
Add new package auth for various authentication scenarios #664

Closed
wants to merge 10 commits into from

Conversation

aryan9600 (Member) commented Oct 13, 2023

Add a new package auth which handles multiple authentication use cases for various cloud providers and SaaS. It includes the following sub packages:

  • aws: For AWS and ECR auth
  • gcp: For GCP and GAR auth
  • azure: For Azure and ACR auth
  • github: For GitHub Apps auth
  • registry: For OCI registry auth
  • git: For auth against Git providers

The packages auth/registry and auth/git also support caching the authentication credentials via AuthOptions.CacheOptions.Key. Caching needs to be explicitly enabled by either calling auth.InitCache() or specifying a cache via AuthOptions.CacheOptions.Cache.

Fixes #642
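The caching model the description sketches (opt-in via InitCache or a per-call cache, entries scoped by a key, the per-call cache taking precedence over the global one, as the later commit message also states) written out as an added Go example. This is not the PR's code: the names AuthOptions, CacheOptions, InitCache and GetCredentials follow the description, but their signatures, the Cache interface, MemCache, the 30-second expiry margin and the rule that a cache without a key is rejected are this example's assumptions, and the key "example-registry" is constructed.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Credentials is this example's credential shape: a token and when the issuer stops accepting it.
type Credentials struct {
	Token     string
	ExpiresAt time.Time
}
// Cache is the minimal interface AuthOptions accepts here (an assumption, not the PR's type).
type Cache interface {
	Get(key string) (Credentials, bool)
	Set(key string, c Credentials)
}

// MemCache is an in-memory Cache that never hands back an expired entry.
type MemCache struct {
	mu      sync.Mutex
	entries map[string]Credentials
	now     func() time.Time // injectable clock so expiry can be exercised offline
}
func NewMemCache(now func() time.Time) *MemCache {
	return &MemCache{entries: map[string]Credentials{}, now: now}
}

// Get evicts and reports a miss once an entry expires within the next 30s (this
// example's margin), so a caller is never handed a token that dies mid-request.
func (m *MemCache) Get(key string) (Credentials, bool) {
	m.mu.Lock()
	defer m.mu.Unlock()
	c, ok := m.entries[key]
	if !ok || !m.now().Add(30*time.Second).Before(c.ExpiresAt) {
		delete(m.entries, key)
		return Credentials{}, false
	}
	return c, true
}
func (m *MemCache) Set(key string, c Credentials) {
	m.mu.Lock()
	defer m.mu.Unlock()
	m.entries[key] = c
}

// CacheOptions and AuthOptions use the field names from the PR description.
type CacheOptions struct {
	Key   string // scopes the entry to one provider/resource
	Cache Cache  // optional per-call cache; takes precedence over the global one
}
type AuthOptions struct{ CacheOptions CacheOptions }
var (
	globalMu    sync.RWMutex
	globalCache Cache // nil until InitCache is called: caching is opt-in
)
// InitCache enables the process-wide cache; ResetCache disables it again.
func InitCache(c Cache) { globalMu.Lock(); globalCache = c; globalMu.Unlock() }
func ResetCache()       { InitCache(nil) }

// GetCredentials serves from the per-call cache, else the global one, else calls fetch
// (the stand-in for a provider exchange) every time. A cache with an empty key is
// rejected (this example's rule) so two callers can never share an entry by accident.
func GetCredentials(opts AuthOptions, fetch func() (Credentials, error)) (Credentials, error) {
	cache, key := opts.CacheOptions.Cache, opts.CacheOptions.Key
	if cache == nil {
		globalMu.RLock()
		cache = globalCache
		globalMu.RUnlock()
	}
	if cache != nil && key == "" {
		return Credentials{}, fmt.Errorf("auth: cache configured but CacheOptions.Key is empty")
	}
	if cache != nil {
		if c, ok := cache.Get(key); ok {
			return c, nil
		}
	}
	c, err := fetch()
	if err == nil && cache != nil {
		cache.Set(key, c)
	}
	return c, err
}

func main() {
	n := 0
	fetch := func() (Credentials, error) { // counts how often the "provider" is hit
		n++
		return Credentials{Token: fmt.Sprintf("token-%d", n), ExpiresAt: time.Now().Add(time.Hour)}, nil
	}
	InitCache(NewMemCache(time.Now))
	opts := AuthOptions{CacheOptions: CacheOptions{Key: "example-registry"}} // constructed key
	GetCredentials(opts, fetch)
	GetCredentials(opts, fetch) // served from the global cache
	fmt.Println("provider calls:", n)
}
```

The expiry margin in Get is the part worth copying: a cache that returns a token a few seconds before it lapses turns a cache hit into an authentication failure against the provider, so the cache should treat near-expiry entries as misses rather than leave that to every caller.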

@aryan9600 aryan9600 requested a review from a team as a code owner October 13, 2023 11:26
Review comments were left on auth/git/credentials.go (two, dismissed), auth/cache.go (resolved, outdated) and auth/options.go (resolved, outdated).
Add package `auth` along with `auth/azure`. The package `auth` will
contain authentication related methods and APIs for multiple scenarios.
The package `auth/azure` contains an authentication provider for Azure
Resource Manager and ACR.

Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
Add package `auth/aws` containing an authentication provider for AWS and
ECR.

Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
Add package `auth/gcp` which contains an authentication provider for GCP
Service Accounts and GAR.

Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
Add `auth/github` package that contains an authentication provider for
GitHub Apps. The provider returns a token to authenticate as a GitHub
App installation.

Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
Add package `auth/registry` which provides a package level method
`GetAuthenticator()` that returns an authenticator for a specific OCI
registry.

Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
Add package `auth/git` that provides a package level method
`GetCredentials()` which returns credentials to authenticate against a
Git provider.

Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
Modify `auth.AuthOptions` to accept a custom cache which takes
precedence over the global cache.

Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
@darkowlzz (Contributor) commented:

I tried reviewing this but it's hard to review properly with any certainty without any test actually running against the providers.
We have most of the test setup needed for testing registry auth in the OCI integration test package. The whole test setup can be copied to this package or, temporarily, the OCI integration test's test app can be modified to also use the new auth via a flag and verify that it continues to work against all the providers.

For git, flux2 repo has azure devops and google source repository test infrastructure code. The OCI integration test and flux2 integration test setup are very similar. I think both of them can be combined.

I see that this PR resolves #642 . I think there's a lot of things to be done before that can be resolved. Maybe the tests can be in a separate branch against this PR branch. I think running tests against the providers will be very helpful in reviewing these changes properly. Without that, I don't know how to review this without any certainty about the implementation.

Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
@Poltergeisen commented:

Is this still planned for the next minor release of flux? I'm looking forward to using this soon if possible to connect to Azure Devops Git.

@b-rand commented Feb 6, 2024

Is this still planned for the next minor release of flux? I'm looking forward to using this soon if possible to connect to Azure Devops Git.

Also awaiting this functionality, any updates?

@ageisen2000 commented:

Will this work with the flux bootstrap command when implemented?

@stefanprodan (Member) commented:

Also awaiting this functionality, any updates?

We used to have an Azure account to test all of this but MSFT has canceled our subscription. Also fluxcd/flux2#4544

@evandam commented Feb 15, 2024

I'm just wondering if it would be easier/more manageable if this was broken down a bit? For example it would probably be easier to test GitHub App auth and making related changes to the GitHub provider without worrying about AWS/Azure/GCP mixed in too?

Granted I'm a bit biased since I opened fluxcd/flux2#4356 and would love to see it implemented. No worries though and appreciate the effort everyone puts in to make Flux awesome!

@AdrianBalcan commented:

Hi guys, this feature can be a solution differentiator for FluxCD over other solutions. It could bring full IaC automation between the Terraform AKS deployment and FluxCD, which would populate the Kubernetes cluster and remove manual steps.

@yashwanth-l commented:

Hello!

Any updates further on this issue?

This feature could really help in avoiding the use of PATs and SSH keys (GH doesn't even allow the same keys in multiple repos).

@iamandymcinnes commented:

Would also love to see this, it would be so nice not to have to manage tokens like a neanderthal :)

@stefanprodan (Member) commented:

Closing, this is being implemented in stages in https://github.com/fluxcd/pkg/tree/main/auth

@Poltergeisen commented:

Is there an issue in this new repository to track workload identity auth for azure DevOps?

@stefanprodan (Member) commented Dec 5, 2024

@Poltergeisen the Azure DevOps OIDC-auth was released back in September. I suggest you subscribe to the Flux releases in the flux2 repo. Here is the blog post announcing Azure DevOps OIDC Authentication https://fluxcd.io/blog/2024/09/flux-v2.4.0/

Successfully merging this pull request may close these issues.

Cache registry credentials for cloud providers