add begin of gke in other missing parts

need to wait for auth config refactor to fix current state and go further Signed-off-by: Mickaël Fontès <[email protected]>
falcosecurity · May 25, 2023 · b6c7819 · b6c7819
1 parent 0bf0ffa
commit b6c7819
Show file tree

Hide file tree

Showing 6 changed files with 54 additions and 22 deletions.
diff --git a/cmd/artifact/artifact.go b/cmd/artifact/artifact.go
@@ -44,6 +44,7 @@ func NewArtifactCmd(ctx context.Context, opt *commonoptions.CommonOptions) *cobr
 			var indexCache *cache.Cache
 			var basicAuths []config.BasicAuth
 			var oauthAuths []config.OauthAuth
+			var gkeAuths []config.GkeAuth
 			var err error
 
 			opt.Initialize()
@@ -82,6 +83,15 @@ func NewArtifactCmd(ctx context.Context, opt *commonoptions.CommonOptions) *cobr
 				if err = login.PerformOauthAuths(ctx, opt, oauthAuths); err != nil {
 					return err
 				}
+
+				// Gke
+				if gkeAuths, err = config.GkeAuths(); err != nil {
+					return err
+				}
+
+				if err = login.PerformGkeAuths(ctx, opt, gkeAuths); err != nil {
+					return err
+				}
 			}
 
 			return nil

diff --git a/cmd/registry/auth/gke/gke.go b/cmd/registry/auth/gke/gke.go
@@ -20,9 +20,7 @@ import (
 
 	"github.com/spf13/cobra"
 	"golang.org/x/oauth2/google"
-	"oras.land/oras-go/v2/registry/remote/auth"
 
-	"github.com/falcosecurity/falcoctl/cmd/registry/auth/basic"
 	"github.com/falcosecurity/falcoctl/internal/config"
 	"github.com/falcosecurity/falcoctl/pkg/options"
 )
@@ -70,21 +68,10 @@ func (o *RegistryGkeOptions) RunGke(ctx context.Context, args []string) error {
 	reg := args[0]
 
 	// Check that we can retrieve token.
-	var source = google.ComputeTokenSource("")
-	token_object, err := source.Token()
-	if err != nil {
-		return fmt.Errorf("unable to retrieve token using workload identity: %w", err)
-	}
+	ts := google.ComputeTokenSource("")
 
-	var user = "oauth2accesstoken"
-	var token = token_object.AccessToken
-	cred := &auth.Credential{
-		Username: user,
-		Password: token,
-	}
-
-	if err = basic.DoLogin(ctx, reg, cred); err != nil {
-		return err
+	if _, err := ts.Token(); err != nil {
+		return fmt.Errorf("unable to retrieve token using workload identity: %w", err)
 	}
 
 	currentAuths, err := config.GkeAuths()
@@ -106,9 +93,8 @@ func (o *RegistryGkeOptions) RunGke(ctx context.Context, args []string) error {
 	if err := config.UpdateConfigFile(config.RegistryAuthGkeKey, currentAuths, o.ConfigFile); err != nil {
 		return fmt.Errorf("unable to update gke auths credential list in the config file %q: %w", config.ConfigPath, err)
 	}
-	o.Printer.Verbosef("credentials added to config file %q", config.ConfigPath)
-
-	o.Printer.Success.Printfln("gke credentials correctly saved in %q", config.ClientCredentialsFile)
+	o.Printer.Verbosef("workload identity config added to config file %q", config.ConfigPath)
 
+	o.Printer.Success.Println("gke config has been saved")
 	return nil
 }
diff --git a/cmd/registry/pull/pull.go b/cmd/registry/pull/pull.go
@@ -84,6 +84,7 @@ func NewPullCmd(ctx context.Context, opt *options.CommonOptions) *cobra.Command
 		PreRunE: func(cmd *cobra.Command, args []string) error {
 			var basicAuths []config.BasicAuth
 			var oauthAuths []config.OauthAuth
+			var gkeAuths []config.GkeAuth
 			var err error
 
 			if err := o.Validate(); err != nil {
@@ -98,6 +99,15 @@ func NewPullCmd(ctx context.Context, opt *options.CommonOptions) *cobra.Command
 				return err
 			}
 
+			// Gke
+			if gkeAuths, err = config.GkeAuths(); err != nil {
+				return err
+			}
+
+			if err = login.PerformGkeAuths(ctx, o.CommonOptions, gkeAuths); err != nil {
+				return err
+			}
+
 			// Perform authentications using oauth auth.
 			if oauthAuths, err = config.OauthAuths(); err != nil {
 				return err

diff --git a/cmd/registry/push/push.go b/cmd/registry/push/push.go
@@ -96,6 +96,7 @@ func NewPushCmd(ctx context.Context, opt *options.CommonOptions) *cobra.Command
 		PreRunE: func(cmd *cobra.Command, args []string) error {
 			var basicAuths []config.BasicAuth
 			var oauthAuths []config.OauthAuth
+			var gkeAuths []config.GkeAuth
 			var err error
 
 			if err := o.validate(); err != nil {
@@ -110,6 +111,15 @@ func NewPushCmd(ctx context.Context, opt *options.CommonOptions) *cobra.Command
 				return err
 			}
 
+			// Gke
+			if gkeAuths, err = config.GkeAuths(); err != nil {
+				return err
+			}
+
+			if err = login.PerformGkeAuths(ctx, o.CommonOptions, gkeAuths); err != nil {
+				return err
+			}
+
 			// Perform authentications using oauth auth.
 			if oauthAuths, err = config.OauthAuths(); err != nil {
 				return err

diff --git a/internal/config/config.go b/internal/config/config.go
@@ -72,7 +72,7 @@ const (
 	RegistryAuthOauthKey = "registry.auth.oauth"
 	// RegistryAuthBasicKey is the Viper key for basic authentication configuration.
 	RegistryAuthBasicKey = "registry.auth.basic"
-	// RegistryAuthBasicKey is the Viper key for basic authentication configuration.
+	// RegistryAuthBasicKey is the Viper key for gke workload identity authentication configuration.
 	RegistryAuthGkeKey = "registry.auth.gke"
 	// IndexesKey is the Viper key for indexes configuration.
 	IndexesKey = "indexes"
@@ -123,7 +123,7 @@ type BasicAuth struct {
 	Password string `mapstructure:"password"`
 }
 
-// GkeAuth represents a Basic credential.
+// GkeAuth represents a Gke credential.
 type GkeAuth struct {
 	Registry string `mapstructure:"registry"`
 }
@@ -387,7 +387,7 @@ func oathAuthListHookFunc() mapstructure.DecodeHookFuncType {
 	}
 }
 
-// OauthAuths retrieves the oauthAuths section of the config file.
+// GkeAuths retrieves the gkeAuths section of the config file.
 func GkeAuths() ([]GkeAuth, error) {
 	var auths []GkeAuth
 

diff --git a/pkg/oci/authn/client.go b/pkg/oci/authn/client.go
@@ -20,6 +20,9 @@ import (
 	"net/http"
 	"time"
 
+	"golang.org/x/oauth2"
+	"golang.org/x/oauth2/google"
+
 	"golang.org/x/oauth2/clientcredentials"
 	"oras.land/oras-go/v2/registry/remote"
 	"oras.land/oras-go/v2/registry/remote/auth"
@@ -35,6 +38,7 @@ type Options struct {
 	Credentials       *auth.Credential
 	Oauth             bool
 	ClientCredentials *clientcredentials.Config
+	Gke               bool
 }
 
 // NewClient creates a new authenticated client to interact with a remote registry.
@@ -45,6 +49,11 @@ func NewClient(options ...func(*Options)) remote.Client {
 		o(opt)
 	}
 
+	if opt.Gke {
+		ts := google.ComputeTokenSource("")
+		return oauth2.NewClient(opt.Ctx, ts)
+	}
+
 	if opt.Oauth && opt.ClientCredentials != nil {
 		return opt.ClientCredentials.Client(opt.Ctx)
 	} else {
@@ -76,6 +85,13 @@ func NewClient(options ...func(*Options)) remote.Client {
 	}
 }
 
+// WithCredentials sets the credentials for the client.
+func WithGke(gke bool) func(c *Options) {
+	return func(c *Options) {
+		c.Gke = gke
+	}
+}
+
 // WithCredentials sets the credentials for the client.
 func WithCredentials(cred *auth.Credential) func(c *Options) {
 	return func(c *Options) {