Merge pull request #2035 from taraspos/taras/aws-codecommit

matheuscscp · web-flow · commit 89399adc30bd · 2026-04-24T16:57:31.000+01:00
feat: AWS CodeCommit support
diff --git a/api/v1/gitrepository_types.go b/api/v1/gitrepository_types.go
@@ -39,6 +39,10 @@ const (
 	// GitProviderGitHub provides support for authentication to git
 	// repositories using GitHub App authentication
 	GitProviderGitHub string = "github"
+
+	// GitProviderAWS provides support for authentication to AWS CodeCommit
+	// repositories using IAM credentials.
+	GitProviderAWS string = "aws"
 )
 
 const (
@@ -77,7 +81,7 @@ const (
 
 // GitRepositorySpec specifies the required configuration to produce an
 // Artifact for a Git repository.
-// +kubebuilder:validation:XValidation:rule="!has(self.serviceAccountName) || (has(self.provider) && self.provider == 'azure')",message="serviceAccountName can only be set when provider is 'azure'"
+// +kubebuilder:validation:XValidation:rule="!has(self.serviceAccountName) || (has(self.provider) && (self.provider == 'azure' || self.provider == 'aws'))",message="serviceAccountName can only be set when provider is 'azure' or 'aws'"
 type GitRepositorySpec struct {
 	// URL specifies the Git repository URL, it can be an HTTP/S or SSH address.
 	// +kubebuilder:validation:Pattern="^(http|https|ssh)://.*$"
@@ -93,14 +97,14 @@ type GitRepositorySpec struct {
 	// +optional
 	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
 
-	// Provider used for authentication, can be 'azure', 'github', 'generic'.
+	// Provider used for authentication, can be 'aws', 'azure', 'github', 'generic'.
 	// When not specified, defaults to 'generic'.
-	// +kubebuilder:validation:Enum=generic;azure;github
+	// +kubebuilder:validation:Enum=generic;aws;azure;github
 	// +optional
 	Provider string `json:"provider,omitempty"`
 
 	// ServiceAccountName is the name of the Kubernetes ServiceAccount used to
-	// authenticate to the GitRepository. This field is only supported for 'azure' provider.
+	// authenticate to the GitRepository. This field is only supported for 'azure' and 'aws' providers.
 	// +optional
 	ServiceAccountName string `json:"serviceAccountName,omitempty"`
 
diff --git a/config/crd/bases/source.toolkit.fluxcd.io_gitrepositories.yaml b/config/crd/bases/source.toolkit.fluxcd.io_gitrepositories.yaml
@@ -105,10 +105,11 @@ spec:
                 type: string
               provider:
                 description: |-
-                  Provider used for authentication, can be 'azure', 'github', 'generic'.
+                  Provider used for authentication, can be 'aws', 'azure', 'github', 'generic'.
                   When not specified, defaults to 'generic'.
                 enum:
                 - generic
+                - aws
                 - azure
                 - github
                 type: string
@@ -177,7 +178,7 @@ spec:
               serviceAccountName:
                 description: |-
                   ServiceAccountName is the name of the Kubernetes ServiceAccount used to
-                  authenticate to the GitRepository. This field is only supported for 'azure' provider.
+                  authenticate to the GitRepository. This field is only supported for 'azure' and 'aws' providers.
                 type: string
               sparseCheckout:
                 description: |-
@@ -242,8 +243,9 @@ spec:
             type: object
             x-kubernetes-validations:
             - message: serviceAccountName can only be set when provider is 'azure'
-              rule: '!has(self.serviceAccountName) || (has(self.provider) && self.provider
-                == ''azure'')'
+                or 'aws'
+              rule: '!has(self.serviceAccountName) || (has(self.provider) && (self.provider
+                == ''azure'' || self.provider == ''aws''))'
           status:
             default:
               observedGeneration: -1
diff --git a/docs/api/v1/source.md b/docs/api/v1/source.md
@@ -407,7 +407,7 @@ string
 </td>
 <td>
 <em>(Optional)</em>
-<p>Provider used for authentication, can be &lsquo;azure&rsquo;, &lsquo;github&rsquo;, &lsquo;generic&rsquo;.
+<p>Provider used for authentication, can be &lsquo;aws&rsquo;, &lsquo;azure&rsquo;, &lsquo;github&rsquo;, &lsquo;generic&rsquo;.
 When not specified, defaults to &lsquo;generic&rsquo;.</p>
 </td>
 </tr>
@@ -421,7 +421,7 @@ string
 <td>
 <em>(Optional)</em>
 <p>ServiceAccountName is the name of the Kubernetes ServiceAccount used to
-authenticate to the GitRepository. This field is only supported for &lsquo;azure&rsquo; provider.</p>
+authenticate to the GitRepository. This field is only supported for &lsquo;azure&rsquo; and &lsquo;aws&rsquo; providers.</p>
 </td>
 </tr>
 <tr>
@@ -2120,7 +2120,7 @@ string
 </td>
 <td>
 <em>(Optional)</em>
-<p>Provider used for authentication, can be &lsquo;azure&rsquo;, &lsquo;github&rsquo;, &lsquo;generic&rsquo;.
+<p>Provider used for authentication, can be &lsquo;aws&rsquo;, &lsquo;azure&rsquo;, &lsquo;github&rsquo;, &lsquo;generic&rsquo;.
 When not specified, defaults to &lsquo;generic&rsquo;.</p>
 </td>
 </tr>
@@ -2134,7 +2134,7 @@ string
 <td>
 <em>(Optional)</em>
 <p>ServiceAccountName is the name of the Kubernetes ServiceAccount used to
-authenticate to the GitRepository. This field is only supported for &lsquo;azure&rsquo; provider.</p>
+authenticate to the GitRepository. This field is only supported for &lsquo;azure&rsquo; and &lsquo;aws&rsquo; providers.</p>
 </td>
 </tr>
 <tr>
diff --git a/docs/spec/v1/gitrepositories.md b/docs/spec/v1/gitrepositories.md
@@ -245,6 +245,7 @@ used for authentication purposes.
 Supported options are:
 
 - `generic`
+- `aws`
 - `azure`
 - `github`
 
@@ -254,6 +255,65 @@ mechanisms using `spec.secretRef` are used for authentication.
 For a complete guide on how to set up authentication for cloud providers,
 see the integration [docs](/flux/integrations/).
 
+#### AWS
+
+The `aws` provider can be used to authenticate to
+[AWS CodeCommit](https://docs.aws.amazon.com/codecommit/latest/userguide/welcome.html)
+repositories using IAM credentials sourced from the controller runtime identity.
+
+**Note:** When the `aws` provider is used, `.spec.url` must be an AWS
+CodeCommit HTTPS endpoint in the format
+`https://git-codecommit.<region>.amazonaws.com/v1/repos/<repository-name>`.
+For a full list of available regions and their endpoints, see the
+[AWS CodeCommit regions documentation](https://docs.aws.amazon.com/codecommit/latest/userguide/regions.html#regions-git).
+
+##### Pre-requisites
+
+- An EKS cluster with either
+  [EKS Pod Identity](https://fluxcd.io/flux/integrations/aws/#with-eks-pod-identity)
+  or
+  [IAM Roles for Service Accounts (IRSA)](https://fluxcd.io/flux/integrations/aws/#with-oidc-federation)
+  configured.
+- An IAM role with the `codecommit:GitPull` permission for the target
+  repository.
+
+##### Configure Flux controller
+
+1. Configure authentication using your preferred [method](https://fluxcd.io/flux/integrations/aws/#authentication).
+
+    Example IAM role policy (see [docs](https://fluxcd.io/flux/integrations/aws/#for-amazon-codecommit) for more details):
+
+    ```json
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Action": "codecommit:GitPull",
+                "Resource": "arn:aws:codecommit:<region>:<account-id>:<repository-name>"
+            }
+        ]
+    }
+    ```
+
+2. Configure AWS CodeCommit `GitRepository`
+
+    ```yaml
+    ---
+    apiVersion: source.toolkit.fluxcd.io/v1
+    kind: GitRepository
+    metadata:
+      name: codecommit-repository
+      namespace: flux-system
+    spec:
+      interval: 5m0s
+      provider: aws
+      serviceAccountName: my-tenant # optional (used for object-level workload identity)
+      url: https://git-codecommit.<region>.amazonaws.com/v1/repos/<repository-name>
+      ref:
+        branch: main
+    ```
+
 #### Azure
 
 The `azure` provider can be used to authenticate to Azure DevOps repositories
diff --git a/internal/controller/gitrepository_controller.go b/internal/controller/gitrepository_controller.go
@@ -670,11 +670,13 @@ func (r *GitRepositoryReconciler) getAuthOpts(ctx context.Context, obj *sourcev1
 	// Configure provider authentication if specified.
 	var getCreds func() (*authutils.GitCredentials, error)
 	switch provider := obj.GetProvider(); provider {
-	case sourcev1.GitProviderAzure: // If AWS or GCP are added in the future they can be added here separated by a comma.
+	// If other providers (GCP, etc.) are added in the future they can be added here separated by a comma.
+	case sourcev1.GitProviderAzure, sourcev1.GitProviderAWS:
 		getCreds = func() (*authutils.GitCredentials, error) {
 			opts := []auth.Option{
 				auth.WithClient(r.Client),
 				auth.WithServiceAccountNamespace(obj.GetNamespace()),
+				auth.WithGitURL(u),
 			}
 
 			if obj.Spec.ServiceAccountName != "" {
diff --git a/internal/controller/gitrepository_controller_test.go b/internal/controller/gitrepository_controller_test.go
@@ -929,6 +929,23 @@ func TestGitRepositoryReconciler_getAuthOpts_provider(t *testing.T) {
 			},
 			wantErr: auth.FeatureGateObjectLevelWorkloadIdentity,
 		},
+		{
+			name: "aws provider with non codecommit URL",
+			url:  "https://github.com/org/repo.git",
+			beforeFunc: func(obj *sourcev1.GitRepository) {
+				obj.Spec.Provider = sourcev1.GitProviderAWS
+			},
+			wantErr: "failed to create provider access token for the controller",
+		},
+		{
+			name: "aws provider with service account and feature gate for object-level identity disabled",
+			url:  "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my-repo",
+			beforeFunc: func(obj *sourcev1.GitRepository) {
+				obj.Spec.Provider = sourcev1.GitProviderAWS
+				obj.Spec.ServiceAccountName = "aws-sa"
+			},
+			wantErr: auth.FeatureGateObjectLevelWorkloadIdentity,
+		},
 		{
 			name: "github provider with no secret ref",
 			url:  "https://github.com/org/repo.git",
