feat(cmd/auth) New command to support Workload Identity on GKE

[MickaelFontes]

To add support of workload identity to authenticate to a Artifact Registry.

In this PR, I chose to add a auth gcp command, which is a mix of both existing basic and oauth commands.
Some context:

• to authenticate to Artifact Registry, you have to use a short or long-term token as a password
• to avoid to use long term tokens (service account keys), GCP allow you to get your pod inside a GKE cluster authenticated to retrieve a short-term oauth2 access token (see Workload Identity)
• this is not possible using the auth oauth command (with uses the oauth2/clientcredentials but it can be possible using the oauth2/google : this is the goal of this PR.

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

/kind flaky-test

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area library

/area cli

/area tests

/area examples

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #277

Special notes for your reviewer:

• I have not extensively tested it for now (only a few pull), it's the beginning.
• I edited the go.mod file not on purpose when adding the imports 😬
• I had to make a choice on how to add Workload Identity support for Artifact Registry and decided to go for the auth gcp command, but I don't know if you if it is a good choice or not.
• It's my first Go project (hence the previous point I think 😅) so guidance/help and review is appreciated 😄

[poiana]

Welcome @MickaelFontes! It looks like this is your first PR to falcosecurity/falcoctl 🎉

[leogr]

Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits.

memo Please follow instructions in the contributing guide to update your commits with the DCO

Full details of the Developer Certificate of Origin can be found at developercertificate.org.

The list of commits missing DCO signoff:

• eaa6086 feat(registry/auth): Beginning of Workload Identity for falcoctl

Hey @MickaelFontes

Thank you for this PR! Could you sign off your commits, please?
It is required by our policy 🙏

[leogr]

/milestone 0.6.0

[poiana]

@leogr: The provided milestone is not valid for this repository. Milestones in this repository: [v0.6.0, v0.7.0]

Use /milestone clear to clear the milestone.

In response to this:

/milestone 0.6.0

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[FedeDP]

/milestone v0.6.0

[MickaelFontes]

Woops sorry for the forgotten sign off @leogr , it is done now!

Just for the record, this PR might not move for the coming days, since a refactor is needed before the actual add of workload identity support.

[loresuso]

Thanks @MickaelFontes ! Don't worry, we will wait for the refactor, but I'm seeing what I was expecting in NewClient() :) seems like it will be a good solution!

[MickaelFontes]

Hi all!
I pushed a first working version for Workload Identity support, and it opened some questions, for which any help is appreciated!
I'll list some points bothering me right now:

• using oauth/google, we can easily get a TokenSource that uses Workload Identity but we can get TokenSources using Application Default credentials or else (see here).
  Hence my question about whether I should only use the Workload Identity Token source directly, or let the google.DefaultTokenSource choose among the available sources 🤔
  (I started with the second approach initially, but the more I think about it, the more I tend to think it was a bad idea - and credential helper support with the refactor done by max makes Application Default credentials less relevant I think)
• As @max-frank highlighted, caching the token source would be irrelevant if the only source is Workload Identity/GCE metadata, but what about if it is not and Application Default credentials are supported?
• one point I wanted to mention: the oauth2/google library offers the possibility to get the authenticated HTTP client by simply giving a TokenSource as input (see here - I used that in my PoC)
  To match the current Client creation logic, I instead used the TokenSource, assumed to get an access token and used it to perform a login/password authentication, as specified in Google's documentation here. Does this seems ok for you?
• last point more about a simple technical question: here I pushed new go.mod/go.sum files since I added a new library, but I don't think I used the proper way to add them 😅. Could anyone tell me if the current state seems rights to him, and show me the proper way to edit them please 🙏 ?

[max-frank]

• using oauth/google, we can easily get a TokenSource that uses Workload Identity but we can get TokenSources using Application Default credentials or else (see here).
  Hence my question about whether I should only use the Workload Identity Token source directly, or let the google.DefaultTokenSource choose among the available sources 🤔

I think it makes the most sense to use DefaultTokenSource since thats expected behavior for most libraries supporting workload identity.

(I started with the second approach initially, but the more I think about it, the more I tend to think it was a bad idea - and credential helper support with the refactor done by max makes Application Default credentials less relevant I think)

• As @max-frank highlighted, caching the token source would be irrelevant if the only source is Workload Identity/GCE metadata, but what about if it is not and Application Default credentials are supported?

With app default credentials (i.e., what. DefaultTokenSource resolves) we also only need 1 single DefaultTokenSource instance for the whole client (since it will always resolve to the same identity). So we can just load the DefaultTokenSource once and then re-use the same instance for all registries using GKE auth.

• one point I wanted to mention: the oauth2/google library offers the possibility to get the authenticated HTTP client by simply giving a TokenSource as input (see here - I used that in my PoC)
  To match the current Client creation logic, I instead used the TokenSource, assumed to get an access token and used it to perform a login/password authentication, as specified in Google's documentation here. Does this seems ok for you?

Thats exactly the type of application logic I was expecting. This is also exactly how google implemented the logic in their own go-containerregistry lib (see https://github.com/google/go-containerregistry/blob/v0.15.2/pkg/v1/google/auth.go#L49-L61). If we want to add more functionality we could also add support for gcloud as configurable source for dev environments (though you can always run gcloud auth application-default login for dev anyway).

• last point more about a simple technical question: here I pushed new go.mod/go.sum files since I added a new library, but I don't think I used the proper way to add them 😅. Could anyone tell me if the current state seems rights to him, and show me the proper way to edit them please 🙏 ?

It looks fine to me as long as you added it with
go get <package> and then after ran go mod tidy (for cleaning the dependency tree) it should be fine. You can also run make fmt and make lint to make sure everything is as the CI/CD pipeline will expect and accepts

[alacuku]

Hi @MickaelFontes, could you please look at the linting issue?

[MickaelFontes]

Hi @alacuku it's done! I think everything should be good now.
I've been testing on my side the new command for authentification, no issue found.

What should I do next to ensure everything is correct?

[alacuku]

Hi @MickaelFontes, nice job!

I left some minor comments!

[alacuku]

Can we make it a constant and add a comment/link to the docs?

[alacuku]

We need to add the new ENV variable to the README.md: https://github.com/falcosecurity/falcoctl#falcoctl-environment-variables.

[alacuku]

We need to add the new command to the README.md: https://github.com/falcosecurity/falcoctl#falcoctl-registry.
Feel free to add examples too.

[alacuku]

Could you please rephrase the commit messages following this convention: https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md#commit-convention?

[MickaelFontes]

Thanks for the feedback I'll work on it!
About the commit messages, I thought that it would be okay if the PR is "squashed and merged" and the squashed commit follows the guidelines, right @alacuku ?
Otherwise of course I'll update the messages accordingly.

[alacuku]

About the commit messages, I thought that it would be okay if the PR is "squashed and merged" and the squashed commit follows the guidelines, right @alacuku ?

Yeah, squashing the commits it's fine! Thanks!

[MickaelFontes]

It should be all good now! @alacuku
I added inside the README.md some examples, and in particular two cases I identified as relevant for this new authentication command.

[alacuku]

/LGTM

[poiana]

LGTM label has been added.

Git tree hash: 36c5fc4a69cd9372488651c5e6f53c5f2796db1a

[FedeDP]

/approve

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alacuku, FedeDP, MickaelFontes

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [FedeDP]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[MickaelFontes]

Hey @alacuku! I think the PR was not squashed and merged but simply merged 😬
Should I do something on my side about that?

[alacuku]

Unfortunately, we can do nothing. I thought the commits were already squashed, my bad that I did not check.