Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Support authentication methods for blobs #1616

Merged
merged 5 commits into from
May 30, 2024
Merged

Support authentication methods for blobs #1616

merged 5 commits into from
May 30, 2024

Conversation

chenbh
Copy link
Contributor

@chenbh chenbh commented May 17, 2024

closes #1503 and #1594

Introduce a .spec.source.blob.auth field with 3 options:

  • "": no auth performed
  • "secret": find all secrets with kpack.io/blob annotation (with same domain matching rules as git secret). And use it for basic auth username/password, oauth2 bearer token, or arbitrary Authorization header.
  • "helper": use IaaS specific IAM mechanisms (i.e. mapping IaaS service accounts/IDs/roles to k8s ServiceAccount) to retrieve an oauth2 token. This PR only implements it for GCP and Azure as those are the 2 envs I have easy access to, but the general interface and registration is simple enough for anyone to contribute.

@chenbh
stop using github.com/pkg/errors
5f47866 
since it's been archived

Signed-off-by: Bohan Chen <bohanc@vmware.com>
@chenbh chenbh requested a review from a team as a code owner May 17, 2024 19:37
yilims
yilims suggested changes May 27, 2024
View reviewed changes
pkg/blob/file_keychain.go Outdated Show resolved Hide resolved
chenbh added 4 commits May 29, 2024 16:55
@chenbh
introduce keychains to blob fetcher
ff457d2 
similar to image keychains, the blob keychain is an interface to resolve
a url to an auth string, and potentially other headers.

while it's true the auth string can be embeded in the header, i felt
separating them is more convenient as most keychains won't have to make
use of the additional headers part.

there's no aws keychain since i couldn't figure out how aws-sdk-go-v2
handles eks's oidc flow. And i don't have easy access to an aws
environment to test this out on

Signed-off-by: Bohan Chen <bohanc@vmware.com>
@chenbh
hook up blob auth to the build reconciler
717f709 
Signed-off-by: Bohan Chen <bohanc@vmware.com>
@chenbh
run codegen
2a51389 
Signed-off-by: Bohan Chen <bohanc@vmware.com>
@chenbh
add docs for blob auth
9d9bc14 
Signed-off-by: Bohan Chen <bohanc@vmware.com>
@chenbh chenbh merged commit bc42d51 into main May 30, 2024
3 checks passed
@chenbh chenbh deleted the blob-creds branch May 30, 2024 15:43
@chenbh chenbh mentioned this pull request Jun 6, 2024
Merged
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@zhoufenqin zhoufenqin zhoufenqin left review comments

@yilims yilims yilims requested changes

@tomkennedy513 tomkennedy513 tomkennedy513 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Download Blob with Basic Auth Secret
4 participants
@chenbh @zhoufenqin @tomkennedy513 @yilims