netlify[bot]
commented
2 months ago Deploy Preview for cert-manager ready!
Built without sensitive environment variables
| Name | Link |
|---|---|
| Latest commit | 4d8ddd2e4255ac4e889decb4f593549e3a5cee08 |
| Latest deploy log | https://app.netlify.com/sites/cert-manager/deploys/6707978b0916e20008ab20dc |
| Deploy Preview | https://deploy-preview-1555--cert-manager.netlify.app |
| Preview on mobile | Toggle QR Code...Use your smartphone camera to open QR code link. |
To edit notification comments on pull requests, go to your Netlify site configuration.
cert-manager-prow[bot]
Preview: https://deploy-preview-1555--cert-manager.netlify.app/docs/configuration/acme/dns01/route53/
The aim of this PR is to help users understand that fundamentally cert-manager needs to get an access key somehow, so that it can authenticate to Route53.
There are legacy mechanisms, where it can use an IAM User and a long-term access key from a mounted file, or from an environment variable in the cert-manager Pod, or by loading it from a Secret.
There are best-practice mechanisms, where it can use an IAM Role and get a temporary access key from STS, either by explicitly sending a Kubernetes ServiceAccount token to STS (AssumeRoleWithWebIdentity). Or by fetching a temporary access token from a local server such as IMDS on an EC2 node or from a Pod Identity agent in a DaemonSet Pod on a Kubernetes Node.
There are ambient mechanisms, where credentials are global to the cert-manager controller. And there are non-ambient mechanisms, where the credentials can be unique to each Issuer or ClusterIssuer.
I have also added documentation about how cert-manager chooses an AWS region and how that region is used.
Fixes: https://github.com/cert-manager/website/issues/56 Fixes: https://github.com/cert-manager/website/issues/753 Fixes: https://github.com/cert-manager/cert-manager/issues/4738