
Enable IRSA Mode for Kubernetes Deployments #98

Merged (2 commits), Dec 13, 2024

Conversation

michaelbauerinc commented Oct 23, 2024

This PR adds support for IAM Roles for Service Accounts (IRSA) in the Percona RDS Exporter, allowing it to run in Kubernetes environments with improved security and reduced management overhead.

Context

IRSA is a feature in AWS EKS that allows Kubernetes pods to assume IAM roles directly using service accounts, eliminating the need to manage and store static credentials (e.g., access key/secret key pairs) within the pods. By enabling IRSA, Kubernetes workloads can leverage temporary security credentials obtained directly from the service account role, simplifying credential management and improving security posture. Previously, an AWS secret was required by the exporter to assume the role ARN, and the exporter would fail if this was missing.

Changes

  • If IRSA is enabled (irsa_enabled: true in the config), the exporter will utilize the default credential provider chain of the AWS SDK.
  • The AWS SDK will automatically use the credentials mounted by IRSA in the pod, bypassing the need for explicit credential handling.
  • In scenarios where IRSA is not enabled, the exporter retains its existing behavior of using a specified IAM role with access key/secret key, ensuring backward compatibility.
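The selection rule in the Changes list is easy to get wrong in the unhappy path: with irsa_enabled set and no web-identity token projected into the pod, the SDK default chain walks on to the instance metadata service (or fails with an opaque error) instead of saying what is missing. The following is an added example, not code from the rds_exporter project or from this PR. It implements the same decision (default chain when irsa_enabled, explicit keys otherwise) as a preflight check, and in IRSA mode also verifies the environment the EKS pod identity webhook injects (AWS_ROLE_ARN, AWS_WEB_IDENTITY_TOKEN_FILE) and sanity-checks the projected token's audience and expiry. The Config struct, field names, function names and the sample token are this example's own assumptions; the token is constructed in-process and unsigned so the program runs offline.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Config mirrors the settings the PR describes. The field names are this
// example's own assumptions, not the exporter's real config struct.
type Config struct {
	IRSAEnabled  bool   // irsa_enabled in the YAML config
	AWSAccessKey string // static access key (non-IRSA path)
	AWSSecretKey string // static secret key (non-IRSA path)
}

// CredMode is which credential source would be handed to the AWS SDK.
type CredMode string

const (
	ModeStatic CredMode = "static-keys"
	ModeIRSA   CredMode = "default-chain-irsa"
)

// ResolveCredentialMode applies the rule from the PR: irsa_enabled selects the
// SDK default credential chain, otherwise explicit keys are required. getenv is
// injected so the check can be exercised without touching the real environment.
func ResolveCredentialMode(cfg Config, getenv func(string) string) (CredMode, error) {
	if !cfg.IRSAEnabled {
		if cfg.AWSAccessKey == "" || cfg.AWSSecretKey == "" {
			return ModeStatic, errors.New("irsa_enabled is false and access key/secret key are not configured")
		}
		return ModeStatic, nil
	}
	// On EKS the pod identity webhook injects these two variables when the
	// service account carries the eks.amazonaws.com/role-arn annotation; the
	// SDK default chain cannot find web-identity credentials without them.
	for _, name := range []string{"AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE"} {
		if getenv(name) == "" {
			return ModeIRSA, fmt.Errorf("irsa_enabled is true but %s is not set; check the service account annotation", name)
		}
	}
	return ModeIRSA, nil
}

// CheckWebIdentityToken inspects the projected service-account token before the
// SDK uses it. It decodes the JWT payload only (no signature check: STS verifies
// the signature against the cluster's OIDC issuer) and fails fast on the
// misconfigurations a pod can detect locally: wrong audience, expiry, odd subject.
func CheckWebIdentityToken(raw string, now time.Time) error {
	parts := strings.Split(strings.TrimSpace(raw), ".")
	if len(parts) != 3 {
		return errors.New("token is not a three-segment JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return fmt.Errorf("decode JWT payload: %w", err)
	}
	var claims struct {
		Aud json.RawMessage `json:"aud"`
		Exp int64           `json:"exp"`
		Sub string          `json:"sub"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return fmt.Errorf("parse JWT claims: %w", err)
	}
	// aud is a string or an array of strings; STS expects sts.amazonaws.com.
	// A default service-account token (aud = the API server) would be rejected here
	// rather than by an STS error later.
	if !hasAudience(claims.Aud, "sts.amazonaws.com") {
		return fmt.Errorf("token audience %s does not include sts.amazonaws.com", string(claims.Aud))
	}
	if claims.Exp == 0 || !now.Before(time.Unix(claims.Exp, 0)) {
		return errors.New("token is expired or has no exp claim")
	}
	if !strings.HasPrefix(claims.Sub, "system:serviceaccount:") {
		return fmt.Errorf("unexpected subject %q; expected a Kubernetes service account", claims.Sub)
	}
	return nil
}

func hasAudience(raw json.RawMessage, want string) bool {
	var single string
	if json.Unmarshal(raw, &single) == nil {
		return single == want
	}
	var many []string
	if json.Unmarshal(raw, &many) == nil {
		for _, a := range many {
			if a == want {
				return true
			}
		}
	}
	return false
}

// MakeUnsignedToken builds a constructed token with the given claims for offline
// testing; real projected tokens are RS256-signed by the API server.
func MakeUnsignedToken(claims map[string]interface{}) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	return enc(map[string]string{"alg": "none", "typ": "JWT"}) + "." + enc(claims) + ".sig"
}

func main() {
	now := time.Date(2024, 10, 23, 12, 0, 0, 0, time.UTC)
	// Constructed environment, as the EKS webhook would inject it (values are made up).
	env := map[string]string{
		"AWS_ROLE_ARN":                "arn:aws:iam::123456789012:role/rds-exporter",
		"AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
	}
	getenv := func(k string) string { return env[k] }

	mode, err := ResolveCredentialMode(Config{IRSAEnabled: true}, getenv)
	fmt.Println("mode:", mode, "err:", err)

	good := MakeUnsignedToken(map[string]interface{}{
		"aud": []string{"sts.amazonaws.com"},
		"exp": now.Add(time.Hour).Unix(),
		"sub": "system:serviceaccount:monitoring:rds-exporter",
	})
	fmt.Println("projected STS token:", CheckWebIdentityToken(good, now))

	wrongAud := MakeUnsignedToken(map[string]interface{}{
		"aud": "https://kubernetes.default.svc",
		"exp": now.Add(time.Hour).Unix(),
		"sub": "system:serviceaccount:monitoring:rds-exporter",
	})
	fmt.Println("default SA token:", CheckWebIdentityToken(wrongAud, now))
}
```

In a real deployment the token check runs against the file named by AWS_WEB_IDENTITY_TOKEN_FILE at startup; the audience test is the one that catches the common mistake of mounting the default service-account token (audience = the API server) instead of the projected STS-audience token that IRSA requires.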

it-percona-cla commented Oct 23, 2024

CLA assistant check
All committers have signed the CLA.

michaelbauerinc (author) commented Dec 6, 2024

Hey @BupycHuk thanks for the approval. Would you be able to point me in the right direction as to why the CI seems to be stuck here?

It looks like it's failing because the tests require an AWS access key, but we have not configured the testing environment on our fork. Is it considered a requirement for us to fully configure/run the tests in our own AWS env before merging, or am I missing something here?

BupycHuk (member) commented Dec 6, 2024

Hi, yes, we do not have a proper environment for rds_exporter tests; we need to fix it.

michaelbauerinc (author):

Gotcha, thanks for the quick feedback 😄

michaelbauerinc (author):

Do you have an estimate when you might have a time to prioritize this?

@BupycHuk BupycHuk merged commit 915aceb into percona:main Dec 13, 2024
1 of 2 checks passed

3 participants