Masters already have assume-role (presumably), so we just need to create the roles. Module found here works quite well: uswitch/kiam#25 (comment)
For some reason kiam-server expects the certs to be valid for IP 127.0.0.1 as well as for the name of the service. I generated the certs using the instructions in the kiam repo, and it worked. Cert-manager doesn’t do IPs as well as DNS names yet, but it’s on the way in v0.7: https://github.com/jetstack/cert-manager/pull/1128/files
The manually generated certs have this SAN block:
X509v3 Subject Alternative Name: DNS:kiam-server, DNS:127.0.0.1:443, DNS:127.0.0.1:9610, IP Address:127.0.0.1, URI:kiam-server:443
and for the cert-manager generated ones the best I can get is this:
X509v3 Subject Alternative Name: DNS:kiam-server, DNS:kiam-server.kiam, DNS:kiam-server:443, DNS:localhost, DNS:localhost:443, DNS:localhost:9610, DNS:127.0.0.1, DNS:127.0.0.1:443, DNS:127.0.0.1:9610
I tried using localhost instead and setting the healthchecks to use localhost, but it doesn't seem to help.
This all seems to be explained by the findings in this issue, where they reached the same conclusion I did: uswitch/kiam#162
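To make the SAN requirement concrete, here is an added shell example (not from the kiam repo or from these notes) that uses openssl to mint a throwaway CA and two server certs: one whose SANs carry DNS:kiam-server plus a real IP Address:127.0.0.1 entry, and one that only has DNS entries, including a DNS:127.0.0.1 entry like the cert-manager output above. It then chain-verifies each cert for 127.0.0.1 with openssl verify -verify_ip, which is the check a client dialling an IP performs. The KIAM_CERT_DIR override, the temporary output directory, the function names and the one-day validity are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the kiam project or from the original notes.
# Assumes: openssl (1.1.1 or later) on PATH; KIAM_CERT_DIR is a hypothetical
# override for the output directory, otherwise a temp dir is used.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

WORK="${KIAM_CERT_DIR:-$(mktemp -d)}"

# Write one openssl config with three extension sections: a CA section, a
# server section with a real IP SAN (IP.1), and a server section that only
# has DNS entries, including the DNS:127.0.0.1 hack seen in the notes.
write_kiam_cnf() {
  cat > "$WORK/kiam.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = kiam-server
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_ip]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_ip
[v3_dnsonly]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_dnsonly
[alt_ip]
DNS.1 = kiam-server
DNS.2 = kiam-server.kiam
DNS.3 = localhost
IP.1 = 127.0.0.1
[alt_dnsonly]
DNS.1 = kiam-server
DNS.2 = kiam-server.kiam
DNS.3 = localhost
DNS.4 = 127.0.0.1
EOF
}

# Mint a throwaway CA, then sign one server cert per extension section:
# server-ip.pem (IP SAN present) and server-dnsonly.pem (no IP SAN).
gen_kiam_certs() {
  write_kiam_cnf
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -subj "/CN=kiam-ca" \
    -config "$WORK/kiam.cnf" -extensions v3_ca \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  for kind in ip dnsonly; do
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/kiam.cnf" \
      -keyout "$WORK/server-$kind.key" -out "$WORK/server-$kind.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/server-$kind.csr" \
      -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
      -extfile "$WORK/kiam.cnf" -extensions "v3_$kind" \
      -out "$WORK/server-$kind.pem" 2>/dev/null
  done
}

# Print the SAN line of server-<kind>.pem as openssl renders it, e.g.
# "DNS:kiam-server, DNS:kiam-server.kiam, DNS:localhost, IP Address:127.0.0.1".
kiam_cert_sans() {
  openssl x509 -in "$WORK/server-$1.pem" -noout -text \
    | grep -A 1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Chain-verify server-<kind>.pem for a target. Targets that look like an IP
# go through -verify_ip (matched against IP SANs only), everything else
# through -verify_hostname (DNS SANs only). Exit status 0 means the cert is
# valid for that target.
kiam_cert_valid_for() {
  case "$2" in
    *[!0-9.]*) openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$2" \
                 "$WORK/server-$1.pem" >/dev/null 2>&1 ;;
    *)         openssl verify -CAfile "$WORK/ca.pem" -verify_ip "$2" \
                 "$WORK/server-$1.pem" >/dev/null 2>&1 ;;
  esac
}

# Demo: the DNS-only cert passes for the service name but fails for 127.0.0.1.
gen_kiam_certs
for kind in ip dnsonly; do
  printf '%s SANs: %s\n' "$kind" "$(kiam_cert_sans "$kind")"
  for target in kiam-server 127.0.0.1; do
    if kiam_cert_valid_for "$kind" "$target"; then r=ok; else r=MISMATCH; fi
    printf '  %-12s -> %s\n' "$target" "$r"
  done
done
```

The split between -verify_ip and -verify_hostname mirrors what Go's crypto/tls does when kiam's agent dials the server: a name that parses as an IP is matched only against IP Address SANs, so a DNS:127.0.0.1 or DNS:127.0.0.1:443 entry never satisfies it, whereas a single IP.1 = 127.0.0.1 line in the config does. Point cert-manager at the same SAN set once it can issue IP SANs, and until then sign the server cert with the CA you already have.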
KIAM doesn't add the ca-certificates package to the container, so you have to mount the host's /etc/ssl/certs (the server needs trust roots to reach the AWS STS API over TLS). The chart has a value to deal with this:
```yaml
server:
  extraHostPathMounts:
    - name: cacerts
      mountPath: /etc/ssl/certs
      hostPath: /etc/ssl/certs
      readOnly: true
```

According to the readme, the agent needs to set an iptables rule to intercept metadata traffic. I believe this means that we need to configure the helm chart like so:

```yaml
agent:
  host:
    iptables: true
    interface: flannel+   # glob of the host interfaces pod traffic arrives on
```

- The server must run on masters, the agent only on the nodes.
- Versions seem to be moving quickly. Keep an eye on them (v3.0 just dropped, but the chart doesn't necessarily keep up).