Support authentication methods for blobs #1616
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
since it's been archived Signed-off-by: Bohan Chen <bohanc@vmware.com>
zhoufenqin
reviewed
May 20, 2024
tomkennedy513
approved these changes
May 22, 2024
yilims
suggested changes
May 27, 2024
similar to image keychains, the blob keychain is an interface to resolve a url to an auth string, and potentially other headers. while it's true the auth string can be embeded in the header, i felt separating them is more convenient as most keychains won't have to make use of the additional headers part. there's no aws keychain since i couldn't figure out how aws-sdk-go-v2 handles eks's oidc flow. And i don't have easy access to an aws environment to test this out on Signed-off-by: Bohan Chen <bohanc@vmware.com>
Signed-off-by: Bohan Chen <bohanc@vmware.com>
Signed-off-by: Bohan Chen <bohanc@vmware.com>
Signed-off-by: Bohan Chen <bohanc@vmware.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
closes #1503 and #1594
Introduce a
.spec.source.blob.authfield with 3 options:"": no auth performed"secret": find all secrets withkpack.io/blobannotation (with same domain matching rules as git secret). And use it for basic auth username/password, oauth2 bearer token, or arbitraryAuthorizationheader."helper": use IaaS specific IAM mechanisms (i.e. mapping IaaS service accounts/IDs/roles to k8s ServiceAccount) to retrieve an oauth2 token. This PR only implements it for GCP and Azure as those are the 2 envs I have easy access to, but the general interface and registration is simple enough for anyone to contribute.