Add new package `auth` for various authentication scenarios #664
d0dc0ad to a1a1d63
Add package `auth` along with `auth/azure`. The package `auth` will contain authentication related methods and APIs for multiple scenarios. The package `auth/azure` contains an authentication provider for Azure Resource Manager and ACR. Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
Add package `auth/aws` containing an authentication provider for AWS and ECR. Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
Add package `auth/gcp` which contains an authentication provider for GCP Service Accounts and GAR. Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
Add `auth/github` package that contains an authentication provider for GitHub Apps. The provider returns a token to authenticate as a GitHub App installation. Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
Add package `auth/registry` which provides a package level method `GetAuthenticator()` that returns an authenticator for a specific OCI registry. Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
Add package `auth/git` that provides a package level method `GetCredentials()` which returns credentials to authenticate against a Git provider. Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
Modify `auth.AuthOptions` to accept a custom cache which takes precedence over the global cache. Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
a1a1d63 to b6693ef
I tried reviewing this but it's hard to review properly with any certainty without any test actually running against the providers. For git, flux2 repo has azure devops and google source repository test infrastructure code. The OCI integration test and flux2 integration test setup are very similar. I think both of them can be combined. I see that this PR resolves #642. I think there's a lot of things to be done before that can be resolved. Maybe the tests can be in a separate branch against this PR branch. I think running tests against the providers will be very helpful in reviewing these changes properly. Without that, I don't know how to review this without any certainty about the implementation.
Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
8d264b8 to 70ea10f
Is this still planned for the next minor release of flux? I'm looking forward to using this soon if possible to connect to Azure Devops Git.
Also awaiting this functionality, any updates?
Will this work with the flux bootstrap command when implemented?
We used to have an Azure account to test all of this but MSFT has canceled our subscription. Also fluxcd/flux2#4544
I'm just wondering if it would be easier/more manageable if this was broken down a bit? For example it would probably be easier to test GitHub App auth and making related changes to the GitHub provider without worrying about AWS/Azure/GCP mixed in too? Granted I'm a bit biased since I opened fluxcd/flux2#4356 and would love to see it implemented. No worries though and appreciate the effort everyone puts in to make Flux awesome!
Hi guys, this feature can be a solution differentiator for FluxCD over other solutions. It could bring full automation IaC between terraform AKS deployment and FluxCD which would populate the Kubernetes cluster and remove manual steps.
Hello! Any updates further on this issue? This feature could really help in avoiding using PAT and SSH Keys (GH doesn't even allow the same keys in multiple repos).
Would also love to see this, it would be so nice not to have to manage tokens like a neanderthal :)
Closing, this is being implemented in stages in https://github.com/fluxcd/pkg/tree/main/auth
Is there an issue in this new repository to track workload identity auth for Azure DevOps?
@Poltergeisen the Azure DevOps OIDC-auth was released back in September. I suggest you subscribe to the Flux releases in the flux2 repo. Here is the blog post announcing Azure DevOps OIDC Authentication https://fluxcd.io/blog/2024/09/flux-v2.4.0/
Add a new package `auth` which handles multiple authentication use cases for various cloud providers and SaaS. It includes the following sub packages:

- `aws`: For AWS and ECR auth
- `gcp`: For GCP and GAR auth
- `azure`: For Azure and ACR auth
- `github`: For GitHub Apps auth
- `registry`: For OCI registry auth
- `git`: For auth against Git providers

The packages `auth/registry` and `auth/git` also support caching the authentication credentials via `AuthOptions.CacheOptions.Key`. Caching needs to be explicitly enabled by either calling `auth.InitCache()` or specifying a cache via `AuthOptions.CacheOptions.Cache`.

Fixes #642
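
The caching rules in the description above, sketched as an added example that is not code from this PR or from fluxcd/pkg. `CacheOptions.Key`, `CacheOptions.Cache` and `InitCache` echo names in the description; `Token`, `Cache`, `NewCache`, `GetToken`, their signatures and the expiry check are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)
// Hypothetical stand-ins named after the PR description; not fluxcd/pkg code.
type Token struct {
	Value     string
	ExpiresAt time.Time // assumption: cached credentials carry an expiry
}
type Cache struct {
	mu sync.Mutex
	m  map[string]Token
}
type CacheOptions struct {
	Key   string
	Cache *Cache // custom cache; takes precedence over the global one
}
var globalCache *Cache // nil until InitCache runs, so caching is off by default
func NewCache() *Cache { return &Cache{m: map[string]Token{}} }
func InitCache()       { globalCache = NewCache() }
// GetToken returns a cached, unexpired token if caching is enabled, else calls fetch.
func GetToken(opts CacheOptions, now time.Time, fetch func() Token) Token {
	c := opts.Cache
	if c == nil {
		c = globalCache
	}
	if c == nil || opts.Key == "" {
		return fetch() // caching not enabled: always ask the provider
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	if t, ok := c.m[opts.Key]; ok && now.Before(t.ExpiresAt) {
		return t
	}
	t := fetch()
	c.m[opts.Key] = t
	return t
}
func main() {
	calls, now := 0, time.Now()
	fetch := func() Token { calls++; return Token{"constructed-token", now.Add(time.Minute)} }
	opts := CacheOptions{Key: "constructed-key", Cache: NewCache()}
	GetToken(opts, now, fetch)
	GetToken(opts, now, fetch) // second call is served from opts.Cache
	fmt.Println("provider calls:", calls)
}
```

An expired entry is never returned, so a credential that has lapsed is fetched again instead of being replayed from either cache.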