-
Notifications
You must be signed in to change notification settings - Fork 57
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(cmd/auth) New command to support Workload Identity on GKE #288
Conversation
Welcome @MickaelFontes! It looks like this is your first PR to falcosecurity/falcoctl 🎉 |
Hey @MickaelFontes Thank you for this PR! Could you sign off your commits, please? |
/milestone 0.6.0 |
@leogr: The provided milestone is not valid for this repository. Milestones in this repository: [ Use In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/milestone v0.6.0 |
Woops sorry for the forgotten sign off @leogr , it is done now! Just for the record, this PR might not move for the coming days, since a refactor is needed before the actual add of workload identity support. |
Thanks @MickaelFontes ! Don't worry, we will wait for the refactor, but I'm seeing what I was expecting in NewClient() :) seems like it will be a good solution! |
b6c7819
to
4105621
Compare
Signed-off-by: Mickaël Fontès <[email protected]>
Hi all!
|
I think it makes the most sense to use
With app default credentials (i.e., what.
Thats exactly the type of application logic I was expecting. This is also exactly how google implemented the logic in their own go-containerregistry lib (see https://github.com/google/go-containerregistry/blob/v0.15.2/pkg/v1/google/auth.go#L49-L61). If we want to add more functionality we could also add support for gcloud as configurable source for dev environments (though you can always run
It looks fine to me as long as you added it with |
* confirm use of GCE and ApplicationDefault token sources * change tokenSource cache logic Signed-off-by: Mickaël Fontès <[email protected]>
Rename from gke to gcp, since it supports out of gke authentication. Signed-off-by: Mickaël Fontès <[email protected]>
Hi @MickaelFontes, could you please look at the linting issue? |
Signed-off-by: Mickaël Fontès <[email protected]>
Hi @alacuku it's done! I think everything should be good now. What should I do next to ensure everything is correct? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @MickaelFontes, nice job!
I left some minor comments!
pkg/oci/authn/gcp.go
Outdated
} | ||
|
||
return auth.Credential{ | ||
Username: "oauth2accesstoken", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we make it a constant and add a comment/link to the docs?
// strings to string slices, when the target type is DotSeparatedStringList. | ||
// when passed as env should be in the following format: | ||
// "registry;registry1". | ||
func gcpAuthListHookFunc() mapstructure.DecodeHookFuncType { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We need to add the new ENV variable to the README.md: https://github.com/falcosecurity/falcoctl#falcoctl-environment-variables.
} | ||
|
||
// NewGcpCmd returns the gcp command. | ||
func NewGcpCmd(ctx context.Context, opt *options.CommonOptions) *cobra.Command { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We need to add the new command to the README.md: https://github.com/falcosecurity/falcoctl#falcoctl-registry.
Feel free to add examples too.
Could you please rephrase the commit messages following this convention: https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md#commit-convention? |
Thanks for the feedback I'll work on it! |
Yeah, squashing the commits it's fine! Thanks! |
Co-authored-by: Aldo Lacuku <[email protected]> Signed-off-by: MickaelFontes <[email protected]>
* Update README.md with examples * Update gcp command help * Set registry username as constant for GCP auth Signed-off-by: Mickaël Fontès <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/LGTM
LGTM label has been added. Git tree hash: 36c5fc4a69cd9372488651c5e6f53c5f2796db1a
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: alacuku, FedeDP, MickaelFontes The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Hey @alacuku! I think the PR was not squashed and merged but simply merged 😬 |
Unfortunately, we can do nothing. I thought the commits were already squashed, my bad that I did not check. |
To add support of workload identity to authenticate to a Artifact Registry.
In this PR, I chose to add a
auth gcp
command, which is a mix of both existingbasic
andoauth
commands.Some context:
auth oauth
command (with uses theoauth2/clientcredentials
but it can be possible using theoauth2/google
: this is the goal of this PR.What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area library
/area cli
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #277
Special notes for your reviewer:
go.mod
file not on purpose when adding the imports 😬auth gcp
command, but I don't know if you if it is a good choice or not.