Support for GCP Service Account with Workload Identity for GCR Artifact Registry #220

Open
mcsmgs opened this issue Jul 4, 2024 · 3 comments
Assignees
Labels
enhancement New feature or request

Comments

mcsmgs commented Jul 4, 2024

Currently, version-checker only supports basic authentication, which limits the available methods for authenticating against GCR/GAR.

Deploying version-checker on GKE clusters would be significantly more secure if it could leverage Google ADC. This would allow us to stop using static service account keys in production environments, enabling deployments to use cluster metadata for accessing Google private registries.

If version-checker could support GCP Service Accounts with Workload Identity on GKE and GKE Enterprise (Fleet Workload Identity), the Helm chart would just need the required annotations, similar to the existing ECR iamRoleArn annotation.


Message from the maintainers:

If you wish to see this enhancement implemented please add a 👍 reaction to this issue! We often sort issues this way to know what to prioritize.

@mcsmgs mcsmgs added the enhancement New feature or request label Jul 4, 2024
@ribbybibby (Member)

We could probably replace our GCR implementation with the google package in ggcr: https://github.com/google/go-containerregistry/tree/main/pkg/v1/google. This uses a custom keychain which can fetch credentials from ADC.
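
The ADC path referred to above, as an added example that is not version-checker's code and not the go-containerregistry keychain itself: on GKE with Workload Identity, ADC resolves to the cluster metadata server, which hands out a short-lived OAuth2 access token for the pod's Google service account. GCR and Artifact Registry accept that token over HTTP Basic auth with the fixed username `oauth2accesstoken`, so no static key ever needs to reach the pod. The example uses only the Go standard library; the real metadata endpoint (`http://metadata.google.internal`) is replaced by an in-process `httptest` server returning a constructed token, so it runs offline. The function names, the fake server and the token value are assumptions made for this example.

```go
// Added example (not version-checker's or go-containerregistry's code): obtain
// an ADC access token from the GKE/GCE metadata server and turn it into the
// Basic-auth credential that GCR / Artifact Registry accept. The metadata
// server is faked with httptest and a constructed token so it runs offline.
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// metadataTokenPath is the documented metadata-server endpoint for the default
// service account's OAuth2 access token (the one ADC uses on GCE/GKE).
const metadataTokenPath = "/computeMetadata/v1/instance/service-accounts/default/token"

// tokenResponse mirrors the JSON the metadata server returns.
type tokenResponse struct {
	AccessToken string `json:"access_token"`
	ExpiresIn   int    `json:"expires_in"`
	TokenType   string `json:"token_type"`
}

// fetchMetadataToken requests an access token from the metadata server at
// baseURL (normally http://metadata.google.internal). The Metadata-Flavor
// header is mandatory: the real server refuses requests without it so that
// SSRF-style requests from generic HTTP clients cannot harvest tokens.
func fetchMetadataToken(client *http.Client, baseURL string) (tokenResponse, error) {
	req, err := http.NewRequest(http.MethodGet, baseURL+metadataTokenPath, nil)
	if err != nil {
		return tokenResponse{}, err
	}
	req.Header.Set("Metadata-Flavor", "Google")
	resp, err := client.Do(req)
	if err != nil {
		return tokenResponse{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return tokenResponse{}, fmt.Errorf("metadata server returned %s", resp.Status)
	}
	var tr tokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return tokenResponse{}, err
	}
	if tr.AccessToken == "" {
		return tokenResponse{}, fmt.Errorf("metadata server returned an empty access_token")
	}
	return tr, nil
}

// registryAuthHeader builds the Authorization value for GCR / Artifact
// Registry from an ADC access token: HTTP Basic with the fixed username
// "oauth2accesstoken" and the token as the password. The token is short-lived
// (ExpiresIn seconds), so callers should refresh it rather than cache it forever.
func registryAuthHeader(accessToken string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte("oauth2accesstoken:"+accessToken))
}

// newFakeMetadataServer (assumption for this example) serves a constructed
// token response, and, like the real server, rejects requests that lack the
// Metadata-Flavor header.
func newFakeMetadataServer(token string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc(metadataTokenPath, func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Metadata-Flavor") != "Google" {
			http.Error(w, "missing Metadata-Flavor header", http.StatusForbidden)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(tokenResponse{AccessToken: token, ExpiresIn: 3599, TokenType: "Bearer"})
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := newFakeMetadataServer("ya29.constructed-token") // constructed value
	defer srv.Close()
	client := &http.Client{Timeout: 5 * time.Second}
	tr, err := fetchMetadataToken(client, srv.URL)
	if err != nil {
		panic(err)
	}
	fmt.Println("token type:", tr.TokenType, "expires in (s):", tr.ExpiresIn)
	fmt.Println("Authorization:", registryAuthHeader(tr.AccessToken))
}
```

In a real deployment the pod's Kubernetes service account must be bound to a Google service account through Workload Identity; the metadata server then returns a token for that identity, and `fetchMetadataToken` would be pointed at `http://metadata.google.internal`.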

@davidcollom (Collaborator)

@mcsmgs Thanks for raising this issue; I actually hadn't realised this was the case (it's been a while since I looked at the GCR code).

I agree with @ribbybibby on this: using Google's SDK would be a better/stronger move here. I'm actually in the process of updating most of the clients and will take a look at this in the coming days/weeks. Right now I'm looking at the ACR client for exactly the same reason of static tokens.

@davidcollom davidcollom self-assigned this Jul 4, 2024
mcsmgs (Author) commented Jul 4, 2024

Thanks, @davidcollom and @ribbybibby. That seems like the more native approach. For apps that don't fully support ADC, the fallback is to use Docker/credhelpers, which is currently the documented method for GKE Enterprise with Fleet Workload Identity (source). This approach uses the GOOGLE_APPLICATION_CREDENTIALS in the environment path.
