From 08b39f7b82f736f98e87d7d415e530ea76a531de Mon Sep 17 00:00:00 2001 From: Taras <9948629+taraspos@users.noreply.github.com> Date: Mon, 27 Apr 2026 13:03:49 +0100 Subject: [PATCH] feat: add support of aws codecommit bootstrap Signed-off-by: Taras <9948629+taraspos@users.noreply.github.com> --- cmd/flux/bootstrap_git.go | 34 ++++++++++++++++++++------- cmd/flux/create_source_git.go | 6 +++++ cmd/flux/create_source_git_test.go | 2 +- go.mod | 3 ++- go.sum | 6 +++-- internal/flags/source_git_provider.go | 5 +++- pkg/manifestgen/sync/options.go | 1 + pkg/manifestgen/sync/sync.go | 1 + 8 files changed, 45 insertions(+), 13 deletions(-) diff --git a/cmd/flux/bootstrap_git.go b/cmd/flux/bootstrap_git.go index 494e1fd3..2ea2babd 100644 --- a/cmd/flux/bootstrap_git.go +++ b/cmd/flux/bootstrap_git.go @@ -28,6 +28,9 @@ import ( "github.com/spf13/cobra" corev1 "k8s.io/api/core/v1" + "github.com/fluxcd/pkg/auth" + "github.com/fluxcd/pkg/auth/aws" + authutils "github.com/fluxcd/pkg/auth/utils" "github.com/fluxcd/pkg/git" "github.com/fluxcd/pkg/git/gogit" @@ -62,9 +65,12 @@ command will perform an upgrade if needed.`, # Run bootstrap for a Git repository with a private key and password flux bootstrap git --url=ssh://git@example.com/repository.git --private-key-file= --password= --path=clusters/my-cluster - # Run bootstrap for a Git repository on AWS CodeCommit + # Run bootstrap for a Git repository on AWS CodeCommit using SSH flux bootstrap git --url=ssh://@git-codecommit..amazonaws.com/v1/repos/ --private-key-file= --password= --path=clusters/my-cluster + # Run bootstrap for a Git repository on AWS CodeCommit using HTTPS with IAM credentials + flux bootstrap git --url=https://git-codecommit..amazonaws.com/v1/repos/ --path=clusters/my-cluster + # Run bootstrap for a Git repository on Azure Devops flux bootstrap git --url=ssh://git@ssh.dev.azure.com/v3/// --private-key-file= --ssh-hostkey-algos=rsa-sha2-512,rsa-sha2-256 --path=clusters/my-cluster 
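Review bot: The new HTTPS example says "with IAM credentials" but not where they come from or what the cluster needs afterwards: from the bootstrap code this path takes whatever the local AWS credential chain resolves for the CLI-side push, and the generated GitRepository is given `provider: aws`, which presumably requires source-controller to have its own IAM identity (IRSA or pod identity) to pull. Suggest extending the example's comment to `# Run bootstrap for a Git repository on AWS CodeCommit over HTTPS, authenticating the push with the local AWS credential chain; the cluster's source-controller needs its own IAM identity to pull via provider=aws`. It is also worth saying in the same comment that passing `--token-auth` keeps the existing static Git-credentials behaviour instead of the IAM path. The example text this hunk edits starts and ends outside the hunk.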
@@ -109,6 +115,7 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error { bootstrapArgs.tokenAuth = true } + var gitProvider string gitPassword := os.Getenv(gitPasswordEnvVar) if gitPassword != "" && gitArgs.password == "" { gitArgs.password = gitPassword @@ -131,8 +138,12 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error { return err } + ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout) + defer cancel() + if strings.Contains(repositoryURL.Hostname(), "git-codecommit") && strings.Contains(repositoryURL.Hostname(), "amazonaws.com") { - if repositoryURL.Scheme == string(git.SSH) { + // https://docs.aws.amazon.com/codecommit/latest/userguide/auth-and-access-control.html + if repositoryURL.Scheme == string(git.SSH) { // IAM user + SSH if repositoryURL.User == nil { return fmt.Errorf("invalid AWS CodeCommit url: ssh username should be specified in the url") } @@ -142,14 +153,18 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error { if bootstrapArgs.privateKeyFile == "" { return fmt.Errorf("private key file is required for bootstrapping against AWS CodeCommit using ssh") } + } else if repositoryURL.Scheme == string(git.HTTPS) && !bootstrapArgs.tokenAuth { // IAM role + HTTPS + creds, err := authutils.GetGitCredentials(ctx, "aws", auth.WithGitURL(*repositoryURL)) + if err != nil { + return fmt.Errorf("failed to get AWS CodeCommit IAM git credentials: %w", err) + } + gitArgs.username = creds.Username + gitArgs.password = creds.Password + bootstrapArgs.tokenAuth = true + gitProvider = aws.ProviderName } - if repositoryURL.Scheme == string(git.HTTPS) && !bootstrapArgs.tokenAuth { - return fmt.Errorf("--token-auth=true must be specified for using an HTTPS AWS CodeCommit url") - } - } - ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout) - defer cancel() + } kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions) if err != nil { 
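Review bot: The IAM branch copies the credential returned by `authutils.GetGitCredentials` into `gitArgs.username`/`gitArgs.password` and sets `bootstrapArgs.tokenAuth = true`, so the rest of bootstrapGitCmdRun (outside this hunk) treats it exactly like a user-supplied static token; the pkg/auth aws provider presumably returns a short-lived signed credential rather than a long-lived secret. If the later code materialises the Git Secret in the cluster from those values, the cluster is left with a Secret holding an already-expired credential next to a GitRepository whose `provider` is `aws`, and it should be confirmed whether source-controller accepts `secretRef` together with `provider: aws` at all. Consider gating the Secret generation on `gitProvider == ""` so the IAM path uses the credential only for the CLI-side push, and say so at the assignment, e.g. `// temporary IAM-derived credential used only for the initial push; in-cluster auth goes through provider=aws`. The comment `// IAM role + HTTPS` is also narrower than what runs: the credential comes from whatever principal the default AWS credential chain yields (env vars, profile, instance or role credentials), so `// IAM principal from the AWS credential chain + HTTPS` is more accurate.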
@@ -297,6 +312,9 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error { ManifestFile: sync.MakeDefaultOptions().ManifestFile, RecurseSubmodules: bootstrapArgs.recurseSubmodules, } + if gitProvider != "" { + syncOpts.Provider = gitProvider + } entityList, err := bootstrap.LoadEntityListFromPath(bootstrapArgs.gpgKeyRingPath) if err != nil { diff --git a/cmd/flux/create_source_git.go b/cmd/flux/create_source_git.go index 94a5b943..c976e010 100644 --- a/cmd/flux/create_source_git.go +++ b/cmd/flux/create_source_git.go @@ -124,6 +124,12 @@ For private Git repositories, the basic authentication credentials are stored in --username=username \ --password=password + # Create a source for a Git repository using AWS CodeCommit with IAM credentials + flux create source git podinfo \ + --url=https://git-codecommit..amazonaws.com/v1/repos/podinfo \ + --branch=master \ + --provider=aws + # Create a source for a Git repository using azure provider flux create source git podinfo \ --url=https://dev.azure.com/foo/bar/_git/podinfo \ diff --git a/cmd/flux/create_source_git_test.go b/cmd/flux/create_source_git_test.go index 0fed23e0..91e37da2 100644 --- a/cmd/flux/create_source_git_test.go +++ b/cmd/flux/create_source_git_test.go @@ -152,7 +152,7 @@ func TestCreateSourceGitExport(t *testing.T) { { name: "source with invalid provider", args: "create source git podinfo --namespace=flux-system --url=https://dev.azure.com/foo/bar/_git/podinfo --provider dummy --branch=test --interval=1m0s --export", - assert: assertError("invalid argument \"dummy\" for \"--provider\" flag: source Git provider 'dummy' is not supported, must be one of: generic|azure|github"), + assert: assertError("invalid argument \"dummy\" for \"--provider\" flag: source Git provider 'dummy' is not supported, must be one of: generic|github|aws|azure"), }, { name: "source with empty provider", diff --git a/go.mod b/go.mod index f70fd894..0c89ee78 100644 --- a/go.mod +++ b/go.mod 
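Review bot: The `if gitProvider != "" { syncOpts.Provider = gitProvider }` guard is redundant: `Provider` is a plain string whose zero value is already the empty string, so assigning unconditionally, or setting `Provider: gitProvider,` inside the `sync.Options` literal, is equivalent and reads more directly. If the intent is to make "no provider" explicit, a short comment such as `// empty leaves GitRepository .spec.provider unset (presumably the generic default)` says that better than the branch. The `sync.Options` literal begins outside this hunk.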
@@ -20,7 +20,7 @@ require ( github.com/fluxcd/notification-controller/api v1.8.4 github.com/fluxcd/pkg/apis/event v0.25.0 github.com/fluxcd/pkg/apis/meta v1.26.0 - github.com/fluxcd/pkg/auth v0.40.0 + github.com/fluxcd/pkg/auth v0.41.0 github.com/fluxcd/pkg/chartutil v1.23.0 github.com/fluxcd/pkg/envsubst v1.5.0 github.com/fluxcd/pkg/git v0.46.0 @@ -101,6 +101,7 @@ require ( github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.13 // indirect github.com/aws/aws-sdk-go-v2/service/sts v1.41.6 // indirect github.com/aws/smithy-go v1.24.0 // indirect + github.com/aws/smithy-go/aws-http-auth v1.1.3 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver/v4 v4.0.0 // indirect github.com/bshuster-repo/logrus-logstash-hook v1.1.0 // indirect diff --git a/go.sum b/go.sum index 069554d1..95a5bbd3 100644 --- a/go.sum +++ b/go.sum @@ -87,6 +87,8 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.41.6 h1:5fFjR/ToSOzB2OQ/XqWpZBmNvmP/ github.com/aws/aws-sdk-go-v2/service/sts v1.41.6/go.mod h1:qgFDZQSD/Kys7nJnVqYlWKnh0SSdMjAi0uSwON4wgYQ= github.com/aws/smithy-go v1.24.0 h1:LpilSUItNPFr1eY85RYgTIg5eIEPtvFbskaFcmmIUnk= github.com/aws/smithy-go v1.24.0/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0= +github.com/aws/smithy-go/aws-http-auth v1.1.3 h1:8/T7/2n8x+x9sIAmi5h5mDKS8v7/u2GEpF6T6RrGMrc= +github.com/aws/smithy-go/aws-http-auth v1.1.3/go.mod h1:KL46VTjVK9De3jurMqDLBkXCP9vrAvD03zQrmyzyrQ0= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= 
@@ -196,8 +198,8 @@ github.com/fluxcd/pkg/apis/kustomize v1.16.0 h1:PhWXEhqQqsisIpwp1/wHvTvo+MO+GGzs github.com/fluxcd/pkg/apis/kustomize v1.16.0/go.mod h1:IZOy4CCtR/hxMGb7erK1RfbGnczVv4/dRBoVD37AywI= github.com/fluxcd/pkg/apis/meta v1.26.0 h1:dxP1FfBpTCYso6odzRcltVnnRuBb2VyhhgV0VX9YbUE= github.com/fluxcd/pkg/apis/meta v1.26.0/go.mod h1:c7o6mJGLCMvNrfdinGZehkrdZuFT9vZdZNrn66DtVD0= -github.com/fluxcd/pkg/auth v0.40.0 h1:p6Kw6KH+z8oRqngKhmTt8ILKD/rC+8tP87a//kLZhi8= -github.com/fluxcd/pkg/auth v0.40.0/go.mod h1:Oq/hIEKUMTbL2bv5blf+EhC/jXXJLsOjIMtJj/AtG3Y= +github.com/fluxcd/pkg/auth v0.41.0 h1:7NaaPN03ginRUUA928n7hiRJoBoMrF/Prl0AtDlLXBQ= +github.com/fluxcd/pkg/auth v0.41.0/go.mod h1:U9xNHUyxOdPhxRnSW7dwloEF9EMeITxt84g8CD8YB3Q= github.com/fluxcd/pkg/cache v0.13.0 h1:MqtlgOwIVcGKKgV422e39O+KFSVMWuExKeRaMDBjJlk= github.com/fluxcd/pkg/cache v0.13.0/go.mod h1:0xRZ1hitrIFQ6pl68ke2wZLbIqA2VLzY78HpDo9DVxs= github.com/fluxcd/pkg/chartutil v1.23.0 h1:ohstQEVnrBIbN85FGu83hnmAohLl0PdOoPlsM6+cjyI= diff --git a/internal/flags/source_git_provider.go b/internal/flags/source_git_provider.go index fb2e6c5b..3f205c6c 100644 --- a/internal/flags/source_git_provider.go +++ b/internal/flags/source_git_provider.go @@ -21,13 +21,16 @@ import ( "strings" "github.com/fluxcd/flux2/v2/internal/utils" + "github.com/fluxcd/pkg/auth/aws" + "github.com/fluxcd/pkg/auth/azure" sourcev1 "github.com/fluxcd/source-controller/api/v1" ) var supportedSourceGitProviders = []string{ sourcev1.GitProviderGeneric, - sourcev1.GitProviderAzure, sourcev1.GitProviderGitHub, + aws.ProviderName, + azure.ProviderName, } type SourceGitProvider string diff --git a/pkg/manifestgen/sync/options.go b/pkg/manifestgen/sync/options.go index 4a209827..cab51037 100644 --- a/pkg/manifestgen/sync/options.go +++ b/pkg/manifestgen/sync/options.go @@ -33,6 +33,7 @@ type Options struct { TargetPath string ManifestFile string RecurseSubmodules bool + Provider string } func MakeDefaultOptions() Options { 
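Review bot: `supportedSourceGitProviders` now mixes constants from two packages — `sourcev1.GitProviderGeneric`/`GitProviderGitHub` from the source-controller API and `aws.ProviderName`/`azure.ProviderName` from `fluxcd/pkg/auth` — and this hunk drops the `sourcev1.GitProviderAzure` constant that was used before. The flag validates what ends up in `GitRepository.spec.provider`, so the authoritative list is the API package; if `sourcev1` exports a constant for aws as well, prefer it and keep `sourcev1.GitProviderAzure`, so the CLI cannot accept a value the CRD validation rejects. If it does not, record the coupling with `// aws/azure come from pkg/auth; keep in sync with the sourcev1 GitProvider* constants`. Note that the reordering also changes the user-facing error text to `generic|github|aws|azure`, which the updated test pins.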
diff --git a/pkg/manifestgen/sync/sync.go b/pkg/manifestgen/sync/sync.go
index 26de1827..526ebfc1 100644
--- a/pkg/manifestgen/sync/sync.go
+++ b/pkg/manifestgen/sync/sync.go
@@ -68,6 +68,7 @@ func Generate(options Options) (*manifestgen.Manifest, error) {
 Name: options.Secret,
 },
 RecurseSubmodules: options.RecurseSubmodules,
+ Provider: options.Provider,
 },
 }