support assumeRoleWithWebIdentity for Route53 issuer

deploy/crds/crd-challenges.yaml

@@ -492,6 +492,41 @@ spec:
  Name of the resource being referred to.
  More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  type: string
+ auth:
+ description: Auth configures how cert-manager authenticates.
+ type: object
+ required:
+ - kubernetes
+ properties:
+ kubernetes:
+ description: |-
+ Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+ by passing a bound ServiceAccount token.
+ type: object
+ required:
+ - serviceAccountRef
+ properties:
+ serviceAccountRef:
+ description: |-
+ A reference to a service account that will be used to request a bound
+ token (also known as "projected token"). To use this field, you must
+ configure an RBAC rule to let cert-manager request a token.
+ type: object
+ required:
+ - name
+ properties:
+ audiences:
+ description: |-
+ TokenAudiences is an optional list of audiences to include in the
+ token passed to AWS. The default token consisting of the issuer's namespace
+ and name is always included.
+ If unset the audience defaults to `sts.amazonaws.com`.
+ type: array
+ items:
+ type: string
+ name:
+ description: Name of the ServiceAccount used to request a token.
+ type: string
  hostedZoneID:
  description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
  type: string

deploy/crds/crd-clusterissuers.yaml

@@ -599,6 +599,41 @@ spec:
  Name of the resource being referred to.
  More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  type: string
+ auth:
+ description: Auth configures how cert-manager authenticates.
+ type: object
+ required:
+ - kubernetes
+ properties:
+ kubernetes:
+ description: |-
+ Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+ by passing a bound ServiceAccount token.
+ type: object
+ required:
+ - serviceAccountRef
+ properties:
+ serviceAccountRef:
+ description: |-
+ A reference to a service account that will be used to request a bound
+ token (also known as "projected token"). To use this field, you must
+ configure an RBAC rule to let cert-manager request a token.
+ type: object
+ required:
+ - name
+ properties:
+ audiences:
+ description: |-
+ TokenAudiences is an optional list of audiences to include in the
+ token passed to AWS. The default token consisting of the issuer's namespace
+ and name is always included.
+ If unset the audience defaults to `sts.amazonaws.com`.
+ type: array
+ items:
+ type: string
+ name:
+ description: Name of the ServiceAccount used to request a token.
+ type: string
  hostedZoneID:
  description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
  type: string

deploy/crds/crd-issuers.yaml

@@ -599,6 +599,41 @@ spec:
  Name of the resource being referred to.
  More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  type: string
+ auth:
+ description: Auth configures how cert-manager authenticates.
+ type: object
+ required:
+ - kubernetes
+ properties:
+ kubernetes:
+ description: |-
+ Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+ by passing a bound ServiceAccount token.
+ type: object
+ required:
+ - serviceAccountRef
+ properties:
+ serviceAccountRef:
+ description: |-
+ A reference to a service account that will be used to request a bound
+ token (also known as "projected token"). To use this field, you must
+ configure an RBAC rule to let cert-manager request a token.
+ type: object
+ required:
+ - name
+ properties:
+ audiences:
+ description: |-
+ TokenAudiences is an optional list of audiences to include in the
+ token passed to AWS. The default token consisting of the issuer's namespace
+ and name is always included.
+ If unset the audience defaults to `sts.amazonaws.com`.
+ type: array
+ items:
+ type: string
+ name:
+ description: Name of the ServiceAccount used to request a token.
+ type: string
  hostedZoneID:
  description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
  type: string

hack/webIdentityToken

@@ -0,0 +1 @@
+eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNzEwMzUxNjM4LCJpc3MiOiJodHRwczovL2V4YW1wbGUuY29tIiwiYXVkIjoiaHR0cHM6Ly9leGFtcGxlLmNvbSIsImV4cCI6MTc0MTg4NzYwOH0.yu4G8_3ZDsWA1wJC4jZjh9FCEGbW0eke1ffFw1Xhvvw

internal/apis/acme/types_issuer.go

@@ -421,6 +421,9 @@ type ACMEIssuerDNS01ProviderDigitalOcean struct {
 // ACMEIssuerDNS01ProviderRoute53 is a structure containing the Route 53
 // configuration for AWS
 type ACMEIssuerDNS01ProviderRoute53 struct {
+ // Auth configures how cert-manager authenticates.
+ Auth *Route53Auth
+
  // The AccessKeyID is used for authentication.
  // Cannot be set when SecretAccessKeyID is set.
  // If neither the Access Key nor Key ID are set, we fall-back to using env
@@ -453,6 +456,35 @@ type ACMEIssuerDNS01ProviderRoute53 struct {
  Region string
 }
 
+// Route53Auth is configuration used to authenticate with a Route53.
+type Route53Auth struct {
+ // Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+ // by passing a bound ServiceAccount token.
+ Kubernetes *Route53KubernetesAuth
+}
+
+// Route53KubernetesAuth is a configuration to authenticate against Route53
+// using a bound Kubernetes ServiceAccount token.
+type Route53KubernetesAuth struct {
+ // A reference to a service account that will be used to request a bound
+ // token (also known as "projected token"). To use this field, you must
+ // configure an RBAC rule to let cert-manager request a token.
+ ServiceAccountRef *ServiceAccountRef
+}
+
+// ServiceAccountRef is a service account used by cert-manager to request a
+// token. The expiration of the token is also set by cert-manager to 10 minutes.
+type ServiceAccountRef struct {
+ // Name of the ServiceAccount used to request a token.
+ Name string
+
+ // TokenAudiences is an optional list of audiences to include in the
+ // token passed to AWS. The default token consisting of the issuer's namespace
+ // and name is always included.
+ // If unset the audience defaults to `sts.amazonaws.com`.
+ TokenAudiences []string
+}
+
 // ACMEIssuerDNS01ProviderAzureDNS is a structure containing the
 // configuration for Azure DNS
 type ACMEIssuerDNS01ProviderAzureDNS struct {

internal/apis/acme/v1alpha2/types_issuer.go

@@ -475,6 +475,10 @@ type ACMEIssuerDNS01ProviderDigitalOcean struct {
 // ACMEIssuerDNS01ProviderRoute53 is a structure containing the Route 53
 // configuration for AWS
 type ACMEIssuerDNS01ProviderRoute53 struct {
+ // Auth configures how cert-manager authenticates.
+ // +optional
+ Auth *Route53Auth `json:"auth,omitempty"`
+
  // The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata
  // see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  // +optional
@@ -503,6 +507,36 @@ type ACMEIssuerDNS01ProviderRoute53 struct {
  Region string `json:"region"`
 }
 
+// Route53Auth is configuration used to authenticate with a Route53.
+type Route53Auth struct {
+ // Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+ // by passing a bound ServiceAccount token.
+ Kubernetes *Route53KubernetesAuth `json:"kubernetes"`
+}
+
+// Route53KubernetesAuth is a configuration to authenticate against Route53
+// using a bound Kubernetes ServiceAccount token.
+type Route53KubernetesAuth struct {
+ // A reference to a service account that will be used to request a bound
+ // token (also known as "projected token"). To use this field, you must
+ // configure an RBAC rule to let cert-manager request a token.
+ ServiceAccountRef *ServiceAccountRef `json:"serviceAccountRef"`
+}
+
+// ServiceAccountRef is a service account used by cert-manager to request a
+// token. The expiration of the token is also set by cert-manager to 10 minutes.
+type ServiceAccountRef struct {
+ // Name of the ServiceAccount used to request a token.
+ Name string `json:"name"`
+
+ // TokenAudiences is an optional list of audiences to include in the
+ // token passed to AWS. The default token consisting of the issuer's namespace
+ // and name is always included.
+ // If unset the audience defaults to `sts.amazonaws.com`.
+ // +optional
+ TokenAudiences []string `json:"audiences,omitempty"`
+}
+
 // ACMEIssuerDNS01ProviderAzureDNS is a structure containing the
 // configuration for Azure DNS
 type ACMEIssuerDNS01ProviderAzureDNS struct {