Add CRDs and permissions for SQS (#84)

Co-authored-by: Dmitry Dodzin <[email protected]>
metalbear-co · Aug 17, 2024 · b24d621 · b24d621
1 parent f053417
commit b24d621
Show file tree

Hide file tree

Showing 8 changed files with 443 additions and 5 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,2 @@
+license.pem
+
diff --git a/mirrord-operator/Chart.yaml b/mirrord-operator/Chart.yaml
@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.6.5
+version: 1.6.6
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "3.91.0"
+appVersion: "3.92.0"
diff --git a/mirrord-operator/README.md b/mirrord-operator/README.md
@@ -8,15 +8,39 @@ If you have a license key (usually obtained from https://app.metalbear.co) you c
 * Or you can create a secret with key `OPERATOR_LICENSE_KEY` and set the given key as value, then use `license.keyRef` to reference that secret.
 
 If you have a certificate license (usually part of Enterprise offering) you can:
-* Add license file to `license.file.secret.data.license.pem` in `values.yaml`
+* Add the contents of your license file to `license.file.secret.data.license.pem` in `values.yaml`
 * Or you can create a secret with the following format:
     ```yaml
     apiVersion: v1
     kind: Secret
     metadata:
-    name: secret
-    namespace: mirrord
+        name: mirrord-operator-license-pem
+        namespace: mirrord
     stringData:
         license.pem: LICENSE_CONTENT
     ```
     then reference it using `license.pemRef` in `values.yaml`
+
+
+### SQS queue splitting
+
+#### IAM Role for the operator's service account
+
+For mirrord's SQS queue splitting feature, the operator has to be able to create, read from, write to, and delete SQS queues.
+If the queue messages are encrypted, the operator also needs the `kms:Encrypt`, `kms:Decrypt` and `kms:GenerateDataKey` permissions.
+
+For that, an IAM role with an appropriate policy has to be assigned to the operator's service acount.
+Follow AWS's documentation on how to do that:
+
+https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html
+
+Pass the ARN of the role in `sa.roleArn` in `values.yaml` or via `--set sa.roleArn=arn:aws:iam::$account_id:role/mirrord-operator-role`.
+
+#### Permissions for target workloads
+
+In order to be targeted with SQS queue splitting, a workload has to be able to read from queues that are created by mirrord.
+Any temporary queues created by mirrord are created with the same policy as the orignal queues they are splitting (with the single change of the queue name in the policy), so if a queue has a policy that allows the target workload to call `ReceiveMessage` on it, that is enough.
+However, if the wokrload gets its access to the queue by an IAM policy (and not an SQS policy, see [SQS docs](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-using-identity-based-policies.html#sqs-using-sqs-and-iam-policies)) that grants access to that specific queue by its exact name, you would have to add a policy that would allow that workload to also read from new temporary queues created by mirrord on the run.
+
+
+> **Note:** the names of all queues created and deleted by mirrord begin with "mirrord-".
diff --git a/mirrord-operator/templates/cluster-role.yaml b/mirrord-operator/templates/cluster-role.yaml
@@ -27,6 +27,21 @@ rules:
   - get
   - list
   - watch
+{{- if .Values.operator.sqsSplitting }}
+# For patching target workloads to use different queue.
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - patch
+- apiGroups:
+  - argoproj.io
+  resources:
+  - rollouts
+  verbs:
+  - patch
+{{- end }}
 - apiGroups:
   - ""
   - batch
@@ -76,6 +91,38 @@ rules:
   verbs:
   - list
   - get
+{{- if .Values.operator.sqsSplitting }}
+- apiGroups:
+  - queues.mirrord.metalbear.co
+  resources:
+  - mirrordworkloadqueueregistries
+  verbs:
+  - list
+- apiGroups:
+  - queues.mirrord.metalbear.co
+  resources:
+  - mirrordworkloadqueueregistries/status
+  verbs:
+  - update
+- apiGroups:
+  - queues.mirrord.metalbear.co
+  resources:
+  - mirrordsqssessions
+  verbs:
+  - create
+  - watch
+  - list
+  - get
+  - delete
+  - deletecollection
+  - patch
+- apiGroups:
+  - queues.mirrord.metalbear.co
+  resources:
+  - mirrordsqssessions/status
+  verbs:
+  - update
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole