dns/route53: change accessKey to be a secret ref #197
Conversation
jetstack-bot
added
release-note
|
Hi @euank. Thanks for your PR. I'm waiting for a jetstack member to verify that this patch is reasonable to test. If it is, they should reply with I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
jetstack-bot
added
the
needs-ok-to-test
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Assign the PR to them by writing The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
|
I've deployed this change to my cluster and insured that the route53 provider config, using the |
There was a problem hiding this comment.
Sorry, I've had a review of this sitting in my GitHub but not submitted for almost a week now!
Thanks for this change - as we do not yet provide a stable API, I think we're best to remove the old field for this and instead require the accessKeyIDSecretRef is specified on issuers. wdyt?
docs/api-types/issuer/spec.md
Outdated
| @@ -126,12 +126,17 @@ clouddns: | |||
| ```yaml | |||
| route53: | |||
| accessKeyID: AKIAIOSFODNN7EXAMPLE | |||
There was a problem hiding this comment.
I think we should remove the accessKeyID field altogether. I'd rather have a smaller API surface than provide countless options that aren't that useful 😄
docs/api-types/issuer/spec.md
Outdated
| @@ -126,12 +126,17 @@ clouddns: | |||
| ```yaml | |||
| route53: | |||
| accessKeyID: AKIAIOSFODNN7EXAMPLE | |||
| accessKeyIDRef: | |||
There was a problem hiding this comment.
This should be accessKeyIDSecretRef (from types.go below)
docs/examples/acme-issuer.yaml
Outdated
| @@ -36,6 +36,7 @@ spec: | |||
| - name: route53 | |||
| route53: | |||
| # The Route53 access key ID | |||
| # optionally, 'accessKeyIDRef' may be used instead to reference a secret | |||
docs/api-types/issuer/spec.md
Outdated
| region: eu-west-1 | ||
| secretAccessKeySecretRef: | ||
| name: prod-route53-credentials-secret | ||
| key: secret-access-key | ||
| ``` | ||
|
|
||
| *Note*: Only one of `accessKeyID` and `accessKeyIDRef` should be specified. |
docs/examples/cluster-issuer.yaml
Outdated
| @@ -36,6 +36,7 @@ spec: | |||
| - name: route53 | |||
| route53: | |||
| # The Route53 access key ID | |||
| # optionally, 'accessKeyIDRef' may be used instead to reference a secret | |||
| accessKeyID: AKIADKOU3GLWAQM8WQKJ | |||
There was a problem hiding this comment.
Replace with accessKeyIDSecretRef specification
| HostedZoneID string `json:"hostedZoneID"` | ||
| Region string `json:"region"` | ||
| AccessKeyID string `json:"accessKeyID,omitempty"` | ||
| AccessKeyIDRef SecretKeySelector `json:"accessKeyIDSecretRef,omitempty"` |
There was a problem hiding this comment.
I think we want to remove omitempty here
euank
force-pushed
the
akid-ref
branch
2 times, most recently
from
1f1a09e
to
84107a9
Compare
euank
changed the title
|
Apologies for being slow to get back to this; I've addressed your comments. I agree it makes sense to require the secret ref if we're okay with the API breakage. |
|
/hold This change will merge conflict with #243. Let's land that one first. I'll remove the hold and do the rebase/merging once that one lands. |
|
/hold (last time I had trailing stuff after /hold, I don't know if that breaks it or not) |
jetstack-bot
added
the
do-not-merge/hold
munnerz
removed
the
needs-ok-to-test
docs/examples/acme-issuer.yaml
Outdated
| # The Route53 access key ID | ||
| accessKeyID: AKIADKOU3GLWAQM8WQKJ | ||
| # A secretKeyRef to a the route53 secret access key | ||
| # A secretKeyRef to a the AWS IAM credentials |
There was a problem hiding this comment.
to a the -> to the
(driveby, hi euank!)
jetstack-bot
added
the
needs-rebase
|
Thanks for the reminder @Capitrium; I'll pick this back up |
|
/hold cancel |
jetstack-bot
removed
the
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Assign the PR to them by writing The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
jetstack-bot
removed
the
needs-rebase
|
I've updated the code, but haven't updated my deployment to gain as much confidence as before. I'll be away for the next two weeks; feel free to make changes or take it over if that's preferable to waiting. |
munnerz
added
area/acme
|
/retest prow appears to be wedged |
|
@euank: you can't request testing unless you are a jetstack member. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
It's not unusual to store the aws access and secret keys together in the same secret under different keys. This allows conveniently using that same secret for both.
This introduces better error handling for the case where the value was not present since the helper checks the `, ok` value for the map accesses, but the existing code didn't.
It is preferable to use the 'accessKeyIDSecretRef' instead of the 'accessKeyID' field. This is primarily because in real-world deployments those two items are typically stored as two keys in a secret. This change matches host most users store aws secrets in K8s now.
|
Rebased again, seems to be working fine on my cluster... ping @munnerz for review since you did the last round several months ago :) |
jetstack-bot
added
the
needs-rebase
|
@euank: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There was a problem hiding this comment.
Sorry for the massive delay on this - it's just been buried in my list of assigned PRs/issues 😬
I've added a couple of extra thoughts - I think we should probably introduce this in a backwards compatible way, as it won't be too difficult to do.
We also now have API validations defined in pkg/apis/certmanager/validations. Could you update these accordingly for the new field?
You may also need to make some changes to the new resolveSecretKeyRef function since there have been some recently changes to how DNS providers detect the 's.resourceNamespace` field.
Again, very sorry for the delay here! I think if we can make this backwards compatible, we can get this merged straight away :)
| SecretAccessKey SecretKeySelector `json:"secretAccessKeySecretRef"` | ||
| HostedZoneID string `json:"hostedZoneID"` | ||
| Region string `json:"region"` | ||
| AccessKeyIDRef SecretKeySelector `json:"accessKeyIDSecretRef"` |
There was a problem hiding this comment.
Can we update this PR to not be a breaking change? i.e. if a user specifies accessKeyID, it is still used. But if a user specifies accessKeyIDSecretRef, it takes precedence?
There was a problem hiding this comment.
In a later release we can then add validation to prevent both being set, before removing the old field altogether for 1.0.
There was a problem hiding this comment.
Sure, I can revert it back to what I originally had.
I think at this point, this is blocked on making sure this is a step in the right direction via discussion in #687 though
|
Issues go stale after 90d of inactivity. |
jetstack-bot
added
lifecycle/stale
|
Stale issues rot after 30d of inactivity. |
jetstack-bot
added
lifecycle/rotten
|
Rotten issues close after 30d of inactivity. |
|
@retest-bot: Closing this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Hey, sorry to revive the comment thread on such an old PR, but I recently ran into a situation where I wanted to do this (read the I figure the ship has long since sailed on replacing I ended up using ambient credentials, but that does mean using one AWS user for the whole cert-manager installation. Not a problem for now, but could be a limiting factor in future as our setup evolves. |
What this PR does / why we need it:
It's not unusual to store the aws access and secret keys together in the
same secret under different keys. This allows conveniently using that
same secret for both.
I have not yet deployed and manually tested this change, but I plan to fairly soon. Feel free to wait on that.
Note, this incidentally improves error handling for the other dns providers by refactoring secret-key-data-has-that-key checking into its own function