Try Google Application Default Credentials for GCR (gcr.io) auth #1902

Merged: 18 commits, Aug 14, 2019

Conversation

@chanseokoh (Member) commented Aug 12, 2019

Fixes #1903.

Closes #1500.

ADC from Cloud SDK

Jib can get ADC set through gcloud auth application-default login. ADC in this case are "end user credentials".

WARNING: Your application has authenticated using end user credentials from Google Cloud SDK. We recommend that most server applications use service accounts instead. If your application continues to use end user credentials from Cloud SDK, you might receive a "quota exceeded" or "API not enabled" error. For more information about service accounts, see https://cloud.google.com/docs/authentication/.
[DEBUG] Google ADC found
[DEBUG] Using Google Application Default Credentials for gcr.io
...
[INFO] Built and pushed image as gcr.io/<redacted>/test
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------

ADC from Service Account

The current implementation for a service account is to generate a short-lived OAuth2 access token from the service account and use it for GCR auth.

$ GOOGLE_APPLICATION_CREDENTIALS=my-service-account-key.json mvn -X jib:build
...
[DEBUG] Google ADC found
[DEBUG] ADC is a service account. Set GCS read-write scope
[DEBUG] Using Google Application Default Credentials for gcr.io
...
[INFO] Built and pushed image as gcr.io/<redacted>/test
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------

ADC on Google Cloud Build (GCB)

ADC are available on GCB and have the permission to push to GCR.

[DEBUG] Google ADC found
[DEBUG] Using Google Application Default Credentials for gcr.io
...
[INFO] Built and pushed image as gcr.io/<redacted>/gcb-test
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
...
PUSH
DONE
------------------------------------------------------------------------

ID                                    CREATE_TIME                DURATION  SOURCE                                                                                             IMAGES  STATUS
0b9e0bb2-3cdb-4e7d-8954-86d5ba0b7e72  2019-08-12T21:08:27+00:00  1M55S     gs://<redacted>_cloudbuild/source/1565644104.23-97f5c662bd70409186821171c3a06db0.tgz  -       SUCCESS

ADC on Google Compute Engine (GCE)

Tested on Linux and Windows:

[DEBUG] Google ADC found
[DEBUG] Using Google Application Default Credentials for gcr.io
...
[INFO] Built and pushed image as gcr.io/<redacted>/adc-gce
[INFO] 
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------

ADC on Google Kubernetes Engine (GKE)

See #1903 for details.

ADC on Cloud Shell

Confirmed it works. However, Cloud Shell has docker-credential-gcloud, docker-credential-gcr, and ~/.docker/config.json, so it's already working pretty well without this ADC support.

[DEBUG] Google ADC found
[DEBUG] Using Google Application Default Credentials for gcr.io
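The mechanism the PR description sketches for the service-account case (resolve ADC, scope a service-account key down to Cloud Storage read-write, mint a short-lived OAuth2 access token, and present it to gcr.io as a registry password) is shown end to end below as an added example. It is not Jib's code; the class, method and field names are illustrative, and it assumes google-auth-library-java on the classpath and that `devstorage.read_write` is the "GCS read-write scope" the debug line refers to. The fixed username `oauth2accesstoken` is what GCR expects when the password is an access token.

```java
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ServiceAccountCredentials;
import com.google.auth.oauth2.UserCredentials;
import java.io.IOException;
import java.util.Collections;
import java.util.Date;
import java.util.Optional;

/**
 * Added example (not Jib's code): turn Application Default Credentials into a
 * short-lived Docker registry login for gcr.io. Names are illustrative; the
 * Google auth calls are the real google-auth-library-java API.
 */
public final class AdcRegistryLogin {

  // GCR stores image layers in Cloud Storage, so this is the narrowest scope
  // that still allows a push (assumption: the scope the PR's debug line means).
  static final String GCS_READ_WRITE_SCOPE =
      "https://www.googleapis.com/auth/devstorage.read_write";

  // Fixed username GCR accepts when the password is an OAuth2 access token.
  static final String OAUTH2_TOKEN_USERNAME = "oauth2accesstoken";

  /** Username/password pair as a registry client sends it in HTTP Basic auth. */
  public static final class RegistryLogin {
    public final String username;
    public final String password;
    public final Date expiresAt;

    RegistryLogin(String username, String password, Date expiresAt) {
      this.username = username;
      this.password = password;
      this.expiresAt = expiresAt;
    }
  }

  /** Only gcr.io and its regional hosts (us.gcr.io, eu.gcr.io, asia.gcr.io) take Google tokens. */
  static boolean isGoogleContainerRegistry(String registry) {
    return registry.equals("gcr.io") || registry.endsWith(".gcr.io");
  }

  /**
   * Resolves ADC for the given registry. Returns empty when the registry is not GCR
   * or no ADC exist, so the caller can fall back to docker-credential-* helpers.
   */
  public static Optional<RegistryLogin> fromAdc(String registry) throws IOException {
    if (!isGoogleContainerRegistry(registry)) {
      return Optional.empty();
    }

    GoogleCredentials credentials;
    try {
      // Search order: GOOGLE_APPLICATION_CREDENTIALS, gcloud's
      // application_default_credentials.json, then the GCE/GKE/GCB metadata server.
      credentials = GoogleCredentials.getApplicationDefault();
    } catch (IOException noAdc) {
      return Optional.empty();
    }

    if (credentials instanceof UserCredentials) {
      // End-user credentials from "gcloud auth application-default login": fine on a
      // developer laptop, but a server-side build should use a service account.
      System.err.println("warning: using end-user ADC for " + registry);
    }

    // A service-account JSON key carries no scopes; request only what a push needs.
    // Metadata-server credentials on GCE/GKE/GCB already carry the instance's scopes.
    if (credentials instanceof ServiceAccountCredentials && credentials.createScopedRequired()) {
      credentials = credentials.createScoped(Collections.singletonList(GCS_READ_WRITE_SCOPE));
    }

    // Mint a fresh token at push time rather than caching one: access tokens expire
    // in about an hour and must never be written to ~/.docker/config.json.
    credentials.refresh();
    AccessToken token = credentials.getAccessToken();
    return Optional.of(
        new RegistryLogin(OAUTH2_TOKEN_USERNAME, token.getTokenValue(), token.getExpirationTime()));
  }

  public static void main(String[] args) throws IOException {
    String registry = args.length > 0 ? args[0] : "gcr.io";
    Optional<RegistryLogin> login = fromAdc(registry);
    if (!login.isPresent()) {
      System.out.println("no ADC-based login for " + registry);
      return;
    }
    // Never print the token itself; it is a bearer secret.
    System.out.println("user=" + login.get().username + " expires=" + login.get().expiresAt);
  }
}
```

Two points worth checking when wiring something like this into a build tool: the registry match must be exact (a token minted for a Google service account should never be sent to an arbitrary host that happens to be configured as the base or target image registry), and the token should be fetched immediately before the push and discarded afterwards, since the short lifetime is the only thing limiting the blast radius if a build log or crash dump captures it.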

@chanseokoh changed the title from "[Draft] Trty Google Application Default Credentials for GCR (gcr.io) auth" to "Try Google Application Default Credentials for GCR (gcr.io) auth" Aug 13, 2019
@chanseokoh marked this pull request as ready for review August 13, 2019 17:36
@chanseokoh requested a review from a team August 13, 2019 17:36

@chanseokoh (Member Author):

Out of the draft status. Ready for review.

@@ -65,7 +63,7 @@ public DockerCredentialHelper(String serverUrl, Path credentialHelper) {
}

DockerCredentialHelper(String registry, String credentialHelperSuffix) {
this(registry, Paths.get(CREDENTIAL_HELPER_PREFIX + credentialHelperSuffix));
this(registry, Paths.get("docker-credential-" + credentialHelperSuffix));
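Review bot: replacing `CREDENTIAL_HELPER_PREFIX` with the inline literal `"docker-credential-"` in the package-private `DockerCredentialHelper(String registry, String credentialHelperSuffix)` constructor leaves the helper-name convention without a single named home; the header `@@ -65,7 +63,7 @@` shows two lines gone above this hunk, consistent with the constant's definition having been removed, so any other site that composes helper names now has to repeat the literal. Either keep one shared constant, or, as the reviewer suggests, drop this constructor so that callers pass a complete helper path through the `DockerCredentialHelper(String serverUrl, Path credentialHelper)` constructor visible in the header line; a comment should also say that `Paths.get("docker-credential-" + credentialHelperSuffix)` yields a bare relative path with no directory, so callers that need a pinned helper location must use the `Path` constructor instead.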
Reviewer (Member):

I wonder if we should get rid of this method and push knowledge of the docker-credential- prefix to the callers/creators?

@chanseokoh (Member Author) Aug 13, 2019:

Let me take care of this in a separate PR. (#1920)

@loosebazooka loosebazooka mentioned this pull request Aug 13, 2019