feat(eks-ci): add the GitHub-OIDC CI role for the ksail EKS smoke test#4
feat(eks-ci): add the GitHub-OIDC CI role for the ksail EKS smoke test#4devantler wants to merge 4 commits into
Conversation
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ce9566858c
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
The EKS API's documented accessEntryArn uses the accessEntry/ segment while the service authorization convention documents access-entry/; a non-matching pattern grants nothing, so cover both to keep access-entry management working for API-mode clusters.
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 7417e4810d
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
…rovider lifecycle perms Codex P1s on #4: (1) eksctl with iam.withOIDC needs Create/Delete/Tag OpenIDConnectProvider — granted scoped to oidc-provider/oidc.eks.* so the GitHub Actions provider stays untouchable; (2) iam:CreateRole is now conditioned on the eks-ci-smoke-boundary permissions boundary (new Policy MR) so a workflow assuming eks-ci cannot mint an unbounded role and pass it to EC2 to escalate beyond the smoke-test scope.
|
Codex Review: Didn't find any major issues. You're on a roll. Reviewed commit: ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
⛔ HOLD — do not merge this PR yet (merge-order gate)This PR is CLEAN and promoted, so the merge policy would otherwise pick it up. It must not merge in its current shape. Why. Raised by the codex review on platform#2612 — which auto-merged before it could be addressed. Sequence to unblock:
I will make edit (2) once #2631 merges. Flagging here so no run merges this in the meantime. |
⛔ HOLD still stands — and the scope grewUpdate to my earlier hold: the review on platform#2631 showed that moving only the boundary policy to the platform fixed nothing. The cap on what So both files move to the platform, not just one. platform#2631 now owns:
and the tenant ServiceAccount now grants only What this PR becomes: I will do that once #2631 merges. Until then: do not merge this. |
Closing — superseded by
|
Why
The ksail EKS smoke test still cannot run: the AWS-side identity it must assume does not exist yet. Step 1 (the GitHub OIDC provider) now reconciles on prod after the platform egress fix, which surfaced the exact provider ARN this role's trust policy requires.
What
Adds the
eks-ciIAM role: trust locked to the ksail repo'scienvironment via GitHub OIDC (no long-lived keys), a 2-hour session cap, and an inline least-privilege policy scoped to the smoke test'sst-eks-*/eksctl-st-eks-*resource naming wherever IAM supports it. Once it reconciles, its ARN goes to the ksailcienvironment asAWS_OIDC_ROLE_ARN(the workflow's activation gate — merging this creates the role but activates nothing in CI).Part of devantler-tech/platform#2326 (child 2, step 2 of 2).
Merge order: devantler-tech/platform#2612 (activates the
Policymanaged-resource kind) must merge first, or the new permissions-boundary manifest sits pending; ksail#6082 then wires the boundary into the generatedeks.yamlbefore the workflow's first dispatch.