Rename aws authType for better clarity w/ Pod Identity support

J12934 · Weltraumschaf · commit f71a7eba0b06 · 2025-10-14T20:49:41.000+02:00
Pod Identity Auth was already working with the IRSA setting, which is somewhat confusing. The old value remains supported for now as renaming it would break installations. Related cleanup ticket for the next breaking change release: #3327 Signed-off-by: Jannik Hollenbach <jannik.hollenbach@iteratec.com>
diff --git a/documentation/docs/getting-started/installation.md b/documentation/docs/getting-started/installation.md
@@ -172,7 +172,7 @@ Depending on the expected scan duration in your setup, this limitation can pose
     enabled: false
   s3:
     enabled: true
-    authType: "aws-irsa"  # Note: secureCodeBox still uses this config name even for Pod Identity
+    authType: "aws-iam"
     bucket: <your-bucket-name>
     endpoint: "s3.<your-region>.amazonaws.com"
   ```
@@ -261,7 +261,7 @@ Depending on the expected scan duration in your setup, this limitation can pose
     enabled: false
   s3:
     enabled: true
-    authType: "aws-irsa"
+    authType: "aws-iam"
     bucket: <your-bucket-name>
     endpoint: "s3.<your-region>.amazonaws.com"
   serviceAccount:
diff --git a/operator/README.md b/operator/README.md
@@ -104,8 +104,8 @@ helm install securecodebox-operator oci://ghcr.io/securecodebox/helm/operator
 | probes.liveness | object | `{"httpGet":{"path":"/healthz","port":"healthchecks"},"initialDelaySeconds":15,"periodSeconds":20}` | Liveness probe configuration |
 | probes.readiness | object | `{"httpGet":{"path":"/readyz","port":"healthchecks"},"initialDelaySeconds":5,"periodSeconds":10}` | Readiness probe configuration   |
 | resources | object | `{"limits":{"cpu":"100m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
-| s3.authType | string | `"access-secret-key"` | Authentication method. Supports access-secret-key (used by most s3 endpoint) and aws-irsa (Used by AWS EKS IAM Role to Kubenetes Service Account Binding. Support for AWS IRSA is considered experimental in the secureCodeBox) |
-| s3.awsStsEndpoint | string | `"https://sts.amazonaws.com"` | STS Endpoint used in AWS IRSA Authentication. Change this to the sts endpoint of your aws region. Only used when s3.authType is set to "aws-irsa" |
+| s3.authType | string | `"access-secret-key"` | Authentication method. Supports `access-secret-key` (used by most s3 endpoints) and `aws-iam`` (Used by AWS EKS IAM Role to Kubernetes Service Account Binding (IRSA) and EKS Pod Identity Authentication. Support for AWS IRSA is considered experimental in the secureCodeBox) |
+| s3.awsStsEndpoint | string | `"https://sts.amazonaws.com"` | STS Endpoint used in AWS IRSA Authentication. Change this to the sts endpoint of your aws region. Only used when s3.authType is set to "aws-iam". Usually not required, even in IRSA or Pod Identity setups as the region gets injected by AWS into the pod. |
 | s3.bucket | string | `"my-bucket"` |  |
 | s3.enabled | bool | `false` |  |
 | s3.endpoint | string | `"fra1.digitaloceanspaces.com"` |  |
diff --git a/operator/controllers/execution/scans/scan_controller.go b/operator/controllers/execution/scans/scan_controller.go
@@ -261,13 +261,18 @@ func (r *ScanReconciler) initS3Connection() *minio.Client {
 
 	var creds *credentials.Credentials
 
-	if authType, ok := os.LookupEnv("S3_AUTH_TYPE"); ok && strings.ToLower(authType) == "aws-irsa" {
+	// todo(v6): remove support for authType = "aws-irsa" and only support "aws-iam": https://github.com/secureCodeBox/secureCodeBox/issues/3327
+	if authType, ok := os.LookupEnv("S3_AUTH_TYPE"); ok && (strings.ToLower(authType) == "aws-irsa" || strings.ToLower(authType) == "aws-iam") {
 		stsEndpoint := ""
+		// todo(v6): remove support for S3_AWS_STS_ENDPOINT env var and only support S3_AWS_IRSA_STS_ENDPOINT: https://github.com/secureCodeBox/secureCodeBox/issues/3327
 		if configuredStsEndpoint, ok := os.LookupEnv("S3_AWS_IRSA_STS_ENDPOINT"); ok {
 			stsEndpoint = configuredStsEndpoint
 		}
+		if configuredStsEndpoint, ok := os.LookupEnv("S3_AWS_STS_ENDPOINT"); ok {
+			stsEndpoint = configuredStsEndpoint
+		}
 
-		r.Log.Info("Using AWS IRSA ServiceAccount Bindung for S3 Authentication", "sts", stsEndpoint)
+		r.Log.Info("Using AWS IAM ServiceAccount Binding for S3 Authentication (IRSA or EKS Pod Identity)", "sts", stsEndpoint)
 		creds = credentials.NewIAM(stsEndpoint)
 	} else {
 		creds = credentials.NewEnvMinio()
diff --git a/operator/docs/README.ArtifactHub.md b/operator/docs/README.ArtifactHub.md
@@ -109,8 +109,8 @@ helm install securecodebox-operator oci://ghcr.io/securecodebox/helm/operator
 | probes.liveness | object | `{"httpGet":{"path":"/healthz","port":"healthchecks"},"initialDelaySeconds":15,"periodSeconds":20}` | Liveness probe configuration |
 | probes.readiness | object | `{"httpGet":{"path":"/readyz","port":"healthchecks"},"initialDelaySeconds":5,"periodSeconds":10}` | Readiness probe configuration   |
 | resources | object | `{"limits":{"cpu":"100m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
-| s3.authType | string | `"access-secret-key"` | Authentication method. Supports access-secret-key (used by most s3 endpoint) and aws-irsa (Used by AWS EKS IAM Role to Kubenetes Service Account Binding. Support for AWS IRSA is considered experimental in the secureCodeBox) |
-| s3.awsStsEndpoint | string | `"https://sts.amazonaws.com"` | STS Endpoint used in AWS IRSA Authentication. Change this to the sts endpoint of your aws region. Only used when s3.authType is set to "aws-irsa" |
+| s3.authType | string | `"access-secret-key"` | Authentication method. Supports `access-secret-key` (used by most s3 endpoints) and `aws-iam`` (Used by AWS EKS IAM Role to Kubernetes Service Account Binding (IRSA) and EKS Pod Identity Authentication. Support for AWS IRSA is considered experimental in the secureCodeBox) |
+| s3.awsStsEndpoint | string | `"https://sts.amazonaws.com"` | STS Endpoint used in AWS IRSA Authentication. Change this to the sts endpoint of your aws region. Only used when s3.authType is set to "aws-iam". Usually not required, even in IRSA or Pod Identity setups as the region gets injected by AWS into the pod. |
 | s3.bucket | string | `"my-bucket"` |  |
 | s3.enabled | bool | `false` |  |
 | s3.endpoint | string | `"fra1.digitaloceanspaces.com"` |  |
diff --git a/operator/templates/manager/manager.yaml b/operator/templates/manager/manager.yaml
@@ -106,7 +106,9 @@ spec:
                   name: {{ .Values.s3.keySecret }}
                   key: {{ .Values.s3.secretAttributeNames.secretkey }}
             {{- end }}
-            {{- if eq .Values.s3.authType "aws-irsa" }}
+            # todo(v6): remove support for authType = "aws-irsa" and only support "aws-iam": https://github.com/secureCodeBox/secureCodeBox/issues/3327
+            {{- if or (eq .Values.s3.authType "aws-irsa") (eq .Values.s3.authType "aws-iam") }}
+            {{- if .Values.s3.awsStsEndpoint }}
             - name: S3_AWS_IRSA_STS_ENDPOINT
               value: {{ .Values.s3.awsStsEndpoint | quote }}
             {{- end }}
diff --git a/operator/values.yaml b/operator/values.yaml
@@ -167,7 +167,7 @@ s3:
   bucket: "my-bucket"
   # Implicit 443. You probably only need to change this when the system uses a non default port
   port: null
-  # s3.authType -- Authentication method. Supports access-secret-key (used by most s3 endpoint) and aws-irsa (Used by AWS EKS IAM Role to Kubenetes Service Account Binding. Support for AWS IRSA is considered experimental in the secureCodeBox)
+  # s3.authType -- Authentication method. Supports `access-secret-key` (used by most s3 endpoints) and `aws-iam`` (Used by AWS EKS IAM Role to Kubernetes Service Account Binding (IRSA) and EKS Pod Identity Authentication. Support for AWS IRSA is considered experimental in the secureCodeBox)
   authType: access-secret-key
   # Name to a k8s secret in the same namespace as this release with credentials to the s3 bucket. Only used when s3.authType is set to "access-secret-key"
   # By default this assumes to have 'accesskey' and 'secretkey' as attributes
@@ -178,7 +178,7 @@ s3:
   secretAttributeNames:
     accesskey: accesskey
     secretkey: secretkey
-  # s3.awsStsEndpoint -- STS Endpoint used in AWS IRSA Authentication. Change this to the sts endpoint of your aws region. Only used when s3.authType is set to "aws-irsa"
+  # s3.awsStsEndpoint -- STS Endpoint used in AWS IRSA Authentication. Change this to the sts endpoint of your aws region. Only used when s3.authType is set to "aws-iam". Usually not required, even in IRSA or Pod Identity setups as the region gets injected by AWS into the pod.
   awsStsEndpoint: "https://sts.amazonaws.com"
 
   # -- Go Template that generates the path used to store raw result file and findings.json file in the s3 bucket. Can be used to store the files in a subfolder of the s3 bucket
