Description
I have been working on getting IAM-RA working in Kubernetes on an on-premise cluster, to configure, for instance, Cert-Manager to use Route53 for DNS01 validation.
But unfortunately the Cert-Manager Helm chart does not support adding a sidecar container. The sidecar would also create a circular dependency, as Cert-Manager would also be used to create the certificate for IAM-RA, which would not be possible as the sidecar would depend on a secret that is not yet created.
The option then would be to configure Cert-Manager only with the extraEnv that points to a Service that points to a Pod with the roles-anywhere credential helper. That would make the coupling to IAM-RA a lot looser and fit with the Kubernetes mindset of eventual consistency.
This would, though, require rolesanywhere-credential-helper in serving mode to allow connections from all hosts. This option should be disabled by default but be possible to enable, and it should show that this is configured in the log.
This would remove a layer of security; it could be an idea to add an ENV option that allows a static password/token or similar to be used for authentication. I don't know the specifics of AWS_EC2_METADATA_SERVICE_ENDPOINT, whether there are already built-in options for security that could be used.
There are 2 workarounds that I see at the moment:
One is to patch LocalHostAddress to "" in
https://github.com/aws/rolesanywhere-credential-helper/blob/main/aws_signing_helper/serve.go#L324
The second is to set up Nginx or similar as the primary container and set up a proxy to 127.0.0.1:9911. There it's also possible to set up httpauth if wanted.
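As an added illustration of the second workaround (an authenticating proxy in front of the helper's serve port, not code from this issue or from the rolesanywhere-credential-helper project), the following Go program listens on an assumed port 8080, requires a static bearer token read from a hypothetical HELPER_PROXY_TOKEN variable, and only then forwards the request to the helper on 127.0.0.1:9911 as mentioned above; the token check uses a constant-time comparison so the proxy does not leak the token through timing.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
	"strings"
)

// Address the credential helper's serve mode listens on (port from the issue text).
const helperAddr = "http://127.0.0.1:9911"

// newTokenProxy returns a handler that forwards requests to target only when
// the caller presents "Authorization: Bearer <token>"; everything else gets 401.
func newTokenProxy(target *url.URL, token string) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(target)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !tokenOK(r.Header.Get("Authorization"), token) {
			w.Header().Set("WWW-Authenticate", `Bearer realm="credential-helper"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		proxy.ServeHTTP(w, r)
	})
}

// tokenOK checks the Authorization header against the configured token.
// An empty configured token never matches, so a misconfigured proxy fails closed.
func tokenOK(header, token string) bool {
	const prefix = "Bearer "
	if token == "" || !strings.HasPrefix(header, prefix) {
		return false
	}
	presented := strings.TrimPrefix(header, prefix)
	return subtle.ConstantTimeCompare([]byte(presented), []byte(token)) == 1
}

func main() {
	token := os.Getenv("HELPER_PROXY_TOKEN") // hypothetical variable name
	if token == "" {
		log.Fatal("HELPER_PROXY_TOKEN must be set; refusing to expose the helper unauthenticated")
	}
	target, err := url.Parse(helperAddr)
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("proxying %s with bearer-token authentication on :8080", helperAddr)
	log.Fatal(http.ListenAndServe(":8080", newTokenProxy(target, token)))
}
```

The standard AWS SDK IMDS credential providers do not attach an Authorization header to their requests, so this (like Nginx httpauth) only protects callers that can set the header themselves.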