6

We are currently in the process of deploying a new Spring Data Flow stream application in our AWS EKS cluster. As part of this, the pods launched by the skipper should have the IAM roles defined in the annotation so that they can access the required AWS services. I have created the required IAM role in the AWS account and am trying to pass the role using the pod-annotations property in the deploy stream for the application.

sample deployment property:

deployer.datastreamdemosource.kubernetes.pod-annotations=iam.amazonaws.com/role: arn:aws:iam::XXXXXXXX:role/spring-dataflow-test-role

The skipper is able to launch pods in the cluster, but I can see the requested annotation is not assigned to the pod template.

The annotation value assigned to the pod is

Am I using the correct property to assign the required IAM role? Or how do I assign IAM roles to the pods launched by the skipper as part of the stream? We do not want to use a global IAM role for the streams since some pods will have additional permissions that they do not need. Has anyone successfully deployed dataflow streaming applications in AWS EKS with IAM roles for each pod?

SimbuStar

2 Answers

1

After reading documents for hours I found the required configurations in the below link

https://docs.spring.io/spring-cloud-dataflow/docs/current/reference/htmlsingle/#_annotations

So you need to use the below property definitions under the deployment Platform in your Streams which will allow the skipper to launch the pods with required annotations.

 deployer.data-stream-demo-source.kubernetes.podAnnotations=iam.amazonaws.com/role: arn:aws:iam::XXXXXXX:role/spring-dataflow-test-role
 deployer.data-stream-demo-sink.kubernetes.podAnnotations=iam.amazonaws.com/role: arn:aws:iam::XXXXXX:role/spring-dataflow-test-role

The default pod-annotation property in the deploy stream definition is not working as expected, and I am not sure whether it's because of a typo in pod-annotations.

It's the same case with other annotations as well (job-annotations, service-annotations).

For now, you can define the required annotation definition in the freetext tab or you can define in the application property level when registering apps to the dataflow server. By the way, I am using spring-cloud-dataflow-server Version: 2.2.1.RELEASE

SimbuStar
0

What you tried as deployment property has a typo in it indeed. To override the podAnnotations at each stream-app level, you should be using it as deployer.<app-name>.kubernetes.podAnnotations for each of the desired apps in the stream definition.

SCDF's K8s-deployer specifically expects the property in that format, and that's why it is not parsed and annotated correctly on the deployed apps. If you're using the UI, however, we attempt to list all the deployer properties in a dialog window for you automatically, so the value is all that is expected from you.

There was a recent discussion around volumeMounts along the same lines in SCDF's Gitter channel. The background discussed in the channel might be useful.

Sabby Anandan
  • Thanks Sabby. In the UI I have noticed the value is listed as pod-annotations instead of podAnnotations. Is there any specific reason why the UI is returning an incorrect value? Also, each time I try to deploy the stream I need to enter the pod-level deployment assignments. Can we do the deployment value assignment when registering the apps to dataflow or registering streams? How can we do this value as a one-time assignment so that the deploy stream action will automatically pick the required deployment values? – SimbuStar Oct 24 '19 at 15:27
  • This is related to the bug https://github.com/spring-cloud/spring-cloud-dataflow/issues/3580. From the UI, you can correct the value of the deployment properties (to change from the kebab-case) by clicking on the `text` tab on the stream deploy page – Ilayaperumal Gopinathan Oct 25 '19 at 09:03
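
A pre-deploy check for the key format discussed in the answers above, as an added example that is not part of the original posts or of SCDF itself: it flags the kebab-case annotation keys the thread reports as ignored, rewrites them to the camelCase form, and lists apps that would launch without a role annotation. The `jobAnnotations`/`serviceAnnotations` spellings, the function name, the sample app `data-stream-demo-log` and the single-annotation value check are assumptions.

```python
import re

# Assumption: camelCase keys the Kubernetes deployer reads, keyed by the
# kebab-case spelling that the answers above report as being ignored.
KEBAB_TO_CAMEL = {
    "pod-annotations": "podAnnotations",
    "job-annotations": "jobAnnotations",
    "service-annotations": "serviceAnnotations",
}
KEY_RE = re.compile(r"^deployer\.(?P<app>[^.]+)\.kubernetes\.(?P<prop>[^.=]+)$")
# Single-annotation value as used on this page; the account id is a placeholder there.
ROLE_RE = re.compile(r"^iam\.amazonaws\.com/role:\s*arn:aws:iam::[0-9A-Za-z]+:role/[\w+=,.@/-]+$")

# Constructed sample input, modelled on the properties quoted in the thread.
SAMPLE = """\
deployer.datastreamdemosource.kubernetes.pod-annotations=iam.amazonaws.com/role: arn:aws:iam::XXXXXXXX:role/spring-dataflow-test-role
deployer.data-stream-demo-sink.kubernetes.podAnnotations=iam.amazonaws.com/role: arn:aws:iam::XXXXXXXX:role/spring-dataflow-test-role
deployer.data-stream-demo-log.kubernetes.limits.memory=512Mi
"""


def lint_deploy_properties(text, apps_needing_role):
    """Return (findings, corrected_lines) for key=value deployment properties."""
    findings, corrected, annotated = [], [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        m = KEY_RE.match(key)
        if m and m["prop"] in KEBAB_TO_CAMEL:
            fixed = KEBAB_TO_CAMEL[m["prop"]]
            findings.append(f"{key}: kebab-case key is not applied; use {fixed}")
            key = f"deployer.{m['app']}.kubernetes.{fixed}"
            m = KEY_RE.match(key)
        if m and m["prop"] == "podAnnotations":
            if ROLE_RE.match(value):
                annotated.add(m["app"])  # counted against the corrected output
            else:
                findings.append(f"{key}: value is not an iam.amazonaws.com/role ARN annotation")
        corrected.append(f"{key}={value}")
    # Apps that must carry a per-pod role but have no annotation at all.
    for app in sorted(set(apps_needing_role) - annotated):
        findings.append(f"{app}: no podAnnotations role annotation set")
    return findings, corrected
```

The corrected lines can be pasted into the text tab of the stream deploy page mentioned in the comments.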