[ROB-1896] Irsa cross platform

[Avi-Robusta]

• Needs new holmes release in this pr before merge

[coderabbitai]

Walkthrough

Adds cross-account assume-role support for AWS Managed Prometheus: reads AWS_ASSUME_ROLE env var into AWSPrometheusConfig and passes it to KRR via a new --eks-assume-role flag. Updates docs to mention the env/assume-role options. Bumps versions: holmes chart (0.13.3) and prometrix (0.2.3). Updates KRR image to v1.26.1.

Changes

Cohort / File(s)	Summary
Docs: AWS AMP configuration docs/configuration/metric-providers-aws.rst	Removed sample cluster label; added commented guidance for cross-account assume-role via assume_role_arn and AWS_ASSUME_ROLE env var in examples.
Helm chart dependency bump helm/robusta/Chart.yaml	Updated holmes chart dependency version from 0.13.1 to 0.13.3.
KRR image and CLI args playbooks/robusta_playbooks/krr.py	Updated IMAGE to v1.26.1; when using AWSPrometheusConfig with assume_role_arn, append --eks-assume-role to KRR command-line.
Prometheus AWS config env src/robusta/integrations/prometheus/utils.py	Added AWS_ASSUME_ROLE env var; pass assume_role_arn=AWS_ASSUME_ROLE when creating AWSPrometheusConfig if AWS_REGION is set.
Dependency bump pyproject.toml	Bumped prometrix from 0.2.2 to 0.2.3.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor User as Operator
  participant Env as Environment
  participant Utils as Prometheus Utils
  participant AWSP as AWSPrometheusConfig
  participant KRR as KRR Runner

  User->>Env: Set AWS_REGION, (optional) AWS_ASSUME_ROLE
  User->>Utils: generate_prometheus_config()
  Env-->>Utils: AWS_REGION, AWS_ASSUME_ROLE
  Utils->>AWSP: Create with region, service, assume_role_arn (if provided)
  AWSP-->>Utils: Config object
  Utils-->>KRR: Prometheus config (AWSPrometheusConfig)

  KRR->>KRR: Build cmd args
  alt assume_role_arn present
    KRR->>KRR: Add --eks-assume-role <arn>
  else
    KRR->>KRR: Use existing AMP flags only
  end
  KRR-->>User: Final command-line arguments

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10–15 minutes

Possibly related PRs

• [ROB-1923] amp irsa support #1907 — Adjusts AMP auth paths in Prometheus/KRR; closely related to adding assume-role handling.
• Upgrade holmes version to 0.13.0 #1900 — Changes holmes version in helm/robusta/Chart.yaml; overlaps the same dependency.
• ROB-1415 update new prometrix version #1841 — Bumps prometrix in pyproject.toml; same dependency updated here.

Suggested reviewers

• arikalon1
• moshemorad
• nherment

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch irsa-cross-platform

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (5)

playbooks/robusta_playbooks/krr.py (5)

5-5: Import error: from pickle import NONE will crash on import

pickle.NONE isn’t a public symbol. This raises ImportError before any action runs.

-from pickle import NONE

All usages should be plain None (see Line 451 fix below).

---

408-428: Fix type hints and defaults for _publish_krr_finding; ensure start_time is datetime

• timeout should be Optional[int], not str.
• config_json = Optional[str] sets a wrong default value.
• start_time is used as a datetime in the report; make it a datetime and convert at the caller.

-def _publish_krr_finding(event: ExecutionBaseEvent, krr_json: Dict[str, Any],scan_id: str, start_time: str, metadata: Dict[str, Any], timeout: Optional[str] = None, config_json = Optional[str]):
+def _publish_krr_finding(
+    event: ExecutionBaseEvent,
+    krr_json: Dict[str, Any],
+    scan_id: str,
+    start_time: datetime,
+    metadata: Dict[str, Any],
+    timeout: Optional[int] = None,
+    config_json: Optional[str] = None,
+):
@@
-    scan_block = _generate_krr_report_block(
-        scan_id, start_time, krr_scan, metadata, config_json
-    )
+    scan_block = _generate_krr_report_block(scan_id, start_time, krr_scan, metadata, config_json)

Follow-ups in callers are below.

---

451-452: Use None and pass a datetime to match the fixed signature

Replace NONE and parse the ISO start-time string.

-    _publish_krr_finding(event=event,krr_json=params.result, scan_id=params.scan_id, start_time=params.start_time, metadata=metadata, timeout=None, config_json=NONE)
+    _publish_krr_finding(
+        event=event,
+        krr_json=params.result,
+        scan_id=params.scan_id,
+        start_time=datetime.fromisoformat(params.start_time),
+        metadata=metadata,
+        timeout=None,
+        config_json=None,
+    )

---

550-551: Store start-time as ISO 8601 so it round-trips cleanly

This ensures the process_scan path can parse it reliably.

-        krr_annotations = {"scan-id": scan_id, "start-time": start_time}
+        krr_annotations = {"scan-id": scan_id, "start-time": start_time.isoformat()}

---

548-589: Guard against UnboundLocalError on logs in the except path

If an exception is thrown before logs is assigned, referencing it in the except block raises a new error.

-    try:
+    logs = ""
+    try:
@@
-        _emit_failed_scan_event(event, scan_id, start_time, metadata, msg, e, logs)
+        _emit_failed_scan_event(event, scan_id, start_time, metadata, msg, e, logs)

(Initialize logs = "" before the try.)

🧹 Nitpick comments (3)

docs/configuration/metric-providers-aws.rst (2)

81-85: Doc nit: quote ARN and add trust-policy note for cross-account

• Quote the example ARN to avoid YAML surprises.
• Add a one-liner that the target account role must trust the source IRSA role (sts:AssumeRole).

-# assume_role_arn: arn:aws:iam::<ACCOUNT_ID>:role/<AMP_IAM_ROLE>
+# assume_role_arn: "arn:aws:iam::<ACCOUNT_ID>:role/<AMP_IAM_ROLE>"

---

102-107: Doc nit: keep env var example consistent with quoted ARN

Good call showing it under runner env; keep the ARN quoted consistently.

-#   value: "arn:aws:iam::<ACCOUNT_ID>:role/<AMP_IAM_ROLE>"
+#   value: "arn:aws:iam::<ACCOUNT_ID>:role/<AMP_IAM_ROLE>"

playbooks/robusta_playbooks/krr.py (1)

242-244: Appending --eks-assume-role only when set is correct; minor quoting nit

Functional change looks good. To be extra-safe, quote the ARN even though ARNs don’t contain spaces.

-        if prom_config.assume_role_arn:
-            additional_cmd_line_args += f" --eks-assume-role {prom_config.assume_role_arn}"
+        if prom_config.assume_role_arn:
+            additional_cmd_line_args += f" --eks-assume-role {shlex.quote(prom_config.assume_role_arn)}"

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 033b25a and c746272.

⛔ Files ignored due to path filters (2)

• helm/robusta/Chart.lock is excluded by !**/*.lock
• poetry.lock is excluded by !**/*.lock

📒 Files selected for processing (5)

• docs/configuration/metric-providers-aws.rst (2 hunks)
• helm/robusta/Chart.yaml (1 hunks)
• playbooks/robusta_playbooks/krr.py (2 hunks)
• pyproject.toml (1 hunks)
• src/robusta/integrations/prometheus/utils.py (2 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: run_tests
• GitHub Check: run_tests

🔇 Additional comments (2)

pyproject.toml (1)

62-62: Confirmed assume_role_arn present in AWSPrometheusConfig: in prometrix 0.2.3’s prometrix/models/prometheus_config.py, class AWSPrometheusConfig defines assume_role_arn: Optional[str] = None, matching the parameter passed from utils.py.

src/robusta/integrations/prometheus/utils.py (1)

32-33: Could you fetch and paste the AWSPrometheusConfig constructor signature from prometrix v0.2.3 (the exact parameter list) so we can confirm it uses assume_role_arn?

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

docs/configuration/metric-providers-aws.rst (1)

102-107: Runner env var example: ensure list indentation

Make sure the commented AWS_ASSUME_ROLE example is correctly indented as a list item under runner.additional_env_vars so users can copy/paste.

-        # Optional: Configure cross-account role assumption for AMP
-        # Set this if your Prometheus workspace is in a different AWS account
-        # than the one running your Kubernetes service account.
-        # - name: AWS_ASSUME_ROLE
-        #   value: "arn:aws:iam::<ACCOUNT_ID>:role/<AMP_IAM_ROLE>"
+        # Optional: Configure cross-account role assumption for AMP
+        # Set this if your Prometheus workspace is in a different AWS account
+        # than the one running your Kubernetes service account.
+        # - name: AWS_ASSUME_ROLE
+        #   value: "arn:aws:iam::<ACCOUNT_ID>:role/<AMP_IAM_ROLE>"

Also note: this env is only consumed when AWS_REGION is set.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 033b25a and c746272.

⛔ Files ignored due to path filters (2)

• helm/robusta/Chart.lock is excluded by !**/*.lock
• poetry.lock is excluded by !**/*.lock

📒 Files selected for processing (5)

• docs/configuration/metric-providers-aws.rst (2 hunks)
• helm/robusta/Chart.yaml (1 hunks)
• playbooks/robusta_playbooks/krr.py (2 hunks)
• pyproject.toml (1 hunks)
• src/robusta/integrations/prometheus/utils.py (2 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Build images

🔇 Additional comments (5)

pyproject.toml (1)

62-62: Assume-role support present in prometrix 0.2.3 AWSPrometheusConfig now exposes assume_role_arn and get_custom_prometheus_connect forwards it to the AWS connector, ensuring the new KRR assume-role path is reachable.

helm/robusta/Chart.yaml (1)

18-18: Gate merge until Chart repo is updated
Could not verify holmes v0.13.3 in the Robusta charts index (index.yaml unreachable) or find a matching release changelog. Please publish version 0.13.3 to the chart repository and confirm the index entry before merging to avoid CI/helm dependency failures.

src/robusta/integrations/prometheus/utils.py (2)

32-32: AWS_ASSUME_ROLE env wiring — LGTM

Reading AWS_ASSUME_ROLE from env is straightforward and non-breaking.

---

61-69: Propagate assume_role_arn is safe – AWSPrometheusConfig in prometrix 0.2.3 includes an assume_role_arn parameter, so this code path won’t raise at runtime.

playbooks/robusta_playbooks/krr.py (1)

39-39: KRR image bump to v1.26.1 — LGTM