Optional AWS Route53 region

[wallrj]

When you install cert-manager on EKS and use IAM Roles for Service Accounts or Pod Identity,
an AWS mutating webhook will add AWS_REGION and AWS_DEFAULT_REGION environment variables to the controller Pod. There's no need to specify the region in the Issuer config so it should not be a required field.

📖 Read Grant Kubernetes workloads access to AWS using Kubernetes Service Accounts to learn more about these two mechanisms.

AWS Route53 is a global service and does not have regional endpoints.
The AWS SDK for Go V2 uses the region (whether supplied or detected from environment variables) as a hint,
with which to compute the AWS partition domain name (i.e. route53.amazonaws.com / amazonaws.com.cn / route53.us-gov.amazonaws.com) and the credential scope (us-east-1 / cn-northwest-1 / us-gov-west-1).
Here is the metadata that the SDK uses for Route53.

• Updated the webhook validation tests, to demonstrate that all the Route53 fields are now optional.
• Removed the webhook validation for region, which was being used if the user supplied an empty string for region.
• OpenAPI validation was also being used, if the region field was omitted from the supplied JSON.
• So I marked annotated the field with omitempty and +optional and regenerated the CRDS.

Fixes: #6175
Fixes: cert-manager/website#56

/kind bug

The Route53 DNS01 solver of the ACME Issuer can now detect the AWS region from the `AWS_REGION` and `AWS_DEFAULT_REGION` environment variables, which is set by the IAM for Service Accounts (IRSA) webhook and by the Pod Identity webhook. 
The `issuer.spec.acme.solvers.dns01.route53.region` field is now optional.
The API documentation of the `region` field has been updated to explain when and how the region value is used.

Testing

API Documentation

$ kubectl explain issuer.spec.acme.solvers.dns01.route53.region
GROUP:      cert-manager.io
KIND:       Issuer
VERSION:    v1

FIELD: region <string>

DESCRIPTION:
    Override the AWS region.

    Route53 is a global service and does not have regional endpoints but the
    region specified here (or via environment variables) is used as a hint to
    help compute the correct AWS credential scope and partition when it
    connects to Route53. See:
    - [Amazon Route 53 endpoints and
    quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
    - [Global
    services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)

    Region is not needed if you use [IAM Roles for Service Accounts
    (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
    Instead an AWS_REGION environment variable is added to the cert-manager
    controller Pod by:
    [Amazon EKS Pod Identity
    Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook),

    Region is not needed if you use [EKS Pod
    Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
    Instead an AWS_REGION environment variable is added to the cert-manager
    controller Pod by:
    [Amazon EKS Pod Identity
    Agent](https://github.com/aws/eks-pod-identity-agent),

    Region is not used for computing STS regional endpoints.
    If you configure the `role` field, cert-manager will always use the
    global STS endpoint to make AssumeRole and AssumeRoleWithWebIdentity
    requests.

    Region is ignored if ambient credentials mode is disabled, by
    `--cluster-issuer-ambient-credentials` or `--isssuer-ambient-credentials`
    controller flags.

[inteon]

Do you know what would happen if the signature has the wrong region?

[wallrj]

I misunderstood. My latest understanding is that the region given here or from AWS_REGION is used as a hint to select one of two credential scope regions.
I've updated the comment and added some links to AWS documentation.
See also:

• https://github.com/aws/aws-sdk-go-v2/blob/98ae6886ccefe00db38a3088e273e524abf3b196/service/route53/internal/endpoints/endpoints.go

[wallrj]

Example failure:

• https://prow.infra.cert-manager.io/view/gs/cert-manager-prow-artifacts/pr-logs/pull/cert-manager_cert-manager/7287/pull-cert-manager-master-make-test/1836742485573898240

[wallrj]

I misunderstood. My latest understanding is that the region given here or from AWS_REGION is used as a hint to select one of two credential scope regions.
I've updated the comment and added some links to AWS documentation.
See also:

• https://github.com/aws/aws-sdk-go-v2/blob/98ae6886ccefe00db38a3088e273e524abf3b196/service/route53/internal/endpoints/endpoints.go

[wallrj]

I wrote this wrong. Should be:

Suggested change

	// Region is ignored if ambient credentials mode is disabled, by
	// `--cluster-issuer-ambient-credentials` or `--isssuer-ambient-credentials`
	// controller flags.
	// Region is used unconditionally if ambient credentials mode is disabled, by
	// `--cluster-issuer-ambient-credentials` or `--isssuer-ambient-credentials`
	// controller flags.

Personally, I think this is a bug, but that is how it's coded.
Ambient mode should only concern the loading of ambient credentials,
not other metadata such as region.

[inteon]

Thanks for investigating this. I'm 100% onboard with making the region field optional.
Might want to tune the comment a bit more in the future, but LGTM for this beta release.
/approve
/lgtm

[cert-manager-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: inteon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [inteon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[wallrj]

/kind bug

[wallrj]

/kind feature