Automatic IRSA configuration for provider installed from package

[vilkovtato]

Issue link: #5598

Hi, I'd like to kindly ask for help.

I'm have crossplane package with following content:

• composition
• compositionresourcedefinition
• (dependson) provider iam
• (dependson) provider s3
  The configuration file looks like this:

apiVersion: meta.pkg.crossplane.io/v1
kind: Configuration
metadata:
  name: myconfiguration
spec:
  crossplane:
    version: ">=v1.13.1"
  dependsOn:
  - provider: xpkg.upbound.io/upbound/provider-aws-s3
    version: ">=v1.3.1"
  - provider: xpkg.upbound.io/upbound/provider-aws-iam
    version: ">=v1.3.1"

Now in the cluster, there is already installed default ProviderConfig:

apiVersion: aws.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: default
spec:
  credentials:
    source: Secret
    secretRef:
      namespace: crossplane-system
      name: aws-creds
      key: creds

After installing my crossplane package into the cluster, the providers (s3,iam) are automatically using the aws credentials from the ProviderConfig.

But this should be now reworked to use IRSA. After I changed the ProviderConfig to IRSA and install the crossplane package, the new created providers pods (for s3, iam) does not use IRSA, meaning the created service accounts for the providers pods does not have annotation with that IAM role.

When I will be installing the crossplane package to different eks clusters in different AWS accounts, the IAM role will be always different. This is why I need that after the package installation, the newly created providers will AUTOMATICALY use IRSA.

I didnt find (or did not figure it out) documentation, how to do it.

Could anybody please help?

[bobh66]

https://github.com/crossplane-contrib/provider-upjet-aws/blob/main/AUTHENTICATION.md#authentication-using-irsa

[vilkovtato]

@bobh66 - thank you for help

But there is a problem. You are pointing to docu, where you are manually creating providers and there you can configure ControllerConfig, Provider and ProviderConfig:

apiVersion: pkg.crossplane.io/v1alpha1
kind: ControllerConfig
metadata:
  name: irsa-controllerconfig
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/iam-role-name
spec:
  podSecurityContext:
    fsGroup: 2000
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-aws
spec:
  package: xpkg.upbound.io/upbound/provider-aws:v0.4.0
  packagePullSecrets:
    - name: package-pull-secret
  controllerConfigRef:
    name: irsa-controllerconfig
---
apiVersion: aws.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: irsa
spec:
  credentials:
    source: IRSA

But when you install providers via OCI image, there is no place to configure the controllerConfigRef:

[bobh66]

When you say "OCI image" I assume you mean the Providers that are installed by the package manager as a dependency from the Configuration.

There isn't currently a way to configure these Providers with DeploymentRuntimeConfigs to allow for IRSA. It does seem like all of the providers for a given family could share the same DeploymentRuntimeConfig and maybe use label selection to determine a default instance to use if none is specified. There was a similar question about this on Slack - https://crossplane.slack.com/archives/CEG3T90A1/p1713391580418069 so it's probably something we should look into.