feat(eks-ci): add the GitHub-OIDC CI role for the ksail EKS smoke test#4
feat(eks-ci): add the GitHub-OIDC CI role for the ksail EKS smoke test#4devantler wants to merge 4 commits into
Conversation
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ce9566858c
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
The EKS API's documented accessEntryArn uses the accessEntry/ segment while the service authorization convention documents access-entry/; a non-matching pattern grants nothing, so cover both to keep access-entry management working for API-mode clusters.
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 7417e4810d
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
…rovider lifecycle perms Codex P1s on #4: (1) eksctl with iam.withOIDC needs Create/Delete/Tag OpenIDConnectProvider — granted scoped to oidc-provider/oidc.eks.* so the GitHub Actions provider stays untouchable; (2) iam:CreateRole is now conditioned on the eks-ci-smoke-boundary permissions boundary (new Policy MR) so a workflow assuming eks-ci cannot mint an unbounded role and pass it to EC2 to escalate beyond the smoke-test scope.
|
Codex Review: Didn't find any major issues. You're on a roll. Reviewed commit: ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
Why
The ksail EKS smoke test still cannot run: the AWS-side identity it must assume does not exist yet. Step 1 (the GitHub OIDC provider) now reconciles on prod after the platform egress fix, which surfaced the exact provider ARN this role's trust policy requires.
What
Adds the
eks-ciIAM role: trust locked to the ksail repo'scienvironment via GitHub OIDC (no long-lived keys), a 2-hour session cap, and an inline least-privilege policy scoped to the smoke test'sst-eks-*/eksctl-st-eks-*resource naming wherever IAM supports it. Once it reconciles, its ARN goes to the ksailcienvironment asAWS_OIDC_ROLE_ARN(the workflow's activation gate — merging this creates the role but activates nothing in CI).Part of devantler-tech/platform#2326 (child 2, step 2 of 2).
Merge order: devantler-tech/platform#2612 (activates the
Policymanaged-resource kind) must merge first, or the new permissions-boundary manifest sits pending; ksail#6082 then wires the boundary into the generatedeks.yamlbefore the workflow's first dispatch.