-
Notifications
You must be signed in to change notification settings - Fork 95
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: ECR credential integration into Finch #462
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Left some comments. You'll also need to sign your commit with the DCO by using the -s
flag when you run git commit
(more info)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Left a few minor comments. Overall looks good. Suggest adding a note in the README similar to additional_directories
explaining what the user experience is going to be like.
Signed-off-by: kiryl1 <kirylkul@gmail.com>
Signed-off-by: kiryl1 <kirylkul@gmail.com>
Signed-off-by: kiryl1 <kirylkul@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good, just a few things. Also think we have to update the GitHub workflow files and Makefile to actually add the Registry option, right?
…ting config.json in integration test, changed binares struct to credhelperbin Signed-off-by: kiryl1 <kirylkul@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changes look good to me. Lets take it out of draft and work on configuring the integration tests to run with the correct registry by adding the secret value and then using it in ci.yaml?
We use conventional commits for creating finch release based on semantic versioning. We should probably prefix the PR title as |
Signed-off-by: kiryl1 <kirylkul@gmail.com>
Signed-off-by: kiryl1 <kirylkul@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Still need the changes to actually use the remote registry unless I'm missing something, otherwise LGTM
Yeah, I think it may be worth exporting the aws credentials like how we export COSIGN_PASSWORD if users wish to use env vs file. Might also simply the e2e test which will rely on https://github.com/aws-actions/configure-aws-credentials which exports the credentials as env variables. |
Signed-off-by: kiryl1 <kirylkul@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, we can merge once the linter check passes. https://github.com/runfinch/finch/actions/runs/5526370034/jobs/10097740941?pr=462#step:4:18795
Signed-off-by: kiryl1 <kirylkul@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Wanted to callout an unexpected behavior which we have options to resolve. Consider this non-blocking for the PR but follow up work. I follow these steps after successfully configured the credential helper and verifying that push and pull work with my ECR repo:
I no longer have finch configured with a I can turn this comment into an issue if you folks agree @kiryl1 @pendo324 @vsiravar |
+1 for turning this into an issue. I think the expected behavior to remove the feature is probably to just edit the same config file again, not also have to edit |
+1 for this, it'll end up confusing the user if the config is missing in |
…cs to README, changed data type of credential helper to a slice instead of just string Signed-off-by: kiryl1 <kirylkul@gmail.com>
Signed-off-by: kiryl1 <kirylkul@gmail.com>
Signed-off-by: kiryl1 <kirylkul@gmail.com>
Signed-off-by: kiryl1 <kirylkul@gmail.com>
Are e2e tests using the credential helper? For example in build 1018
And
Also, looks like each e2e step is running twice? e.g.. there are two occurrences of |
No the existing e2e tests are not using the Credential Helper, Since the existing e2e tests are using finch login the tests would fail if the credential helper was enabled. Im also not exactly sure why it appears to run in duplicates. |
🤖 I have created a release *beep* *boop* --- ## [0.7.0](v0.6.2...v0.7.0) (2023-07-18) ### Features * ECR credential integration into Finch ([#462](#462)) ([d3514b3](d3514b3)) ### Bug Fixes * Add cleanup script to Makefile ([#444](#444)) ([da91f87](da91f87)) ### Build System or External Dependencies * **deps:** Bump github.com/docker/docker from 24.0.2+incompatible to 24.0.4+incompatible ([#469](#469)) ([ad37f4f](ad37f4f)) * **deps:** Bump github.com/docker/docker from 24.0.2+incompatible to 24.0.4+incompatible ([#481](#481)) ([15d2a4b](15d2a4b)) * **deps:** Bump github.com/onsi/ginkgo/v2 from 2.10.0 to 2.11.0 ([#456](#456)) ([f7e0916](f7e0916)) * **deps:** Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0 ([#449](#449)) ([a415e3e](a415e3e)) * **deps:** Bump github.com/onsi/gomega from 1.27.7 to 1.27.8 ([#448](#448)) ([96fc8d0](96fc8d0)) * **deps:** Bump github.com/runfinch/common-tests from 0.7.0 to 0.7.1 ([#477](#477)) ([54c03bb](54c03bb)) * **deps:** Bump github.com/shirou/gopsutil/v3 from 3.23.5 to 3.23.6 ([#464](#464)) ([43a6720](43a6720)) * **deps:** Bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 ([#446](#446)) ([1823677](1823677)) * **deps:** Bump golang.org/x/crypto from 0.10.0 to 0.11.0 ([#465](#465)) ([dc5a3e7](dc5a3e7)) * **deps:** Bump golang.org/x/crypto from 0.9.0 to 0.10.0 ([#451](#451)) ([fef6e77](fef6e77)) * **deps:** Bump golang.org/x/tools from 0.10.0 to 0.11.0 ([#466](#466)) ([a8b32f9](a8b32f9)) * **deps:** Bump golang.org/x/tools from 0.9.3 to 0.10.0 ([#455](#455)) ([e321f1d](e321f1d)) * **deps:** Bump k8s.io/apimachinery from 0.27.2 to 0.27.3 ([#454](#454)) ([d6746a4](d6746a4)) * **deps:** Bump lima version ([#476](#476)) ([7b330d3](7b330d3)) * **deps:** Bump submodules ([#482](#482)) ([92f2494](92f2494)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Issue #, if available: 116
Description of changes:
Integrating ECR credential helper into Finch.
To Install the Credential Helper
The ECR credential helper can be setup with minimal configuration by setting the
creds_helpers
option infinch.yaml
with the value- ecr-login
.Once the option has been set the credential helper will be installed on either
finch vm init
orfinch vm start
. The binary will be downloaded on the host machine and aconfig.json
will be created and populated in the~/.finch/
folder if it doesn't already exist. If it already exists, the value ofcredsStore
will be overwritten toecr-login
.How to stop using the credential helper with Finch
config.json
needs to be either deleted, or thecredsStore
parameter needs to have the valueecr-login
removed. Additionally the creds_helper option in the finch.yaml needs to be removed.To fully remove the credential helper from the host machine, this can be done by deleting it from the
~/.finch/cred-helpers
folder.The credential helper will support credentials from both the aws credentials file and those that are stored as environment variables.
Testing done:
Added Unit Tests
Added Integration Test
License Acceptance
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.