Feature/aws auth fixes (#64)

RobinDuhan · web-flow · commit 6401227eed0a · 2026-04-13T11:54:52.000+05:30
* Added support for http_timeout_seconds for HTTP calls to allow more time for Artifactory * Fixed secret_ttl_seconds in AWS configmap - Issue #51 * Removed host header from requests to Artifactory to prevent 403 failure
diff --git a/build/build-binary.sh b/build/build-binary.sh
@@ -30,7 +30,7 @@ for p in "${PLATFORMS[@]}"; do
         final_name+='.exe'
     fi
 
-    env GOOS="$GOOS" GOARCH="$GOARCH" go build -ldflags "-X 'main.Version=$VERSION'" -o $BUILD_DIR/$final_name ../ || errorExit "Building $final_name failed"
+    env GOOS="$GOOS" GOARCH="$GOARCH" CGO_ENABLED=0 go build -ldflags "-X 'main.Version=$VERSION'" -o $BUILD_DIR/$final_name ../ || errorExit "Building $final_name failed"
 done
 
 echo -e "\nDone!\nThe following binaries were created in the bin/ directory:"
diff --git a/helm/CHANGELOG.md b/helm/CHANGELOG.md
@@ -2,10 +2,15 @@
 
 All notable changes to this Helm chart will be documented in this file.
 
+## [1.1.0] - 7th April, 2026
+* Added KEP-4412 - Pod Level Identity Support For JFrog Artifactory on GCP
+* Added support for `http_timeout_seconds` for HTTP calls
+* Fixed `secret_ttl_seconds` in configmap to handle quotes
+* Removed `host` header from AWS Signed requests to Artifactory to prevent from overriding host issues on webserver
+
 ## [1.0.1] - 25th Mar, 2026
 * Added support for disabling auto-upgrade of binary through `autoUpgrade`
 * Added support for `aws_region` for `assume_role` authentication method
-* Added KEP-4412 - Pod Level Identity Support For JFrog Artifactory on GCP
 
 ## [1.0.0] - 23rd Feb, 2026
 * Allow using an existing ServiceAccount when `serviceAccount.create=false`
diff --git a/helm/templates/configmap-provider.yaml b/helm/templates/configmap-provider.yaml
@@ -75,6 +75,12 @@ data:
       "name": "disable_provider_autoupdate",
       "value": "{{ not $.Values.autoUpgrade }}"
     },
+    {{- if .http_timeout_seconds }}
+    {
+      "name": "http_timeout_seconds",
+      "value": "{{ .http_timeout_seconds | toJson }}"
+    },
+    {{- end }}
     {{- if .aws.aws_region }}
     {
       "name": "aws_region",
@@ -111,7 +117,7 @@ data:
     },
     {
       "name": "secret_ttl_seconds",
-      "value": {{- if .aws.secret_ttl_seconds }}{{ .aws.secret_ttl_seconds | toJson }}{{ else }}"14400"{{ end }}
+      "value": {{- if .aws.secret_ttl_seconds }}{{ .aws.secret_ttl_seconds | toString | quote }}{{ else }}"14400"{{ end }}
     }
     ]
     }
@@ -130,6 +136,10 @@ data:
       value: "{{ .gcp.jfrog_oidc_provider_name }}"
     - name: disable_provider_autoupdate
       value: "{{ not $.Values.autoUpgrade }}"
+    {{- if .http_timeout_seconds }}
+    - name: http_timeout_seconds
+      value: "{{ .http_timeout_seconds }}"
+    {{- end }}
     {{- end }}
 
     {{- if eq $cloudProvider "azure" }}
@@ -148,6 +158,10 @@ data:
       value: "{{ .azure.jfrog_oidc_provider_name }}"
     - name: disable_provider_autoupdate
       value: "{{ not $.Values.autoUpgrade }}"
+    {{- if .http_timeout_seconds }}
+    - name: http_timeout_seconds
+      value: "{{ .http_timeout_seconds }}"
+    {{- end }}
     {{- end }}
     {{- end }}
 
diff --git a/helm/values.yaml b/helm/values.yaml
@@ -67,6 +67,7 @@ additionalResources: |
 providerConfig:
   - name: jfrog-credentials-provider
     artifactoryUrl: your-org.jfrog.io
+    # http_timeout_seconds: 30
     matchImages:
       - "*.jfrog.io"
     defaultCacheDuration: 15m
diff --git a/internal/sign/signer.go b/internal/sign/signer.go
@@ -427,5 +427,9 @@ func SignV4a(method string, url string, service string, awsCreds AwsCredentials)
 	if err != nil {
 		return nil, err
 	}
+	// removing host only from the headers to avoid 403 Forbidden error
+	// It does exist in CanonicalSignature, Artifactory adds this themseleves so we don't need to add it
+	// specifically to the headers in the request.
+	req.Header.Del("Host")
 	return req, nil
 }
diff --git a/main.go b/main.go
@@ -21,6 +21,7 @@ import (
 	"jfrog-credential-provider/internal/provider"
 	"log"
 	"os"
+	"strconv"
 	"time"
 )
 
@@ -71,8 +72,13 @@ func main() {
 		return
 
 	default:
-		// Default behavior
-		ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+		httpTimeout := 30 * time.Second
+		if v := os.Getenv("http_timeout_seconds"); v != "" {
+			if n, err := strconv.Atoi(v); err == nil && n > 0 {
+				httpTimeout = time.Duration(n) * time.Second
+			}
+		}
+		ctx, cancel := context.WithTimeout(context.Background(), httpTimeout)
 		defer cancel()
 		provider.StartProvider(ctx, Version)
 	}

Original file line number	Diff line number	Diff line change
`@@ -427,5 +427,9 @@ func SignV4a(method string, url string, service string, awsCreds AwsCredentials)`
`427`	`427`	`if err != nil {`
`428`	`428`	`return nil, err`
`429`	`429`	`}`
	`430`	`+ // removing host only from the headers to avoid 403 Forbidden error`
	`431`	`+ // It does exist in CanonicalSignature, Artifactory adds this themseleves so we don't need to add it`
	`432`	`+ // specifically to the headers in the request.`
	`433`	`+ req.Header.Del("Host")`
`430`	`434`	`return req, nil`
`431`	`435`	`}`