mirrors/eks-anywhere-packages

fix: Remove redundant upgradeRelease call in Install() (#1291)

fix: Remove redundant upgradeRelease call in Install()

The second upgradeRelease (introduced in PR #521) passes identical values to the first call, producing a pure redundant helm upgrade on every reconcile. For non-idempotent charts like Harbor (genCA in core-secret.yaml), this triggers unnecessary pod rollouts.

Cluster validation: after fix, helm release revision stays stable across reconcile cycles (no +1 per reconcile from redundant upgrade).

Fixes #3902

fix: also remove redundant AddSecretToAllNamespace call

After removing the second upgradeRelease, the two AddSecretToAllNamespace calls are now consecutive with no operation between them, making the second one redundant as well.

Amazon EKS Anywhere Curated Packages

Build status:

The Amazon EKS Anywhere Curated Packages are only available to customers with the Amazon EKS Anywhere Enterprise Subscription. To request a free trial, talk to your Amazon representative or connect with one here.

EKS Anywhere Curated Packages is a management system for installation, configuration and maintenance of additional components for your Kubernetes cluster. Examples of these components may include Container Registry, Ingress, and LoadBalancer, etc.

Here are the steps for getting started with EKS Anywhere Curated Packages.

Development

EKS Anywhere Curated Packages is tested using Prow, the Kubernetes CI system. EKS operates an installation of Prow, which is visible at https://prow.eks.amazonaws.com/. Please read our CONTRIBUTING guide before making a pull request.

The dependencies which make up EKS Anywhere Curated Packages are defined and built via the build-tooling repo.

Local Development

Local development can be done using tilt.

Setup

install tilt binary on your machine following instructions
install and configure amazon-ecr-credential-helper

set REGISTRY and KUBERNETES_CONTEXTS env var:

export REGISTRY='public.ecr.aws/<your-public-ecr-registry-id>'
export KUBERNETES_CONTEXTS=$(kubectl config current-context)

If running tilt on a remote host, you can port-forward tilt’s web UI by forwarding over ssh:

ssh -v -L 10350:localhost:10350 <remote-host>

After running tilt up, tilt’s UI should now be available at localhost:10350 on your local machine.

Vulnerability Checking

This repository includes comprehensive vulnerability scanning for all Go dependencies across all modules.

Running Vulnerability Checks Locally

To scan all Go modules for known vulnerabilities:

make vulncheck

This will run govulncheck against:

Root module (./)
credentialproviderpackage module
generatebundlefile module
ecrtokenrefresher module

CI/CD Integration

Vulnerability scanning runs automatically via GitHub Actions:

On Pull Requests: Dependency review checks for newly introduced vulnerable dependencies
On Push to Main: Full vulnerability scan across all modules
Daily Scheduled Scans: Automated scans run at 7am UTC to catch newly disclosed vulnerabilities
Manual Trigger: Can be triggered manually via GitHub Actions workflow dispatch

Automated Dependency Updates

GitHub Dependabot is configured to:

Monitor all 4 Go modules for security updates
Monitor GitHub Actions for updates
Create pull requests automatically when vulnerabilities are detected
Run weekly checks for new updates

To view security advisories and Dependabot alerts, visit the repository’s Security tab on GitHub.

Security

If you discover a potential security issue in this project, or think you may have discovered a security issue, we ask that you notify AWS Security via our vulnerability reporting page. Please do not create a public GitHub issue.

License

This project is licensed under the Apache-2.0 License.