Skip to content

feat: add IRSA (IAM Roles for Service Accounts) support#110

Open
RonnanSouza wants to merge 1 commit into
mainfrom
feat/irsa-support
Open

feat: add IRSA (IAM Roles for Service Accounts) support#110
RonnanSouza wants to merge 1 commit into
mainfrom
feat/irsa-support

Conversation

@RonnanSouza

Copy link
Copy Markdown
Contributor

Summary

  • Add an alternative AWS authentication method for KopsControlPlane using IRSA instead of static credentials in Kubernetes Secrets
  • New irsaRef field on KCP spec references a ServiceAccount annotated with eks.amazonaws.com/role-arn; the operator assumes the role via STS AssumeRole
  • Backward compatible: existing identityRef-based authentication continues to work unchanged

Changes

  • CRD: Add IRSASpec type and optional irsaRef field to KopsControlPlaneSpec; regenerate CRD manifests and DeepCopy methods
  • Credential resolution: New ResolveAWSCredentials() picks IRSA when irsaRef is set, falls back to identityRef Secret
  • Session token support: AWS_SESSION_TOKEN now propagated to Terraform env vars and kOps env vars
  • RBAC: Add get/list/watch on serviceaccounts for the controller
  • Tests: Unit tests for IRSA credential resolution (missing SA, missing annotation, preference over identityRef, neither set)
  • Docs: README updated with IRSA usage instructions and examples

Test plan

  • go build ./... passes
  • go test ./... passes (all existing + 5 new tests)
  • make lint passes (0 issues)
  • make manifests regenerates CRDs with new irsaRef field
  • make generate regenerates DeepCopy for IRSASpec
  • Deploy to dev environment and test with a real IRSA-annotated ServiceAccount

🤖 Generated with Claude Code

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant