New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
support assumeRoleWithWebIdentity for Route53 issuer #6878
support assumeRoleWithWebIdentity for Route53 issuer #6878
Conversation
Hi @pwhitehead-splunk. Thanks for your PR. I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/ok-to-test |
Looking at this implementation, it relies on a token mounted within the cert-manager Pod, meaning cert-manager needs a token with broad permissions mounted. Would it be better to implement it in a similar way to Vault? Allowing for the token to either be loaded from a secret or to be issued from a service account. Loading from a secret covers the use case of a non IRSA token, issuing from a service account covers the IRSA case. Could look like something like this in the issuer config:
or
|
@ThatsMrTalbot Thank you for the feedback! The implementation was written with the expectation that the end user would use the token from the projected volume that's provided by IRSA or Workload Identity. The motivation for this PR was to issue certs in AKS when using Route53 solvers without requiring static credentials. I'm not familiar with GCP but I'd expect there's a similar implementation. apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
...
solvers:
- dns01:
route53:
region: us-west-2
role: arn:aws:iam::YYYYYYYYYYYY:role/dns-manager # must trust the OIDC provider, should verify aud and sub
webIdentityToken: /var/run/secrets/azure/tokens/azure-identity-token # provided by Workload Identity Assuming the IAM Identity Provider and IAM role's trust is set up properly then the token's use is in line with its expected use case that IRSA/Workload Identity solves; we're exchanging a token for temporary credentials. The secret use case you mentioned is out of scope for what I hope to achieve, but if I follow your question properly, you're suggesting that we issue a new token with a configurable |
Hiya @pwhitehead-splunk Solutions like IRSA simply implement a mutating webhook to project a Kubernetes service account token with a different audience inside your pods. In the case of IRSA the audience is set to This implementation is true of both IRSA in AWS (https://github.com/aws/amazon-eks-pod-identity-webhook/blob/master/pkg/handler/handler.go#L332-L347) and Azure Workload Identity in AKS (https://github.com/Azure/azure-workload-identity/blob/9b60b5240fcbee6c2e4660b435a20dc2683ef945/pkg/webhook/webhook.go#L419-L438). What I was proposing is that instead of using the projected token in the cert-manager pod, we can issue a token ourselves using the TokenRequest API, this is something we already do in other parts the cert-manager codebase -
The TokenRequest API is the same API that is used by Kubelet for the projected service account tokens, which in turn are used by IRSA and Azure Workload Identity. So by requesting a token directly its achieving the same goal, without the need for cert-manager service account itself to have IAM permissions. The user can just reference a service account that has the needed IAM permissions and cert-manager can request a token itself. The token itself would look the same as one provided by IRSA or Azure Workload Identity. So my suggestion is basically instead of doing:
We do:
This has the added benefit of allowing different issuers to reference different service accounts with different IAM permissions in AWS. |
That makes sense, thanks for the clarification! I'll update the PR. |
76f5b53
to
d4df2a3
Compare
d4df2a3
to
0a42b47
Compare
47cc21f
to
ab6d57f
Compare
Signed-off-by: Paul Whitehead <[email protected]> fix test signature
Signed-off-by: Paul Whitehead <[email protected]>
ab6d57f
to
35571e0
Compare
Signed-off-by: Paul Whitehead <[email protected]>
@ThatsMrTalbot let me know what you think about the changes |
I really like this implementation, I think this will be a powerful secretless solution for AWS auth. I've had a quick skim and left a comment. Will give it a proper look tomorrow. Thanks for implementing this, its really cool 😄 |
Signed-off-by: Paul Whitehead <[email protected]>
/test pull-cert-manager-master-make-test |
Signed-off-by: Paul Whitehead <[email protected]>
/test pull-cert-manager-master-make-test |
Thanks very much for this! |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ThatsMrTalbot The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Pull Request Motivation
Update the Route53 provider to support fetching credentials using
AssumeRoleWithWebIdentity
.Kind
/kind feature
Release Note