Conversation

@paulfouquet (Collaborator) commented Jun 5, 2025

Motivation

The PR namespace Service Account needs an IRSA (IAM Role for ServiceAccount) to be able to do some operations on buckets and assume other shared roles.

ServiceAccount in the argo namespace:

Name:                workflow-runner-sa
Namespace:           argo
Labels:              app.kubernetes.io/name=workflow-runner-sa
                     aws.cdk.eks/prune-abc
Annotations:         eks.amazonaws.com/role-arn: arn:aws:iam::012345678910:role/Workflows-EksWorkflowsArgoRunnerServiceAccountRole-abc
Image pull secrets:  <none>
Mountable secrets:   <none>
Tokens:              <none>
Events:              <none>

ServiceAccount in the pr-* namespace:

Name:                workflow-runner-sa
Namespace:           pr-*
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   <none>
Tokens:              <none>
Events:              <none>

Modifications

  • Create an IRSA for the pr-* ServiceAccounts
  • Modify the ServiceAccount creation template to allow passing this IRSA as a GH secret

TODO

Deploy: [image]

Verification

TODO
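
The two pieces an IRSA for the pr-* namespaces consists of are the IAM role trust policy (which must restrict the OIDC `sub` claim to the workflow-runner-sa ServiceAccount in pr-* namespaces, and the `aud` claim to sts.amazonaws.com) and the eks.amazonaws.com/role-arn annotation on the ServiceAccount itself. The following is an added example, not code from this PR or the project; the account ID, OIDC issuer, role ARN and namespace name are placeholders, and the small matcher only models the StringEquals/StringLike condition operators used here, not full IAM policy evaluation.

```python
"""Build and sanity-check an IRSA trust policy for a ServiceAccount shared
across temporary pr-* namespaces (added example; all identifiers are placeholders)."""
import json
import re

# Placeholders, not real values.
ACCOUNT_ID = "123456789012"
OIDC_ISSUER = "oidc.eks.ap-southeast-2.amazonaws.com/id/EXAMPLEOIDCID"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/Workflows-PrRunnerServiceAccountRole"
SA_NAME = "workflow-runner-sa"
NAMESPACE_PATTERN = "pr-*"


def irsa_trust_policy(account_id, oidc_issuer, namespace_pattern, sa_name):
    """Trust policy allowing the cluster's OIDC provider to assume the role,
    but only for tokens whose sub names sa_name in a matching namespace."""
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{oidc_issuer}"
    sub = f"system:serviceaccount:{namespace_pattern}:{sa_name}"
    # aud must be STS: a projected token minted for another audience is rejected.
    condition = {"StringEquals": {f"{oidc_issuer}:aud": "sts.amazonaws.com"}}
    if "*" in namespace_pattern or "?" in namespace_pattern:
        condition["StringLike"] = {f"{oidc_issuer}:sub": sub}
    else:
        condition["StringEquals"][f"{oidc_issuer}:sub"] = sub
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


def service_account_manifest(namespace, sa_name, role_arn):
    """ServiceAccount with the annotation the EKS pod identity webhook reads to
    inject AWS_ROLE_ARN and the projected web identity token into pods."""
    return {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {
            "name": sa_name,
            "namespace": namespace,
            "annotations": {"eks.amazonaws.com/role-arn": role_arn},
        },
    }


def _iam_match(pattern, value):
    """IAM StringLike: '*' matches any run of characters (colons included),
    '?' matches one character; everything else is literal."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def token_allowed(policy, oidc_issuer, sub, aud="sts.amazonaws.com"):
    """Would a web identity token with these sub/aud claims satisfy the
    single Allow statement's conditions? All condition blocks must match."""
    claims = {f"{oidc_issuer}:sub": sub, f"{oidc_issuer}:aud": aud}
    for stmt in policy["Statement"]:
        for operator, tests in stmt.get("Condition", {}).items():
            for key, pattern in tests.items():
                value = claims.get(key)
                if value is None:
                    return False
                if operator == "StringEquals" and value != pattern:
                    return False
                if operator == "StringLike" and not _iam_match(pattern, value):
                    return False
    return True


if __name__ == "__main__":
    policy = irsa_trust_policy(ACCOUNT_ID, OIDC_ISSUER, NAMESPACE_PATTERN, SA_NAME)
    print(json.dumps(policy, indent=2))
    print(json.dumps(service_account_manifest("pr-123", SA_NAME, ROLE_ARN), indent=2))
    for sub in (
        f"system:serviceaccount:pr-123:{SA_NAME}",   # intended caller
        f"system:serviceaccount:argo:{SA_NAME}",     # other namespace
        "system:serviceaccount:pr-123:default",      # other SA in a PR namespace
    ):
        print(sub, "->", token_allowed(policy, OIDC_ISSUER, sub))
```

Two points worth checking when verifying the deployed role: the `sub` condition must use StringLike (StringEquals with a literal `*` never matches), and because `*` matches anything, every namespace whose name starts with `pr-` can assume the role, so creation of such namespaces needs to be limited to the workflow tooling that creates them.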

@paulfouquet paulfouquet added the workflows Deploy workflows in temporary namespace label Jun 5, 2025
@paulfouquet paulfouquet added workflows Deploy workflows in temporary namespace and removed workflows Deploy workflows in temporary namespace labels Jun 5, 2025
@paulfouquet paulfouquet self-assigned this Jun 5, 2025
@paulfouquet paulfouquet marked this pull request as ready for review June 5, 2025 22:51
@paulfouquet paulfouquet requested review from a team as code owners June 5, 2025 22:51
@paulfouquet (Collaborator, Author) commented:

Putting this PR on hold (Draft) as it does not comply with security requirements:

Any production secrets must be defined in an environment that is only accessible by the main/master branch.

@paulfouquet paulfouquet marked this pull request as draft June 9, 2025 02:21
3 participants