Refactor GCR Credentials Handling to Support Workload Identity authentication #755
Conversation
This commit updates the GCR (Google Container Registry) credentials handling in Keel's GCR extension to add support for Google Cloud's Workload Identity, while maintaining compatibility with the existing authentication method via the GOOGLE_APPLICATION_CREDENTIALS environment variable.

Changes include:
- Removed the `credentials` string field from the CredentialsHelper struct. Credentials are now determined dynamically based on the runtime environment.
- Added `readCredentialsFromFile()` and `getWorkloadIdentityTokenCredentials()` functions to abstract the credential reading and token obtaining processes.
- Updated `GetCredentials` method to try reading the GOOGLE_APPLICATION_CREDENTIALS file first, falling back to Workload Identity if necessary.
- Extended registry URL check in `GetCredentials` to support Google Container Registry (`gcr.io`) and Google Artifact Registry URLs (`pkg.dev`).
- Added pubSub boolean check for activating pubSub.

These changes allow for the use of both JSON key files and Workload Identity for GCP authentication when polling instead of using pubSub.
refactor indentation
The addition of Workload Identity compatibility extends its utility to Pub/Sub users as well. This feature was developed with the intent to utilize Workload Identity for authentication in polling scenarios, yet it inherently facilitates a similar authentication flow for Pub/Sub interactions. With this update, the requirement to manage a secret containing the service account's JSON file for GCP authentication is eliminated. This approach streamlines credential management and utilizes GCP's managed identity infrastructure for a more integrated and straightforward authentication method for cloud services.

Integration of Workload Identity for GCP Authentication

This update integrates Workload Identity for GCP authentication, simplifying the process for both polling and Pub/Sub. To use this feature:

For gcr:

```yaml
gcr:
  enabled: true                                                         # Enable GCR integration
  projectId: "your-gcp-project-id"                                      # Your GCP project ID, not needed if you don't use pub/sub
  gcpServiceAccount: "your-gcp-sa-email@gcp-sa.iam.gserviceaccount.com" # GCP service account email
  # Optional: Configure Pub/Sub
  pubSub:
    enabled: true                                                       # Enable Pub/Sub if needed
```
Thank you, I will review, merge and release this in the next few days!