-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
dns/route53: change accessKey to be a secret ref #197
Conversation
Hi @euank. Thanks for your PR. I'm waiting for a jetstack member to verify that this patch is reasonable to test. If it is, they should reply with I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Assign the PR to them by writing The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
I've deployed this change to my cluster and insured that the route53 provider config, using the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, I've had a review of this sitting in my GitHub but not submitted for almost a week now!
Thanks for this change - as we do not yet provide a stable API, I think we're best to remove the old field for this and instead require the accessKeyIDSecretRef is specified on issuers. wdyt?
docs/api-types/issuer/spec.md
Outdated
@@ -126,12 +126,17 @@ clouddns: | |||
```yaml | |||
route53: | |||
accessKeyID: AKIAIOSFODNN7EXAMPLE |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should remove the accessKeyID
field altogether. I'd rather have a smaller API surface than provide countless options that aren't that useful 😄
docs/api-types/issuer/spec.md
Outdated
@@ -126,12 +126,17 @@ clouddns: | |||
```yaml | |||
route53: | |||
accessKeyID: AKIAIOSFODNN7EXAMPLE | |||
accessKeyIDRef: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be accessKeyIDSecretRef
(from types.go below)
docs/examples/acme-issuer.yaml
Outdated
@@ -36,6 +36,7 @@ spec: | |||
- name: route53 | |||
route53: | |||
# The Route53 access key ID | |||
# optionally, 'accessKeyIDRef' may be used instead to reference a secret |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
accessKeyIDSecretRef
docs/api-types/issuer/spec.md
Outdated
region: eu-west-1 | ||
secretAccessKeySecretRef: | ||
name: prod-route53-credentials-secret | ||
key: secret-access-key | ||
``` | ||
|
||
*Note*: Only one of `accessKeyID` and `accessKeyIDRef` should be specified. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This can be removed
docs/examples/cluster-issuer.yaml
Outdated
@@ -36,6 +36,7 @@ spec: | |||
- name: route53 | |||
route53: | |||
# The Route53 access key ID | |||
# optionally, 'accessKeyIDRef' may be used instead to reference a secret | |||
accessKeyID: AKIADKOU3GLWAQM8WQKJ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Replace with accessKeyIDSecretRef
specification
HostedZoneID string `json:"hostedZoneID"` | ||
Region string `json:"region"` | ||
AccessKeyID string `json:"accessKeyID,omitempty"` | ||
AccessKeyIDRef SecretKeySelector `json:"accessKeyIDSecretRef,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we want to remove omitempty
here
1f1a09e
to
84107a9
Compare
Apologies for being slow to get back to this; I've addressed your comments. I agree it makes sense to require the secret ref if we're okay with the API breakage. |
/hold This change will merge conflict with #243. Let's land that one first. I'll remove the hold and do the rebase/merging once that one lands. |
/hold (last time I had trailing stuff after /hold, I don't know if that breaks it or not) |
docs/examples/acme-issuer.yaml
Outdated
# The Route53 access key ID | ||
accessKeyID: AKIADKOU3GLWAQM8WQKJ | ||
# A secretKeyRef to a the route53 secret access key | ||
# A secretKeyRef to a the AWS IAM credentials |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
to a the -> to the
(driveby, hi euank!)
Thanks for the reminder @Capitrium; I'll pick this back up |
/hold cancel |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Assign the PR to them by writing The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
I've updated the code, but haven't updated my deployment to gain as much confidence as before. I'll be away for the next two weeks; feel free to make changes or take it over if that's preferable to waiting. |
/retest prow appears to be wedged |
@euank: you can't request testing unless you are a jetstack member. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
It's not unusual to store the aws access and secret keys together in the same secret under different keys. This allows conveniently using that same secret for both.
This introduces better error handling for the case where the value was not present since the helper checks the `, ok` value for the map accesses, but the existing code didn't.
It is preferable to use the 'accessKeyIDSecretRef' instead of the 'accessKeyID' field. This is primarily because in real-world deployments those two items are typically stored as two keys in a secret. This change matches host most users store aws secrets in K8s now.
Rebased again, seems to be working fine on my cluster... ping @munnerz for review since you did the last round several months ago :) |
@euank: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry for the massive delay on this - it's just been buried in my list of assigned PRs/issues 😬
I've added a couple of extra thoughts - I think we should probably introduce this in a backwards compatible way, as it won't be too difficult to do.
We also now have API validations defined in pkg/apis/certmanager/validations
. Could you update these accordingly for the new field?
You may also need to make some changes to the new resolveSecretKeyRef
function since there have been some recently changes to how DNS providers detect the 's.resourceNamespace` field.
Again, very sorry for the delay here! I think if we can make this backwards compatible, we can get this merged straight away :)
SecretAccessKey SecretKeySelector `json:"secretAccessKeySecretRef"` | ||
HostedZoneID string `json:"hostedZoneID"` | ||
Region string `json:"region"` | ||
AccessKeyIDRef SecretKeySelector `json:"accessKeyIDSecretRef"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we update this PR to not be a breaking change? i.e. if a user specifies accessKeyID
, it is still used. But if a user specifies accessKeyIDSecretRef
, it takes precedence?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In a later release we can then add validation to prevent both being set, before removing the old field altogether for 1.0.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, I can revert it back to what I originally had.
I think at this point, this is blocked on making sure this is a step in the right direction via discussion in #687 though
Issues go stale after 90d of inactivity. |
Stale issues rot after 30d of inactivity. |
Rotten issues close after 30d of inactivity. |
@retest-bot: Closing this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Hey, sorry to revive the comment thread on such an old PR, but I recently ran into a situation where I wanted to do this (read the I figure the ship has long since sailed on replacing I ended up using ambient credentials, but that does mean using one AWS user for the whole cert-manager installation. Not a problem for now, but could be a limiting factor in future as our setup evolves. |
What this PR does / why we need it:
It's not unusual to store the aws access and secret keys together in the
same secret under different keys. This allows conveniently using that
same secret for both.
I have not yet deployed and manually tested this change, but I plan to fairly soon. Feel free to wait on that.
Note, this incidentally improves error handling for the other dns providers by refactoring secret-key-data-has-that-key checking into its own function