diff --git a/deploy/crds/crd-challenges.yaml b/deploy/crds/crd-challenges.yaml
index 6f62ee8ed..7c8bcb084 100644
--- a/deploy/crds/crd-challenges.yaml
+++ b/deploy/crds/crd-challenges.yaml
@@ -329,6 +329,18 @@ spec:
 accessKeyID:
 description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
 type: string
+ accessKeyIDSecretRef:
+ description: The SecretAccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
 hostedZoneID:
 description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
 type: string
diff --git a/deploy/crds/crd-clusterissuers.yaml b/deploy/crds/crd-clusterissuers.yaml
index 66726210e..2ce14ffa2 100644
--- a/deploy/crds/crd-clusterissuers.yaml
+++ b/deploy/crds/crd-clusterissuers.yaml
@@ -364,6 +364,18 @@ spec:
 accessKeyID:
 description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
 type: string
+ accessKeyIDSecretRef:
+ description: The SecretAccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
 hostedZoneID:
 description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
 type: string
diff --git a/deploy/crds/crd-issuers.yaml b/deploy/crds/crd-issuers.yaml
index fa158ebca..fad893c4f 100644
--- a/deploy/crds/crd-issuers.yaml
+++ b/deploy/crds/crd-issuers.yaml
@@ -364,6 +364,18 @@ spec:
 accessKeyID:
 description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
 type: string
+ accessKeyIDSecretRef:
+ description: The SecretAccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
 hostedZoneID:
 description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
 type: string
diff --git a/internal/apis/acme/types_issuer.go b/internal/apis/acme/types_issuer.go
index 9019b9db7..03060af8b 100644
--- a/internal/apis/acme/types_issuer.go
+++ b/internal/apis/acme/types_issuer.go
@@ -403,6 +403,10 @@ type ACMEIssuerDNS01ProviderRoute53 struct {
 // see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
 AccessKeyID string
 
+ // The SecretAccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata
+ // https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+ SecretAccessKeyID cmmeta.SecretKeySelector
+
 // The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata
 // https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
 SecretAccessKey cmmeta.SecretKeySelector
diff --git a/internal/apis/acme/v1/zz_generated.conversion.go b/internal/apis/acme/v1/zz_generated.conversion.go
index ec3ce1a05..8ee336f2a 100644
--- a/internal/apis/acme/v1/zz_generated.conversion.go
+++ b/internal/apis/acme/v1/zz_generated.conversion.go
@@ -1205,6 +1205,9 @@ func Convert_acme_ACMEIssuerDNS01ProviderRFC2136_To_v1_ACMEIssuerDNS01ProviderRF
 
 func autoConvert_v1_ACMEIssuerDNS01ProviderRoute53_To_acme_ACMEIssuerDNS01ProviderRoute53(in *v1.ACMEIssuerDNS01ProviderRoute53, out *acme.ACMEIssuerDNS01ProviderRoute53, s conversion.Scope) error {
 out.AccessKeyID = in.AccessKeyID
+ if err := metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.SecretAccessKeyID, &out.SecretAccessKeyID, s); err != nil {
+ return err
+ }
 if err := metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.SecretAccessKey, &out.SecretAccessKey, s); err != nil {
 return err
 }
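Review bot: The doc comment on the new field, `The SecretAccessKeyID is used for authentication`, describes it as the ID of the secret access key, whereas the field is a reference to a Secret key holding the AWS access key ID (the versioned types serialise it as `accessKeyIDSecretRef`); the same wording is repeated in the v1alpha2, v1alpha3, v1beta1 and pkg/apis/acme/v1 types in this diff and flows from there into the CRD descriptions. The Go name has the same problem: `SecretAccessKeyID` sits directly above `SecretAccessKey` and is easily confused with it, so a name matching the JSON tag, `AccessKeyIDSecretRef cmmeta.SecretKeySelector`, would be clearer, and pkg/apis/acme/v1 is public API once released. Suggested comment: `// AccessKeyIDSecretRef references a key of a Secret holding the AWS access key ID. When set it takes precedence over AccessKeyID; if neither is set we fall back to env vars, shared credentials file or AWS Instance metadata (see the link on AccessKeyID).` The precedence statement is grounded in pkg/issuer/acme/dns/dns.go in this diff, where the Secret value overwrites the inline AccessKeyID. The struct definition continues outside the hunk.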
@@ -1221,6 +1224,9 @@ func Convert_v1_ACMEIssuerDNS01ProviderRoute53_To_acme_ACMEIssuerDNS01ProviderRo
 
 func autoConvert_acme_ACMEIssuerDNS01ProviderRoute53_To_v1_ACMEIssuerDNS01ProviderRoute53(in *acme.ACMEIssuerDNS01ProviderRoute53, out *v1.ACMEIssuerDNS01ProviderRoute53, s conversion.Scope) error {
 out.AccessKeyID = in.AccessKeyID
+ if err := metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.SecretAccessKeyID, &out.SecretAccessKeyID, s); err != nil {
+ return err
+ }
 if err := metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.SecretAccessKey, &out.SecretAccessKey, s); err != nil {
 return err
 }
diff --git a/internal/apis/acme/v1alpha2/types_issuer.go b/internal/apis/acme/v1alpha2/types_issuer.go
index 67200a400..4e5699489 100644
--- a/internal/apis/acme/v1alpha2/types_issuer.go
+++ b/internal/apis/acme/v1alpha2/types_issuer.go
@@ -457,6 +457,11 @@ type ACMEIssuerDNS01ProviderRoute53 struct {
 // +optional
 AccessKeyID string `json:"accessKeyID,omitempty"`
 
+ // The SecretAccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata
+ // https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+ // +optional
+ SecretAccessKeyID cmmeta.SecretKeySelector `json:"accessKeyIDSecretRef"`
+
 // The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata
 // https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
 // +optional
diff --git a/internal/apis/acme/v1alpha2/zz_generated.conversion.go b/internal/apis/acme/v1alpha2/zz_generated.conversion.go
index 6b93f9387..daa0c186a 100644
--- a/internal/apis/acme/v1alpha2/zz_generated.conversion.go
+++ b/internal/apis/acme/v1alpha2/zz_generated.conversion.go
@@ -1204,6 +1204,9 @@ func Convert_acme_ACMEIssuerDNS01ProviderRFC2136_To_v1alpha2_ACMEIssuerDNS01Prov
 
 func autoConvert_v1alpha2_ACMEIssuerDNS01ProviderRoute53_To_acme_ACMEIssuerDNS01ProviderRoute53(in *ACMEIssuerDNS01ProviderRoute53, out *acme.ACMEIssuerDNS01ProviderRoute53, s conversion.Scope) error {
 out.AccessKeyID = in.AccessKeyID
+ if err := metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.SecretAccessKeyID, &out.SecretAccessKeyID, s); err != nil {
+ return err
+ }
 if err := metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.SecretAccessKey, &out.SecretAccessKey, s); err != nil {
 return err
 }
@@ -1220,6 +1223,9 @@ func Convert_v1alpha2_ACMEIssuerDNS01ProviderRoute53_To_acme_ACMEIssuerDNS01Prov
 
 func autoConvert_acme_ACMEIssuerDNS01ProviderRoute53_To_v1alpha2_ACMEIssuerDNS01ProviderRoute53(in *acme.ACMEIssuerDNS01ProviderRoute53, out *ACMEIssuerDNS01ProviderRoute53, s conversion.Scope) error {
 out.AccessKeyID = in.AccessKeyID
+ if err := metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.SecretAccessKeyID, &out.SecretAccessKeyID, s); err != nil {
+ return err
+ }
 if err := metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.SecretAccessKey, &out.SecretAccessKey, s); err != nil {
 return err
 }
diff --git a/internal/apis/acme/v1alpha2/zz_generated.deepcopy.go b/internal/apis/acme/v1alpha2/zz_generated.deepcopy.go
index b7f307116..22f76d141 100644
--- a/internal/apis/acme/v1alpha2/zz_generated.deepcopy.go
+++ b/internal/apis/acme/v1alpha2/zz_generated.deepcopy.go
@@ -573,6 +573,7 @@ func (in *ACMEIssuerDNS01ProviderRFC2136) DeepCopy() *ACMEIssuerDNS01ProviderRFC
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ACMEIssuerDNS01ProviderRoute53) DeepCopyInto(out *ACMEIssuerDNS01ProviderRoute53) {
 *out = *in
+ out.SecretAccessKeyID = in.SecretAccessKeyID
 out.SecretAccessKey = in.SecretAccessKey
 return
 }
diff --git a/internal/apis/acme/v1alpha3/types_issuer.go b/internal/apis/acme/v1alpha3/types_issuer.go
index 2e2e508a2..3c3576e98 100644
--- a/internal/apis/acme/v1alpha3/types_issuer.go
+++ b/internal/apis/acme/v1alpha3/types_issuer.go
@@ -457,6 +457,11 @@ type ACMEIssuerDNS01ProviderRoute53 struct {
 // +optional
 AccessKeyID string `json:"accessKeyID,omitempty"`
 
+ // The SecretAccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata
+ // https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+ // +optional
+ SecretAccessKeyID cmmeta.SecretKeySelector `json:"accessKeyIDSecretRef"`
+
 // The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata
 // https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
 // +optional
diff --git a/internal/apis/acme/v1alpha3/zz_generated.conversion.go b/internal/apis/acme/v1alpha3/zz_generated.conversion.go
index bbe65d289..698de3f03 100644
--- a/internal/apis/acme/v1alpha3/zz_generated.conversion.go
+++ b/internal/apis/acme/v1alpha3/zz_generated.conversion.go
@@ -1204,6 +1204,9 @@ func Convert_acme_ACMEIssuerDNS01ProviderRFC2136_To_v1alpha3_ACMEIssuerDNS01Prov
 
 func autoConvert_v1alpha3_ACMEIssuerDNS01ProviderRoute53_To_acme_ACMEIssuerDNS01ProviderRoute53(in *ACMEIssuerDNS01ProviderRoute53, out *acme.ACMEIssuerDNS01ProviderRoute53, s conversion.Scope) error {
 out.AccessKeyID = in.AccessKeyID
+ if err := metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.SecretAccessKeyID, &out.SecretAccessKeyID, s); err != nil {
+ return err
+ }
 if err := metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.SecretAccessKey, &out.SecretAccessKey, s); err != nil {
 return err
 }
@@ -1220,6 +1223,9 @@ func Convert_v1alpha3_ACMEIssuerDNS01ProviderRoute53_To_acme_ACMEIssuerDNS01Prov
 
 func autoConvert_acme_ACMEIssuerDNS01ProviderRoute53_To_v1alpha3_ACMEIssuerDNS01ProviderRoute53(in *acme.ACMEIssuerDNS01ProviderRoute53, out *ACMEIssuerDNS01ProviderRoute53, s conversion.Scope) error {
 out.AccessKeyID = in.AccessKeyID
+ if err := metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.SecretAccessKeyID, &out.SecretAccessKeyID, s); err != nil {
+ return err
+ }
 if err := metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.SecretAccessKey, &out.SecretAccessKey, s); err != nil {
 return err
 }
diff --git a/internal/apis/acme/v1alpha3/zz_generated.deepcopy.go b/internal/apis/acme/v1alpha3/zz_generated.deepcopy.go
index a20eacce9..7fc4fa9f4 100644
--- a/internal/apis/acme/v1alpha3/zz_generated.deepcopy.go
+++ b/internal/apis/acme/v1alpha3/zz_generated.deepcopy.go
@@ -573,6 +573,7 @@ func (in *ACMEIssuerDNS01ProviderRFC2136) DeepCopy() *ACMEIssuerDNS01ProviderRFC
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ACMEIssuerDNS01ProviderRoute53) DeepCopyInto(out *ACMEIssuerDNS01ProviderRoute53) {
 *out = *in
+ out.SecretAccessKeyID = in.SecretAccessKeyID
 out.SecretAccessKey = in.SecretAccessKey
 return
 }
diff --git a/internal/apis/acme/v1beta1/types_issuer.go b/internal/apis/acme/v1beta1/types_issuer.go
index 780f21f65..34ad47617 100644
--- a/internal/apis/acme/v1beta1/types_issuer.go
+++ b/internal/apis/acme/v1beta1/types_issuer.go
@@ -456,6 +456,11 @@ type ACMEIssuerDNS01ProviderRoute53 struct {
 // +optional
 AccessKeyID string `json:"accessKeyID,omitempty"`
 
+ // The SecretAccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata
+ // https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+ // +optional
+ SecretAccessKeyID cmmeta.SecretKeySelector `json:"accessKeyIDSecretRef"`
+
 // The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata
 // https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
 // +optional
diff --git a/internal/apis/acme/v1beta1/zz_generated.conversion.go b/internal/apis/acme/v1beta1/zz_generated.conversion.go
index 766cbab9e..0caab5f7f 100644
--- a/internal/apis/acme/v1beta1/zz_generated.conversion.go
+++ b/internal/apis/acme/v1beta1/zz_generated.conversion.go
@@ -1204,6 +1204,9 @@ func Convert_acme_ACMEIssuerDNS01ProviderRFC2136_To_v1beta1_ACMEIssuerDNS01Provi
 
 func autoConvert_v1beta1_ACMEIssuerDNS01ProviderRoute53_To_acme_ACMEIssuerDNS01ProviderRoute53(in *ACMEIssuerDNS01ProviderRoute53, out *acme.ACMEIssuerDNS01ProviderRoute53, s conversion.Scope) error {
 out.AccessKeyID = in.AccessKeyID
+ if err := metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.SecretAccessKeyID, &out.SecretAccessKeyID, s); err != nil {
+ return err
+ }
 if err := metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.SecretAccessKey, &out.SecretAccessKey, s); err != nil {
 return err
 }
@@ -1220,6 +1223,9 @@ func Convert_v1beta1_ACMEIssuerDNS01ProviderRoute53_To_acme_ACMEIssuerDNS01Provi
 
 func autoConvert_acme_ACMEIssuerDNS01ProviderRoute53_To_v1beta1_ACMEIssuerDNS01ProviderRoute53(in *acme.ACMEIssuerDNS01ProviderRoute53, out *ACMEIssuerDNS01ProviderRoute53, s conversion.Scope) error {
 out.AccessKeyID = in.AccessKeyID
+ if err := metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.SecretAccessKeyID, &out.SecretAccessKeyID, s); err != nil {
+ return err
+ }
 if err := metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.SecretAccessKey, &out.SecretAccessKey, s); err != nil {
 return err
 }
diff --git a/internal/apis/acme/v1beta1/zz_generated.deepcopy.go b/internal/apis/acme/v1beta1/zz_generated.deepcopy.go
index c9d14963e..49f0a4607 100644
--- a/internal/apis/acme/v1beta1/zz_generated.deepcopy.go
+++ b/internal/apis/acme/v1beta1/zz_generated.deepcopy.go
@@ -573,6 +573,7 @@ func (in *ACMEIssuerDNS01ProviderRFC2136) DeepCopy() *ACMEIssuerDNS01ProviderRFC
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ACMEIssuerDNS01ProviderRoute53) DeepCopyInto(out *ACMEIssuerDNS01ProviderRoute53) {
 *out = *in
+ out.SecretAccessKeyID = in.SecretAccessKeyID
 out.SecretAccessKey = in.SecretAccessKey
 return
 }
diff --git a/internal/apis/acme/zz_generated.deepcopy.go b/internal/apis/acme/zz_generated.deepcopy.go
index 1f2e49190..5646e70dd 100644
--- a/internal/apis/acme/zz_generated.deepcopy.go
+++ b/internal/apis/acme/zz_generated.deepcopy.go
@@ -573,6 +573,7 @@ func (in *ACMEIssuerDNS01ProviderRFC2136) DeepCopy() *ACMEIssuerDNS01ProviderRFC
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ACMEIssuerDNS01ProviderRoute53) DeepCopyInto(out *ACMEIssuerDNS01ProviderRoute53) {
 *out = *in
+ out.SecretAccessKeyID = in.SecretAccessKeyID
 out.SecretAccessKey = in.SecretAccessKey
 return
 }
diff --git a/pkg/apis/acme/v1/types_issuer.go b/pkg/apis/acme/v1/types_issuer.go
index 56c28f6b4..a08e57546 100644
--- a/pkg/apis/acme/v1/types_issuer.go
+++ b/pkg/apis/acme/v1/types_issuer.go
@@ -460,6 +460,11 @@ type ACMEIssuerDNS01ProviderRoute53 struct {
 // +optional
 AccessKeyID string `json:"accessKeyID,omitempty"`
 
+ // The SecretAccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata
+ // https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+ // +optional
+ SecretAccessKeyID cmmeta.SecretKeySelector `json:"accessKeyIDSecretRef"`
+
 // The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata
 // https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
 // +optional
diff --git a/pkg/apis/acme/v1/zz_generated.deepcopy.go b/pkg/apis/acme/v1/zz_generated.deepcopy.go
index bdd020a3f..6de6f2fe0 100644
--- a/pkg/apis/acme/v1/zz_generated.deepcopy.go
+++ b/pkg/apis/acme/v1/zz_generated.deepcopy.go
@@ -573,6 +573,7 @@ func (in *ACMEIssuerDNS01ProviderRFC2136) DeepCopy() *ACMEIssuerDNS01ProviderRFC
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ACMEIssuerDNS01ProviderRoute53) DeepCopyInto(out *ACMEIssuerDNS01ProviderRoute53) {
 *out = *in
+ out.SecretAccessKeyID = in.SecretAccessKeyID
 out.SecretAccessKey = in.SecretAccessKey
 return
 }
diff --git a/pkg/issuer/acme/dns/dns.go b/pkg/issuer/acme/dns/dns.go
index 50ba39543..b72d07a07 100644
--- a/pkg/issuer/acme/dns/dns.go
+++ b/pkg/issuer/acme/dns/dns.go
@@ -292,6 +292,20 @@ func (s *Solver) solverForChallenge(ctx context.Context, issuer v1.GenericIssuer
 }
 case providerConfig.Route53 != nil:
 dbg.Info("preparing to create Route53 provider")
+ secretAccessKeyID := strings.TrimSpace(providerConfig.Route53.AccessKeyID)
+ if providerConfig.Route53.SecretAccessKeyID.Name != "" {
+ secretAccessKeyIDSecret, err := s.secretLister.Secrets(resourceNamespace).Get(providerConfig.Route53.SecretAccessKeyID.Name)
+ if err != nil {
+ return nil, nil, fmt.Errorf("error getting route53 secret access key id: %s", err)
+ }
+
+ secretAccessKeyIDBytes, ok := secretAccessKeyIDSecret.Data[providerConfig.Route53.SecretAccessKeyID.Key]
+ if !ok {
+ return nil, nil, fmt.Errorf("error getting route53 secret access key id: key '%s' not found in secret", providerConfig.Route53.SecretAccessKeyID.Key)
+ }
+ secretAccessKeyID = string(secretAccessKeyIDBytes)
+ }
+
 secretAccessKey := ""
 if providerConfig.Route53.SecretAccessKey.Name != "" {
 secretAccessKeySecret, err := s.secretLister.Secrets(resourceNamespace).Get(providerConfig.Route53.SecretAccessKey.Name)
@@ -307,7 +321,7 @@ func (s *Solver) solverForChallenge(ctx context.Context, issuer v1.GenericIssuer
 }
 
 impl, err = s.dnsProviderConstructors.route53(
- strings.TrimSpace(providerConfig.Route53.AccessKeyID),
+ secretAccessKeyID,
 strings.TrimSpace(secretAccessKey),
 providerConfig.Route53.HostedZoneID,
 providerConfig.Route53.Region,
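Review bot: The value read from the Secret on the `secretAccessKeyID = string(secretAccessKeyIDBytes)` line is not trimmed, while the inline `AccessKeyID` goes through `strings.TrimSpace` on the first added line and `secretAccessKey` is trimmed at the `route53(` call in the next hunk; a Secret populated from a file or an `echo` typically carries a trailing newline, which would then be sent as part of the access key ID and most likely be rejected by AWS. Suggest `secretAccessKeyID = strings.TrimSpace(string(secretAccessKeyIDBytes))`. The local name `secretAccessKeyID` and the messages `error getting route53 secret access key id` are easy to confuse with the secret access key that is looked up immediately below; since this value is the access key ID, `accessKeyID` and `error getting route53 access key id: ...` would read better. When both the inline `AccessKeyID` and the secret ref are set, the Secret silently wins, which is probably intended but should be stated in the field's doc comment or rejected in validation. solverForChallenge starts before and ends after this hunk.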