Refactor GCR Credentials Handling to Support Workload Identity authentification #755
Conversation
This commit updates the GCR (Google Container Registry) credentials handling in Keel's GCR extension to add support for Google Cloud's Workload Identity, while maintaining compatibility with the existing authentication method via the GOOGLE_APPLICATION_CREDENTIALS environment variable. Changes include: - Removed the `credentials` string field from the CredentialsHelper struct. Credentials are now determined dynamically based on the runtime environment. - Added `readCredentialsFromFile()` and `getWorkloadIdentityTokenCredentials()` functions to abstract the credential reading and token obtaining processes. - Updated `GetCredentials` method to try reading the GOOGLE_APPLICATION_CREDENTIALS file first, falling back to Workload Identity if necessary. - Extended registry URL check in `GetCredentials` to support Google Container Registry (`gcr.io`) and Google Artifact Registry URLs (`pkg.dev`). - Adding pubSub boolean check for activating pubSub. These changes allow for the use of both JSON key files and Workload Identity for GCP authentication when polling instead of using pubSub.
refactor indentation
|
The addition of Workload Identity compatibility extends its utility to Pub/Sub users as well. This feature was developed with the intent to utilize Workload Identity for authentication in polling scenarios, yet it inherently facilitates a similar authentication flow for Pub/Sub interactions. With this update, the requirement to manage a secret containing the service account's JSON file for GCP authentication is eliminated. This approach streamlines credential management and utilizes GCP's managed identity infrastructure for a more integrated and straightforward authentication method for cloud services. Integration of Workload Identity for GCP AuthenticationThis update integrates Workload Identity for GCP authentication, simplifying the process for both polling and Pub/Sub. To use this feature:
For gcr:
enabled: true # Enable GCR integration
projectId: "your-gcp-project-id" # Your GCP project ID, not needed if you don't use pub/sub
gcpServiceAccount: "your-gcp-sa-email@gcp-sa.iam.gserviceaccount.com" # GCP service account email
# Optional: Configure Pub/Sub
pubSub:
enabled: true # Enable Pub/Sub if needed
|
|
Thank you, I will review, merge and release this in the next few days! |
This commit updates the GCR (Google Container Registry) credentials handling in Keel's GCR extension to add support for Google Cloud's Workload Identity, while maintaining compatibility with the existing authentication method via the GOOGLE_APPLICATION_CREDENTIALS environment variable.
Changes include:
credentialsstring field from the CredentialsHelper struct. Credentials are now determined dynamically based on the runtime environment.readCredentialsFromFile()andgetWorkloadIdentityTokenCredentials()functions to abstract the credential reading and token obtaining processes.GetCredentialsmethod to try reading the GOOGLE_APPLICATION_CREDENTIALS file first, falling back to Workload Identity if necessary.GetCredentialsto support Google Container Registry (gcr.io) and Google Artifact Registry URLs (pkg.dev).These changes allow for the use of both JSON key files and Workload Identity for GCP authentication when polling (instead of using pubSub).