Issuer with IRSA needs ambient credentials flag
This should help reduce the amount of time people might waste trying to figure out how to resolve the following error:
```
error instantiating route53 challenge solver: unable to construct route53 provider: empty credentials; perhaps you meant to enable ambient credentials?
```
A couple of related bug reports:
- https://github.com/jetstack/cert-manager/issues/3009
- https://github.com/jetstack/cert-manager/issues/3079
Deploy Preview for cert-manager-website ready!
| Name | Link |
|---|---|
| Latest commit | f855dce2c8862e739e8f9520e3158f3a036f234c |
| Latest deploy log | https://app.netlify.com/sites/cert-manager-website/deploys/6256dfd4673d9900099420f8 |
| Deploy Preview | https://deploy-preview-701--cert-manager-website.netlify.app |
Hi @rossigee. Thanks for your PR.
I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.
Once the patch is verified, the new status will be reflected by the ok-to-test label.
I understand the commands that are listed here.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/assign @meyskens
I'm curious if any of the maintainers can chime in here with why the Issuer and ClusterIssuer have different functionality here? Shouldn't either one be trying to use the modern AWS SDK to its full extent and collecting credentials from all supported sources?
/ok-to-test
> I'm curious if any of the maintainers can chime in here with why the Issuer and ClusterIssuer have different functionality here? Shouldn't either one be trying to use the modern AWS SDK to its full extent and collecting credentials from all supported sources?
I found the answer in a document which we obviously forgot to port over to the new website:
https://github.com/jetstack/cert-manager/blob/95883c47dd31ad6c0e7652a192e4c51981d67592/docs/user-guides/ambient-credentials.md?plain=1#L33-L46
> ## When are Ambient Credentials used
>
> Ambient credentials are supported for the 'route53' ACME dns01 provider.
>
> They will only be used if no credentials are supplied, even if the supplied credentials are incorrect.
>
> By default, they may be used by ClusterIssuers, but not regular issuers. The
> `--issuer-ambient-credentials` and
> `--cluster-issuer-ambient-credentials=false` flags on the cert-manager may be
> used to override this behavior.
>
> Note that ambient credentials are disabled for regular Issuers by default to
> ensure unprivileged users who may create issuers cannot issue certificates
> using any credentials cert-manager incidentally has access to.
So I suggest we add that to the current docs
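
The rule quoted above, turned into an audit over Issuer and ClusterIssuer objects. This is an added example, not part of the pull request or of cert-manager's code. The sample objects are constructed, the credential field names are assumed from cert-manager's route53 solver API, and `audit` and its parameters are hypothetical names.

```python
# Added example: classify Route53 solvers by how they would obtain AWS credentials.
# Sample objects are constructed; they mimic `kubectl get issuers,clusterissuers -A -o json`.
SAMPLE_ITEMS = [
    {"kind": "Issuer", "metadata": {"namespace": "team-a", "name": "le-irsa"},
     "spec": {"acme": {"solvers": [{"dns01": {"route53": {"region": "eu-west-1"}}}]}}},
    {"kind": "ClusterIssuer", "metadata": {"name": "le-cluster"},
     "spec": {"acme": {"solvers": [{"dns01": {"route53": {"region": "eu-west-1"}}}]}}},
    {"kind": "Issuer", "metadata": {"namespace": "team-b", "name": "le-static"},
     "spec": {"acme": {"solvers": [{"dns01": {"route53": {
         "region": "eu-west-1",
         "accessKeyIDSecretRef": {"name": "aws", "key": "id"},
         "secretAccessKeySecretRef": {"name": "aws", "key": "secret"}}}}]}}},
]

# Static-credential fields of the route53 solver (assumed from cert-manager's Issuer API).
CREDENTIAL_FIELDS = ("accessKeyID", "accessKeyIDSecretRef", "secretAccessKeySecretRef")

def route53_solvers(obj):
    """Yield every dns01.route53 block of an Issuer/ClusterIssuer object."""
    acme = (obj.get("spec") or {}).get("acme") or {}
    for solver in acme.get("solvers") or []:
        r53 = (solver.get("dns01") or {}).get("route53")
        if r53 is not None:
            yield r53

def audit(items, issuer_ambient=False, cluster_issuer_ambient=True):
    """Return (kind, namespace/name, status) per solver.

    Defaults mirror the quoted doc: ambient allowed for ClusterIssuers only.
    """
    findings = []
    for obj in items:
        kind, meta = obj.get("kind"), obj.get("metadata") or {}
        ref = "/".join(p for p in (meta.get("namespace"), meta.get("name")) if p)
        allowed = cluster_issuer_ambient if kind == "ClusterIssuer" else issuer_ambient
        for r53 in route53_solvers(obj):
            if any(r53.get(f) for f in CREDENTIAL_FIELDS):
                status = "explicit"   # supplied credentials win, even if wrong
            elif allowed:
                status = "ambient"    # falls back to IRSA / instance credentials
            else:
                status = "blocked"    # fails with "empty credentials"
            findings.append((kind, ref, status))
    return findings

if __name__ == "__main__":
    for row in audit(SAMPLE_ITEMS):
        print(*row)
```

Run with the defaults, a `blocked` row identifies an Issuer that will hit the error from the PR description; re-running with `issuer_ambient=True` shows which namespaced Issuers would start using the controller's own credentials.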
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: rossigee
To complete the pull request process, please assign maelvls after the PR has been reviewed.
You can assign the PR to them by writing /assign @maelvls in a comment when ready.
The full list of commands accepted by this bot can be found here.
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits.
:memo: Please follow instructions in the contributing guide to update your commits with the DCO
Full details of the Developer Certificate of Origin can be found at developercertificate.org.
The list of commits missing DCO signoff:
- 8775d48 Issuer with IRSA needs ambient credentials flag
- f855dce Re-use existing documentation describing ambient credentials for non-cluster Issuers.
@rossigee: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:
| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| pull-cert-manager-website-verify | f855dce2c8862e739e8f9520e3158f3a036f234c | link | true | /test pull-cert-manager-website-verify |
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.
PR needs rebase.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.