Add support for GCR default credentials #1120
@@ -52,6 +55,9 @@ func init() { | |||
|
|||
// Adapted from https://github.com/awslabs/amazon-ecr-credential-helper/blob/master/ecr-login/api/client.go#L34 | |||
ecrHostPattern = regexp.MustCompile(`([a-zA-Z0-9][a-zA-Z0-9-_]*)\.dkr\.ecr(\-fips)?\.([a-zA-Z0-9][a-zA-Z0-9-_]*)\.amazonaws\.com(\.cn)?`) | |||
|
|||
// From https://cloud.google.com/container-registry/docs/overview | |||
gcrHostPattern = regexp.MustCompile(`((us|eu|asia)\.)?gcr.io`) |
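Review bot: on the `gcrHostPattern` line the `.` in `gcr.io` is unescaped, so it matches any single character, and the expression is not anchored, so any hostname that merely contains a `gcr.io`-like substring (for example `gcr.io.example.com` or `gcr-io.example.com`) would be treated as a GCR host and trigger the metadata-service token lookup. Suggest `^((us|eu|asia)\.)?gcr\.io$` (or at least `gcr\.io` with the caller doing a full-string match), and note that the adapted `ecrHostPattern` on the line above is likewise unanchored.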
Code scanning just gave some hints here about the unescaped dot, which is highly unlikely to cause any issues, but we probably should escape it ;)
LGTM, other than the small code scanning hint. Thank you @viktorradnai !
Once this gets merged, we should add it to the docs, that this works automatically for GCR as well here: https://github.com/banzaicloud/bank-vaults-docs/blob/12b992e5262acad355767a72371d3449a408960a/docs/mutating-webhook/_index.md#registry-access
👍
What's in this PR?
This PR adds support for authenticating against Google Container Registry without explicit username / password.
It works similarly to the already present Amazon ECR support: If there are no username / password / imagePullSecrets specified, then it checks the registry hostname against the known GCR hosts. If the pattern matches then it tries to obtain an auth token from the metadata service endpoint when running inside Google Cloud (which also works with workload identity if running in GKE).
Why?
Using default credentials avoids the need for pre-shared credentials (passwords or manually generated service account tokens) which would need to be managed.
To Do
This PR does not address authenticating with a user supplied Google service account token (although that may be possible using the username/password mechanism but was not tested).
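The hostname check described above is the step that decides whether the webhook will ask the metadata service for a token, so it is worth seeing how the pattern from the hunk behaves next to an escaped, anchored one. The following is an added example, not code from the PR or from bank-vaults; `RegistryHost` is a helper written here that applies Docker's rule for splitting the registry off an image reference, and the image names are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// loosePattern reproduces the expression from the PR hunk: the dot in
// "gcr.io" is unescaped (it matches any character) and nothing is anchored.
var loosePattern = regexp.MustCompile(`((us|eu|asia)\.)?gcr.io`)

// strictPattern escapes the dot and anchors both ends, so only a whole
// hostname of the form gcr.io, us.gcr.io, eu.gcr.io or asia.gcr.io matches.
var strictPattern = regexp.MustCompile(`^((us|eu|asia)\.)?gcr\.io$`)

// IsGCRHostLoose reports whether host matches the unescaped, unanchored pattern.
func IsGCRHostLoose(host string) bool { return loosePattern.MatchString(host) }

// IsGCRHostStrict reports whether host is exactly one of the known GCR hostnames.
func IsGCRHostStrict(host string) bool { return strictPattern.MatchString(host) }

// RegistryHost extracts the registry hostname from an image reference using
// the Docker naming rule: the first path segment is a registry only if it
// contains '.' or ':' or equals "localhost"; otherwise the image is on Docker Hub.
// (Helper written for this example, not part of the PR.)
func RegistryHost(image string) string {
	first, _, hasPath := strings.Cut(image, "/")
	if !hasPath || (!strings.ContainsAny(first, ".:") && first != "localhost") {
		return "docker.io"
	}
	host, _, _ := strings.Cut(first, ":") // drop an explicit port
	return host
}

func main() {
	// Constructed image references: real GCR forms and a Docker Hub image first,
	// then lookalike hosts that the loose pattern accepts and the strict one rejects.
	for _, img := range []string{
		"gcr.io/my-project/app:1.0", "eu.gcr.io/my-project/app", "nginx:1.25",
		"gcr.io.example.com/app", "notgcr.io/app", "gcr-io.example.com/app",
	} {
		h := RegistryHost(img)
		fmt.Printf("%-28s host=%-20s loose=%-5v strict=%v\n", img, h, IsGCRHostLoose(h), IsGCRHostStrict(h))
	}
}
```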