From 1089f40e4fa56713742fc4e9c2456c59fa6e8f1b Mon Sep 17 00:00:00 2001
From: YuviPanda
Date: Fri, 19 Apr 2024 17:22:07 -0700
Subject: [PATCH 1/3] Expand docstring for `hub_cloud_permissions`
---
terraform/aws/variables.tf | 32 +++++++++++++++++++++-----------
1 file changed, 21 insertions(+), 11 deletions(-)
diff --git a/terraform/aws/variables.tf b/terraform/aws/variables.tf
index 0e9c65a86b..c85e007701 100644
--- a/terraform/aws/variables.tf
+++ b/terraform/aws/variables.tf
@@ -55,17 +55,27 @@ variable "hub_cloud_permissions" {
 )
 default = {}
 description = <<-EOT
- Map of cloud permissions given to a particular hub (k8s namespace) and
- its associated IAM Role's that are 1:1 with k8s ServiceAccounts.
-
- Currently supported are:
-
- 1. bucket_admin_access: List of S3 storage buckets that the associated aws-iam-role/k8s-service-account should have read
- and write permissions for.
- 2. bucket_readonly_access: List of S3 storage buckets that users on this hub should have read
- permissions for.
- 3. extra_iam_policy: An AWS IAM Policy document that grants additional rights to the users
- on this hub when talking to AWS services.
+ Cloud permissions attached to Kubernetes Service Accounts in a particular
+ hub in this cluster.
+
+ The key is a Kubernetes namespace, which by convention in 2i2c clusters
+ is also the name of the hub.
+
+ The value is itself a map, as each hub can have multiple Kubernetes Service
+ Accounts attached to it, for different kinds of users. The key is the name
+ of the Kubernetes Service Account. By convention, the currently supported keys
+ are are `user-sa` (for non-admin users on the hub) and `admin-sa` (for admin
+ users on the hub). The value can be one of:
+
+ 1. bucket_admin_access: List of S3 storage buckets to grant full read & write
+ permissions to.
+ 2. bucket_readonly_access: List of S3 storage buckets to grant full read
+ permissions to.
+ 3. extra_iam_policy: An AWS IAM Policy document that grants additional rights
+ to this Kubernetes Service Account.
+
+ Note that these are independent of each other - so if you want both admins
+ and non-admins to have a set of permissions, you may need to repeat them.
 EOT
 }
 
From 2d15c17ee0b4361bc9110fa52aaf3654acefec11 Mon Sep 17 00:00:00 2001
From: Erik Sundell
Date: Sat, 20 Apr 2024 10:03:00 +0200
Subject: [PATCH 2/3] docs: minor clarification regarding k8s namespace and hub
---
terraform/aws/variables.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
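Review bot: The new `3. extra_iam_policy` item says the document `grants additional rights to this Kubernetes Service Account` but gives no hint of its blast radius, which is the one caveat an operator editing this map needs: every pod that runs as that Service Account, i.e. every user of the hub with that role, inherits the policy verbatim. I would append to that item: `The document is attached as-is, so keep it least-privilege and review it like any other IAM policy; it applies to every pod running as this Service Account.` The line `The value can be one of:` also reads as if the three attributes are mutually exclusive, while the closing note about repeating permissions for admins and non-admins implies they can be combined; if the object type declared above the hunk lists them as sibling attributes, `The value is an object with these optional attributes:` would be more accurate. The `variable` block's `type` declaration starts before this hunk.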
diff --git a/terraform/aws/variables.tf b/terraform/aws/variables.tf
index c85e007701..01e0668753 100644
--- a/terraform/aws/variables.tf
+++ b/terraform/aws/variables.tf
@@ -56,7 +56,7 @@ variable "hub_cloud_permissions" {
 default = {}
 description = <<-EOT
 Cloud permissions attached to Kubernetes Service Accounts in a particular
- hub in this cluster.
+ k8s namespace (hub) in this cluster.
 
 The key is a Kubernetes namespace, which by convention in 2i2c clusters
 is also the name of the hub.
From 664c7f0e2814ca6d25c535290ccf8b9ba1c1ca93 Mon Sep 17 00:00:00 2001
From: Erik Sundell
Date: Sat, 20 Apr 2024 12:53:38 +0200
Subject: [PATCH 3/3] Add clarity to where constraints are, basehub as compared to terraform
---
terraform/aws/variables.tf | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/terraform/aws/variables.tf b/terraform/aws/variables.tf
index 01e0668753..f7272c32f9 100644
--- a/terraform/aws/variables.tf
+++ b/terraform/aws/variables.tf
@@ -63,9 +63,10 @@ variable "hub_cloud_permissions" {
 
 The value is itself a map, as each hub can have multiple Kubernetes Service
 Accounts attached to it, for different kinds of users. The key is the name
- of the Kubernetes Service Account. By convention, the currently supported keys
- are are `user-sa` (for non-admin users on the hub) and `admin-sa` (for admin
- users on the hub). The value can be one of:
+ of the Kubernetes Service Account. By convention, basehub currently only
+ supports creation of Kubernetes Service Accounts `user-sa` (for non-admin
+ users on the hub) and `admin-sa` (for admin users on the hub). The value
+ can be one of:
 
 1. bucket_admin_access: List of S3 storage buckets to grant full read & write
 permissions to.
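Review bot: The rewritten lines state that basehub `currently only supports creation of Kubernetes Service Accounts` `user-sa` and `admin-sa`, but the variable itself still accepts any key, so a misspelt name would silently provision an IAM role whose trust policy points at a Service Account that never exists. Since the description now pins the two supported names, a `validation` block on the variable would reject anything else at plan time instead of leaving an orphaned role to be noticed later. The `type` declaration and closing brace of the `variable` block are outside this hunk, so the condition below assumes the shape the description gives, a map of namespace to map of Service Account name; adjust it if the declared type differs.
```hcl
# inside variable "hub_cloud_permissions", after the description heredoc
# … unchanged: type, default, description …
validation {
  condition = alltrue([
    for namespace, service_accounts in var.hub_cloud_permissions :
    alltrue([for sa_name in keys(service_accounts) : contains(["user-sa", "admin-sa"], sa_name)])
  ])
  error_message = "Keys under each hub in hub_cloud_permissions must be \"user-sa\" or \"admin-sa\"; basehub only creates those Service Accounts."
}
```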