From 1ed58a5f0b8f999d5e54969cb2d5cb1d98cdf08f Mon Sep 17 00:00:00 2001
From: James Greenhill
Date: Wed, 20 May 2026 14:33:00 -0700
Subject: [PATCH] fix(provisioner): nest allowDirectSystemCredentials under storageSystemCredentials.aws
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

#590 set spec.server.storageSystemCredentials.allowDirectSystemCredentials, but the operator CRD nests the AWS flags under .aws (gated by enableAWS): spec.server.storageSystemCredentials.aws.allowDirectSystemCredentials. The wrong-path field is pruned by the API server as unknown, so #590 was a no-op and the "System identity credentials are disabled" error would persist.

Found by auditing the warehouse storage profile + CR server config against the operator CRD and Lakekeeper's S3-STS docs.

- enableAWS: true (activates the aws credential block)
- aws.allowDirectSystemCredentials: true (use Pod Identity creds for S3)
- aws.assumeRoleRequireExternalID: false (same-account self-assume needs no external id — preempts the next blocker, since we send no external-id in the storage-credential)

Build + provisioner tests green. Needs a CP rebuild to take effect.

Co-Authored-By: Claude Opus 4.7
---
 controlplane/provisioner/lakekeeper_k8s.go | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/controlplane/provisioner/lakekeeper_k8s.go b/controlplane/provisioner/lakekeeper_k8s.go
index ed95e81..c671406 100644
--- a/controlplane/provisioner/lakekeeper_k8s.go
+++ b/controlplane/provisioner/lakekeeper_k8s.go
@@ -326,10 +326,18 @@ func (c *LakekeeperK8sClient) EnsureCR(ctx context.Context, spec LakekeeperCRSpe
 // credentials for S3 — needed so it can assume the
 // warehouse's sts-role-arn to vend. Lakekeeper defaults this
 // OFF; the operator only emits the enabling env when the
- // object is present, so we set it explicitly (a nil parent
- // wouldn't pick up the CRD's default=true).
+ // object is present, so we set it explicitly. The flags live
+ // under .aws (gated by enableAWS) — a nil parent wouldn't
+ // pick up the CRD defaults. assumeRoleRequireExternalID is
+ // false: same-account self-assume needs no external id (and
+ // requiring one would force an external-id in the
+ // storage-credential we don't send).
 "storageSystemCredentials": map[string]interface{}{
- "allowDirectSystemCredentials": true,
+ "enableAWS": true,
+ "aws": map[string]interface{}{
+ "allowDirectSystemCredentials": true,
+ "assumeRoleRequireExternalID": false,
+ },
 },
 },
 },
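Review bot: The corrected keys are still bare strings inside a map[string]interface{} literal, so nothing in this hunk guards against the failure mode the commit message describes — a mistyped or mis-nested key is pruned by the API server as unknown and the credential flag silently stays off, exactly as happened with #590. A provisioner test that renders the CR and asserts `spec.server.storageSystemCredentials.enableAWS == true` and `spec.server.storageSystemCredentials.aws.allowDirectSystemCredentials == true` would pin the path, and if the object is submitted through client-go, setting `FieldValidation: "Strict"` on the create/patch options would turn the next wrong-path key into a hard error rather than a no-op (hedged: the apply call is outside this hunk, so the client in use is not visible here). Setting assumeRoleRequireExternalID to false also opts out of the confused-deputy check that an ExternalId gives cross-account AssumeRole, so the comment should record the assumption that justifies it, e.g. `// assumes the sts-role-arn trust policy is scoped to this account's principal; without an external id that scoping is the only guard`. EnsureCR starts and ends outside this hunk.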