Route53: Allow STS token to be refreshed by the AWS client if necessary #7236
Conversation
This comment was marked as outdated.
This comment was marked as outdated.
| ServiceAccountName: providerConfig.Route53.Auth.Kubernetes.ServiceAccountRef.Name, | ||
| Audiences: audiences, | ||
| Namespace: resourceNamespace, | ||
| Client: s.Client.CoreV1().ServiceAccounts(resourceNamespace), | ||
| } |
There was a problem hiding this comment.
Instead of creating a Kubernetes service account token every time we instantiate the solver,
this instead provides a custom IdentityTokenRetriever which the AWS-SDK can call as and when it needs the token.
This also allows the AWS client to refresh the STS token if the DNS-01 prepare or cleanup operations are delayed or if an AWS endpoint is unreachable or returns an error and the AWS client needs to retry any of the STS or Route53 operations.
pkg/apis/acme/v1/types_issuer.go
Outdated
| @@ -630,6 +630,7 @@ type ServiceAccountRef struct { | |||
| // and name is always included. | |||
| // If unset the audience defaults to `sts.amazonaws.com`. | |||
| // +optional | |||
| // +default=["sts.amazonaws.com"] | |||
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
d5079a0 to
ad30b33
Compare
5e5f1cb to
6d921ff
Compare
6d921ff to
0760094
Compare
|
/kind bug feature |
1083eb7 to
4bed2f9
Compare
3e74a05 to
5315300
Compare
…own STS client Signed-off-by: Richard Wall <richard.wall@venafi.com>
5315300 to
440cd54
Compare
| RoleArn: aws.String(d.Role), | ||
| RoleSessionName: aws.String("cert-manager"), | ||
| }) | ||
| case d.AccessKeyID != "" && d.SecretAccessKey != "": |
There was a problem hiding this comment.
It is very hard to follow the refactor of this switch statement, would it be possible to move this to a seperate PR?
|
Issues go stale after 90d of inactivity. |
|
Stale issues rot after 30d of inactivity. |
|
Rotten issues close after 30d of inactivity. |
|
@cert-manager-bot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/remove-lifecycle rotten |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@wallrj: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
An alternative approach to #7235.
Instead of creating a bespoke STS client and STS credential provider, this branch just uses the AWS-SDK LoadDefaultConfig mechanisms which creates an STS client if Assume role configuration is provided.
Fixes: #7102
Fixes: #5455
Fixes: cert-manager/website#56