Allow non-static AWS credentials for Route 53.

This change maintains backwards compatibility, but makes the `accessKeyID` and `secretAccessKeySecretRef` fields of the `route53` DNS provider optional.
If not provided, AWS credentials will be loaded from `AWS_*` environment variables or the EC2 metadata service.
This should also work for things that impersonate the EC2 metadata service, such as [kube2iam](https://github.com/jtblin/kube2iam) and [kiam](https://github.com/uswitch/kiam).

Signed-off-by: Matt Moyer <moyer@heptio.com>
This commit is contained in:
Matt Moyer 2018-01-11 12:05:19 -06:00 committed by Euan Kemp
parent 37ed6f3ab1
commit 1236a93d1e
3 changed files with 27 additions and 12 deletions


@ -125,8 +125,13 @@ clouddns:
```yaml
route53:
accessKeyID: AKIAIOSFODNN7EXAMPLE
region: eu-west-1
# optional -- if not specified, load credentials from from standard AWS
# environment variables or from EC2 instance metadata
accessKeyID: AKIAIOSFODNN7EXAMPLE
# also optional
secretAccessKeySecretRef:
name: prod-route53-credentials-secret
key: secret-access-key


@ -156,14 +156,18 @@ func (s *Solver) solverFor(crt *v1alpha1.Certificate, domain string) (solver, er
return nil, fmt.Errorf("error instantiating cloudflare challenge solver: %s", err.Error())
}
case providerConfig.Route53 != nil:
secretAccessKeySecret, err := s.secretLister.Secrets(s.resourceNamespace).Get(providerConfig.Route53.SecretAccessKey.Name)
if err != nil {
return nil, fmt.Errorf("error getting route53 secret access key: %s", err.Error())
}
secretAccessKey := ""
if providerConfig.Route53.SecretAccessKey.Name != "" {
secretAccessKeySecret, err := s.secretLister.Secrets(s.resourceNamespace).Get(providerConfig.Route53.SecretAccessKey.Name)
if err != nil {
return nil, fmt.Errorf("error getting route53 secret access key: %s", err.Error())
}
secretAccessKeyBytes, ok := secretAccessKeySecret.Data[providerConfig.Route53.SecretAccessKey.Key]
if !ok {
return nil, fmt.Errorf("error getting route53 secret access key: key '%s' not found in secret", providerConfig.Route53.SecretAccessKey.Key)
secretAccessKeyBytes, ok := secretAccessKeySecret.Data[providerConfig.Route53.SecretAccessKey.Key]
if !ok {
return nil, fmt.Errorf("error getting route53 secret access key: key '%s' not found in secret", providerConfig.Route53.SecretAccessKey.Key)
}
secretAccessKey = string(secretAccessKeyBytes)
}
impl, err = s.dnsProviderConstructors.route53(
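Review bot: The new guard at `if providerConfig.Route53.SecretAccessKey.Name != ""` only looks at the secret ref, so an issuer that sets `accessKeyID` but omits `secretAccessKeySecretRef` (or the reverse) reaches the constructor with one empty credential and, per the `accessKeyID != "" && secretAccessKey != ""` check in the route53 section below, silently falls back to the pod's ambient AWS credentials instead of failing. A half-specified static credential then ends up using the instance-role or kube2iam identity with no signal to the operator, which is the opposite of what an explicit `accessKeyID` expresses. I would reject that case here, before the secret lookup: `if (providerConfig.Route53.AccessKeyID != "") != (providerConfig.Route53.SecretAccessKey.Name != "") {` / `return nil, fmt.Errorf("error configuring route53 challenge solver: accessKeyID and secretAccessKeySecretRef must be set together or both omitted")` / `}` (assuming the Go field behind the yaml `accessKeyID` is `AccessKeyID`; adjust if it is named differently). solverFor starts and ends outside this hunk, and the matching fallback in NewDNSProviderAccessKey is in the next file section, which is cut off in this view.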


@ -83,13 +83,19 @@ func NewDNSProvider() (*DNSProvider, error) {
// NewDNSProviderAccessKey returns a DNSProvider instance configured for the AWS
// Route 53 service using static credentials from its parameters
func NewDNSProviderAccessKey(accessKeyID, secretAccessKey, hostedZoneID, region string) (*DNSProvider, error) {
creds := credentials.NewStaticCredentials(accessKeyID, secretAccessKey, "")
r := customRetryer{}
r.NumMaxRetries = maxRetries
config := request.WithRetryer(aws.NewConfig(), r).WithCredentials(creds)
config := request.WithRetryer(aws.NewConfig(), r)
// If an accessKeyID and secretAccessKey were set, use them. Otherwise, fall
// back on the aws-sdk-go's default credential handling behavior which loads
// from environment variables, shared credential file or EC2 instance role:
// https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials.
if accessKeyID != "" && secretAccessKey != "" {
creds := credentials.NewStaticCredentials(accessKeyID, secretAccessKey, "")
config.WithCredentials(creds)
}
if region != "" {
config.WithRegion(region)