Default to empty secret path for Kaniko to use Workload Identity credentials #5730

@chtcvl chtcvl commented Apr 27, 2021

Fixes: #3468

Description
If GOOGLE_APPLICATION_CREDENTIALS is set, Kaniko doesn't opt for using Workload Identity. The current setup always forces a non-empty GOOGLE_APPLICATION_CREDENTIALS value. The proposed change makes an empty value the default for pullSecretPath, unless MountPath is specified in the config. This in turn prevents GOOGLE_APPLICATION_CREDENTIALS from being set.
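
The defaulting change described in this PR, sketched as an added example (not the Skaffold source and not the PR's diff). `ClusterConfig`, the helper functions and the `/secret` and `kaniko-secret` defaults are hypothetical names chosen for illustration; the sketch assumes the usual Application Default Credentials order, where a set GOOGLE_APPLICATION_CREDENTIALS takes precedence over the metadata server that Workload Identity relies on.

```go
package main

import (
	"fmt"
	"path"
)

// ClusterConfig is a hypothetical stand-in for the two settings the PR names.
type ClusterConfig struct{ PullSecretPath, PullSecretMountPath string }

// Assumed default locations, for illustration only.
const assumedMountPath, assumedSecretFile = "/secret", "kaniko-secret"

// secretPathBefore models the old behaviour: the result is never empty,
// so GOOGLE_APPLICATION_CREDENTIALS always ends up set on the build pod.
func secretPathBefore(c ClusterConfig) string {
	if c.PullSecretPath != "" {
		return c.PullSecretPath
	}
	if c.PullSecretMountPath == "" {
		c.PullSecretMountPath = assumedMountPath
	}
	return path.Join(c.PullSecretMountPath, assumedSecretFile)
}

// secretPathAfter models the proposed behaviour: an unset path stays empty
// unless a mount path was configured explicitly.
func secretPathAfter(c ClusterConfig) string {
	if c.PullSecretPath == "" && c.PullSecretMountPath != "" {
		return path.Join(c.PullSecretMountPath, assumedSecretFile)
	}
	return c.PullSecretPath
}

// podCredentials returns the env the build pod would get and which credential
// source wins. Simplified: a set variable means the key file is used; an
// unset one lets the client fall through to the metadata server.
func podCredentials(secretPath string) (map[string]string, string) {
	if secretPath == "" {
		return map[string]string{}, "workload-identity"
	}
	return map[string]string{"GOOGLE_APPLICATION_CREDENTIALS": secretPath}, "key-file"
}

func main() {
	for _, c := range []ClusterConfig{{}, {PullSecretMountPath: "/creds"}} {
		_, before := podCredentials(secretPathBefore(c))
		_, after := podCredentials(secretPathAfter(c))
		fmt.Printf("%+v before=%s after=%s\n", c, before, after)
	}
}
```

A configuration that still mounts a key secret keeps the key-file path, so only builds with no secret configured change behaviour.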

google-cla bot commented Apr 27, 2021

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.


What to do if you already signed the CLA

Individual signers
Corporate signers

ℹ️ Googlers: Go here for more info.

@google-cla google-cla bot added the cla: no label Apr 27, 2021
@chtcvl chtcvl force-pushed the kaniko-defaults-allow-workload-identity branch from d243bdc to 390948c Compare April 27, 2021 10:47
google-cla bot commented Apr 27, 2021

@chtcvl chtcvl force-pushed the kaniko-defaults-allow-workload-identity branch from 390948c to d29c19f Compare April 28, 2021 02:53
google-cla bot commented Apr 28, 2021

chtcvl commented Apr 28, 2021

@googlebot I signed it!

google-cla bot commented Apr 28, 2021

chtcvl commented Apr 29, 2021

@googlebot I signed it!

@google-cla google-cla bot added cla: yes and removed cla: no labels Apr 29, 2021
@chtcvl chtcvl force-pushed the kaniko-defaults-allow-workload-identity branch from d29c19f to dd2dc87 Compare April 30, 2021 09:59
@chtcvl chtcvl marked this pull request as ready for review May 3, 2021 03:54
@chtcvl chtcvl requested a review from a team as a code owner May 3, 2021 03:54
@chtcvl chtcvl requested a review from briandealwis May 3, 2021 03:54
@tejal29 tejal29 added the kokoro:run runs the kokoro jobs on a PR label May 6, 2021
@tejal29 tejal29 left a comment

Please rebase!

@kokoro-team kokoro-team removed the kokoro:run runs the kokoro jobs on a PR label May 6, 2021
…entials

Signed-off-by: Vladimir Ivanov <vladimir.ivanov@grasshopperasia.com>
@chtcvl chtcvl force-pushed the kaniko-defaults-allow-workload-identity branch from dd2dc87 to cbcc43c Compare May 6, 2021 04:49
codecov bot commented May 6, 2021

Codecov Report

Merging #5730 (cbcc43c) into master (ce34201) will increase coverage by 0.00%.
The diff coverage is 100.00%.

@@           Coverage Diff           @@
##           master    #5730   +/-   ##
=======================================
  Coverage   70.95%   70.95%           
=======================================
  Files         439      439           
  Lines       16408    16410    +2     
=======================================
+ Hits        11642    11644    +2     
  Misses       3913     3913           
  Partials      853      853           
Impacted Files Coverage Δ
pkg/skaffold/build/cluster/pod.go 86.76% <100.00%> (+0.19%) ⬆️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@tejal29 tejal29 enabled auto-merge (squash) May 6, 2021 20:18
@tejal29 tejal29 added the kokoro:run runs the kokoro jobs on a PR label May 6, 2021
@kokoro-team kokoro-team removed the kokoro:run runs the kokoro jobs on a PR label May 6, 2021
@tejal29 tejal29 merged commit d4bdf6b into GoogleContainerTools:master May 6, 2021
Successfully merging this pull request may close these issues.

kaniko builds should work with GKE workload identity