external-dns
OCI provider: add support for instance principal authentication
Oracle Cloud Infrastructure (OCI) supports "instance principal" authentication. From the reference docs:
After you set up the required resources and policies, an application running on an instance can call Oracle Cloud Infrastructure public services, removing the need to configure user credentials or a configuration file.
This change adds support to the OCI provider for instance principal authentication when external-dns is run on an OCI instance (e.g. in OCI OKE). Existing support for key/fingerprint-based authentication is unchanged.
Checklist
- [x] Update changelog in CHANGELOG.md, use section "Unreleased".
/assign @raffo
Sorry, I didn't do a good job selling the benefit of this change in the original comment on the PR. Without this change, someone running external-dns on Oracle OCI, and using OCI DNS, must provide a valid private key in order to authenticate with OCI and call OCI API functions to list zones, list records, and update records. This creates the possibility that an attacker who gains access to the running instance of external-dns will gain unauthorized access to the key, and then be able to make malicious calls to the API from wherever they like.
This change allows you to run external-dns on OCI and make calls to the OCI API that are authenticated based on where the call came from. In this scenario, an attacker who gains access to the running instance of external-dns cannot steal the key because there's no key to steal. So the damage is limited to the attacker making malicious calls from the instance itself.
But the biggest benefit is not having to deal with any keys. No rotation, no CI/CD worries, etc. You set up the dynamic group and policy, and it just works.
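The two comments above describe the risk (a static API key inside the external-dns pod that can be exfiltrated and used from anywhere) and the mitigation (instance principal auth, where there is no key to steal). The following Go program is an added example written for this page; it is not the PR's code and does not use the OCI SDK. It models a fail-closed check an operator or provider could run over the auth section of the config: it selects the auth mode, refuses a config that enables instance principal auth while still carrying key material (a sign of an incomplete migration that leaves a secret in the pod), reports missing fields in key mode, and produces a log-safe copy with secrets masked. The struct field names, the `SelectAuth` and `Redacted` functions, and the placeholder OCIDs are all this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// OCIAuthConfig is a stand-in for the "auth" section of an external-dns OCI
// provider config. Field names are this example's own assumption, not the
// project's exact schema.
type OCIAuthConfig struct {
	Region               string
	TenancyID            string
	UserID               string
	PrivateKey           string // PEM text of a user API key (key-based mode only)
	Fingerprint          string
	Passphrase           string
	UseInstancePrincipal bool
}

// AuthMode is the credential source the OCI client would be built with.
type AuthMode int

const (
	AuthModeNone              AuthMode = iota
	AuthModeKey                        // static user API key: a secret lives in the pod
	AuthModeInstancePrincipal          // identity comes from the instance; nothing to steal
)

func (m AuthMode) String() string {
	switch m {
	case AuthModeKey:
		return "api-key"
	case AuthModeInstancePrincipal:
		return "instance-principal"
	}
	return "none"
}

// SelectAuth decides which mode a config asks for and fails closed on
// ambiguous or incomplete configs. It refuses a config that enables instance
// principal auth but still carries key material, because that is exactly the
// secret the mode exists to remove from the pod.
func SelectAuth(cfg OCIAuthConfig) (AuthMode, error) {
	if strings.TrimSpace(cfg.Region) == "" {
		return AuthModeNone, errors.New("auth.region is required in every mode")
	}
	keyFields := map[string]string{
		"tenancy":     cfg.TenancyID,
		"user":        cfg.UserID,
		"key":         cfg.PrivateKey,
		"fingerprint": cfg.Fingerprint,
		"passphrase":  cfg.Passphrase,
	}
	if cfg.UseInstancePrincipal {
		var present []string
		for name, v := range keyFields {
			if v != "" {
				present = append(present, name)
			}
		}
		if len(present) > 0 {
			sort.Strings(present)
			return AuthModeNone, fmt.Errorf("useInstancePrincipal is set but key-based fields are also present (%s); remove them so no credential ships with the pod", strings.Join(present, ", "))
		}
		return AuthModeInstancePrincipal, nil
	}
	// Key-based mode: passphrase is optional, the other four are required.
	var missing []string
	for _, name := range []string{"tenancy", "user", "key", "fingerprint"} {
		if keyFields[name] == "" {
			missing = append(missing, name)
		}
	}
	if len(missing) > 0 {
		return AuthModeNone, fmt.Errorf("key-based auth selected but missing: %s", strings.Join(missing, ", "))
	}
	return AuthModeKey, nil
}

// Redacted returns a copy safe to log: secret material is masked, non-secret
// identifiers are kept so operators can still tell which identity is in use.
func (c OCIAuthConfig) Redacted() OCIAuthConfig {
	out := c
	if out.PrivateKey != "" {
		out.PrivateKey = "<redacted>"
	}
	if out.Passphrase != "" {
		out.Passphrase = "<redacted>"
	}
	return out
}

func main() {
	// Constructed sample configs; the OCIDs are placeholders, not real identifiers.
	configs := []OCIAuthConfig{
		{Region: "us-phoenix-1", UseInstancePrincipal: true},
		{Region: "us-phoenix-1", UseInstancePrincipal: true, PrivateKey: "-----BEGIN PRIVATE KEY-----..."},
		{Region: "us-phoenix-1", TenancyID: "ocid1.tenancy.oc1..placeholder", UserID: "ocid1.user.oc1..placeholder"},
	}
	for _, c := range configs {
		mode, err := SelectAuth(c)
		fmt.Printf("%+v -> mode=%s err=%v\n", c.Redacted(), mode, err)
	}
}
```

The check is deliberately strict in one direction: leftover key fields next to `useInstancePrincipal` are an error rather than a warning, since the whole point of the change described in the PR is that the running instance holds no credential an attacker could copy out. Limiting the IAM policy the dynamic group receives to the DNS resources in the compartment external-dns actually manages keeps the remaining blast radius (calls made from the instance itself) correspondingly small.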
/kind feature
I would like to see this feature.
@Raffo Any particular hold up on this one? This looks like a very isolated change (to the OCI provider code path only).
Also looking for this feature to be merged. Any update or action on this?
@Raffo and @njuettner - is there anything I can do to make this PR more appealing for review? The `size/L` label was applied, but changes to the docs and unit tests account for a fair amount of the diff. The functional change is pretty narrow. Let me know; would love to make it easier for people to use external-dns with OCI.
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: ericrrath, jlamillan
To complete the pull request process, please ask for approval from raffo after the PR has been reviewed.
The full list of commands accepted by this bot can be found here.
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
Hi @linki @njuettner @Raffo -- is there anything I can to do to make this PR more attractive for review and eventual approval? The OCI IAM instance principal functionality makes external-dns more attractive to people who want to run it in Oracle's OCI cloud; it allows policy-based access control without having to provide credentials.
/remove-lifecycle stale
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.
This bot triages issues and PRs according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the issue is closed
You can:
- Mark this issue or PR as fresh with /remove-lifecycle stale
- Mark this issue or PR as rotten with /lifecycle rotten
- Close this issue or PR with /close
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
This bot triages issues and PRs according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the issue is closed
You can:
- Mark this issue or PR as fresh with /remove-lifecycle rotten
- Close this issue or PR with /close
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
/remove-lifecycle rotten
Looks good to me.
@njuettner - anything else we can do to nudge this along?
looks good to me
/remove-lifecycle stale
/remove-lifecycle stale
Hi @njuettner @Raffo @seanmalloy @szuecs - is there anything I can do to make this PR more attractive for approval and merging? It adds support for "instance principal" authentication with Oracle OCI, so you can deploy external-dns to an OCI compute instance and allow it to call the OCI DNS API without providing explicit credentials. Any feedback is appreciated! This has been working great for us for 3+ years now.
@ericrrath sorry for not being fast in responding. I think our problem is the current backlog. In the next 2 weeks we won't have a decision, but from mid-September we have a regular maintainers meeting to discuss PRs, and from there it's only a matter of time until we get to yours.
@szuecs - thanks for the update! I understand. Let me know if I can do anything to help.
@szuecs - Hi, was there any decision made in mid-September about PRs like this one? Let me know if there's anything I can do to help.
I would like to see this one! I think Instance Principals are now the primary authentication method in OCI. Too bad we can't use them currently. Please approve the PR as soon as possible.
/remove-lifecycle stale
We need an authentication method more secure than user credentials. Please approve the pull request.
/ok-to-test /approve
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: ericrrath, jlamillan, szuecs
The full list of commands accepted by this bot can be found here.
The pull request process is described here
- ~~OWNERS~~ [szuecs]
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
/lgtm