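--- a/config/core/resources/integrationsink.yaml
+++ b/config/core/resources/integrationsink.yaml
@@ -323,6 +323,9 @@ spec:
 name:
 description: 'Secret name'
 type: string
+serviceAccountName:
+description: 'Optional ServiceAccount to assign to pod. This enables the pod default credentials to be used instead of the auth secret.'
+type: string
 status:
 description: Status represents the current state of the IntegrationSink. This data may be out of date.
 type: object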
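Review bot: The new `serviceAccountName` property is an unconstrained `type: string`, and its description does not say which credential applies when it is set together with the auth secret. The value is copied into the adapter pod's spec by the reconciler change in this commit, so the ServiceAccount presumably has to exist in the resource's own namespace; the description should say so and state the precedence. Adding `maxLength: 253` would also reject malformed names at admission rather than when the Deployment is created. The same applies to the identical addition in config/core/resources/integrationsource.yaml.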
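--- a/config/core/resources/integrationsource.yaml
+++ b/config/core/resources/integrationsource.yaml
@@ -322,6 +322,9 @@ spec:
 name:
 description: 'Secret name'
 type: string
+serviceAccountName:
+description: 'Optional ServiceAccount to assign to pod. This enables the pod default credentials to be used instead of the auth secret.'
+type: string
 template:
 type: object
 x-kubernetes-preserve-unknown-fields: true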
6 changes: 4 additions & 2 deletions pkg/apis/common/integration/v1alpha1/auth.go
Expand Up @@ -25,11 +25,13 @@ type Auth struct {

// SecretKey is the AWS secret access key.
SecretKey string `json:"secretKey,omitempty"`

@matzew @creydr how come I don't see this and accessKey field in the Integration* CRDs. Is stuff read from the secret and then these fields populated?


Yes, those values are read from the secret and the fields are populated from there.


ServiceAccountName string `json:"serviceAccountName,omitempty"`
}

func (a *Auth) HasAuth() bool {
return a != nil && a.Secret != nil &&
a.Secret.Ref != nil && a.Secret.Ref.Name != ""
return a != nil && ((a.Secret != nil &&
a.Secret.Ref != nil && a.Secret.Ref.Name != "") || a.ServiceAccountName != "")
}

type Secret struct {
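Review bot: `ServiceAccountName` is added without a doc comment although the neighbouring `SecretKey` has one, and this field is security-relevant: the name comes from the user-supplied spec and the sink reconciler in this commit copies it into the pod spec, so anyone allowed to create an IntegrationSink can apparently run the adapter under any ServiceAccount of that namespace, with whatever RBAC or cloud role is bound to it. I would add `// ServiceAccountName is the ServiceAccount assigned to the adapter pod; when set, the pod's default credentials can be used instead of the auth secret.` and mention in the user docs that create access to these resources should be granted with that in mind. `HasAuth` now also returns true when both a secret and a service account are set, and which of the two takes effect is not stated; one sentence on `HasAuth` would settle that. The `Auth` struct begins above this hunk.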
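--- a/pkg/apis/sinks/v1alpha1/integration_sink_validation_test.go
+++ b/pkg/apis/sinks/v1alpha1/integration_sink_validation_test.go
@@ -63,6 +63,23 @@ func TestIntegrationSinkSpecValidation(t *testing.T) {
 },
 want: nil,
 },
+{
+name: "valid AWS S3 sink with service account and region",
+spec: IntegrationSinkSpec{
+Aws: &Aws{
+S3: &v1alpha1.AWSS3{
+AWSCommon: v1alpha1.AWSCommon{
+Region: "us-east-1",
+},
+Arn: "example-bucket",
+},
+Auth: &v1alpha1.Auth{
+ServiceAccountName: "aws-service-account",
+},
+},
+},
+want: nil,
+},
 {
 name: "valid AWS SQS sink with auth and region",
 spec: IntegrationSinkSpec{
@@ -84,6 +101,23 @@ func TestIntegrationSinkSpecValidation(t *testing.T) {
 },
 want: nil,
 },
+{
+name: "valid AWS SQS sink with service account and region",
+spec: IntegrationSinkSpec{
+Aws: &Aws{
+SQS: &v1alpha1.AWSSQS{
+AWSCommon: v1alpha1.AWSCommon{
+Region: "us-east-1",
+},
+Arn: "example-queue",
+},
+Auth: &v1alpha1.Auth{
+ServiceAccountName: "aws-service-account",
+},
+},
+},
+want: nil,
+},
 {
 name: "multiple sinks set (invalid)",
 spec: IntegrationSinkSpec{
@@ -188,6 +222,21 @@ func TestIntegrationSinkSpecValidation(t *testing.T) {
 },
 want: apis.ErrMissingField("aws.auth.secret.ref.name"),
 },
+{
+name: "AWS sink without auth credentials (invalid)",
+spec: IntegrationSinkSpec{
+Aws: &Aws{
+S3: &v1alpha1.AWSS3{
+AWSCommon: v1alpha1.AWSCommon{
+Region: "us-east-1",
+},
+Arn: "example-bucket",
+},
+Auth: &v1alpha1.Auth{},
+},
+},
+want: apis.ErrMissingField("aws.auth.secret.ref.name"),
+},
 {
 name: "AWS S3 sink without region (invalid)",
 spec: IntegrationSinkSpec{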
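Review bot: None of the added cases sets both `Secret` and `ServiceAccountName` on the same `Auth`, so whether that combination is accepted, and which credential then applies, is not pinned by any test. The new invalid case with `Auth: &v1alpha1.Auth{}` still expects `apis.ErrMissingField("aws.auth.secret.ref.name")`, which points the user at the secret only even though a service account name would now also satisfy `HasAuth`; if the validator is changed to name both paths (knative's `apis.ErrMissingOneOf` looks like a fit), `want` should follow. The same two points apply to the cases added in pkg/apis/sources/v1alpha1/integration_validation_test.go. The test table and function continue outside these hunks.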
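--- a/pkg/apis/sources/v1alpha1/integration_validation_test.go
+++ b/pkg/apis/sources/v1alpha1/integration_validation_test.go
@@ -64,6 +64,23 @@ func TestIntegrationSourceSpecValidation(t *testing.T) {
 },
 want: nil,
 },
+{
+name: "valid AWS S3 source with service account and region",
+spec: IntegrationSourceSpec{
+Aws: &Aws{
+S3: &v1alpha1.AWSS3{
+AWSCommon: v1alpha1.AWSCommon{
+Region: "us-east-1",
+},
+Arn: "example-bucket",
+},
+Auth: &v1alpha1.Auth{
+ServiceAccountName: "aws-service-account",
+},
+},
+},
+want: nil,
+},
 {
 name: "valid AWS SQS source with auth and region",
 spec: IntegrationSourceSpec{
@@ -85,6 +102,23 @@ func TestIntegrationSourceSpecValidation(t *testing.T) {
 },
 want: nil,
 },
+{
+name: "valid AWS SQS source with service account and region",
+spec: IntegrationSourceSpec{
+Aws: &Aws{
+SQS: &v1alpha1.AWSSQS{
+AWSCommon: v1alpha1.AWSCommon{
+Region: "us-east-1",
+},
+Arn: "example-queue",
+},
+Auth: &v1alpha1.Auth{
+ServiceAccountName: "aws-service-account",
+},
+},
+},
+want: nil,
+},
 {
 name: "valid AWS DDBStreams source with auth and region",
 spec: IntegrationSourceSpec{
@@ -106,6 +140,23 @@ func TestIntegrationSourceSpecValidation(t *testing.T) {
 },
 want: nil,
 },
+{
+name: "valid AWS DDBStreams source with service account and region",
+spec: IntegrationSourceSpec{
+Aws: &Aws{
+DDBStreams: &v1alpha1.AWSDDBStreams{
+AWSCommon: v1alpha1.AWSCommon{
+Region: "us-east-1",
+},
+Table: "example-table",
+},
+Auth: &v1alpha1.Auth{
+ServiceAccountName: "aws-service-account",
+},
+},
+},
+want: nil,
+},
 {
 name: "multiple sources set (invalid)",
 spec: IntegrationSourceSpec{
@@ -172,6 +223,35 @@ func TestIntegrationSourceSpecValidation(t *testing.T) {
 },
 want: apis.ErrMissingField("aws.sqs.arn"),
 },
+{
+name: "AWS SQS source without Auth (invalid)",
+spec: IntegrationSourceSpec{
+Aws: &Aws{
+SQS: &v1alpha1.AWSSQS{
+AWSCommon: v1alpha1.AWSCommon{
+Region: "us-east-1",
+},
+Arn: "example-queue",
+},
+},
+},
+want: apis.ErrMissingField("aws.auth.secret.ref.name"),
+},
+{
+name: "AWS SQS source without Auth credentials (invalid)",
+spec: IntegrationSourceSpec{
+Aws: &Aws{
+SQS: &v1alpha1.AWSSQS{
+AWSCommon: v1alpha1.AWSCommon{
+Region: "us-east-1",
+},
+Arn: "example-queue",
+},
+Auth: &v1alpha1.Auth{},
+},
+},
+want: apis.ErrMissingField("aws.auth.secret.ref.name"),
+},
 {
 name: "AWS DDBStreams source without Table (invalid)",
 spec: IntegrationSourceSpec{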
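--- a/pkg/reconciler/integration/sink/resources/container_image.go
+++ b/pkg/reconciler/integration/sink/resources/container_image.go
@@ -107,6 +107,7 @@ func MakeDeploymentSpec(sink *v1alpha1.IntegrationSink, authProxyImage string, f
 },
 },
 },
+ServiceAccountName: makeServiceAccountName(sink),
 },
 },
 },
@@ -367,6 +368,11 @@ func makeEnv(sink *v1alpha1.IntegrationSink, featureFlags feature.Flags) []corev
 integration.MakeSecretEnvVar("CAMEL_KAMELET_AWS_S3_SINK_ACCESSKEY", commonv1a1.AwsAccessKey, secretName),
 integration.MakeSecretEnvVar("CAMEL_KAMELET_AWS_S3_SINK_SECRETKEY", commonv1a1.AwsSecretKey, secretName),
 }...)
+} else {
+envVars = append(envVars, corev1.EnvVar{
+Name: "CAMEL_KAMELET_AWS_S3_SINK_USE_DEFAULT_CREDENTIALS_PROVIDER",
+Value: "true",
+})
 }
 return envVars
 }
@@ -379,6 +385,11 @@ func makeEnv(sink *v1alpha1.IntegrationSink, featureFlags feature.Flags) []corev
 integration.MakeSecretEnvVar("CAMEL_KAMELET_AWS_SQS_SINK_ACCESSKEY", commonv1a1.AwsAccessKey, secretName),
 integration.MakeSecretEnvVar("CAMEL_KAMELET_AWS_SQS_SINK_SECRETKEY", commonv1a1.AwsSecretKey, secretName),
 }...)
+} else {
+envVars = append(envVars, corev1.EnvVar{
+Name: "CAMEL_KAMELET_AWS_SQS_SINK_USE_DEFAULT_CREDENTIALS_PROVIDER",
+Value: "true",
+})
 }
 return envVars
 }
@@ -391,6 +402,11 @@ func makeEnv(sink *v1alpha1.IntegrationSink, featureFlags feature.Flags) []corev
 integration.MakeSecretEnvVar("CAMEL_KAMELET_AWS_SNS_SINK_ACCESSKEY", commonv1a1.AwsAccessKey, secretName),
 integration.MakeSecretEnvVar("CAMEL_KAMELET_AWS_SNS_SINK_SECRETKEY", commonv1a1.AwsSecretKey, secretName),
 }...)
+} else {
+envVars = append(envVars, corev1.EnvVar{
+Name: "CAMEL_KAMELET_AWS_SNS_SINK_USE_DEFAULT_CREDENTIALS_PROVIDER",
+Value: "true",
+})
 }
 return envVars
 }
@@ -399,6 +415,13 @@ func makeEnv(sink *v1alpha1.IntegrationSink, featureFlags feature.Flags) []corev
 return envVars
 }
 
+func makeServiceAccountName(sink *v1alpha1.IntegrationSink) string {
+if sink.Spec.Aws != nil && sink.Spec.Aws.Auth != nil && sink.Spec.Aws.Auth.ServiceAccountName != "" {
+return sink.Spec.Aws.Auth.ServiceAccountName
+}
+return ""
+}
+
 func selectImage(sink *v1alpha1.IntegrationSink) string {
 // Injected in ./config/core/deployments/controller.yaml
 switch {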
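Review bot: The three new `else` branches in `makeEnv` set `CAMEL_KAMELET_AWS_*_SINK_USE_DEFAULT_CREDENTIALS_PROVIDER` to `true` whenever the secret branch is not taken, without checking that a ServiceAccount was actually requested (the `if` condition lies outside the hunks, so this is inferred). The AWS default provider chain falls back to other ambient sources, including the node's instance role where the metadata endpoint is reachable from the pod, so a sink that reaches this branch without a role-bound ServiceAccount may run with broader credentials than intended. I would tie the branch to the field, e.g. `} else if makeServiceAccountName(sink) != "" {`, and give `makeServiceAccountName` a short comment saying that an empty result leaves the pod on the namespace's default ServiceAccount. The three branches differ only in the kamelet name and could share one helper.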