jamie-harness approved these changes on Mar 30, 2026
anurag-harness requested changes on Mar 30, 2026
anurag-harness (Collaborator) left a comment:
This won't help since placeholders are removed on buildkit anyways
Changes-
Default PLUGIN_BUILDKIT_INHERIT_AUTH to true and strip static AWS credentials when not provided
It fixes both the IRSA and the inherit-from-delegate flows.
buildkit-inherit-auth now defaults to true (cli.BoolFlag → cli.BoolTFlag) so AWS environment variables and IRSA web identity tokens are automatically forwarded into the BuildKit container without requiring explicit opt-in.
When PLUGIN_HARNESS_SELF_HOSTED_S3_ACCESS_KEY / PLUGIN_HARNESS_SELF_HOSTED_S3_SECRET_KEY are not set, the harness_placeholder_aws_creds entries are stripped from --cache-from / --cache-to strings, allowing BuildKit to fall back to instance role or IRSA credentials for S3 cache access.
Why: On K8s builds using IRSA for S3-backed DLC, the BuildKit container runs isolated from the pod's IAM identity. Previously, users had to explicitly enable credential inheritance and ensure no static keys were present in the cache configuration. Together these changes make IRSA-based DLC work by default without manual intervention.
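The stripping step from the PR description, as an added Go example that is not the plugin's own code. The function names are hypothetical, and it assumes the placeholder appears as a whole attribute value under BuildKit's S3 cache attributes `access_key_id` and `secret_access_key`; the bucket, region and name in the sample spec are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Placeholder value named in the PR description.
const placeholder = "harness_placeholder_aws_creds"

// stripPlaceholderCreds drops every key=value attribute whose value is the
// placeholder from one BuildKit cache spec (a comma-separated attribute list).
// Assumption: the placeholder is always a complete attribute value.
func stripPlaceholderCreds(spec string) string {
	kept := make([]string, 0, 8)
	for _, attr := range strings.Split(spec, ",") {
		_, val, ok := strings.Cut(strings.TrimSpace(attr), "=")
		if ok && val == placeholder {
			continue // omit the attribute so BuildKit uses ambient credentials
		}
		kept = append(kept, attr)
	}
	return strings.Join(kept, ",")
}

// prepareCacheSpecs strips placeholders only when no static key pair was
// supplied. Assumption: a half-set pair counts as "not provided".
func prepareCacheSpecs(specs []string, accessKey, secretKey string) []string {
	if accessKey != "" && secretKey != "" {
		return specs // static keys given: specs are left untouched here
	}
	out := make([]string, len(specs))
	for i, s := range specs {
		out[i] = stripPlaceholderCreds(s)
	}
	return out
}

func main() {
	// Constructed sample --cache-to value.
	spec := "type=s3,region=us-east-1,bucket=example-dlc,name=app," +
		"access_key_id=" + placeholder + ",secret_access_key=" + placeholder
	fmt.Println(prepareCacheSpecs([]string{spec}, "", "")[0])
}
```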