Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Ever since kubernetes/k8s.io#655, this job should already run with an authenticated GCP SA (before the job's code even runs). This means there is no need to use the keyfile to authenticate (again), as it is redundant. We still keep the `-use-service-account` flag for now because the promoter currently still tries to extract OAUTH tokens as the GCP account at the very beginning of its run. It's a nice sanity check. Once we confirm that the OAUTH tokens do still get populated in the business logic of the job, we don't need to keep this flag any more because the GCRs that the promoter deals with today are all public (the promoter was designed to deal with private repos), and so the very first "read GCR" API calls do not need the OAUTH tokens for just reading the repos. That takes care of the GCR read API calls. As for the GCR write calls, the gcrane.Copy() method that perform the GCR writes do their own authentication dance, but that is separate and automatic as long as the GCP account is authenticated before that function call. This is why the `-use-service-account` flag is marked for future deprecation in this commit.
- Loading branch information