Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merge back to stsci - IGNORE THIS #1

Open
wants to merge 19 commits into
base: master
Choose a base branch
from
Open

Merge back to stsci - IGNORE THIS #1

wants to merge 19 commits into from

Conversation

mgough-970
Copy link

No description provided.

jmatuskey and others added 19 commits April 6, 2020 13:39
modify IAM role to be prefixed with your cluster name
03b6891
@super-cob @yuvipanda
more elegant use of variables in cluster-autoscaler name
d9e7940 
Co-Authored-By: Yuvi Panda <[email protected]>
@yuvipanda
Merge pull request pangeo-data#24 from super-cob/master
420176a
@yuvipanda
Use AWS roles instead of service users
1c09c92 
We were creating AWS service users, giving them keys
and then checking those keys in with git-crypt. This isn't
good security practice. We should be creating roles with
minimal permissions instead. These roles can then be 'assumed'
by different entities - an EC2 instance running GitHub actions,
a local user on a computer, etc. This also removes need to
managed EC2 access credentials in a repo - dangerous, and bothersome
to rotate.

This needs corresponding changes in hubploy to use assumed
roles before it can work.
@yuvipanda
Permit hubploy-eks access to kube cluster by default
afe2b86 
Currently, only the user who created the cluster can
access the cluster. We need to explicitly set role in
[aws-auth](https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html)
to let roles access the cluster.

We set this up, so the hubploy role can actually talk to the
kubernetes cluster
@yuvipanda
Let hubploy deployers group assume ECR role too
085b0b7
@yuvipanda
Create a role for use by ec2 instances
85f69f5 
We create a role that can assume only the two roles
necessary for hubploy. This role can only be attached
to ec2 instances
@jmatuskey
up size to t3.medium so hubploy has enough space
f664f96
@jmatuskey
Merge branch 'fix/no-users' of github.com:super-cob/terraform-deploy …
16df14f 
…into fix/no-users
@jmatuskey
automate creation of role that can do initial cluster setup
6ea018d
@yuvipanda
Restrict hubploy deploy role
164bc90 
Only needs to run describe-cluster on the one we just
created
@jmatuskey
fully working with no-users role based terraform
dfb6cd8
@jmatuskey
up size to t3.medium so hubploy has enough space
7dcb43e
@jmatuskey
automate creation of role that can do initial cluster setup
d18b2a4
@jmatuskey
fully working with no-users role based terraform
b2a19fe
@jmatuskey
move trust policy to data block
45b1167
@jmatuskey
Merge branch 'fix/no-users' of github.com:super-cob/terraform-deploy …
a1e313c 
…into fix/no-users

# Conflicts:
#	aws-creds/iam.tf
@jmatuskey
use variables to prefix roles
31f841d
Added submodule
c397388
@mgough-970 mgough-970 changed the title Merge back to stsci Merge back to stsci - IGNORE THIS Aug 4, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mgough-970 @super-cob @yuvipanda @jmatuskey