sts:AssumeRole"
+ }
+ ]
+ }
+ EOF
+ ```
+
+2. Create the IAM role:
+
+ ```bash
+ aws iam create-role --role-name heptio-ark --assume-role-policy-document file://./heptio-ark-trust-policy.json
+ ```
+
+3. Attach policies to give `heptio-ark` the necessary permissions:
+
+ ```bash
+ BUCKET=
+ cat > heptio-ark-policy.json <:role/heptio-ark
+ ...
+ ```
+
+5. Run Ark deployment using the file `examples/aws/10-deployment-kube2iam.yaml`.
+
 [0]: namespace.md
 [6]: config-definition.md#aws
 [14]: http://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html
+
diff --git a/docs/gcp-config.md b/docs/gcp-config.md
index 2ccb72885..faa12d8b8 100644
--- a/docs/gcp-config.md
+++ b/docs/gcp-config.md
@@ -84,10 +84,6 @@ Specify the following values in the example files:
 * Replace ``. See the [Config definition][7] for details.
-* In file `examples/common/10-deployment.yaml`:
-
- * Change `spec.template.spec.containers[*].env.name` to "GOOGLE_APPLICATION_CREDENTIALS".
-
 * (Optional) If you run the nginx example, in file `examples/nginx-app/with-pv.yaml`:
 * Replace `` with `standard`. This is GCP's default `StorageClass` name.
@@ -98,7 +94,7 @@ In the root of your Ark directory, run:
 ```bash
 kubectl apply -f examples/gcp/00-ark-config.yaml
- kubectl apply -f examples/common/10-deployment.yaml
+ kubectl apply -f examples/gcp/10-deployment.yaml
 ```
 [0]: namespace.md
diff --git a/docs/ibm-config.md b/docs/ibm-config.md
index 884b621be..97766d940 100644
--- a/docs/ibm-config.md
+++ b/docs/ibm-config.md
@@ -69,7 +69,7 @@ In the root of your Ark directory, run:
 ```bash
 kubectl apply -f examples/ibm/00-ark-config.yaml
- kubectl apply -f examples/common/10-deployment.yaml
+ kubectl apply -f examples/ibm/10-deployment.yaml
 ```
 [0]: namespace.md
diff --git a/examples/aws/10-deployment-kube2iam.yaml b/examples/aws/10-deployment-kube2iam.yaml
new file mode 100644
index 000000000..7d16fe823
--- /dev/null
+++ b/examples/aws/10-deployment-kube2iam.yaml
@@ -0,0 +1,44 @@
+# Copyright 2018 the Heptio Ark contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+ namespace: heptio-ark-server
+ name: ark
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ component: ark
+ annotations:
+ iam.amazonaws.com/role: arn:aws:iam:::role/
+ spec:
+ restartPolicy: Always
+ serviceAccountName: ark
+ containers:
+ - name: ark
+ image: gcr.io/heptio-images/ark:latest
+ command:
+ - /ark
+ args:
+ - server
+ volumeMounts:
+ - name: plugins
+ mountPath: /plugins
+ volumes:
+ - name: plugins
+ emptyDir: {}
diff --git a/examples/common/10-deployment.yaml b/examples/aws/10-deployment.yaml
similarity index 100%
rename from examples/common/10-deployment.yaml
rename to examples/aws/10-deployment.yaml
diff --git a/examples/gcp/10-deployment.yaml b/examples/gcp/10-deployment.yaml
new file mode 100644
index 000000000..473f27dd7
--- /dev/null
+++ b/examples/gcp/10-deployment.yaml
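Review bot: The `image: gcr.io/heptio-images/ark:latest` line pins the server to a mutable tag, so what this Deployment actually runs changes whenever the tag is republished and cannot be tied back to a reviewed release; the same line appears in examples/gcp/10-deployment.yaml and examples/ibm/10-deployment.yaml in this commit. A fixed release tag, or better an image digest, keeps the example reproducible, e.g. `image: gcr.io/heptio-images/ark:<RELEASE_TAG>` (placeholder, to be filled from the release). The `iam.amazonaws.com/role` annotation is rendered here as `arn:aws:iam:::role/` with empty account and role segments, which reads as a user-supplied placeholder (angle-bracket placeholders may have been lost in extraction); a comment pointing at its source would help, e.g. `# fill in the ARN of the IAM role created in docs/aws-config.md (kube2iam section)`. Because kube2iam hands the pod whatever that role permits, the role's attached policy should stay limited to the backup bucket, which is what step 3 of the docs appears to set up via `BUCKET=`.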
@@ -0,0 +1,50 @@
+# Copyright 2018 the Heptio Ark contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+ namespace: heptio-ark-server
+ name: ark
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ component: ark
+ spec:
+ restartPolicy: Always
+ serviceAccountName: ark
+ containers:
+ - name: ark
+ image: gcr.io/heptio-images/ark:latest
+ command:
+ - /ark
+ args:
+ - server
+ volumeMounts:
+ - name: cloud-credentials
+ mountPath: /credentials
+ - name: plugins
+ mountPath: /plugins
+ env:
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: /credentials/cloud
+ volumes:
+ - name: cloud-credentials
+ secret:
+ secretName: cloud-credentials
+ - name: plugins
+ emptyDir: {}
diff --git a/examples/ibm/10-deployment.yaml b/examples/ibm/10-deployment.yaml
new file mode 100644
index 000000000..93732959d
--- /dev/null
+++ b/examples/ibm/10-deployment.yaml
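Review bot: The `cloud-credentials` secret holding the service-account key is mounted at `/credentials` without `readOnly: true` on the volumeMount and with the secret volume's default file mode, so nothing in the manifest states that the key is read-only inside the container; the same mount appears in examples/ibm/10-deployment.yaml. Adding `readOnly: true` under the `cloud-credentials` entry of `volumeMounts` makes the intent explicit, and a restrictive `defaultMode` (e.g. `defaultMode: 0400`) on the secret volume limits which processes in the container can read the key, provided the container runs as the file owner — confirm that before tightening. A short comment above `env`, e.g. `# must match the key file path inside the cloud-credentials mount`, would also help readers keep the `mountPath` and the `GOOGLE_APPLICATION_CREDENTIALS` value in sync.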
@@ -0,0 +1,50 @@
+# Copyright 2018 the Heptio Ark contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+ namespace: heptio-ark-server
+ name: ark
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ component: ark
+ spec:
+ restartPolicy: Always
+ serviceAccountName: ark
+ containers:
+ - name: ark
+ image: gcr.io/heptio-images/ark:latest
+ command:
+ - /ark
+ args:
+ - server
+ volumeMounts:
+ - name: cloud-credentials
+ mountPath: /credentials
+ - name: plugins
+ mountPath: /plugins
+ env:
+ - name: AWS_SHARED_CREDENTIALS_FILE
+ value: /credentials/cloud
+ volumes:
+ - name: cloud-credentials
+ secret:
+ secretName: cloud-credentials
+ - name: plugins
+ emptyDir: {}
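Review bot: The `env` entry sets `AWS_SHARED_CREDENTIALS_FILE` in a manifest under examples/ibm, and nothing in the file explains why an AWS variable is the right one for IBM storage; a reader comparing it with examples/gcp/10-deployment.yaml sees an otherwise identical manifest and may take it for a copy-paste slip. A comment above the entry would remove the doubt, e.g. `# IBM Cloud Object Storage is presumably driven through the S3-compatible path, so the AWS credentials file variable is used here` — confirm the wording against docs/ibm-config.md before adding it. It would also be worth stating in that comment that `/credentials/cloud` must match the key inside the `cloud-credentials` secret, since the two names are only linked by convention.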