-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add option to assume-role in route53 #1917
feat: add option to assume-role in route53 #1917
Conversation
Hi @moolen. Thanks for your PR. I'm waiting for a jetstack or cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
bcd9200
to
b542eb0
Compare
@moolen I see this hasn't been assigned yet. Where are you in the development? Hoping to get this merged as this is a feature that I require. Thanks |
I'm waiting for feedback. I missed the part with /assign @kragniz |
No problem. That is why I pinged you. I missed that in my PR as well. I am going to build your branch and test. |
Test successfully. |
thanks for your effort! <3 |
Thanks for testing @cyrus-mc 😄 I'm going to take a look over the implementation for this today. I'm personally not so well versed in AWS APIs, so I'm going to defer API review to someone else who is.. 🙄. /cc @simonswine |
/test pull-cert-manager-e2e-v1-13 (could not resolve host github.com) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good in general 👍 , a few questions about the details are inline
@@ -22,6 +22,8 @@ Amazon Route53 | |||
secretAccessKeySecretRef: | |||
name: prod-route53-credentials-secret | |||
key: secret-access-key | |||
# you may specify a role to assume | |||
role: arn:aws:iam::XXXXXXXXXXXX:role/cert-manager |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think a full blown example would be great here (Including IAM Role configuration, AssumePolicy and so on)
Also pointing out the two options using Instance Profile + Assume Role (useAmbientCerds=false
) or AccessKey + SecretKey + AssumeRole. (useAmbientCerds=true
)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, are these to auth methods mutually exclusive? If you could update comments on API types to explain this too, we may want to consider restructuring how auth is defined if so to make it fit better.. but let's first document what's what so we are all on the same page 😄
klog.V(5).Infof("assuming role: %s", d.Role) | ||
stsSvc := d.StsProvider(sess) | ||
result, err := stsSvc.AssumeRole(&sts.AssumeRoleInput{ | ||
DurationSeconds: aws.Int64(900), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not too sure how long we use that GetSession()
. A validation might take longer than 900 seconds and we might not cleanup properly.
It also might be the case that we always get a new session on every reconcile (@munnerz to confirm)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It also might be the case that we always get a new session on every reconcile (@munnerz to confirm)
We do currently get a new session on each reconcile (although we don't always obtain a session on every reconcile, i.e. we only get one if we need to Present or CleanUp the record, so you shouldn't see 10s or hundreds of sessions being created for a single challenge)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A validation might take longer than 900 seconds and we might not cleanup properly.
Good point! 1h is the sdk default and should be enough.
c7114cc
to
e6ac3d7
Compare
@simonswine & @munnerz i added docs for auth, policies, api spec and changed the |
ping @simonswine @munnerz |
Thanks for this 😄 /lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: moolen, munnerz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Would you mind also editing your original comment and adding a short (one-line) release note for this change? |
/retest |
1 similar comment
/retest |
/retest |
Can you run /lgtm cancel |
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
6664746
to
5915872
Compare
i rebased, updated the CRDs and squashed the commits. that should do it 🤞 *edit |
/lgtm |
What this PR does / why we need it:
This PR adds the field
role
to the route53 dns provider. It allows users to specify a role per route53 provider which lets them manage zones in other accounts. see discussion at #1274Which issue this PR fixes: fixes #1274
Special notes for your reviewer:
There is bunch of documentation missing regarding route53 (see #1750). This PR will add a minimum-viable documentation only for this specific field.
The assume-role logic itself is trivial but i really wanted a way to test the behavior (hence the indirection using
type sessionProvider
).Release note: