fix: Add required S3 PutObjectTagging permission to Velero IRSA policy #517

Merged
merged 4 commits into from
Oct 1, 2024


chrisRedwine
Contributor

@chrisRedwine chrisRedwine commented Sep 16, 2024

Description

Adds required s3:PutObjectTagging permission to Velero IRSA policy

Motivation and Context

Resolves #518

Breaking Changes

No

How Has This Been Tested?

Probably a bit overkill, but the following steps show not only how to reproduce the behavior, but also how this PR resolves the issue:

  • Clone https://github.com/chrisRedwine/velero-mre, which contains the minimal reproducible example for the issue.

  • Run tofu init and tofu apply to create and configure the required resources (VPC, EKS, EBS CSI driver, Snapshot Controller, Velero, Pod w/ PVC and data, etc.).

  • Wait until everything is set up and the ebs-pvc-pod has run and saved data to the volume.

  • Run velero backup create ebs-test-broken --include-namespaces=default --snapshot-move-data.

  • See the error in the logs described below, and note that velero backup describe ebs-test-broken shows the backup failed.

  • Switch the use_fixed_velero_policy variable in terraform.tfvars to true in the chrisRedwine/velero-mre repo.

  • Run tofu apply

  • Wait for the 3 velero pods to restart so that they use the fixed IRSA.

  • Run velero backup create ebs-test-fixed --include-namespaces=default --snapshot-move-data.

  • Notice no errors in the logs, and that velero backup describe ebs-test-fixed shows the backup succeeded.

  • (Make sure to clean up with tofu destroy afterwards)

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)

  • I have tested and validated these changes using one or more of the provided examples/* projects

  • I have executed pre-commit run -a on my pull request

@chrisRedwine chrisRedwine changed the title fix(eks): Add required S3 PutObjectTagging permission to Velero IRSA … fix(eks): Add required S3 PutObjectTagging permission to Velero IRSA policy Sep 17, 2024
@bryantbiggs bryantbiggs changed the title fix(eks): Add required S3 PutObjectTagging permission to Velero IRSA policy fix: Add required S3 PutObjectTagging permission to Velero IRSA policy Oct 1, 2024
Member

@bryantbiggs bryantbiggs left a comment


thank you! If you want to add the same change here https://github.com/terraform-aws-modules/terraform-aws-eks-pod-identity that would be greatly appreciated!

@bryantbiggs bryantbiggs merged commit f0e65a7 into terraform-aws-modules:master Oct 1, 2024
34 checks passed
antonbabenko pushed a commit that referenced this pull request Oct 1, 2024
## [5.44.2](v5.44.1...v5.44.2) (2024-10-01)

### Bug Fixes

* Add required S3 PutObjectTagging permission to Velero IRSA policy ([#517](#517)) ([f0e65a7](f0e65a7))
@antonbabenko
Member

This PR is included in version 5.44.2 🎉

@chrisRedwine
Contributor Author

> thank you! If you want to add the same change here https://github.com/terraform-aws-modules/terraform-aws-eks-pod-identity that would be greatly appreciated!

@bryantbiggs Here's the PR for terraform-aws-eks-pod-identity. I also updated and re-ran the pre-commit hooks.


github-actions bot commented Nov 1, 2024

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 1, 2024
Development

Successfully merging this pull request may close these issues.

Velero policy does not contain necessary S3 PutObjectTagging permissions
3 participants