-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Using workload identity instead of exporting service account keys on GKE #3009
Comments
The pod issuing the API request to interact with clouddns (gcp) just need to be deploy with the serviceaccount named dns01_ksa. When you do that, GCP api library should been able to use the provided token. You can start a pod and check with gcloud / gsutil that it's working properly :
You should see the GCP service account (gsa) |
Hi @akhamar ,
Leaving out the |
Hi @bergemalm I'll have a go at your solution though, to try it out ^^
|
I didn't dig in too deep, just saw this Sounds like a plan! :) |
Yea cool. Indeed if you already have a service account available the next checks won't be done, so it should work properly. Would be great though to have a nice solution by including either the json file or the serviceaccount name in the issuer configuration. Way more cleaner than doing it in multiple steps. |
@bergemalm I just saw that I don't have any pods named |
So to confirm what @bergemalm said, the solution of patching the service account for cert-manager pods works great. I've patched the serviceaccount by doing so : Thanks @bergemalm for the tips and the good direction. @meyskens maybe you could add a temporary explanation/solution (as provided here) on the main DNS01 google page (https://cert-manager.io/docs/configuration/acme/dns01/google/) for supporting workload identity. Set up a Service Account (supporting workload identity)
Patching cert-manager service account (enabling workload identity)
Create a Service Account Secret Create an Issuer That Uses CloudDNS
|
@akhamar looking good, PRs welcome at https://github.com/cert-manager/website/edit/master/content/en/docs/configuration/acme/dns01/google.md (gets you some credit for it in the Git history 😉) |
/help |
@meyskens: Please ensure the request meets the requirements listed here. If this request no longer meets these requirements, the label can be removed In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
I'm trying to use workload identities with the helm chart (by overwriting the This error message seems to be caused by the Is there anything I'm doing obviously wrong? Do I somehow need to set the ambient flag? |
I have come across this recently too 🤔 I was looking at some of the other solvers:
- dns01:
clouddns:
project: my-project
ambient: true but if you do that you get the following error:
I tried with Could this be as simple as updating the schema for the issuer type for clouddns? I ask if this is "simple" but I have no idea where the schema that the request is being validated against is actually created 😂 🙈 |
Here are detailed instructions for setting up cert-manager with Google Cloud DNS on GKE using workload identity: https://blog.atomist.com/kubernetes-ingress-nginx-cert-manager-external-dns/ |
yikes @ddgenome that seems very complex 🙈 I was trying to get a simpler solution using "ambient permissions" because I happen to be using this cluster to do other things in my gcloud account so the permissions are setup correctly already, but I would say that following the cert-manager docs to create a new service account and save that json in a secret is much simpler than setting up a whole new subsystem to side-step this small missing feature |
I'm about to create a PR updating the cert-manager docs with workload identity details. |
Add documentation and link to blog post for using GKE workload identity to authenticate against Google Cloud DNS. Per request in cert-manager/cert-manager#3009 Signed-off-by: David Dooling <dooling@gmail.com>
@mansona I'm not sure what you mean by "setting up a whole new subsystem". To use "ambient" permissions, i.e., the default credentials, just do not put a |
Not sure why this isn't mentioned anywhere else, but in 1.0.4 at least, cert-manager needs to be started with https://github.com/jetstack/cert-manager/blob/v1.0.4/pkg/issuer/acme/dns/clouddns/clouddns.go#L48-L50 <= Ambient flag needs to be enabled |
@txomon did you manage to figure out how to enable issuer-ambient-credentials with the helm chart? |
@ekimia yes, although redundant, I found it difficult to undertand how exactly things are connected, so I will write here just all the steps to get it working. You need:
I use the default ksa of the namespace to set up the permissions. The regular steps to use Workload Identity:
And now, the stuff specific to cert-manager:
Config looks like this (using default service account):
|
I also got issue when using workloadIdentity on GKE, with DNS-01
version
but worked fine with @txomon 's step change all serviceAccount to default
add extraArgs
And binding GoogleServiceAccount & default (kubernetes serviceaccount), add annotation
|
For those using helm, just adding |
This should help reduce the amount of time people might waste trying to figure out how to resolve the following error: ``` error instantiating route53 challenge solver: unable to construct route53 provider: empty credentials; perhaps you meant to enable ambient credentials? ``` A couple of related bug reports: * cert-manager/cert-manager#3009 * cert-manager/cert-manager#3079
Issues go stale after 90d of inactivity. |
Stale issues rot after 30d of inactivity. |
Rotten issues close after 30d of inactivity. |
@jetstack-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This should help reduce the amount of time people might waste trying to figure out how to resolve the following error: ``` error instantiating route53 challenge solver: unable to construct route53 provider: empty credentials; perhaps you meant to enable ambient credentials? ``` A couple of related bug reports: * cert-manager/cert-manager#3009 * cert-manager/cert-manager#3079
Is your feature request related to a problem? Please describe.
For security and ease of use, it would be greatly preferable to allow us to use workload identity.
It link a kubernetes serviceaccount (ksa) to a GCP serviceaccount (gsa).
Describe the solution you'd like
Instead of creating an Issuer or ClusterIssuer by giving the content of the gcp service account as a json (key.json) it would be greatly appreciate to either give a serviceAccountSecretRef or simply a serviceaccount (ksa). Since gcp serviceaccount are limited to 10 keys, for convenience and for security reason it would be preferable to not use a json file containing the credentials.
Currently that's how you you create an Issuer (ClusterIssuer)
cf. https://cert-manager.io/docs/configuration/acme/dns01/google/
With a kubernetes serviceaccount (ksa) it could be
Describe alternatives you've considered
N/A so far
Additional context
N/A
Environment details (if applicable):
/kind feature
The text was updated successfully, but these errors were encountered: