How do we add an AWS IRSA annotation to the backups to grant S3 access?

Using the Percona XtraDB Helm Operator, running on AWS EKS with IRSA enabled.
How would we specify the Service Account used by the backup process so that the AWS credentials can be injected into the pod when the backup gets run?

Access to the S3 bucket is restricted, and to safely and securely grant access to the S3 bucket without injecting credentials into a Kubernetes secret (or granting the underlying worker node access to the S3 bucket) we want to use the IAM Roles for Service Accounts (IRSA) functionality of EKS.

This means that the backup process needs to be provided with a ServiceAccount to use which has an annotation on it for an AWS role, using:

eks.amazonaws.com/role-arn: <arn>

Having gone through the source of the Operator, we’ve found a fair few undocumented features, and being able to specify the service account for backups is one of these, as well as the annotations on the actual storage defined.

Which is the correct approach to specify the service account to use for the backups?


Hello @Gerwin_van_de_Steeg ,

To specify a service account for backups you can use the spec.backup.serviceAccountName variable in the main CR.

That should be it. Please let me know if it helps.

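The wiring described in this reply, as an added example that is not from the thread or from Percona: a ServiceAccount carrying the IRSA annotation from the question, and the backup section of a PerconaXtraDBCluster CR that points at it via spec.backup.serviceAccountName. It assumes the CR is applied directly (not generated by the Helm chart), and the role ARN, bucket, namespace and names are placeholders.

```yaml
# Added example, not the operator's own manifests. Role ARN, bucket name,
# namespace and resource names are placeholders to be replaced.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pxc-backup
  namespace: pxc
  annotations:
    # IRSA: EKS injects AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE into pods
    # running under this service account. The IAM role's trust policy must
    # allow the cluster's OIDC provider for system:serviceaccount:pxc:pxc-backup,
    # and the role's permissions policy should grant only the S3 actions the
    # backup needs on the one bucket (least privilege, no node-level access).
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/PLACEHOLDER-pxc-backup-role
---
apiVersion: pxc.percona.com/v1
kind: PerconaXtraDBCluster
metadata:
  name: cluster1
  namespace: pxc
spec:
  # other cluster settings (pxc, haproxy, backup.image, ...) omitted
  backup:
    # Field named in the reply above: backup pods run under this ServiceAccount,
    # so the web-identity token is mounted instead of static keys.
    serviceAccountName: pxc-backup
    storages:
      s3-backup:
        type: s3
        s3:
          bucket: PLACEHOLDER-backup-bucket
          region: eu-west-1
          # No credentialsSecret here: credentials come from IRSA, so no
          # access key pair is stored in a Kubernetes Secret.
    schedule:
      - name: daily
        schedule: "0 2 * * *"
        keep: 7
        storageName: s3-backup
```

Whether the backup pod actually authenticates this way still depends on the backup tooling honouring the web-identity environment variables; the thread's later replies note that the Helm chart does not expose these fields and insists on explicit credentials.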

That “should” be it if you create the entire CRD yourself, which we’re not. We are using the Helm chart for the database to create the CRD for us. This helm chart does not expose:

spec.backup.serviceAccountName
nor any indication of the default for spec.automountServiceAccountToken for the Pods created
as well as the chart not functioning if you don’t specify spec.backup.storages..s3.credentials* (either the cred pair, or a secret containing them, neither option of which applies with IRSA).

So no, the Helm chart for the DB does not support IRSA.


I missed that you used helm. I saw you created these two tickets:
https://jira.percona.com/browse/K8SPXC-770
https://jira.percona.com/browse/K8SPXC-771

We’ll see what can be done. Would you be able to push the PR?


Hi,

I’ve not created any PRs for this; I don’t have the available time at the moment (nor will I likely in the foreseeable few months). I’ve lodged those tickets so that someone else in a similar situation can find them without having to dig through C++ and Go code or Helm charts. Might circle back around to this when I can.

Cheers,
Gerwin
