
Support for cert-manager #745

Closed
Yannig opened this issue Apr 19, 2019 · 3 comments

Comments

@Yannig
Contributor

commented Apr 19, 2019

Why do you want this feature?

When adding cert-manager with a cluster created by eksctl, I'm not able to create a certificate.

This issue will be followed by a PR.

What feature/behavior/change do you want?

The problem came from the default policy used with --external-dns-access:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "route53:ListHostedZones",
                "route53:ListResourceRecordSets"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

In this case, the cert-manager pod sends errors of this kind:

I0419 12:14:12.777229       1 controller.go:205] challenges controller: syncing item 'kube-system/bla-bla-961647875-0'
I0419 12:14:12.777482       1 dns.go:89] Presenting DNS01 challenge for domain "bla.bla"
E0419 12:14:13.157374       1 controller.go:207] challenges controller: Re-queuing item "kube-system/bla-bla-961647875-0" due to error processing: Failed to determine Route 53 hosted zone ID: AccessDenied: User: arn:aws:sts::xxx:assumed-role/eksctl-prod-a-nodegroup-ng-baxxxx-NodeInstanceRole-XXX/i-xxx is not authorized to perform: route53:ListHostedZonesByName
        status code: 403, request id: xx-xx-xx-xx-xx

If I add "route53:ListHostedZonesByName", the error becomes:

I0419 12:15:33.157661       1 controller.go:205] challenges controller: syncing item 'kube-system/bla-bla-961647875-0'
I0419 12:15:33.157908       1 dns.go:89] Presenting DNS01 challenge for domain "bla.bla"
E0419 12:17:36.674535       1 controller.go:207] challenges controller: Re-queuing item "kube-system/bla-bla-961647875-0" due to error processing: Time limit exceeded. Last error: Failed to query Route 53 change status: AccessDenied: User: arn:aws:sts::121748747150:assumed-role/eksctl-prod-a-nodegroup-ng-ba8014-NodeInstanceRole-XXX/i-xxx is not authorized to perform: route53:GetChange on resource: arn:aws:route53:::change/xxx
        status code: 403, request id: xx-xx-xx-xx-xx

To get it working, I need the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "route53:ListHostedZones",
                "route53:ListResourceRecordSets",
                "route53:ListHostedZonesByName",
                "route53:GetChange"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
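To check a node-role policy against the four Route 53 actions this issue identifies before deploying cert-manager, here is a small added example (not part of eksctl or cert-manager). It assumes every statement applies to the resource in question (Resource "*", no Conditions) and only evaluates Action wildcards and Allow/Deny precedence:

```python
import fnmatch
import json

# Route 53 actions cert-manager's DNS01 solver needs, taken from this issue:
# the two in the original --external-dns-access policy plus the two it failed on.
REQUIRED_ACTIONS = {
    "route53:ListHostedZones",
    "route53:ListResourceRecordSets",
    "route53:ListHostedZonesByName",
    "route53:GetChange",
}


def _as_list(value):
    # IAM allows "Statement" and "Action" to be a single value or a list.
    return value if isinstance(value, list) else [value]


def allowed_actions(policy_doc, required=REQUIRED_ACTIONS):
    """Return the subset of `required` the policy document allows.

    Action names are matched case-insensitively with IAM-style wildcards
    (e.g. "route53:*" or "route53:List*"), and an explicit Deny overrides
    any Allow, as in IAM. Resource and Condition are assumed to match
    (i.e. the statement is as broad as "Resource": "*").
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy_doc.get("Statement", [])):
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for action in required:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                target.add(action)
    return allowed - denied


def missing_actions(policy_json, required=REQUIRED_ACTIONS):
    """Sorted list of required actions the JSON policy does not grant."""
    return sorted(required - allowed_actions(json.loads(policy_json), required))


# Constructed sample: the default external-dns policy quoted in this issue.
EXTERNAL_DNS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["route53:ListHostedZones", "route53:ListResourceRecordSets"],
        "Resource": "*",
        "Effect": "Allow",
    }],
})

if __name__ == "__main__":
    print("missing:", missing_actions(EXTERNAL_DNS_POLICY))
```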
Yannig added a commit to Yannig/eksctl that referenced this issue Apr 19, 2019
@errordeveloper

Member

commented Apr 24, 2019

Yannig added a commit to Yannig/eksctl that referenced this issue Jun 1, 2019
@JoaAlteos


commented Jun 13, 2019

I am also having a similar issue, at the moment I have manually added the policy via IAM but that causes a drift of the stack on AWS CloudFormation.

It would be awesome if this could be looked into, as this PR seems to fix the issue.
I am not sure though whether it should be enabled by default, would it make sense for it to be part of the addon policies?

nodeGroups:
    - name: node-group-1
      iam:
        withAddonPolicies:
          ebs: true
          autoScaler: true
          externalDNS: true
          certManager: true

Thanks @Yannig

Yannig added a commit to Yannig/eksctl that referenced this issue Jun 14, 2019
@Yannig Yannig referenced this issue Jun 14, 2019
4 of 6 tasks complete

@errordeveloper errordeveloper modified the milestones: 0.1.37, 0.1.36 Jun 14, 2019

@errordeveloper

Member

commented Jun 17, 2019

Closed via #885.
