ROSAENG-130 | feat: add support for AWS podidentity

[cdoan1]

On AWS, the prod deployment can use AWS MQ and AWS RDS
With eks clusters, we can generate the secrets in aws secret manager, and sync these secrets down to the pod via pod identity and secretprovderclass.

Summary by CodeRabbit

• New Features
  • Added support for external databases with pod identity authentication, enabling secure database connections without storing credentials in Kubernetes Secrets.
  • Integrated AWS Secrets Manager for centralized credential management.
  • New configuration options for database SSL mode and custom secret mount paths.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign yasun1 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @cdoan1. Thanks for your PR.

I'm waiting for a openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

Walkthrough

This pull request introduces AWS Secrets Manager integration with Kubernetes pod identity support for external database credential management. The changes add conditional deployment configuration to use CSI Secrets Store volumes when pod identity is enabled, a new SecretProviderClass template for AWS Secrets Manager integration, and corresponding values file entries to control this behavior. When pod identity is disabled, the deployment continues using traditional Kubernetes Secrets.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

The changes introduce a new pod identity feature across multiple template and configuration files with conditional branching logic. Review requires understanding the interaction between CSI Secrets Store, pod identity mechanisms, and deployment configuration, along with verifying proper conditional rendering of templates based on multiple configuration flags.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: adding AWS pod identity support. It accurately reflects the primary purpose of the changeset across all modified files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@charts/templates/deployment.yaml`:
- Around line 43-50: The --db-sslmode flag is only rendered inside the
pod-identity branch so .Values.database.external.sslMode is ignored when using
external DB with secret mount mode; update charts/templates/deployment.yaml to
ensure the --db-sslmode={{ .Values.database.external.sslMode | default "require"
}} argument is emitted whenever .Values.database.external.enabled is true
(either move it outside the usePodIdentity conditional or add a separate
conditional for external enabled and not usePodIdentity), referencing the
existing conditional keys .Values.database.external.enabled and
.Values.database.external.usePodIdentity and the flag name --db-sslmode to
locate where to add/move the line.
- Around line 145-151: The CSI volumeAttributes currently always renders a
secretProviderClass even when
.Values.database.external.createSecretProviderClass is false and
.Values.database.external.secretProviderClass is empty; update the template
around the csi block to conditionally render the secretProviderClass key only
when the computed value is non-empty (check
.Values.database.external.createSecretProviderClass OR
.Values.database.external.secretProviderClass) so the CSI config is omitted if
no provider class is provided; locate the ternary expression that builds the
name (uses include "hyperfleet-api.fullname",
.Values.database.external.secretProviderClass,
.Values.database.external.createSecretProviderClass) and wrap or gate the
secretProviderClass output with an if that ensures the rendered string is not
empty.

In `@charts/templates/secretproviderclass.yaml`:
- Around line 13-16: The SecretProviderClass template currently renders
potentially empty values for region and objectName which defers failure to
runtime; update the template to validate and fail fast by wrapping
.Values.database.external.aws.region and
.Values.database.external.aws.secretName with the Helm required function (e.g.,
required "aws.region is required" .Values.database.external.aws.region) so
template rendering fails when those inputs are empty; ensure the required checks
are applied where region and objectName are inserted in the SecretProviderClass
objects block to prevent creating a pod-mount-time error.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0a3e0604-0fcb-4da0-b5bf-1c29e58c6e3f

📥 Commits

Reviewing files that changed from the base of the PR and between 53db6e3 and 01a20a1.

📒 Files selected for processing (3)

• charts/templates/deployment.yaml
• charts/templates/secretproviderclass.yaml
• charts/values.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

database.external.sslMode is ignored when pod identity is disabled.

At Line 43 and Line 68, --db-sslmode is only added inside the pod-identity branch. For external DB using Kubernetes Secret mode, the value in database.external.sslMode has no effect.

🔧 Proposed fix

         command:
         - /app/hyperfleet-api
         - migrate
+        {{- if .Values.database.external.enabled }}
+        - --db-sslmode={{ .Values.database.external.sslMode | default "require" }}
+        {{- end }}
         {{- if and .Values.database.external.enabled .Values.database.external.usePodIdentity }}
         - --db-host-file={{ .Values.database.external.secretMountPath }}/db.host
         - --db-port-file={{ .Values.database.external.secretMountPath }}/db.port
         - --db-name-file={{ .Values.database.external.secretMountPath }}/db.name
         - --db-user-file={{ .Values.database.external.secretMountPath }}/db.user
         - --db-password-file={{ .Values.database.external.secretMountPath }}/db.password
-        - --db-sslmode={{ .Values.database.external.sslMode | default "require" }}
         {{- end }}
@@
         - --api-server-bindaddress={{ .Values.server.bindAddress | default ":8000" }}
         - --health-server-bindaddress={{ .Values.server.healthBindAddress | default ":8080" }}
         - --metrics-server-bindaddress={{ .Values.server.metricsBindAddress | default ":9090" }}
+        {{- if .Values.database.external.enabled }}
+        - --db-sslmode={{ .Values.database.external.sslMode | default "require" }}
+        {{- end }}
         {{- if and .Values.database.external.enabled .Values.database.external.usePodIdentity }}
         - --db-host-file={{ .Values.database.external.secretMountPath }}/db.host
         - --db-port-file={{ .Values.database.external.secretMountPath }}/db.port
         - --db-name-file={{ .Values.database.external.secretMountPath }}/db.name
         - --db-user-file={{ .Values.database.external.secretMountPath }}/db.user
         - --db-password-file={{ .Values.database.external.secretMountPath }}/db.password
-        - --db-sslmode={{ .Values.database.external.sslMode | default "require" }}
         {{- end }}

Also applies to: 68-75

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@charts/templates/deployment.yaml` around lines 43 - 50, The --db-sslmode flag
is only rendered inside the pod-identity branch so
.Values.database.external.sslMode is ignored when using external DB with secret
mount mode; update charts/templates/deployment.yaml to ensure the
--db-sslmode={{ .Values.database.external.sslMode | default "require" }}
argument is emitted whenever .Values.database.external.enabled is true (either
move it outside the usePodIdentity conditional or add a separate conditional for
external enabled and not usePodIdentity), referencing the existing conditional
keys .Values.database.external.enabled and
.Values.database.external.usePodIdentity and the flag name --db-sslmode to
locate where to add/move the line.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Add a render-time guard for empty secretProviderClass.

At Line 150, if createSecretProviderClass=false and database.external.secretProviderClass is empty, the pod renders with an invalid CSI config and fails at startup.

🔧 Proposed fix

       - name: secrets
       {{- if and .Values.database.external.enabled .Values.database.external.usePodIdentity }}
+        {{- $spcName := ternary (printf "%s-db-secrets" (include "hyperfleet-api.fullname" .)) .Values.database.external.secretProviderClass .Values.database.external.createSecretProviderClass }}
+        {{- if empty $spcName }}
+        {{- fail "database.external.secretProviderClass is required when usePodIdentity=true and createSecretProviderClass=false" }}
+        {{- end }}
         csi:
           driver: secrets-store.csi.k8s.io
           readOnly: true
           volumeAttributes:
-            secretProviderClass: {{ ternary (printf "%s-db-secrets" (include "hyperfleet-api.fullname" .)) .Values.database.external.secretProviderClass .Values.database.external.createSecretProviderClass | quote }}
+            secretProviderClass: {{ $spcName | quote }}
       {{- else }}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@charts/templates/deployment.yaml` around lines 145 - 151, The CSI
volumeAttributes currently always renders a secretProviderClass even when
.Values.database.external.createSecretProviderClass is false and
.Values.database.external.secretProviderClass is empty; update the template
around the csi block to conditionally render the secretProviderClass key only
when the computed value is non-empty (check
.Values.database.external.createSecretProviderClass OR
.Values.database.external.secretProviderClass) so the CSI config is omitted if
no provider class is provided; locate the ternary expression that builds the
name (uses include "hyperfleet-api.fullname",
.Values.database.external.secretProviderClass,
.Values.database.external.createSecretProviderClass) and wrap or gate the
secretProviderClass output with an if that ensures the rendered string is not
empty.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Fail fast when AWS SecretProviderClass inputs are empty.

At Line 13 and Line 15, empty region or objectName can render successfully but fail later at pod mount/runtime. Guard these with required so misconfiguration is caught during template rendering.

🔧 Proposed fix

 {{- if and .Values.database.external.enabled .Values.database.external.usePodIdentity .Values.database.external.createSecretProviderClass }}
+{{- $awsRegion := required "database.external.aws.region is required when createSecretProviderClass=true" .Values.database.external.aws.region }}
+{{- $awsSecretName := required "database.external.aws.secretName is required when createSecretProviderClass=true" .Values.database.external.aws.secretName }}
 apiVersion: secrets-store.csi.x-k8s.io/v1
 kind: SecretProviderClass
 metadata:
@@
 spec:
   provider: aws
   parameters:
     usePodIdentity: "true"
-    region: {{ .Values.database.external.aws.region | quote }}
+    region: {{ $awsRegion | quote }}
     objects: |
-      - objectName: {{ .Values.database.external.aws.secretName | quote }}
+      - objectName: {{ $awsSecretName | quote }}
         objectType: "secretsmanager"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	region: {{ .Values.database.external.aws.region | quote }}
	objects: |
	- objectName: {{ .Values.database.external.aws.secretName | quote }}
	objectType: "secretsmanager"
	{{- if and .Values.database.external.enabled .Values.database.external.usePodIdentity .Values.database.external.createSecretProviderClass }}
	{{- $awsRegion := required "database.external.aws.region is required when createSecretProviderClass=true" .Values.database.external.aws.region }}
	{{- $awsSecretName := required "database.external.aws.secretName is required when createSecretProviderClass=true" .Values.database.external.aws.secretName }}
	apiVersion: secrets-store.csi.x-k8s.io/v1
	kind: SecretProviderClass
	metadata:
	name: {{ .Values.database.external.secretProviderClassName }}
	spec:
	provider: aws
	parameters:
	usePodIdentity: "true"
	region: {{ $awsRegion | quote }}
	objects: |
	- objectName: {{ $awsSecretName | quote }}
	objectType: "secretsmanager"
	{{- end }}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@charts/templates/secretproviderclass.yaml` around lines 13 - 16, The
SecretProviderClass template currently renders potentially empty values for
region and objectName which defers failure to runtime; update the template to
validate and fail fast by wrapping .Values.database.external.aws.region and
.Values.database.external.aws.secretName with the Helm required function (e.g.,
required "aws.region is required" .Values.database.external.aws.region) so
template rendering fails when those inputs are empty; ensure the required checks
are applied where region and objectName are inserted in the SecretProviderClass
objects block to prevent creating a pod-mount-time error.