feat(common): fail-closed guard for required IRSA role-arn#70
Merged
Conversation
Add an opt-in assertion to the common chart's ServiceAccount template so that, when serviceAccount.requireRoleArn is true, the render fails if the eks.amazonaws.com/role-arn annotation is empty or not a well-formed IAM role ARN. helm upgrade then aborts before applying instead of shipping a credential-less workload that passes its local health probe. Also add an opt-in helm-test (serviceAccount.irsaCheck.enabled) that runs aws sts get-caller-identity under the service account to validate IRSA end-to-end, a helm-unittest suite covering the guard, and the plugin wiring in the release workflow. Both new values default to false, so existing consumers are unaffected. Bump common 0.3.0 -> 0.4.0 and the keeperhub-stack umbrella 0.1.0 -> 0.2.0 (dependency, lock and vendored package regenerated).
azure/setup-helm without a version falls back to helm 3.9.0 when it cannot reach the GitHub release API, and 3.9.0 rejects the helm-unittest plugin manifest (unknown field platformHooks, supported from helm 3.15). Pin a modern helm so the plugin installs and the unittest suite runs.
🎉 Helm Chart Tests Passed!All modified charts have been successfully validated:
Summary:
📋 Detailed Information:
The PR is ready for review! 🚀 Note: Charts will be automatically released when this PR is merged to main. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Context
On 2026-06-18 a prod cutover wrote an empty
eks.amazonaws.com/role-arnannotation onto the sharedkeeperhub-prodServiceAccount. The EKS pod-identity webhook injects AWS credentials only when a non-empty role-arn is present, so the schedule/block dispatchers and executor came up with no AWS access and could not reach SQS.helm upgradereported success and pods passed their local/healthprobes, so the bad state was invisible to both Helm and Kubernetes (~54 min outage, 1268 failed executions).This adds the mechanical guard the post-mortem asks for.
Changes
commonchart:serviceAccount.requireRoleArn: trueand the role-arn annotation is empty or not a well-formed IAM role ARN, sohelm upgradeaborts at render time.serviceAccount.irsaCheck.enabled) runningaws sts get-caller-identityunder the service account to validate IRSA end-to-end.false, non-breaking for other consumers.Versions:
common0.3.0 -> 0.4.0keeperhub-stack0.1.0 -> 0.2.0 (dependency bumped to common 0.4.0;Chart.lockand vendored package regenerated)Verification
helm unittest charts/common-> 6/6 pass.helm templatewith an empty/malformed role-arn aborts withserviceAccount eks.amazonaws.com/role-arn is missing or malformed; valid arn renders the SA; default-off renders unchanged.Ordering
The keeperhub deploy consumes the published
keeperhub-stackchart, so this must merge and be released before the companion keeperhub PR (which bumps the deploy pin to 0.2.0 and enablesrequireRoleArn/irsaCheck).