diff --git a/api/v1/gitrepository_types.go b/api/v1/gitrepository_types.go
index f104fd0f1..d7468fca6 100644
--- a/api/v1/gitrepository_types.go
+++ b/api/v1/gitrepository_types.go
@@ -39,6 +39,10 @@ const (
// GitProviderGitHub provides support for authentication to git
// repositories using GitHub App authentication
GitProviderGitHub string = "github"
+
+ // GitProviderAWS provides support for authentication to AWS CodeCommit
+ // repositories using IAM credentials.
+ GitProviderAWS string = "aws"
)
const (
@@ -77,7 +81,7 @@ const (
// GitRepositorySpec specifies the required configuration to produce an
// Artifact for a Git repository.
-// +kubebuilder:validation:XValidation:rule="!has(self.serviceAccountName) || (has(self.provider) && self.provider == 'azure')",message="serviceAccountName can only be set when provider is 'azure'"
+// +kubebuilder:validation:XValidation:rule="!has(self.serviceAccountName) || (has(self.provider) && (self.provider == 'azure' || self.provider == 'aws'))",message="serviceAccountName can only be set when provider is 'azure' or 'aws'"
type GitRepositorySpec struct {
// URL specifies the Git repository URL, it can be an HTTP/S or SSH address.
// +kubebuilder:validation:Pattern="^(http|https|ssh)://.*$"
@@ -93,14 +97,14 @@ type GitRepositorySpec struct {
// +optional
SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
- // Provider used for authentication, can be 'azure', 'github', 'generic'.
+ // Provider used for authentication, can be 'aws', 'azure', 'github', 'generic'.
// When not specified, defaults to 'generic'.
- // +kubebuilder:validation:Enum=generic;azure;github
+ // +kubebuilder:validation:Enum=generic;aws;azure;github
// +optional
Provider string `json:"provider,omitempty"`
// ServiceAccountName is the name of the Kubernetes ServiceAccount used to
- // authenticate to the GitRepository. This field is only supported for 'azure' provider.
+ // authenticate to the GitRepository. This field is only supported for 'azure' and 'aws' providers.
// +optional
ServiceAccountName string `json:"serviceAccountName,omitempty"`
diff --git a/config/crd/bases/source.toolkit.fluxcd.io_gitrepositories.yaml b/config/crd/bases/source.toolkit.fluxcd.io_gitrepositories.yaml
index 7e2554252..471e58b2f 100644
--- a/config/crd/bases/source.toolkit.fluxcd.io_gitrepositories.yaml
+++ b/config/crd/bases/source.toolkit.fluxcd.io_gitrepositories.yaml
@@ -105,10 +105,11 @@ spec:
type: string
provider:
description: |-
- Provider used for authentication, can be 'azure', 'github', 'generic'.
+ Provider used for authentication, can be 'aws', 'azure', 'github', 'generic'.
When not specified, defaults to 'generic'.
enum:
- generic
+ - aws
- azure
- github
type: string
@@ -177,7 +178,7 @@ spec:
serviceAccountName:
description: |-
ServiceAccountName is the name of the Kubernetes ServiceAccount used to
- authenticate to the GitRepository. This field is only supported for 'azure' provider.
+ authenticate to the GitRepository. This field is only supported for 'azure' and 'aws' providers.
type: string
sparseCheckout:
description: |-
@@ -242,8 +243,9 @@ spec:
type: object
x-kubernetes-validations:
- message: serviceAccountName can only be set when provider is 'azure'
- rule: '!has(self.serviceAccountName) || (has(self.provider) && self.provider
- == ''azure'')'
+ or 'aws'
+ rule: '!has(self.serviceAccountName) || (has(self.provider) && (self.provider
+ == ''azure'' || self.provider == ''aws''))'
status:
default:
observedGeneration: -1
diff --git a/docs/api/v1/source.md b/docs/api/v1/source.md
index 935d74275..b58c99029 100644
--- a/docs/api/v1/source.md
+++ b/docs/api/v1/source.md
@@ -407,7 +407,7 @@ string
(Optional)
- Provider used for authentication, can be ‘azure’, ‘github’, ‘generic’.
+ Provider used for authentication, can be ‘aws’, ‘azure’, ‘github’, ‘generic’.
When not specified, defaults to ‘generic’.
|
@@ -421,7 +421,7 @@ string
(Optional)
ServiceAccountName is the name of the Kubernetes ServiceAccount used to
-authenticate to the GitRepository. This field is only supported for ‘azure’ provider.
+authenticate to the GitRepository. This field is only supported for ‘azure’ and ‘aws’ providers.
|
@@ -2120,7 +2120,7 @@ string
|
(Optional)
- Provider used for authentication, can be ‘azure’, ‘github’, ‘generic’.
+ Provider used for authentication, can be ‘aws’, ‘azure’, ‘github’, ‘generic’.
When not specified, defaults to ‘generic’.
|
@@ -2134,7 +2134,7 @@ string
(Optional)
ServiceAccountName is the name of the Kubernetes ServiceAccount used to
-authenticate to the GitRepository. This field is only supported for ‘azure’ provider.
+authenticate to the GitRepository. This field is only supported for ‘azure’ and ‘aws’ providers.
|
diff --git a/docs/spec/v1/gitrepositories.md b/docs/spec/v1/gitrepositories.md
index 673eea63f..96e1590dc 100644
--- a/docs/spec/v1/gitrepositories.md
+++ b/docs/spec/v1/gitrepositories.md
@@ -245,6 +245,7 @@ used for authentication purposes.
Supported options are:
- `generic`
+- `aws`
- `azure`
- `github`
@@ -254,6 +255,65 @@ mechanisms using `spec.secretRef` are used for authentication.
For a complete guide on how to set up authentication for cloud providers,
see the integration [docs](/flux/integrations/).
+#### AWS
+
+The `aws` provider can be used to authenticate to
+[AWS CodeCommit](https://docs.aws.amazon.com/codecommit/latest/userguide/welcome.html)
+repositories using IAM credentials sourced from the controller runtime identity.
+
+**Note:** When the `aws` provider is used, `.spec.url` must be an AWS
+CodeCommit HTTPS endpoint in the format
+`https://git-codecommit..amazonaws.com/v1/repos/`.
+For a full list of available regions and their endpoints, see the
+[AWS CodeCommit regions documentation](https://docs.aws.amazon.com/codecommit/latest/userguide/regions.html#regions-git).
+
+##### Pre-requisites
+
+- An EKS cluster with either
+ [EKS Pod Identity](https://fluxcd.io/flux/integrations/aws/#with-eks-pod-identity)
+ or
+ [IAM Roles for Service Accounts (IRSA)](https://fluxcd.io/flux/integrations/aws/#with-oidc-federation)
+ configured.
+- An IAM role with the `codecommit:GitPull` permission for the target
+ repository.
+
+##### Configure Flux controller
+
+1. Configure authentication using your preferred [method](https://fluxcd.io/flux/integrations/aws/#authentication).
+
+ Example IAM role policy (see [docs](https://fluxcd.io/flux/integrations/aws/#for-amazon-codecommit) for more details):
+
+ ```json
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "codecommit:GitPull",
+ "Resource": "arn:aws:codecommit:::"
+ }
+ ]
+ }
+ ```
+
+2. Configure AWS CodeCommit `GitRepository`
+
+ ```yaml
+ ---
+ apiVersion: source.toolkit.fluxcd.io/v1
+ kind: GitRepository
+ metadata:
+ name: codecommit-repository
+ namespace: flux-system
+ spec:
+ interval: 5m0s
+ provider: aws
+ serviceAccountName: my-tenant # optional (used for object-level workload identity)
+ url: https://git-codecommit..amazonaws.com/v1/repos/
+ ref:
+ branch: main
+ ```
+
#### Azure
The `azure` provider can be used to authenticate to Azure DevOps repositories
diff --git a/internal/controller/gitrepository_controller.go b/internal/controller/gitrepository_controller.go
index 36776e689..429684d98 100644
--- a/internal/controller/gitrepository_controller.go
+++ b/internal/controller/gitrepository_controller.go
@@ -670,11 +670,13 @@ func (r *GitRepositoryReconciler) getAuthOpts(ctx context.Context, obj *sourcev1
// Configure provider authentication if specified.
var getCreds func() (*authutils.GitCredentials, error)
switch provider := obj.GetProvider(); provider {
- case sourcev1.GitProviderAzure: // If AWS or GCP are added in the future they can be added here separated by a comma.
+ // If other providers (GCP, etc.) are added in the future they can be added here separated by a comma.
+ case sourcev1.GitProviderAzure, sourcev1.GitProviderAWS:
getCreds = func() (*authutils.GitCredentials, error) {
opts := []auth.Option{
auth.WithClient(r.Client),
auth.WithServiceAccountNamespace(obj.GetNamespace()),
+ auth.WithGitURL(u),
}
if obj.Spec.ServiceAccountName != "" {
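Review bot: `auth.WithGitURL(u)` is now passed for the Azure provider as well as AWS, because both share the case clause on the line above, and nothing in the hunk shows whether the Azure credential path is affected by that option. Worth confirming against the auth package and an existing Azure test, and recording the intent next to the option, e.g. `auth.WithGitURL(u), // needed by the AWS provider to derive the CodeCommit endpoint; TODO confirm no-op for Azure`. The relocated "other providers" comment now sits between the end of the previous case and the new `case` line; placing it at the end of the case line keeps the switch easier to scan. `u` and the rest of the closure are outside the hunk, and getAuthOpts starts and ends outside it.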
diff --git a/internal/controller/gitrepository_controller_test.go b/internal/controller/gitrepository_controller_test.go
index 46835e5d7..c5ea17d7d 100644
--- a/internal/controller/gitrepository_controller_test.go
+++ b/internal/controller/gitrepository_controller_test.go
@@ -929,6 +929,23 @@ func TestGitRepositoryReconciler_getAuthOpts_provider(t *testing.T) {
},
wantErr: auth.FeatureGateObjectLevelWorkloadIdentity,
},
+ {
+ name: "aws provider with non codecommit URL",
+ url: "https://github.com/org/repo.git",
+ beforeFunc: func(obj *sourcev1.GitRepository) {
+ obj.Spec.Provider = sourcev1.GitProviderAWS
+ },
+ wantErr: "failed to create provider access token for the controller",
+ },
+ {
+ name: "aws provider with service account and feature gate for object-level identity disabled",
+ url: "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my-repo",
+ beforeFunc: func(obj *sourcev1.GitRepository) {
+ obj.Spec.Provider = sourcev1.GitProviderAWS
+ obj.Spec.ServiceAccountName = "aws-sa"
+ },
+ wantErr: auth.FeatureGateObjectLevelWorkloadIdentity,
+ },
{
name: "github provider with no secret ref",
url: "https://github.com/org/repo.git",
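Review bot: The "aws provider with non codecommit URL" case asserts only the generic substring `failed to create provider access token for the controller`, which any token-minting failure (for example, no AWS credentials in the test environment) would also satisfy, so the test does not pin the URL rejection it is named for. If the auth package reports a distinguishable error for a non-CodeCommit URL, assert on that message or on the wrapped error with `errors.Is`/`errors.As`; otherwise add `// Only verifies that token creation fails; the URL-shape error is not surfaced separately.` above the case so the limitation is explicit. There is no positive case (aws provider, CodeCommit URL, no service account), presumably because it needs credentials; if this file already has a fake credential source, that case would close the gap. The test function and the surrounding table begin outside the hunk.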