
Merge pull request #981 from external-secrets/dependabot/go_modules/github.com/aws/aws-sdk-go-1.43.36

build(deps): bump github.com/aws/aws-sdk-go from 1.41.13 to 1.43.36
paul-the-alien[bot] 4 years ago
parent
commit
1d70e03b05
5 changed files with 23 additions and 3 deletions
  1. 1 1
      go.mod
  2. 2 1
      go.sum
  3. 1 1
      pkg/provider/aws/auth/auth.go
  4. 1 0
      terraform/aws/modules/cluster/irsa.tf
  5. 18 0
      terraform/aws/modules/cluster/main.tf

+ 1 - 1
go.mod

@@ -50,7 +50,7 @@ require (
 	github.com/akeylesslabs/akeyless-go-cloud-id v0.3.4
 	github.com/akeylesslabs/akeyless-go/v2 v2.15.29
 	github.com/aliyun/alibaba-cloud-sdk-go v1.61.1554
-	github.com/aws/aws-sdk-go v1.41.13
+	github.com/aws/aws-sdk-go v1.43.36
 	github.com/crossplane/crossplane-runtime v0.15.1
 	github.com/go-logr/logr v1.2.3
 	github.com/golang-jwt/jwt/v4 v4.4.1

+ 2 - 1
go.sum

@@ -139,8 +139,9 @@ github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:l
 github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef h1:46PFijGLmAjMPwCCCo7Jf0W6f9slllCkkv7vyc1yOSg=
 github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
 github.com/aws/aws-sdk-go v1.15.78/go.mod h1:E3/ieXAlvM0XWO57iftYVDLLvQ824smPP3ATZkfNZeM=
-github.com/aws/aws-sdk-go v1.41.13 h1:wGgr6jkHdGExF33phfOqijFq7ZF+h7a6FXvJc77GpTc=
 github.com/aws/aws-sdk-go v1.41.13/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q=
+github.com/aws/aws-sdk-go v1.43.36 h1:8a+pYKNT7wSxUy3fi5dSqKQdfmit7SYGg5fv4zf+WuA=
+github.com/aws/aws-sdk-go v1.43.36/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
 github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=

+ 1 - 1
pkg/provider/aws/auth/auth.go

@@ -223,7 +223,7 @@ func DefaultJWTProvider(name, namespace, roleArn, region string) (credentials.Pr
 		k8sClient:      clientset.CoreV1(),
 	}
 
-	return stscreds.NewWebIdentityRoleProviderWithToken(
+	return stscreds.NewWebIdentityRoleProviderWithOptions(
 		sts.New(sess), roleArn, "external-secrets-provider-aws", tokenFetcher), nil
 }
 
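Review bot: The role session name on the `sts.New(sess), roleArn, "external-secrets-provider-aws", tokenFetcher), nil` line is a fixed string, so every web-identity session this provider creates is recorded under the same name and the audit trail cannot tell which service account assumed the role. `name` and `namespace` are already parameters of DefaultJWTProvider, so the session name could be derived from them, for example `fmt.Sprintf("external-secrets-%s-%s", namespace, name)`, truncated and sanitised to what STS accepts for a session name (64 characters and a restricted character set, as far as I recall). The call to NewWebIdentityRoleProviderWithOptions passes no option functions, so it presumably behaves as before; a one-line comment saying why the constructor was switched would help the next reader. The function body starts outside the hunk.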

+ 1 - 0
terraform/aws/modules/cluster/irsa.tf

@@ -47,6 +47,7 @@ resource "aws_iam_role" "eso-e2e-irsa" {
           Action = [
             "ssm:GetParameter",
             "ssm:PutParameter",
+            "ssm:DescribeParameters",
           ]
           Effect   = "Allow"
           Resource = "*"
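Review bot: `ssm:DescribeParameters` is added to a statement whose `Resource = "*"` also covers `ssm:GetParameter` and `ssm:PutParameter`, so the e2e role can list, read and overwrite every parameter in the account and region it runs in. DescribeParameters, as far as I know, cannot be scoped to a resource and has to stay on `"*"`, but the read and write actions can; consider moving them into their own statement with `Resource = "arn:aws:ssm:<region>:<account-id>:parameter/<e2e-prefix>/*"` (placeholder values). If the wildcard is deliberate for a throwaway test account, a comment above the statement saying so would record that decision. The statement starts and ends outside the hunk.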

+ 18 - 0
terraform/aws/modules/cluster/main.tf

@@ -112,6 +112,24 @@ resource "aws_security_group" "additional" {
     ]
   }
 
+  # allow control-plane to access webhook
+  ingress {
+    from_port        = 9443
+    to_port          = 9443
+    protocol         = "tcp"
+    cidr_blocks      = ["0.0.0.0/0"]
+    ipv6_cidr_blocks = ["::/0"]
+  }
+
+  ingress {
+    from_port        = 443
+    to_port          = 443
+    protocol         = "tcp"
+    cidr_blocks      = ["0.0.0.0/0"]
+    ipv6_cidr_blocks = ["::/0"]
+  }
+
+
   # 443, 53, 123 is already allowed
   egress {
     from_port        = 80
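Review bot: Both new `ingress` blocks use `cidr_blocks = ["0.0.0.0/0"]` and `ipv6_cidr_blocks = ["::/0"]`, which opens 9443 and 443 to any source, although the comment says the rule is meant for the control plane only. Whether the attached instances are reachable from outside depends on subnets and routing that this hunk does not show, but the security group itself no longer limits the source. Restricting it to the control plane, e.g. `security_groups = [<control-plane-security-group-id>]` (placeholder) in place of the two CIDR lines, or to the VPC CIDR, would match the stated intent. The second block has no comment; something like `# allow control-plane to reach <service> on 443` would say why it is needed. The resource starts outside the hunk.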