use workload identity for all prow integrations #180
Comments
/cc @fejta |
Do you know anywhere that you are explicitly requiring a secret.json file? If not then we can just remove it and validate things work |
Here are the promoter's Prow jobs that use volume-mounted creds: |
What happens when this flag is missing? |
Then the service account creds are never loaded. This means go-containerregistry will have to fall back to some other auth mechanism (presumably). I am not sure how WI interacts with go-containerregistry's Copy() function which the promoter uses to push images. |
That loads credentials from the docker config file. I don't have much context for this issue but assuming you're doing something like:
... to wire up gcloud as a config helper, this might work? I'm not sure if gcloud's credential helper actually works with workload identity. Here's a primer on docker auth: https://github.com/google/go-containerregistry/blob/master/pkg/authn/README.md If you can get a shell in one of these pods where you haven't activated a secret.json file, you could try:
to see if that returns valid credentials. You should get an access token as the This will check the token you get back:
If that doesn't work there are definitely things we can do to work around this, let me know. |
Can you point me to the code that does this? I've mostly just had to do:
Example: kubernetes/test-infra@966711a#diff-9f51d141e18f12470d41311d7ced5631 |
The crane package uses Which is just a thin wrapper around github.com/docker/cli/cli/config, which fetches credentials based on your config file as you would expect (i.e. it works with From the linked diff things should just work, assuming gcloud has been set up appropriately. |
Linus, do you have opinions about the way you want these jobs to run? It isn't obvious to me that

    {
      "credHelpers": {
        "gcr.io": "gcloud",
        "us.gcr.io": "gcloud",
        "eu.gcr.io": "gcloud",
        "asia.gcr.io": "gcloud",
        "staging-k8s.gcr.io": "gcloud",
        "marketplace.gcr.io": "gcloud"
      }
    }

I can send a PR to do that, or I can do something else you'd prefer |
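The comments above turn on how the Docker config file steers go-containerregistry (via github.com/docker/cli/cli/config) to a credential helper instead of a mounted secret.json. The script below is an added example, not code from the promoter, go-containerregistry or the docker CLI: it mirrors the lookup order those tools apply (per-registry credHelpers entry, then the global credsStore, then a static auths blob) against a constructed config.json in the shape proposed here, and adds an audit function that flags any registry still carrying a base64 auth secret on disk. Function names, the sample configs and the "anonymous" / "static-auth" labels are my own.

```python
"""Resolve which credential source applies to an image reference, following the
order github.com/docker/cli/cli/config uses: credHelpers[host] -> credsStore ->
auths[host]. Added example; SAMPLE_CONFIG and LEGACY_CONFIG are constructed."""
import json

# Constructed config.json in the shape discussed in the thread: every GCR host
# is delegated to docker-credential-gcloud and there are no static "auths".
SAMPLE_CONFIG = json.dumps({
    "credHelpers": {
        "gcr.io": "gcloud",
        "us.gcr.io": "gcloud",
        "eu.gcr.io": "gcloud",
        "asia.gcr.io": "gcloud",
        "staging-k8s.gcr.io": "gcloud",
        "marketplace.gcr.io": "gcloud",
    }
})

# Constructed "before" config: a long-lived user:password blob written to disk,
# which is what a volume-mounted secret.json effectively leaves behind.
LEGACY_CONFIG = json.dumps({
    "auths": {"https://gcr.io": {"auth": "dXNlcjpwYXNz"}}  # base64("user:pass")
})


def registry_of(image_ref: str) -> str:
    """Registry host of an image reference; bare names resolve to Docker Hub."""
    first = image_ref.split("/", 1)[0]
    if "." in first or ":" in first or first == "localhost":
        return first
    return "index.docker.io"


def _host_of_key(key: str) -> str:
    """Normalise an "auths" key such as https://gcr.io or gcr.io/v1/ to a host."""
    key = key.split("://", 1)[-1]
    return key.split("/", 1)[0]


def credential_source(config_text: str, image_ref: str) -> str:
    """Describe where a push/pull of image_ref would obtain credentials."""
    cfg = json.loads(config_text)
    host = registry_of(image_ref)
    # 1. a per-registry helper entry wins over everything else
    helper = cfg.get("credHelpers", {}).get(host)
    if helper:
        return f"helper:docker-credential-{helper}"
    # 2. then a global credential store, if configured
    store = cfg.get("credsStore")
    if store:
        return f"store:docker-credential-{store}"
    # 3. then a static entry; its "auth" value is base64(user:password)
    for key, entry in cfg.get("auths", {}).items():
        if _host_of_key(key) == host and entry.get("auth"):
            return "static-auth"
    return "anonymous"


def find_static_creds(config_text: str) -> list[str]:
    """Audit helper: hosts whose credentials are still stored as an "auth" blob
    rather than fetched on demand from a helper (sorted for stable output)."""
    cfg = json.loads(config_text)
    return sorted(_host_of_key(k) for k, v in cfg.get("auths", {}).items()
                  if v.get("auth"))


if __name__ == "__main__":
    for ref in ("gcr.io/k8s-staging-foo/bar:v1", "busybox"):
        print(ref, "->", credential_source(SAMPLE_CONFIG, ref))
    print("static creds in legacy config:", find_static_creds(LEGACY_CONFIG))
```

With the helper-only config, a push to any of the listed GCR hosts is delegated to docker-credential-gcloud at push time, so nothing secret needs to exist in the pod beforehand; whether that helper actually returns a token is then a question for gcloud's own credential discovery under Workload Identity, which is the part the shell check suggested earlier in the thread exercises.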
Actually I don't even think that's necessary, this should just work as expected: https://github.com/kubernetes-sigs/k8s-container-image-promoter/blob/b7378030785b6cf6da2cde095eb68ff06483712b/pkg/filepromoter/token.go#L40 |
/assign |
FWIW I already set up a json like that in the Prow jobs. E.g. https://github.com/kubernetes-sigs/k8s-container-image-promoter/blob/90a75d7781a432cd5e9b56446af4d49747ff986b/test-e2e/cip/e2e-entrypoint-from-container.sh#L31-L34 |
The kubernetes/test-infra#16724 PR reverted kubernetes/test-infra#16463, because we saw permissions issues like this:
This was most likely caused by the lack of a WI permission binding that needed to be actuated in the k8s-artifacts-prod project for the Prow bot account, like so:
I need to add this binding into the infra scripts set up here. |
Pasting from kubernetes/k8s.io#655 (comment):
/cc @thockin |
Once kubernetes/test-infra#16917 merges I will have a much better understanding of WI, enabling me to port the remaining Prow jobs to WI systematically. The concept is simple but it's a bit of grunt work to get all the details right. |
Since kubernetes/k8s.io#695 and kubernetes/test-infra#16948, the ci-k8sio-cip job is working! I have some other more urgent matters to attend to (need to fixup #199), but I now understand the pattern to apply to workload-identity-ize the rest of the jobs. |
/unassign Awesome! |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/remove-lifecycle stale |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-contributor-experience at kubernetes/community. |
Rotten issues close after 30d of inactivity. Send feedback to sig-contributor-experience at kubernetes/community. |
@fejta-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This way, we don't have to give service account creds to Prow admins.