
OCI provider: add support for instance principal authentication #1701

Merged

Conversation

ericrrath
Contributor

Oracle Cloud Infrastructure (OCI) supports "instance principal" authentication.
From
<https://docs.cloud.oracle.com/en-us/iaas/Content/Identity/Tasks/callingservicesfrominstances.htm>:

> After you set up the required resources and policies, an application running
> on an instance can call Oracle Cloud Infrastructure public services, removing
> the need to configure user credentials or a configuration file.

This change adds support to the OCI provider for instance principal
authentication when external-dns is run on an OCI instance (e.g. in OCI OKE).
Existing support for key/fingerprint-based authentication is unchanged.

Checklist

  • [x] Update changelog in CHANGELOG.md, use section "Unreleased".
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jul 31, 2020
@ericrrath
Contributor Author

/assign @Raffo

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 6, 2020
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 7, 2020
@ericrrath
Contributor Author

Sorry, I didn't do a good job selling the benefit of this change in the original comment on the PR. Without this change, someone running external-dns on Oracle OCI, and using OCI DNS, must provide a valid private key in order to authenticate with OCI and call OCI API functions to list zones, list records, and update records. This creates the possibility that an attacker who gains access to the running instance of external-dns will gain unauthorized access to the key, and then be able to make malicious calls to the API from wherever they like.

This change allows you to run external-dns on OCI and make calls to the OCI API that are authenticated based on where the call came from. In this scenario, an attacker who gains access to the running instance of external-dns cannot steal the key because there's no key to steal. So the damage is limited to the attacker making malicious calls from the instance itself.

But the biggest benefit is not having to deal with any keys. No rotation, no CI/CD worries, etc. You set up the dynamic group and policy, and it just works.
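As an added illustration in Go (not code from this PR or from external-dns itself), the two authentication modes contrasted above, with the instance-principal branch refusing any stray key material, plus the dynamic group rule and policy statement the comment refers to. The config field names, the OCI Go SDK function names mentioned in comments, and the OCIDs are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// OCIAuthConfig is an assumed shape for the auth section of the external-dns
// OCI config file; the field names are illustrative, not the project's own.
type OCIAuthConfig struct {
	Region, TenancyID, UserID, PrivateKey, Fingerprint string
	UseInstancePrincipal                                bool
}

// SelectAuthMode returns "instance-principal" or "key" after validating the
// config for that mode. In instance principal mode any key material is an
// error rather than silently ignored, so no long-lived private key ships
// with a workload that does not need one. With the OCI Go SDK the two modes
// map to auth.InstancePrincipalConfigurationProvider() and
// common.NewRawConfigurationProvider(...) respectively (not called here).
func SelectAuthMode(c OCIAuthConfig) (string, error) {
	if c.UseInstancePrincipal {
		if c.PrivateKey != "" || c.Fingerprint != "" || c.UserID != "" {
			return "", errors.New("useInstancePrincipal is set but user key material is also present")
		}
		return "instance-principal", nil
	}
	var missing []string
	for _, f := range []struct{ name, val string }{{"region", c.Region}, {"tenancy", c.TenancyID},
		{"user", c.UserID}, {"key", c.PrivateKey}, {"fingerprint", c.Fingerprint}} {
		if f.val == "" {
			missing = append(missing, f.name)
		}
	}
	if len(missing) > 0 {
		return "", fmt.Errorf("key-based auth is missing: %s", strings.Join(missing, ", "))
	}
	return "key", nil
}

// IAMSetup renders the dynamic-group matching rule and policy statement that
// scope the instance principal to DNS in one compartment, bounding what a
// compromised instance could do. Both OCIDs are caller-supplied placeholders.
func IAMSetup(group, instanceCompartment, dnsCompartment string) (rule, statement string) {
	rule = fmt.Sprintf("Any {instance.compartment.id = '%s'}", instanceCompartment)
	statement = fmt.Sprintf("Allow dynamic-group %s to manage dns in compartment id %s", group, dnsCompartment)
	return rule, statement
}
```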

@seanmalloy
Member

/kind feature

@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Aug 19, 2020
@k8s-ci-robot k8s-ci-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Aug 20, 2020
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 27, 2020
@dansimone
Contributor

I would like to see this feature.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 31, 2020
@k8s-ci-robot k8s-ci-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Aug 31, 2020
@k8s-ci-robot k8s-ci-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Sep 4, 2020
@ericrrath
Contributor Author

/remove-lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Dec 7, 2021
@jlamillan
Contributor

Looks good to me.

@njuettner - anything else we can do to nudge this along?

@theabmitra

looks good to me

@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 3, 2022
@jlamillan
Contributor

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 3, 2022
@k8s-triage-robot

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 1, 2022
@ericrrath
Contributor Author

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 2, 2022
@ericrrath
Contributor Author

Hi @njuettner @Raffo @seanmalloy @szuecs - is there anything I can do to make this PR more attractive for approval and merging? It adds support for "instance principal" authentication with Oracle OCI, so you can deploy external-dns to an OCI compute instance and allow it to call the OCI DNS API without providing explicit credentials. Any feedback is appreciated! This has been working great for us for 3+ years now.

@szuecs
Contributor

szuecs commented Aug 24, 2022

@ericrrath sorry for not being fast in responding. I think our problem is the current backlog. Next 2 weeks we won't have a decision, but from mid of September we have a regular maintainers meeting to discuss PRs and from there it's only a matter of time until we get to yours.

@ericrrath
Contributor Author

@szuecs - thanks for the update! I understand. Let me know if I can do anything to help.

@ericrrath
Contributor Author

@szuecs - Hi, was there any decision made in mid-September about PRs like this one? Let me know if there's anything I can do to help.

@ivandelic

I would like to see this one! I think Instance Principals are now the primary authentication method in OCI. Too bad we can't use them currently. Please approve the PR as soon as possible.

@k8s-triage-robot

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 1, 2023
@ericrrath
Contributor Author

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 2, 2023
@robo-cap

We need an authentication method more secure than user credentials. Please approve the pull request.

@szuecs
Contributor

szuecs commented Apr 11, 2023

/ok-to-test
/approve

@k8s-ci-robot k8s-ci-robot added the ok-to-test Indicates a non-member PR verified by an org member that is safe to test. label Apr 11, 2023
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ericrrath, jlamillan, szuecs

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 11, 2023
@szuecs
Contributor

szuecs commented Apr 11, 2023

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 11, 2023
@k8s-ci-robot k8s-ci-robot merged commit e7749e9 into kubernetes-sigs:master Apr 11, 2023