Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add new package auth for various authentication scenarios #664

Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

Add new package auth for various authentication scenarios #664

wants to merge 10 commits into from

Conversation

aryan9600
Copy link
Member

@aryan9600 aryan9600 commented Oct 13, 2023
edited
Loading

Add a new package auth which handles multiple authentication use cases for various cloud providers and SaaS. It inculdes the following sub packages:

  • aws: For AWS and ECR auth
  • gcp: For GCP and GAR auth
  • azure: For Azure and ACR auth
  • github: For GitHub Apps auth
  • registry: For OCI registry auth
  • git: For auth against Git providers

The packages auth/registry and auth/git also support caching the authentication credentials via AuthOptions.CacheOptions.Key. Caching needs to explicitly enabled by either calling auth.InitCache() or specifying a cache via AuthOptions.CacheOptions.Cache.

Fixes #642

@aryan9600 aryan9600 requested a review from a team as a code owner October 13, 2023 11:26
github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 13, 2023
View reviewed changes
auth/git/credentials.go Dismissed Show dismissed Hide dismissed
auth/git/credentials.go Dismissed Show dismissed Hide dismissed
hiddeco
hiddeco reviewed Oct 13, 2023
View reviewed changes
auth/cache.go Outdated Show resolved Hide resolved
hiddeco
hiddeco reviewed Oct 13, 2023
View reviewed changes
auth/options.go Outdated Show resolved Hide resolved
@aryan9600
add new package auth and auth/azure
803eed9 
Add package `auth` along with `auth/azure`. The package `auth` will
contain authentication related methods and APIs for multiple scenarios.
The package `auth/azure` contains an authentication provider for Azure
Resource Manager and ACR.

Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
@aryan9600
auth: add auth/aws package for AWS authentication
1bcd4be 
Add package `auth/aws` containing an authentication provider for AWS and
ECR.

Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
@aryan9600
auth: add auth/gcp package for GCP authentication
5a6728e 
Add package `auth/gcp` which contains an authentication provider for GCP
Service Accounts and GAR.

Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
@aryan9600
auth: add auth/github package for GitHub authentication
0234d33 
Add `auth/github` package that contains an authentication provider for
GitHub Apps. The provider returns a token to authenticate as a GitHub
App installation.

Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
@aryan9600
auth: add auth/registry package for OCI registry auth
fd8f529 
Add package `auth/registry` which provides a package level method
`GetAuthenticator()` that returns an authenticator for a specific OCI
registry.

Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
@aryan9600
auth: add auth/git package for Git provider auth
cc3a2eb 
Add package `auth/git` that provides a package level method
`GetCredentials()` which returns credentials to authenticate against a
Git provider.

Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
@aryan9600
auth: allow specifying custom cache
b6693ef 
Modify `auth.AuthOptions` to accept a custom cache which takes
precedence over the global cache.

Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
@darkowlzz
Copy link
Contributor

I tried reviewing this but it's hard to review properly with any certainty without any test actually running against the providers.
We have most of the test setup needed for testing registry auth in the OCI integration test package. The whole test setup can be copied to this package or temporarily, the OCI integration test's test app can be modified to also use new auth via a flag and verify that it continues to work against all the providers.

For git, flux2 repo has azure devops and google source repository test infrastructure code. The OCI integration test and flux2 integration test setup are very similar. I think both of them can be combined.

I see that this PR resolves #642 . I think there's a lot of things to be done before that can be resolved. Maybe the tests can be in a separate branch against this PR branch. I think running tests against the providers will be very helpful in reviewing these changes properly. Without that, I don't know how to review this without any certainty about the implementation.

@aryan9600 aryan9600 mentioned this pull request Nov 17, 2023
Closed
5 tasks
@aryan9600
auth/azure: fix token exchange url construction
a7cc163 
Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
@aryan9600
auth/registry: add integration tests
c6842fe 
Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
@aryan9600
ci: switch running dir to new auth pkg for OCI e2e
70ea10f 
Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
@Poltergeisen
Copy link

Is this still planned for the next minor release of flux? I'm looking forward to using this soon if possible to connect to Azure Devops Git.

@b-rand
Copy link

b-rand commented Feb 6, 2024

Is this still planned for the next minor release of flux? I'm looking forward to using this soon if possible to connect to Azure Devops Git.

Also awaiting this functionality, any updates?

@ageisen2000
Copy link

Will this work with the flux bootstrap command when implemented?

@stefanprodan
Copy link
Member

Also awaiting this functionality, any updates?

We used to have an Azure account to test all of this but MSFT has canceled our subscription. Also fluxcd/flux2#4544

@evandam
Copy link

evandam commented Feb 15, 2024
edited
Loading

I'm just wondering if it would be easier/more manageable if this was broken down a bit? For example it would probably be easier to test GitHub App auth and making related changes to the GitHub provider without worrying about AWS/Azure/GCP mixed in too?

Granted I'm a bit biased since I opened fluxcd/flux2#4356 and would love to see it implemented. No worries though and appreciate the effort everyone puts in to make Flux awesome!

@souleb souleb mentioned this pull request Feb 22, 2024
Closed
@AdrianBalcan
Copy link

Hi guys, this feature can be a solution differentiator for FluxCD over other solutions. It could bring full automation IaC between terraform AKS deployment and FluxCD which would populate the Kubernetes cluster and removing manual steps.

@yashwanth-l
Copy link

Hello!

Any updates further on this issue?

This feature could be really help in avoiding using PAT and SSH Keys (GH doesn't even allow the same keys in multiple repos)

@iamandymcinnes
Copy link

Would also love to see this, it would be so nice not to have manage tokens like a neanderthal :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hiddeco hiddeco hiddeco left review comments

@darkowlzz darkowlzz Awaiting requested review from darkowlzz

@stefanprodan stefanprodan Awaiting requested review from stefanprodan

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
Maintainers' Focus
Status: No status
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Cache registry credentials for cloud providers