Conversation

@paragor paragor commented Oct 16, 2025

Issue #361

Closes #361

Reason for this change

AWS RAM has restrictions that disallow issuing isCA: true certs from Subordinate AWS PCA.
see https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html

However, for example, Linkerd requires such a certificate.

This pull request allows requesting a certificate directly from an AWS PCA that is located in a different account.

Description of changes

A new optional field 'role' was added to the Issuer and ClusterIssuer CRDs, which allows assuming a role in another account and working with an AWS PCA from that account.
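As an added example (not part of this pull request or of the aws-privateca-issuer project's own manifests) of how the cross-account setup described above fits together: an AWSPCAIssuer in the cluster account that assumes a role in the CA account, the isCA Certificate that a Linkerd-style use case needs, and the two IAM documents that role needs in the CA account. Account IDs, ARNs, namespaces, the IRSA role name and the CA ID are placeholders; the spec.role field name follows the description above; the set of acm-pca actions listed is an assumption about what issuance needs and should be checked against the project's documentation.

```yaml
# Added example, not code from the PR. All account IDs, ARNs and names are placeholders.
# Cluster account 111111111111: where cert-manager and aws-privateca-issuer run (IRSA credentials).
# CA account      222222222222: where the subordinate AWS Private CA lives.
---
apiVersion: awspca.cert-manager.io/v1beta1
kind: AWSPCAIssuer
metadata:
  name: linkerd-issuer
  namespace: linkerd
spec:
  # The CA in the other account, referenced by its full ARN.
  arn: arn:aws:acm-pca:us-east-1:222222222222:certificate-authority/00000000-0000-0000-0000-000000000000
  region: us-east-1
  # Field added by this PR: the controller's own credentials (here its IRSA role)
  # are used only to call sts:AssumeRole on this role; the PCA API calls are then
  # made with the assumed role's credentials inside the CA account.
  role: arn:aws:iam::222222222222:role/cert-manager-pca-issuer
---
# The CA certificate that Linkerd's identity issuer consumes; RAM-shared CAs
# refuse isCA requests, which is why the issuer talks to the CA account directly.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
spec:
  secretName: linkerd-identity-issuer
  isCA: true
  commonName: identity.linkerd.cluster.local
  duration: 48h0m0s
  renewBefore: 25h0m0s
  privateKey:
    algorithm: ECDSA
    size: 256
  usages:
    - cert sign
    - crl sign
    - server auth
    - client auth
  issuerRef:
    name: linkerd-issuer
    kind: AWSPCAIssuer
    group: awspca.cert-manager.io
---
# Not Kubernetes objects: the IAM documents for role cert-manager-pca-issuer in the CA account,
# written as YAML (a JSON superset) so they sit in the same file.
# Trust policy: only the issuer's IRSA role in the cluster account may assume the role.
TrustPolicy:
  Version: "2012-10-17"
  Statement:
    - Effect: Allow
      Principal:
        AWS: arn:aws:iam::111111111111:role/aws-privateca-issuer-irsa
      Action: sts:AssumeRole
# Permission policy: least privilege, scoped to the single CA the issuer is allowed to use.
PermissionPolicy:
  Version: "2012-10-17"
  Statement:
    - Effect: Allow
      Action:
        - acm-pca:IssueCertificate
        - acm-pca:GetCertificate
        - acm-pca:DescribeCertificateAuthority
      Resource: arn:aws:acm-pca:us-east-1:222222222222:certificate-authority/00000000-0000-0000-0000-000000000000
```

Two checks before relying on this: the IRSA role in the cluster account must itself be allowed sts:AssumeRole on the target role (cross-account assumption needs both the caller's identity policy and the target's trust policy), and the PCA template the issuer selects for the request must still allow a CA certificate, since the restriction being worked around is on RAM-shared CAs, not on the template.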

@nickperry

@paragor I think you might need to rebase now, since #430 was merged.

@bmsiegel bmsiegel force-pushed the assume_role_from_issuer_config branch from 9b40996 to ebfb00a Compare November 7, 2025 14:22

paragor commented Nov 7, 2025

@nickperry Hi, thank you for moving this topic forward. I’ll test my PR this weekend!


bmsiegel commented Nov 7, 2025

Just pushed a rebase to this PR. We will need to work on writing integration tests as well for this change, since it's going to end up being a newly supported auth flow.

@paragor paragor force-pushed the assume_role_from_issuer_config branch 2 times, most recently from 6c1d47a to 9fe73ca Compare November 9, 2025 18:04

paragor commented Nov 9, 2025

I’ve just renamed the attribute role -> roleArn. I have tested it locally, and everything looks good.
I’ll try to finish writing the integration tests this week. However, I’ll need help running them - the test run is expensive because it requires creating several AWS PCAs.

If anyone would like to pick up and complete the tests, feel free to do so.


bmsiegel commented Nov 10, 2025

I hate to do this, but can you change the role field back to just role? Cert-manager uses a role arn in one of its specs so we'd like to stay consistent with it:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: example
spec:
  acme:
    ...
    solvers:
    - dns01:
        route53:
          region: us-east-1
          role: <iam-role-arn> # This must be set so cert-manager knows what role to attempt to authenticate with
          auth:
            kubernetes:
              serviceAccountRef:
                name: <service-account-name> # The name of the service account created

source: https://cert-manager.io/docs/configuration/acme/dns01/route53/#cross-account-access

@nickperry

I hate to do this, but can you change the role field back to just role?

Not my PR so I can't push to it, but I have implemented the name change requested by @bmsiegel here if you want to cherry-pick it nickperry@a670b1c

@bmsiegel bmsiegel force-pushed the assume_role_from_issuer_config branch 2 times, most recently from 491b75a to 270e8e7 Compare November 11, 2025 19:54
@bmsiegel bmsiegel force-pushed the assume_role_from_issuer_config branch 3 times, most recently from d2f851a to 901af13 Compare November 11, 2025 21:26
@nickperry

We have been using this feature in non-prod at my organisation over the last few days and it works well. Thank you for implementing this @paragor.

Signed-off-by: Egor Novikov <[email protected]>
Signed-off-by: Brady Siegel <[email protected]>
@cert-manager-prow bot: [APPROVALNOTIFIER] This PR is APPROVED. Approval requirements bypassed by manually added approval.

@cert-manager-prow cert-manager-prow bot merged commit 48cbabb into cert-manager:main Nov 14, 2025
22 of 24 checks passed