Skip to content

Commit a1a02e6

Browse files
committed
refactor(s3accesspoint): collapse deployment config into per-tenant secret
Move BaseRoleARN and Region from the deployment-level config into the per-tenant Credentials blob, drop SessionDuration in favour of a 1h constant, and read the dev-mode bypass from CHAINLOOP_S3_ACCESS_POINT_DEV_MODE instead of config. The ManagedCASBackends proto blocks, the corresponding wire plumbing, and the loader Options surface are all gone. The provider is now registered unconditionally; on-prem deployments without managed CAS simply never have managed rows. A single chainloop install can also serve tenants across multiple AWS accounts without a config change since BaseRoleARN is per-secret. Assisted-by: Claude Code Signed-off-by: Jose I. Paris <jiparis@chainloop.dev> Chainloop-Trace-Sessions: 234a03ed-b238-4506-95f0-235242842db2
1 parent 333a45e commit a1a02e6

16 files changed

Lines changed: 326 additions & 962 deletions

File tree

app/artifact-cas/cmd/wire.go

Lines changed: 0 additions & 23 deletions
Original file line numberDiff line numberDiff line change
@@ -25,7 +25,6 @@ import (
2525
"github.com/chainloop-dev/chainloop/app/artifact-cas/internal/server"
2626
"github.com/chainloop-dev/chainloop/app/artifact-cas/internal/service"
2727
"github.com/chainloop-dev/chainloop/pkg/blobmanager/loader"
28-
"github.com/chainloop-dev/chainloop/pkg/blobmanager/s3accesspoint"
2928
"github.com/chainloop-dev/chainloop/pkg/credentials"
3029
"github.com/go-kratos/kratos/v2/log"
3130
"github.com/google/wire"
@@ -38,35 +37,13 @@ func wireApp(*conf.Bootstrap, *conf.Server, *conf.Auth, credentials.Reader, log.
3837
server.ProviderSet,
3938
service.ProviderSet,
4039
loader.LoadProviders,
41-
newLoaderOptions,
42-
wire.FieldsOf(new(*conf.Bootstrap), "ManagedCasBackends"),
4340
newApp,
4441
serviceOpts,
4542
newProtoValidator,
4643
),
4744
)
4845
}
4946

50-
// newLoaderOptions builds the loader.Options struct from the deployment
51-
// Bootstrap. When `managed_cas_backends.s3_access_point` is absent (the
52-
// common case for on-prem) S3AccessPoint stays nil and the provider is
53-
// not registered, leaving the binary's behaviour identical to the
54-
// pre-managed-CAS world.
55-
func newLoaderOptions(in *conf.ManagedCASBackends, l log.Logger) *loader.Options {
56-
opts := &loader.Options{Logger: l}
57-
if in == nil || in.GetS3AccessPoint() == nil {
58-
return opts
59-
}
60-
ap := in.GetS3AccessPoint()
61-
opts.S3AccessPoint = &s3accesspoint.Config{
62-
BaseRoleARN: ap.GetBaseRoleArn(),
63-
Region: ap.GetRegion(),
64-
SessionDuration: ap.GetSessionDuration().AsDuration(),
65-
DevModeUseAmbientCredentials: ap.GetDevModeUseAmbientCredentials(),
66-
}
67-
return opts
68-
}
69-
7047
func serviceOpts(l log.Logger) []service.NewOpt {
7148
return []service.NewOpt{
7249
service.WithLogger(l),

app/artifact-cas/cmd/wire_gen.go

Lines changed: 1 addition & 24 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

app/artifact-cas/configs/config.devel.yaml

Lines changed: 0 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -39,17 +39,3 @@ observability:
3939

4040
auth:
4141
public_key_path: ${PUBLIC_KEY_PATH:../../devel/devkeys/cas.pub}
42-
43-
# Optional managed CAS provider (S3 Access Points). Mirrors the
44-
# controlplane's managed_cas_backends block — both binaries must agree
45-
# on the settings since each independently instantiates the provider.
46-
# Leave commented out for on-prem deployments that don't use managed CAS.
47-
# managed_cas_backends:
48-
# s3_access_point:
49-
# base_role_arn: arn:aws:iam::123456789012:role/chainloop-cas-tenant
50-
# region: us-east-1
51-
# session_duration: 1h
52-
# # DEV ONLY: bypass sts:AssumeRole and use whatever AWS identity the
53-
# # SDK default credential chain produces (env vars, ~/.aws/credentials,
54-
# # IRSA, …). Skips per-tenant isolation; never enable in production.
55-
# # dev_mode_use_ambient_credentials: true

0 commit comments

Comments
 (0)