-
Notifications
You must be signed in to change notification settings - Fork 102
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement ServiceAccountKey managed resource support #298
Comments
I think we need a separate managed resource called |
Hi, |
I did some experiments for provisioning Google Cloud IAM service account keys. It seems to be the case that GCP does not persist the provisioned private key [1], thus provides no APIs to get the private key after it's provisioned. The provisioning API, however, does allow uploading public keys for service accounts [2]. Thus my proposal would be to:
|
It seems like I'd like to step back and think about why we need this. Seems like we're worried about the case where we create the key successfully but fail to save the returned private key to the connection I'd say let's keep the implementation simple now, rely on crossplane-runtime's handling of the connection secrets and open an issue there to solve this for all resources (even if it can never be a 100% guaranteed solution). |
Thanks for mentioning the high-fidelity requirements. As we discussed, we can keep the
Yes, exactly. Potentially we will leak keys for a service account. No security concerns though because we can assume the associated private keys will be gone forever in case we lose them. Just from a resource consumption point of view. For instance, if I remember correctly, there is 10 key/SA limit on GCP. And because we cannot put provisioning of the SA key and the K8s secret inside the same transaction boundary, we cannot guarantee that we won't leak as we have discussed. But this is a compromise we can make.
Agreed. I believe we should have encountered similar situations in the past and I wanted to learn which direction we have chosen so far in those similar cases. Thanks for sharing insights @muvaf. |
@muvaf I had a good chat with @ulucinar this morning and I think a simple solution for trying to ensure the connection |
Sounds good to me but I think it should happen in the implementation of the publisher, rather than the managed reconciler. Because supposedly, the underlying publishing mechanism might not be Kubernetes secret, hence we can't know the error type. |
What problem are you facing?
Crossplane create a service account alright, but there is no option to generate a credentials key. The yaml has a writeConnectionSecretToRef attribute, but it does not write anything into the secret.
How could Crossplane help solve your problem?
By creating an option for storing service accounts credential in a secret, be it via service account atributtes or another managed resource.
The text was updated successfully, but these errors were encountered: