feat: add option to assume-role in route53 #1917
Conversation
jetstack-bot
added
release-note-none
jetstack-bot
added
area/acme
|
Hi @moolen. Thanks for your PR. I'm waiting for a jetstack or cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
jetstack-bot
added
the
size/L
moolen
force-pushed
the
feat/route53-assume-role
branch
from
bcd9200
to
b542eb0
Compare
jetstack-bot
added
dco-signoff: yes
|
@moolen I see this hasn't been assigned yet. Where are you in the development? Hoping to get this merged as this is a feature that I require. Thanks |
|
I'm waiting for feedback. I missed the part with /assign @kragniz |
No problem. That is why I pinged you. I missed that in my PR as well. I am going to build your branch and test. |
|
Test successfully. |
|
thanks for your effort! <3 |
|
Thanks for testing @cyrus-mc 😄 I'm going to take a look over the implementation for this today. I'm personally not so well versed in AWS APIs, so I'm going to defer API review to someone else who is.. 🙄. /cc @simonswine |
jetstack-bot
added
ok-to-test
and removed
needs-ok-to-test
|
/test pull-cert-manager-e2e-v1-13 (could not resolve host github.com) |
| @@ -22,6 +22,8 @@ Amazon Route53 | |||
| secretAccessKeySecretRef: | |||
| name: prod-route53-credentials-secret | |||
| key: secret-access-key | |||
| # you may specify a role to assume | |||
| role: arn:aws:iam::XXXXXXXXXXXX:role/cert-manager | |||
There was a problem hiding this comment.
I think a full blown example would be great here (Including IAM Role configuration, AssumePolicy and so on)
Also pointing out the two options using Instance Profile + Assume Role (useAmbientCerds=false) or AccessKey + SecretKey + AssumeRole. (useAmbientCerds=true)
There was a problem hiding this comment.
Yep, are these to auth methods mutually exclusive? If you could update comments on API types to explain this too, we may want to consider restructuring how auth is defined if so to make it fit better.. but let's first document what's what so we are all on the same page 😄
| klog.V(5).Infof("assuming role: %s", d.Role) | ||
| stsSvc := d.StsProvider(sess) | ||
| result, err := stsSvc.AssumeRole(&sts.AssumeRoleInput{ | ||
| DurationSeconds: aws.Int64(900), |
There was a problem hiding this comment.
Not too sure how long we use that GetSession(). A validation might take longer than 900 seconds and we might not cleanup properly.
It also might be the case that we always get a new session on every reconcile (@munnerz to confirm)
There was a problem hiding this comment.
It also might be the case that we always get a new session on every reconcile (@munnerz to confirm)
We do currently get a new session on each reconcile (although we don't always obtain a session on every reconcile, i.e. we only get one if we need to Present or CleanUp the record, so you shouldn't see 10s or hundreds of sessions being created for a single challenge)
There was a problem hiding this comment.
A validation might take longer than 900 seconds and we might not cleanup properly.
Good point! 1h is the sdk default and should be enough.
jetstack-bot
added
dco-signoff: no
jetstack-bot
added
size/XL
moolen
force-pushed
the
feat/route53-assume-role
branch
from
c7114cc
to
e6ac3d7
Compare
jetstack-bot
added
dco-signoff: yes
|
@simonswine & @munnerz i added docs for auth, policies, api spec and changed the |
|
ping @simonswine @munnerz |
|
Thanks for this 😄 /lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: moolen, munnerz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
jetstack-bot
added
the
approved
|
Would you mind also editing your original comment and adding a short (one-line) release note for this change? |
|
/retest |
1 similar comment
|
/retest |
jetstack-bot
added
release-note
|
/retest |
|
Can you run /lgtm cancel |
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
moolen
force-pushed
the
feat/route53-assume-role
branch
from
6664746
to
5915872
Compare
jetstack-bot
added
the
area/deploy
|
i rebased, updated the CRDs and squashed the commits. that should do it 🤞 *edit |
|
/lgtm |
What this PR does / why we need it:
This PR adds the field
roleto the route53 dns provider. It allows users to specify a role per route53 provider which lets them manage zones in other accounts. see discussion at #1274Which issue this PR fixes: fixes #1274
Special notes for your reviewer:
There is bunch of documentation missing regarding route53 (see #1750). This PR will add a minimum-viable documentation only for this specific field.
The assume-role logic itself is trivial but i really wanted a way to test the behavior (hence the indirection using
type sessionProvider).Release note: