Allow non-static AWS credentials for Route 53, gated by "ambient credentials" flags #363
Conversation
jetstack-bot
added
the
release-note
jetstack-bot
added
size/L
|
/ok-to-test
…On Wed, 28 Feb 2018 at 08:05, jetstack-bot ***@***.***> wrote:
Hi @euank <https://github.com/euank>. Thanks for your PR.
I'm waiting for a jetstack <https://github.com/orgs/jetstack/people>
member to verify that this patch is reasonable to test. If it is, they
should reply with /ok-to-test on its own line. Until that is done, I will
not automatically test new commits in this PR, but the usual testing
commands by org members will still work. Regular contributors should join
the org <https://github.com/orgs/jetstack/people> to skip this step.
I understand the commands that are listed here
<https://go.k8s.io/bot-commands>.
Instructions for interacting with me using PR comments are available here
<https://git.k8s.io/community/contributors/devel/pull-requests.md>. If
you have questions or suggestions related to my behavior, please file an
issue against the kubernetes/test-infra
<https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:>
repository.
—
You are receiving this because your review was requested.
Reply to this email directly, view it on GitHub
<#363 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAMbP06ckWG5GV0GO5IaWPlYY2nMgtRLks5tZQjBgaJpZM4SWOsX>
.
|
jetstack-bot
removed
the
needs-ok-to-test
There was a problem hiding this comment.
Thanks very much for this PR, and thanks to @mattmoyer for the original work on the AWS provider too.
I share your concerns around ensuring we test this properly - this is in effect a security option, and so we need to ensure it does properly secure what it says. I think explicit 'ambient' variants of the dns provider constructor functions (like you've done here) and then unit tests to ensure they are not called with ambient credentials are disabled works well (at least, for now).
I think we also need to update our documentation to explain how ClusterIssuer and Issuer now differ - up until this point, they have behaved identically out of the box. This could definitely be a surprise to users and without proper documentation, might lead them to think "cert-manager just works some of the time /shrug".
pkg/issuer/acme/dns/dns.go
Outdated
| secretAccessKey, | ||
| providerConfig.Route53.HostedZoneID, | ||
| providerConfig.Route53.Region, | ||
| ) |
There was a problem hiding this comment.
So I'm thinking in order to test this, we could probably just add a unit test that ensures the correct function is called (i.e. ambient or not). We will struggle otherwise to run these tests, as we currently don't mock the entire provider environment (and thus, we have no way to properly e2e test DNS providers at the moment either).
euank
force-pushed
the
nonstatic-aws-creds
branch
from
6c978bf
to
ba47a49
Compare
|
I pushed some additional fixups. I'm hitting some hangups testing this still, so it's still not ready for merge, but a bit closer. |
|
I added some infrastructure to the dns package to make it easier to unit test this sort of change in #391; unfortunately this and that PR will merge conflict. |
jetstack-bot
added
the
needs-rebase
euank
force-pushed
the
nonstatic-aws-creds
branch
from
ba47a49
to
22d6088
Compare
jetstack-bot
removed
the
needs-rebase
|
Rebased and added a unit test, I'm still not happy with the test coverage of this and still don't consider it quite ready for merge. I do think review of what's here is reasonable though |
| // https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials | ||
| } else { | ||
| glog.V(5).Infof("not using ambient credentials") | ||
| config.WithCredentials(credentials.NewStaticCredentials(accessKeyID, secretAccessKey, "")) |
There was a problem hiding this comment.
If these credentials are invalid, will the default chain still be used? (i.e. does WithCredentials append to the chain, or replace?)
There was a problem hiding this comment.
It replaces the default credential chain. Even if they're an empty string, it will error out that they're invalid without trying anything else.
| } | ||
| } | ||
| return m, nil | ||
| } |
There was a problem hiding this comment.
Not sure whether this test file was meant to be removed? Can it be reworked for the new constructors?
There was a problem hiding this comment.
This was intentional.
My understanding was this isn't being run in CI, and even if it were, these tests are really just testing the aws sdk, not testing any of the code here as far as I could tell
| args: []interface{}{"", "", "", "us-west-2", true}, | ||
| }, | ||
| }, | ||
| }, |
There was a problem hiding this comment.
Can we get a corresponding fixture where ambient is set to false?
This change maintains backwards compatibility, but makes the `accessKeyID` and `secretAccessKeySecretRef` fields of the `route53` DNS provider optional. If not provided, AWS credentials will be loaded from `AWS_*` environment variables or the EC2 metadata service. This should also work for things that impersonate the EC2 metadata service, such as [kube2iam](https://github.com/jtblin/kube2iam) and [kail](https://github.com/uswitch/kiam). Signed-off-by: Matt Moyer <moyer@heptio.com>
Signed-off-by: Matt Moyer <moyer@heptio.com>
The zone id is never read from the environment; this test tests functionality which doesn't exist in the actual software, so there's no point in having it.
This implements ambient credential support for AWS, gated behind flags for issuers and cluster issuers. This adds the pair of flags discussed in cert-manager#308. It provides an implementation for those flag's effects for the route53 solver.
I'm convinced this test was never run and also did not provide any significant value in this project.
euank
force-pushed
the
nonstatic-aws-creds
branch
3 times, most recently
from
48099de
to
e6884f1
Compare
|
@munnerz I'm happy with this now. You should definitely do a pass on the docs I added since I'm sure there's a better way to explain some of that, but I've manually tested the code and think this is an okay to merge from my end. I do wish there was a better way to deal with e2e testing this, but that seems like quite a rabbit hole to go down right now. I may do so later if my time allows. |
| @@ -35,6 +35,9 @@ spec: | |||
| key: api-key.txt | |||
| - name: route53 | |||
| route53: | |||
| # Credentials may optionally be omitted to use ambient credentials if | |||
| # --issuer-ambient-credentials is enabled and | |||
| # ambient credentials are available to cert-manager. | |||
There was a problem hiding this comment.
Just wondering - would this be specified with something like:
- name: route53
route53: {}
?
There was a problem hiding this comment.
Ah - I should read the docs 😄
- name: route53
route53:
region: us-east1-a
|
|
||
| They will only be used if no credentials are supplied, even if the supplied credentials are incorrect. | ||
|
|
||
| By default, they may be used by cluster-issuers, but not regular issuers. The |
There was a problem hiding this comment.
s/cluster-issuers/ClusterIssuers
| `--cluster-issuer-ambient-credentials=false` flags on the cert-manager may be | ||
| used to override this behavior. | ||
|
|
||
| Note that ambient credentials are disabled for regular 'Issuer's by default to |
There was a problem hiding this comment.
'Issuer's? I think this should just be Issuers?
docs/user-guides/cluster-issuers.md
Outdated
|
|
||
| ## Ambient Credentials | ||
|
|
||
| By default, a Cluster Issuer will be able to use 'ambient credentials' of the 'cert-manager' deployment for supported challenges. Currently, only the 'route53' challenge makes use of ambient credentials. To learn more about this behavior, see the [ambient credentials][ambient-creds] document. |
There was a problem hiding this comment.
Currently, only the 'route53' ACME DNS challenge validation makes...
| const testZoneID = "testzoneid" | ||
|
|
||
| func TestAmbientRegionFromEnv(t *testing.T) { | ||
| os.Setenv("AWS_REGION", "us-east-1") |
There was a problem hiding this comment.
So it seems like if the 'region' field is not set in the Issuer resource, we use the environment to determine which to use (this var).
I guess this happens as part of credential loading in the default chain? & additionally, if AWS_REGION is set, but ambient credentials are disabled, will the region still be used? It's not such a big security concern, but it could cause strange behaviour for users and mask the fact they've not set the region explicitly in the YAML.
There was a problem hiding this comment.
Region handling is distinct from credential chains. The two sources that will be consulted for region are that environment variable, and the 'shared config' (the ini file at ~/.aws/config). Notably, ec2 metadata isn't consulted.
The current implementation of the ambient option does not impact those settings. I didn't really think about that, so I left it as it was before.
The region thing is a bit silly here since route53 is a global service, so the region only really matters if you want to reduce api latency by hitting a nearer server, or if you're using a different aws partition (like aws china or govcloud).
I'll go ahead and make it respect the ambient config for now, but I think the above may be an argument for defaulting regardless it in the future.
There was a problem hiding this comment.
Added a commit to do the above, and updated those unit tests.
euank
force-pushed
the
nonstatic-aws-creds
branch
from
9b98598
to
2d93161
Compare
This notably results in the region being a required field if the 'ambient' option is not set for a given issuer.
euank
force-pushed
the
nonstatic-aws-creds
branch
from
2d93161
to
faac070
Compare
|
/retest unrelated flake |
|
/lgtm 🎉 thanks for this @mattmoyer and @euank! Lots of work done here, but I think we've laid out a good framework and best practice for how we handle this in future, and can start rolling out similar changes for other providers too 😄. Really appreciate it, it's not easy finding time to go back and forth on PRs like this! |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: munnerz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
jetstack-bot
added
the
approved
This includes all the changes in #243, but also implements the flags discussed in #308 and fixes the failing test.
The flags are implemented such that ambient credentials are only used if the access id and secret key are blank, which I personally think is the correct behavior.
This should not be merged yet because I the following still needs to be done:
--issuer-ambient-credentialsresults in all four issuers working--cluster-issuer-ambient-credentials=falseresults in the ambient cluster issuer no longer workingMy current status on the above is that I'm having trouble getting the e2e tests to run locally; if I have trouble for longer I may file a separate issue about that.
Release note: