auth/aws: AWS CodeCommit IAM authentication#1142
taraspos wants to merge 3 commits into fluxcd:main
Hey @matheuscscp I added the integration tests. The current state is as follows:
--- FAIL: TestGitCloneUsingProvider (130.58s)
--- PASS: TestGitCloneUsingProvider/controller-level_workload_identity (8.31s)
--- FAIL: TestGitCloneUsingProvider/object-level_workload_identity_(impersonation) (122.27s)
--- SKIP: TestGitCloneUsingProvider/object-level_workload_identity_(direct_access) (0.00s)
--- SKIP: TestGitCloneUsingProvider/object-level_workload_identity_(impersonation,_federation) (0.00s)
--- SKIP: TestGitCloneUsingProvider/object-level_workload_identity_(direct_access,_federation) (0.00s)
=== RUN TestGitCloneUsingSSH
git_test.go:87: Skipping git test, not supported for provider
--- SKIP: TestGitCloneUsingSSH (0.00s)
The "impersonation" test is failing with:
panic: failed to create provider access token for service account 'default/test-workload-id': an AWS region is required for authenticating with a service account. please configure one in the object spec
goroutine 1 [running]:
main.checkGit({0x1ceb7d8, 0xb32a9dc8230})
/Users/taraspos/code/fluxcd/pkg/tests/integration/testapp/main.go:243 +0x554
main.main()
/Users/taraspos/code/fluxcd/pkg/tests/integration/testapp/main.go:156 +0x934
I'm not sure if this thing is expected to work with AWS IRSA; however, I can't say that I have a full understanding of what it's trying to do here. I would appreciate your review and assistance when you have a moment.
Nice @taraspos, thanks very much for working on this! We're busy with some urgent bugfixes in helm-controller due to Helm 4 upgrade this week, I'm gonna try to make some time next week to review this. Thanks!
Sounds good, thanks. Just want to make sure this change can still land in Flux 2.9 :)
@taraspos so you managed to run successfully the test with controller-level workload identity by cloning from CodeCommit? Is the issue with object-level only?
Hey @matheuscscp, wanted to drop a quick reminder about this PR :)
Let me know if I can do anything to move this forward!
Hi @taraspos, no need to worry here, this will definitely get in for the next Flux release. I'm keeping a tab open, I will reach this soon.
This PR is just a first step. We need this integrated into source-controller & image-automation-controller, and also docs.
This PR is just a first step. We need this integrated into source-controller & image-automation-controller, and also docs.
And potentially Flux CLI as well?
I can start raising draft PRs in there when I have time.
@taraspos CI is failing, can you pls take a look?
Seems like setup-envtest released a new version that depends on Go 1.26.0. Not related to my change, but I can raise a PR with a fix. Let me do it in a separate branch.
We just merged #1158, pls rebase and let's see if this gets fixed 🙏
Signed-off-by: Taras <9948629+taraspos@users.noreply.github.com>
matheuscscp left a comment:
Started the review, will continue tomorrow 👌
Summary
This PR implements IAM role based authentication for AWS CodeCommit Git HTTPS URLs
Testing
Verified locally that the generated username and password work with AWS CodeCommit repositories.
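The username/password derivation the description refers to, as an added example in Go that is not code from this PR or from fluxcd/pkg; it follows the SigV4 scheme of the AWS CodeCommit credential helper, and the repository URL, region and sample credentials are assumed inputs:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
	"time"
)

// hmacSHA256 is one link of the SigV4 key-derivation chain.
func hmacSHA256(key []byte, data string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(data))
	return h.Sum(nil)
}

// CodeCommitCredentials derives the Git HTTPS username/password for a CodeCommit
// clone URL from AWS credentials, the way the AWS credential helper does:
// username = access key ID ('%' + session token for temporary credentials),
// password = signing timestamp + literal 'Z' + hex SigV4 signature.
func CodeCommitCredentials(repoURL, region, accessKeyID, secretKey, sessionToken string, now time.Time) (string, string, error) {
	u, err := url.Parse(repoURL)
	if err != nil {
		return "", "", err
	}
	ts := now.UTC().Format("20060102T150405") // no trailing Z here; it is added to the password only
	date := ts[:8]
	// Canonical request for the pseudo-method GIT: path, no query string, one signed host header, empty payload hash.
	canonical := fmt.Sprintf("GIT\n%s\n\nhost:%s\n\nhost\n", u.Path, u.Host)
	scope := fmt.Sprintf("%s/%s/codecommit/aws4_request", date, region)
	sum := sha256.Sum256([]byte(canonical))
	stringToSign := fmt.Sprintf("AWS4-HMAC-SHA256\n%s\n%s\n%s", ts, scope, hex.EncodeToString(sum[:]))
	// Standard SigV4 signing-key derivation.
	kDate := hmacSHA256([]byte("AWS4"+secretKey), date)
	kRegion := hmacSHA256(kDate, region)
	kService := hmacSHA256(kRegion, "codecommit")
	kSigning := hmacSHA256(kService, "aws4_request")
	signature := hex.EncodeToString(hmacSHA256(kSigning, stringToSign))
	username := accessKeyID
	if sessionToken != "" {
		username += "%" + sessionToken
	}
	// The password embeds the timestamp and is rejected once the SigV4 window passes,
	// so derive a fresh pair per Git operation rather than caching it.
	return username, ts + "Z" + signature, nil
}
```

The region must be supplied explicitly (it is part of the credential scope), which is what the "an AWS region is required" error earlier in the thread is about.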