# KIAM Implementation Notes

## Roles and IAM

Masters already have assume-role (presumably), so we just need to create the roles. The module found here works quite well: https://github.com/uswitch/kiam/issues/25#issuecomment-412547359

## Certs

For some reason kiam-server expects the certs to be valid for the IP 127.0.0.1 as well as for the name of the service. I generated the certs using the instructions in the kiam repo, and it worked.

Cert-manager can't issue IP SANs yet, only DNS names, but it's on the way in v0.7: https://github.com/jetstack/cert-manager/pull/1128/files

The manually generated certs have this SAN block:

```
X509v3 Subject Alternative Name:
    DNS:kiam-server, DNS:127.0.0.1:443, DNS:127.0.0.1:9610, IP Address:127.0.0.1, URI:kiam-server:443
```

and for the cert-manager generated ones the best I can get is this (note that 127.0.0.1 only appears as a DNS name, never as an IP Address entry):

```
X509v3 Subject Alternative Name:
    DNS:kiam-server, DNS:kiam-server.kiam, DNS:kiam-server:443, DNS:localhost, DNS:localhost:443, DNS:localhost:9610, DNS:127.0.0.1, DNS:127.0.0.1:443, DNS:127.0.0.1:9610
```

I tried using `localhost` instead and setting the healthchecks to use `localhost`, but it doesn't seem to help. This all seems to be explained by the findings in this issue, where they reached the same conclusion I did: https://github.com/uswitch/kiam/issues/162

## Host CA Certs

KIAM doesn't add the ca-certificates package to the container, so you have to mount the host `/etc/ssl/certs` into it. The chart has a setting to deal with this:

```yaml
server:
  extraHostPathMounts:
    - name: cacerts
      mountPath: /etc/ssl/certs
      hostPath: /etc/ssl/certs
      readOnly: true
```

## Flannel

According to the [readme](https://github.com/uswitch/kiam#agent), the agent needs to set an iptables rule to intercept metadata traffic. I _believe_ this means that we need to configure the helm chart like so:

```yaml
agent:
  host:
    iptables: true
    interface: flannel+
```

## Other Notes

* The server must run on masters, the agent *only* on the nodes.
* Versions seem to be moving quickly. Keep an eye on them (v3.0 just dropped, but the chart doesn't necessarily keep up).
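Returning to the Certs section above: the script below is an added example (not the kiam repo's own cert instructions, which these notes followed) that mints a kiam-server cert with openssl using an `IP:127.0.0.1` SAN, then checks the resulting cert for the `IP Address:127.0.0.1` entry that the cert-manager SAN block lacks. The CA name, file names and the SAN list are assumptions; the kiam service DNS names come from the page.

```shell
#!/bin/sh
# Added example: generate a CA and a kiam-server leaf cert with a chosen SAN
# list, and check whether the cert really carries an IP Address SAN for
# 127.0.0.1 (as opposed to a DNS:127.0.0.1 entry, which is what cert-manager
# produced). Names and paths are assumptions, not kiam's own.
set -eu

# gen_kiam_server_cert DIR SAN_LIST
#   Writes ca.pem, ca-key.pem, server-key.pem and server.pem into DIR.
#   SAN_LIST is an openssl subjectAltName value, e.g.
#   "DNS:kiam-server, DNS:kiam-server.kiam, IP:127.0.0.1"
gen_kiam_server_cert() {
  dir="$1"
  sans="$2"
  # Throwaway CA (assumed CN).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=kiam-ca" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" >/dev/null 2>&1
  # Server key + CSR; the CN matches the service name from the notes.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=kiam-server" \
    -keyout "$dir/server-key.pem" -out "$dir/server.csr" >/dev/null 2>&1
  # Extensions: the SAN list decides whether 127.0.0.1 is an IP or a DNS entry.
  printf 'subjectAltName = %s\nextendedKeyUsage = serverAuth, clientAuth\n' \
    "$sans" > "$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -days 30 \
    -extfile "$dir/server.ext" -out "$dir/server.pem" >/dev/null 2>&1
}

# cert_sans CERT: print the SAN line of a PEM cert, leading whitespace stripped.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# has_loopback_ip_san CERT: 0 if the cert has "IP Address:127.0.0.1", else 1.
# A DNS:127.0.0.1 entry does not count, which is the cert-manager failure mode.
has_loopback_ip_san() {
  cert_sans "$1" | grep -q 'IP Address:127\.0\.0\.1'
}

# chain_ok CERT_DIR: 0 if server.pem verifies against ca.pem, else 1.
chain_ok() {
  openssl verify -CAfile "$1/ca.pem" "$1/server.pem" >/dev/null 2>&1
}
```

Source the script, call `gen_kiam_server_cert "$dir" "DNS:kiam-server, DNS:kiam-server.kiam, IP:127.0.0.1"`, and run `has_loopback_ip_san "$dir/server.pem"` before handing the files to the kiam-server secret; the same check run over a cert-manager issued cert is a quick way to tell the two SAN shapes from the notes apart.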