Support using workload identity to bake cookies #15807

Merged
merged 1 commit into from
Jan 8, 2020


@fejta fejta commented Jan 7, 2020

ref #15806

/assign @BenTheElder @clarketm

https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#enable_workload_identity_on_an_existing_cluster

When workload identity is configured, the pod's service account is automatically bound to a GCP service account. Therefore we do not need to send it a secret.json file (which cannot be stolen since it doesn't exist).

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jan 7, 2020
@k8s-ci-robot k8s-ci-robot added area/prow Issues or PRs related to prow sig/testing Categorizes an issue or PR as relevant to SIG Testing. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Jan 7, 2020
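
The difference the PR description points at, as an added example that is not part of this PR or the project's own manifests: a pod that authenticates with a mounted key file beside one that relies on workload identity. All names, the namespace, the image and the project ID are hypothetical.

```yaml
# Constructed manifests for illustration; every name below is hypothetical.
# BEFORE: a long-lived service account key is mounted into the pod.
apiVersion: v1
kind: Pod
metadata:
  name: cookie-baker-with-key
  namespace: example-ns
spec:
  containers:
  - name: baker
    image: registry.example/cookie-baker:constructed
    env:
    - name: GOOGLE_APPLICATION_CREDENTIALS
      value: /etc/creds/secret.json
    volumeMounts:
    - name: creds
      mountPath: /etc/creds
      readOnly: true
  volumes:
  - name: creds
    secret:
      secretName: baker-gcp-key   # exported key, usable by anyone who can read this Secret
---
# AFTER: no key material. The Kubernetes service account is bound to a GCP
# service account through the workload identity annotation. The GCP service
# account must also grant roles/iam.workloadIdentityUser to the member
# serviceAccount:example-project.svc.id.goog[example-ns/cookie-baker].
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cookie-baker
  namespace: example-ns
  annotations:
    iam.gke.io/gcp-service-account: baker@example-project.iam.gserviceaccount.com
---
apiVersion: v1
kind: Pod
metadata:
  name: cookie-baker
  namespace: example-ns
spec:
  serviceAccountName: cookie-baker
  containers:
  - name: baker
    image: registry.example/cookie-baker:constructed
    # No GOOGLE_APPLICATION_CREDENTIALS and no Secret volume: the pod obtains
    # short-lived tokens from the GKE metadata server instead of reading a file.
```
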
@BenTheElder
Member

A+ PR title


user="$(grep -o -E '[^"]+@[^"]+' "$creds")"
Contributor Author

Nothing uses this, so dropped

@clarketm clarketm left a comment

Do we want to consider making this a Go program or leveraging something like Authentikos moving forward for issuing OAuth tokens?

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 7, 2020
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: clarketm, fejta


clarketm commented Jan 7, 2020

/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 7, 2020
fejta commented Jan 8, 2020

Thanks!

> consider making this a Go program

# TODO(fejta): make this a good program, not bash

> leveraging something like Authentikos

SGTM, especially if we move the tool to our common tooling repo (kubernetes/test-infra).

Given the zero maintenance burden I don't consider either of these a pressing issue: https://github.com/kubernetes/test-infra/commits/master/prow/cmd/grandmatriarch

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 8, 2020
@k8s-ci-robot k8s-ci-robot merged commit 7af1bf6 into kubernetes:master Jan 8, 2020
@k8s-ci-robot k8s-ci-robot added this to the v1.18 milestone Jan 8, 2020
@fejta fejta deleted the bake branch January 8, 2020 00:22