feat(cfworkers): replace presigned URLs with direct S3 credentials#6
Merged
…WNLOAD_URL to builder job
…of presigned URLs Cache and state are now accessed by the builder using S3_ARTIFACTS_BUCKET, S3_STATE_BUCKET, S3_REGION, S3_ACCESS_KEY_ID, S3_SECRET_ACCESS_KEY env vars.
…credentials directly
72e9274 to
9b1b1a8
Remove static S3 credentials from builder jobs. The operator now creates a ServiceAccount (deco-operator-builders) in the site namespace before each job, and sets serviceAccountName on the pod spec. Credentials are provided via EKS Pod Identity, so S3_ACCESS_KEY_ID and S3_SECRET_ACCESS_KEY are no longer passed. Also adds build.serviceAccount helm value and BUILD_SERVICE_ACCOUNT env var.
nicacioliveira
previously approved these changes
May 8, 2026
Add BUILD_ROLE_ARN env var. The operator sets eks.amazonaws.com/role-arn on the ServiceAccount via CreateOrUpdate so IRSA credentials are injected into builder pods automatically.
…or builder pods Allows targeting a specific node pool and scheduling on tainted nodes, configurable as operator-level defaults (Helm values / env vars) with per-site override via spec.build.nodeSelector and spec.build.tolerations. Also replaces the single BuilderRoleArn with a generic BuilderSAAnnotations map so any number of ServiceAccount annotations can be injected. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
nicacioliveira
previously approved these changes
May 8, 2026
…and SA annotations support Updates helm-generator to emit BUILD_NODE_SELECTOR and BUILD_TOLERATIONS env vars, fixes the $-variable corruption in ReplaceAllString by switching to strings.Replace, and switches nodeSelector env var to JSON format (consistent with tolerations). Regenerates CRDs and RBAC via controller-gen to include the new fields. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
nicacioliveira
approved these changes
May 8, 2026
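The `$`-variable corruption mentioned in the commit above comes from `regexp.ReplaceAllString` treating `$name` in the replacement text as a submatch reference. The following is an added Go example, not the project's code: the placeholder token, the chart fragment and the Helm snippet are constructed, and it shows the mangled output next to the `strings.Replace` fix the commit adopted.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Placeholder the generator substitutes in its chart template (assumed name,
// not the project's actual token).
const placeholder = "__BUILD_NODE_SELECTOR__"

var placeholderRe = regexp.MustCompile(regexp.QuoteMeta(placeholder))

// renderBuggy reproduces the defect: ReplaceAllString interprets "$name" and
// "${name}" in the replacement as submatch references, so Helm variables such
// as $k and $v are silently replaced with empty strings.
func renderBuggy(tmpl, snippet string) string {
	return placeholderRe.ReplaceAllString(tmpl, snippet)
}

// renderFixed mirrors the fix in the commit: strings.Replace inserts the
// snippet verbatim, with no "$" expansion.
func renderFixed(tmpl, snippet string) string {
	return strings.Replace(tmpl, placeholder, snippet, 1)
}

// renderLiteral is the equivalent fix if a regexp must be kept.
func renderLiteral(tmpl, snippet string) string {
	return placeholderRe.ReplaceAllLiteralString(tmpl, snippet)
}

// snippetIntact reports whether the snippet survived rendering unchanged,
// a cheap check a generator's tests can run on its own output.
func snippetIntact(rendered, snippet string) bool {
	return strings.Contains(rendered, snippet)
}

// Constructed inputs: a fragment of a pod template and the Helm range loop
// the generator inserts for the nodeSelector map.
const chartTemplate = "nodeSelector:\n  __BUILD_NODE_SELECTOR__\n"
const helmSnippet = "{{- range $k, $v := .Values.build.nodeSelector }}\n  {{ $k }}: {{ $v | quote }}\n  {{- end }}"

func main() {
	fmt.Println("buggy:\n" + renderBuggy(chartTemplate, helmSnippet))
	fmt.Println("fixed:\n" + renderFixed(chartTemplate, helmSnippet))
	fmt.Println("intact after fix:", snippetIntact(renderFixed(chartTemplate, helmSnippet), helmSnippet))
}
```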
The builder job now receives S3 credentials directly (region, access key,
secret key) along with explicit bucket names for logs, artifacts, and state.
Removes the presign layer entirely — no more generating short-lived URLs
in the operator and passing them to the job.
Also adds StateBucket to S3Config and wires S3_STATE_BUCKET through the
Helm generator and chart templates.