whitelist two environment variables for AWS IAM roles in Kubernetes #3229
I see the build job didn't return here. Is there anything I can do to get that passed?
/rebase
e429bb5 to d9fcea9
Keen for this PR to be merged
This sounds like an important feature, for AWS CodeCommit users 👍
I'd like to consider including this in the next release, but there are some CI checks which are still marked as failing. @mattwillsher can you rebase this and add signoff according to instructions that the DCO merge check will provide? (Basically just If you are still interested in merging this, the rebase update should trigger CI to run again. I will add it to the 1.21.3 milestone for now. Thanks.
Hi, I want to include this in the next release, but I don't use AWS CodeCommit and can't test it by myself. Also, the DCO bot won't let me merge it if it isn't rebased, and signed-off. Would you be willing to rebase and amend the commit with
d9fcea9 to 54a4a43
Done
Thank you, that helps. Using the GitHub UI to catch up the branch...
I will rebase this into a release branch later, and update this PR with the final status when it gets merged in 1.22.0. 👍 thanks for your contribution!
go.mod - reset k8s machinery to 1.17.17
This is the latest release that we can update to -- see fluxcd#3378 Try to remove when distribution/distribution#2905 is out docker/distribution patch still needed for now (Put it back for now.) On 2021-02-25 this has been merged, 2.7.2 of docker/distribution should include it hopefully relatively soon!
Signed-off-by: Kingdon Barrett <kingdon@weave.works>
/rebase
19c2f46 to f1c61d9
Signed-off-by: Matt Willsher <matt@monki.org.uk>
Signed-off-by: Kingdon Barrett <kingdon@weave.works>
f1c61d9 to 3d4b462
LGTM
Such that the AWS CodeCommit git credential helper can be used in the fluxcd container so that static git credentials are not needed. This does require additional components in the fluxcd container. For example:
An IAM role for the service account can then be used to authenticate to CodeCommit (https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html), with --git-url set to the HTTPS URL of the CodeCommit repo as given by aws, and a patch to the flux ServiceAccount giving the IAM role ARN:
This goes some way to address #2895
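Why an environment allowlist has to name these variables before a credential helper run by git can assume the IAM role, as an added example that is not code from this PR or from the flux code base. It assumes the two variables are AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE (the pair EKS injects for IAM roles for service accounts; the page does not name them), and the function names, allowlists and sample environment are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumption: the two variables EKS injects for IAM roles for service accounts.
var irsaVars = []string{"AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE"}

// childEnv keeps only the "KEY=value" entries of parent whose key is allowlisted,
// so a spawned git process (and its credential helper) sees nothing else.
func childEnv(parent, allow []string) []string {
	ok := make(map[string]bool, len(allow))
	for _, k := range allow {
		ok[k] = true
	}
	var out []string
	for _, kv := range parent {
		if i := strings.IndexByte(kv, '='); i > 0 && ok[kv[:i]] {
			out = append(out, kv)
		}
	}
	return out
}

// droppedIRSA names the IRSA variables set in parent but missing from child;
// a non-empty result means the helper has no web identity to assume the role with.
func droppedIRSA(parent, child []string) (dropped []string) {
	has := func(env []string, key string) bool {
		return len(childEnv(env, []string{key})) > 0
	}
	for _, k := range irsaVars {
		if has(parent, k) && !has(child, k) {
			dropped = append(dropped, k)
		}
	}
	return dropped
}

func main() {
	// Constructed pod environment; the ARN and values are placeholders.
	pod := []string{"HOME=/root", "UNRELATED_SECRET=constructed",
		"AWS_ROLE_ARN=arn:aws:iam::111122223333:role/example",
		"AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}
	after := append([]string{"HOME"}, irsaVars...) // hypothetical allowlist
	fmt.Println("without entries:", droppedIRSA(pod, childEnv(pod, []string{"HOME"})))
	fmt.Println("with entries:   ", droppedIRSA(pod, childEnv(pod, after)))
	fmt.Println("child env:      ", childEnv(pod, after))
}
```

Only the role ARN and the token file path reach the child process; every other variable in the pod, such as the constructed UNRELATED_SECRET, is still filtered out.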