ref: use AWS's AssumeRoleProvider to refresh credentials
This commit is contained in:
parent
587b4128cb
commit
4dd4decf7d
@ -91,6 +91,7 @@ var defaultConfig = &Config{
|
||||
GoogleProject: "",
|
||||
DomainFilter: []string{},
|
||||
AWSZoneType: "",
|
||||
AWSAssumeRole: "",
|
||||
AzureConfigFile: "/etc/kubernetes/azure.json",
|
||||
AzureResourceGroup: "",
|
||||
CloudflareProxied: false,
|
||||
@ -165,7 +166,7 @@ func (cfg *Config) ParseFlags(args []string) error {
|
||||
app.Flag("zone-id-filter", "Filter target zones by hosted zone id; specify multiple times for multiple zones (optional)").Default("").StringsVar(&cfg.ZoneIDFilter)
|
||||
app.Flag("google-project", "When using the Google provider, current project is auto-detected, when running on GCP. Specify other project with this. Must be specified when running outside GCP.").Default(defaultConfig.GoogleProject).StringVar(&cfg.GoogleProject)
|
||||
app.Flag("aws-zone-type", "When using the AWS provider, filter for zones of this type (optional, options: public, private)").Default(defaultConfig.AWSZoneType).EnumVar(&cfg.AWSZoneType, "", "public", "private")
|
||||
app.Flag("aws-assume-role", "TODO").StringVar(&cfg.AWSAssumeRole)
|
||||
app.Flag("aws-assume-role", "When using the AWS provider, assume this IAM role. Useful for hosted zones in another AWS account. Specify the full ARN, e.g. `arn:aws:iam::123455567:role/external-dns` (optional)").Default(defaultConfig.AWSAssumeRole).StringVar(&cfg.AWSAssumeRole)
|
||||
app.Flag("azure-config-file", "When using the Azure provider, specify the Azure configuration file (required when --provider=azure").Default(defaultConfig.AzureConfigFile).StringVar(&cfg.AzureConfigFile)
|
||||
app.Flag("azure-resource-group", "When using the Azure provider, override the Azure resource group to use (optional)").Default(defaultConfig.AzureResourceGroup).StringVar(&cfg.AzureResourceGroup)
|
||||
app.Flag("cloudflare-proxied", "When using the Cloudflare provider, specify if the proxy mode must be enabled (default: disabled)").BoolVar(&cfg.CloudflareProxied)
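Review bot: The example ARN in the new aws-assume-role help text uses a 9-digit account ID (`123455567`) while AWS account IDs are 12 digits, so an operator copying the pattern gets an ARN STS will reject; use the conventional documentation placeholder, `arn:aws:iam::123456789012:role/external-dns`. The flag is otherwise free-form and nothing on this hunk checks the value looks like a role ARN, so a typo is presumably only reported when the first AssumeRole call fails rather than at flag parsing; a one-line `strings.HasPrefix(cfg.AWSAssumeRole, "arn:aws:iam::")` check, or at least a sentence in the help text saying the value is not validated until the first AWS call, would make that failure mode clearer. ParseFlags continues outside the hunk.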
|
||||
|
@ -40,6 +40,7 @@ var (
|
||||
DomainFilter: []string{""},
|
||||
ZoneIDFilter: []string{""},
|
||||
AWSZoneType: "",
|
||||
AWSAssumeRole: "",
|
||||
AzureConfigFile: "/etc/kubernetes/azure.json",
|
||||
AzureResourceGroup: "",
|
||||
CloudflareProxied: false,
|
||||
@ -74,6 +75,7 @@ var (
|
||||
DomainFilter: []string{"example.org", "company.com"},
|
||||
ZoneIDFilter: []string{"/hostedzone/ZTST1", "/hostedzone/ZTST2"},
|
||||
AWSZoneType: "private",
|
||||
AWSAssumeRole: "some-other-role",
|
||||
AzureConfigFile: "azure.json",
|
||||
AzureResourceGroup: "arg",
|
||||
CloudflareProxied: true,
|
||||
@ -141,6 +143,7 @@ func TestParseFlags(t *testing.T) {
|
||||
"--zone-id-filter=/hostedzone/ZTST1",
|
||||
"--zone-id-filter=/hostedzone/ZTST2",
|
||||
"--aws-zone-type=private",
|
||||
"--aws-assume-role=some-other-role",
|
||||
"--policy=upsert-only",
|
||||
"--registry=noop",
|
||||
"--txt-owner-id=owner-1",
|
||||
@ -180,6 +183,7 @@ func TestParseFlags(t *testing.T) {
|
||||
"EXTERNAL_DNS_DOMAIN_FILTER": "example.org\ncompany.com",
|
||||
"EXTERNAL_DNS_ZONE_ID_FILTER": "/hostedzone/ZTST1\n/hostedzone/ZTST2",
|
||||
"EXTERNAL_DNS_AWS_ZONE_TYPE": "private",
|
||||
"EXTERNAL_DNS_AWS_ASSUME_ROLE": "some-other-role",
|
||||
"EXTERNAL_DNS_POLICY": "upsert-only",
|
||||
"EXTERNAL_DNS_REGISTRY": "noop",
|
||||
"EXTERNAL_DNS_TXT_OWNER_ID": "owner-1",
|
||||
|
@ -21,10 +21,9 @@ import (
|
||||
"strings"
|
||||
|
||||
"github.com/aws/aws-sdk-go/aws"
|
||||
"github.com/aws/aws-sdk-go/aws/credentials"
|
||||
"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
|
||||
"github.com/aws/aws-sdk-go/aws/session"
|
||||
"github.com/aws/aws-sdk-go/service/route53"
|
||||
"github.com/aws/aws-sdk-go/service/sts"
|
||||
"github.com/kubernetes-incubator/external-dns/endpoint"
|
||||
"github.com/kubernetes-incubator/external-dns/plan"
|
||||
"github.com/linki/instrumented_http"
|
||||
@ -84,7 +83,7 @@ type AWSProvider struct {
|
||||
func NewAWSProvider(domainFilter DomainFilter, zoneIDFilter ZoneIDFilter, zoneTypeFilter ZoneTypeFilter, assumeRole string, dryRun bool) (*AWSProvider, error) {
|
||||
config := aws.NewConfig()
|
||||
|
||||
config = config.WithHTTPClient(
|
||||
config.WithHTTPClient(
|
||||
instrumented_http.NewClient(config.HTTPClient, &instrumented_http.Callbacks{
|
||||
PathProcessor: func(path string) string {
|
||||
parts := strings.Split(path, "/")
|
||||
@ -102,26 +101,8 @@ func NewAWSProvider(domainFilter DomainFilter, zoneIDFilter ZoneIDFilter, zoneTy
|
||||
}
|
||||
|
||||
if assumeRole != "" {
|
||||
svc := sts.New(session)
|
||||
|
||||
params := &sts.AssumeRoleInput{
|
||||
RoleArn: aws.String(assumeRole),
|
||||
RoleSessionName: aws.String("external-dns"),
|
||||
}
|
||||
|
||||
log.Infof("Assuming role %s..", aws.StringValue(params.RoleArn))
|
||||
|
||||
resp, err := svc.AssumeRole(params)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
session.Config.WithCredentials(credentials.NewStaticCredentialsFromCreds(credentials.Value{
|
||||
AccessKeyID: aws.StringValue(resp.Credentials.AccessKeyId),
|
||||
SecretAccessKey: aws.StringValue(resp.Credentials.SecretAccessKey),
|
||||
SessionToken: aws.StringValue(resp.Credentials.SessionToken),
|
||||
ProviderName: "assumeRoleProvider",
|
||||
}))
|
||||
log.Infof("Assuming role: %s", assumeRole)
|
||||
config.WithCredentials(stscreds.NewCredentials(session, assumeRole))
|
||||
}
|
||||
|
||||
provider := &AWSProvider{
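Review bot: The new line `config.WithCredentials(stscreds.NewCredentials(session, assumeRole))` attaches the assumed-role credentials to `config`, whereas the removed code attached them to `session.Config`; if `session` was built from a copy of `config` earlier in NewAWSProvider (its creation and the route53 client construction are outside the hunk), the client keeps the base credentials and the role is silently never assumed, so the call should be `session.Config.WithCredentials(stscreds.NewCredentials(session, assumeRole))` or `config` must be passed to the route53 constructor — worth confirming against the lines above. The rewrite also drops the explicit `RoleSessionName: aws.String("external-dns")`, so CloudTrail records for the assumed role lose the stable session name that identified this controller; it can be restored with `stscreds.NewCredentials(session, assumeRole, func(p *stscreds.AssumeRoleProvider) { p.RoleSessionName = "external-dns" })`. Because the refreshing provider is lazy, a wrong ARN or a missing sts:AssumeRole permission now surfaces on the first Route 53 request instead of as an error from NewAWSProvider; calling `Get()` on the returned credentials once here would keep the fail-fast behaviour of the old code. NewAWSProvider's body continues beyond the hunk.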
|
||||
|