From dbbd746dccc309f2cb9ed860a9ea51f581e8fbdc Mon Sep 17 00:00:00 2001 From: Nikolai Emil Damm Date: Fri, 10 Jul 2026 18:44:25 +0200 Subject: [PATCH] feat(eks-ci): declare the GitHub Actions OIDC identity provider Re-lands #2 (which was accidentally based on the stale scaffold branch rather than main) as a clean commit on top of main. Co-Authored-By: Claude Fable 5 --- deploy/eks-ci/github-oidc-provider.yaml | 30 +++++++++++++++++++++++++ deploy/eks-ci/kustomization.yaml | 26 +++++++++++++++++++++ deploy/kustomization.yaml | 4 +++- 3 files changed, 59 insertions(+), 1 deletion(-) create mode 100644 deploy/eks-ci/github-oidc-provider.yaml create mode 100644 deploy/eks-ci/kustomization.yaml diff --git a/deploy/eks-ci/github-oidc-provider.yaml b/deploy/eks-ci/github-oidc-provider.yaml new file mode 100644 index 0000000..ccc57cc --- /dev/null +++ b/deploy/eks-ci/github-oidc-provider.yaml @@ -0,0 +1,30 @@ +# The GitHub Actions OIDC identity provider for this AWS account. One per +# account; every repo/workflow-scoped CI role trusts it with a `sub` condition +# (first consumer: the ksail EKS smoke-test role, step 2 in kustomization.yaml). +# Delete is omitted so a Flux prune can never remove the account's OIDC trust +# anchor out from under roles that reference it. +apiVersion: iam.aws.m.upbound.io/v1beta1 +kind: OpenIDConnectProvider +metadata: + name: github-actions +spec: + managementPolicies: + - Observe + - Create + - Update + - LateInitialize + forProvider: + url: https://token.actions.githubusercontent.com + clientIdList: + - sts.amazonaws.com + # AWS has trusted GitHub's root CAs directly since 2023-07 and ignores + # these for token.actions.githubusercontent.com, but the field is part of + # the resource shape — pin GitHub's two published thumbprints so the spec + # is deterministic rather than provider-computed. + thumbprintList: + - 6938fd4d98bab03faadb97b34396831e3780aea1 + - 1c58a3a8518e8759bf075b76b750d4f2df264fcd + providerConfigRef: + kind: ProviderConfig + name: default + diff --git a/deploy/eks-ci/kustomization.yaml b/deploy/eks-ci/kustomization.yaml new file mode 100644 index 0000000..1f040c6 --- /dev/null +++ b/deploy/eks-ci/kustomization.yaml @@ -0,0 +1,26 @@ +# EKS CI identity (platform#2326, child 2 of platform#2324): the AWS-side +# identity the ksail "System Test - EKS" workflow assumes via GitHub Actions +# OIDC — no long-lived key is stored anywhere. Platform-side activation +# (provider-aws-iam MRDs + tenant RBAC for exactly OpenIDConnectProvider and +# Role) landed via platform#2565; these manifests are the activation +# checkpoint it left dark. +# +# Two-step rollout (the role's trust policy must name the provider's EXACT +# ARN, which embeds the AWS account id — only observable after step 1 +# reconciles; principal ARNs cannot be wildcarded): +# 1. (this slice) The GitHub OIDC identity provider. Reconciling it proves +# the OpenBao bootstrap credential end-to-end and surfaces the account id +# in status.atProvider.arn. +# 2. (follow-up) The `Role`: trust scoped to +# repo:devantler-tech/ksail:environment:ci, maxSessionDuration 7200 (the +# smoke job may run 120 min incl. cleanup), least-privilege permissions +# as an INLINE policy (per platform#2564: Policy/RolePolicyAttachment +# MRDs are deliberately NOT activated), scoped to the workflow's +# st-eks-*/eksctl-st-eks-* naming. Its ARN then goes to the ksail `ci` +# environment as AWS_OIDC_ROLE_ARN (child 3, the workflow's clean-skip +# gate). +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - github-oidc-provider.yaml + diff --git a/deploy/kustomization.yaml b/deploy/kustomization.yaml index d3cb998..757e3d7 100644 --- a/deploy/kustomization.yaml +++ b/deploy/kustomization.yaml @@ -10,4 +10,6 @@ # add credentials or provider config here. apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -resources: [] +resources: + - eks-ci/ +