Skip to content

chore(deps): migrated aws sdk v1 to v2 for EKS with argocd-k8s-auth #26200

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
reggie-k wants to merge 4 commits into
base: master
Choose a base branch
from
Open

chore(deps): migrated aws sdk v1 to v2 for EKS with argocd-k8s-auth #26200

reggie-k wants to merge 4 commits into from
+69 −24

Conversation

@reggie-k
Copy link
Member

@reggie-k reggie-k commented Feb 1, 2026
edited
Loading

Related to #12419
Previous PR:
#25222

  • Migrated the sdk-go library to v2 for cmd/argocd-k8s-auth/commands/aws.go
  • Added more unit tests.
  • Performed extensive manual tests with kubectl using an argocd-k8s-auth generated-token against a live EKS cluster - with IAM role, AWS_PROFILE and AWS cred env vars.
  • Performed extensive e2e tests with a locally running argo-cd against a live EKS cluster - syncing an App using a cluster secret with IAM role, AWS_PROFILE and AWS cred env vars.

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • The title of the PR conforms to the Title of the PR
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).
  • My new feature complies with the feature status guidelines.
  • I have added a brief description of why this PR is necessary and/or what this PR solves.
  • Optional. My organization is added to USERS.md.
  • Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

@bunnyshell
Copy link

bunnyshell bot commented Feb 1, 2026
edited
Loading

✅ Preview Environment deployed on Bunnyshell

Component Endpoints
argocd https://argocd-bqbimx.bunnyenv.com/
argocd-ttyd https://argocd-web-cli-bqbimx.bunnyenv.com/

See: Environment Details | Pipeline Logs

Available commands (reply to this comment):

  • 🔴 /bns:stop to stop the environment
  • 🚀 /bns:deploy to redeploy the environment
  • /bns:delete to remove the environment

@reggie-k
placate linter
432f958 
Signed-off-by: reggie-k <[email protected]>
reggie-k
reggie-k commented Feb 1, 2026
View reviewed changes
cmd/argocd-k8s-auth/commands/aws.go
if profile != "" {
opts = append(opts, config.WithSharedConfigProfile(profile))
}
cfg, err := config.LoadDefaultConfig(ctx, opts...)
Copy link
Member Author

@reggie-k reggie-k Feb 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/migrate-gosdk.html#configuration-loading

reggie-k
reggie-k commented Feb 1, 2026
View reviewed changes
cmd/argocd-k8s-auth/commands/aws.go
if roleARN != "" {
creds := stscreds.NewCredentials(sess, roleARN)
stsAPI = sts.New(sess, &aws.Config{Credentials: creds})
appCreds := stscreds.NewAssumeRoleProvider(client, roleARN)
Copy link
Member Author

@reggie-k reggie-k Feb 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to AWS Security Token Service Credentials in https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/migrate-gosdk.html

reggie-k
reggie-k commented Feb 1, 2026
View reviewed changes
cmd/argocd-k8s-auth/commands/aws.go
request.HTTPRequest.Header.Add(clusterIDHeader, clusterName)
signed, err := request.Presign(requestPresignParam)

presignClient := sts.NewPresignClient(client)
Copy link
Member Author

@reggie-k reggie-k Feb 1, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to Presigned Requests in the migration guide.
Another way to implement this was using middleware, according to HTTP request/response in the guide, but this way an invalid token was generated.

@reggie-k reggie-k marked this pull request as ready for review February 1, 2026 19:18
@reggie-k reggie-k requested a review from a team as a code owner February 1, 2026 19:18
agaudreault
agaudreault approved these changes Feb 2, 2026
View reviewed changes
Copy link
Member

@agaudreault agaudreault left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, but I haven't tested it with eks cluster

ppapapetrou76
ppapapetrou76 approved these changes Feb 2, 2026
View reviewed changes
Copy link
Contributor

@ppapapetrou76 ppapapetrou76 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM I left a few optional code improvements

cmd/argocd-k8s-auth/commands/aws.go
Comment on lines 96 to +99
if roleARN != "" {
creds := stscreds.NewCredentials(sess, roleARN)
stsAPI = sts.New(sess, &aws.Config{Credentials: creds})
appCreds := stscreds.NewAssumeRoleProvider(client, roleARN)
cfg.Credentials = aws.NewCredentialsCache(appCreds)
client = sts.NewFromConfig(cfg)
Copy link
Contributor

@ppapapetrou76 ppapapetrou76 Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know that this is not added entirely in this PR but it would be nice if we can add UT - optional ofc

reggie-k and others added 2 commits February 3, 2026 12:24
@reggie-k @ppapapetrou76
Update cmd/argocd-k8s-auth/commands/aws_test.go
2348f63 
Co-authored-by: Papapetrou Patroklos <[email protected]>
Signed-off-by: Regina Voloshin <[email protected]>
@reggie-k @ppapapetrou76
Update cmd/argocd-k8s-auth/commands/aws.go
1105aa8 
Co-authored-by: Papapetrou Patroklos <[email protected]>
Signed-off-by: Regina Voloshin <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@agaudreault agaudreault agaudreault approved these changes

+1 more reviewer

@ppapapetrou76 ppapapetrou76 ppapapetrou76 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@reggie-k @ppapapetrou76 @agaudreault