feat(filestore): use service account for s3 api calls

[Hunter-Thompson]

Summary

Makes using a secret for S3 optional. Instead, gives an option to UseServiceAccount instead.
This feature is quite important to ensure security standards.

Ticket Link

Fixes #315

Release Note

Makes using a secret for S3 calls optional, gives an option to UseServiceAccount with IAM role instead.

[mattermod]

Hello @Hunter-Thompson,

Thanks for your pull request! A Core Committer will review your pull request soon. For code contributions, you can learn more about the review process here.

[mirshahriar]

How is ServiceAccount used? Not seeing that ServiceAccount has been mounted in deployment. Can you point out?

[Hunter-Thompson]

How is ServiceAccount used? Not seeing that ServiceAccount has been mounted in deployment. Can you point out?

mattermost-operator/pkg/mattermost/mattermost_v1beta.go

Line 376 in ce3d25d

ServiceAccountName: serviceAccountName,

[mirshahriar]

How is ServiceAccount used? Not seeing that ServiceAccount has been mounted in deployment. Can you point out?

mattermost-operator/pkg/mattermost/mattermost_v1beta.go

Line 376 in ce3d25d

ServiceAccountName: serviceAccountName,

This is for the Kubernetes Native ServiceAccount. I'm not sure if it serves our needs. As far I know, this ServiceAccount is used to access Kubernetes API server (provides RBAC permissions) and related stuffs.

[Hunter-Thompson]

How is ServiceAccount used? Not seeing that ServiceAccount has been mounted in deployment. Can you point out?

mattermost-operator/pkg/mattermost/mattermost_v1beta.go

Line 376 in ce3d25d

ServiceAccountName: serviceAccountName,

This is for the Kubernetes Native ServiceAccount. I'm not sure if it serves our needs. As far I know, this ServiceAccount is used to access Kubernetes API server (provides RBAC permissions) and related stuffs.

@mirshahriar, AWS provides a way to attach an IAM role to a Kubernetes native ServiceAccount. Allowing a deployment to access AWS services like S3, without a secret.

https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html

[Hunter-Thompson]

The user will have to:

1. Create SA manually
2. Add annotation with IAM role
3. Deploy MM operator

MM operator wont create the SA, since it already exists.

[mirshahriar]

@mirshahriar, AWS provides a way to attach an IAM role to a Kubernetes native ServiceAccount. Allowing a deployment to access AWS services like S3, without a secret.

https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html

Thank you very much. I was unaware of that.

[mirshahriar]

LGTM. Thank you for your work.

[mirshahriar]

@Hunter-Thompson, One more thing. Can we add a check to verify whether the ServiceAccount has a certain annotation required for AWS IAM?

[Hunter-Thompson]

@mirshahriar I added a check.

Another thing to note is that - Im skipping creating the ServiceAccount if UseServiceAccount is true.
I did this because the user has to create the ServiceAccount manually, and if the ServiceAccount exists, the function will overwrite the ServiceAccount annotations if the operator creates the ServiceAccount, so I don't create the ServiceAccount if UseServiceAccount is true.

We can give the user an option to add an Annotation through the spec, but most of the time, the ServiceAccount with IAM role is created using IaaC(Infra as code), and it would cause the operator to fight with IaaC.

Thoughts?

[mirshahriar]

Im skipping creating the ServiceAccount if UseServiceAccount is true.

I agree. Added a comment here.

[mirshahriar]

We can give the user an option to add an Annotation through the spec

For the time being, we can leave it up to the user to manually put this in annotation.

[Hunter-Thompson]

@mirshahriar changed the layout like you requested.

[fmartingr]

Hey @Hunter-Thompson, this LGTM overall, I only have one nit comment below regarding the use service account flow control. Apart from that 👍

[gabrieljackson]

LGTM!