reconcile service account call SCI #189
samos123 commented Aug 11, 2023
- Call sci.BindIdentity to allow a K8s Service account to impersonate an identity
- Created a FakeSCIControllerClient to be able to run tests easily
overall lgtm. I'll give another pass later when I have more cycles
Let's make sure tests pass before merging
Looks like the right solution. Requested a few changes.
internal/cloud/common.go
Outdated
) | ||
|
||
type Common struct { | ||
ClusterName string `env:"CLUSTER_NAME" validate:"required"` | ||
ArtifactBucketURL *BucketURL `env:"ARTIFACT_BUCKET_URL,noinit" validate:"required"` | ||
RegistryURL string `env:"REGISTRY_URL" validate:"required"` | ||
Principal string `env:"PRINCIPAL"` |
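Review bot: `Principal` on the last line of this hunk carries no `validate` tag, unlike the three fields above it, so an unset `PRINCIPAL` is accepted as an empty string with no error at load time. Either add `validate:"required"` or make sure the code that binds the service account to this identity rejects or explicitly skips an empty value, so that a missing variable cannot silently leave the binding undone. A short field comment stating what kind of identity `Principal` holds would also help readers of this struct.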
I think this should be required (validate:"required")?
The reason I made this optional is because that would require us to always set it, even when you use something like kind or when you run the tests. I had it as validate:"required" at first but after running tests, I thought it would be better to make it optional.
After refactoring the PR, I think this could be changed back to required. Do you think that's the right move here? Even though Kind won't need it? There might be other environments where workload identity isn't available.
I see the benefit of requiring this (production environments need it) outweighing the negatives… dev envs needing to pass a stub value… alternative would be to have some custom validation logic, but prob not worth the effort there
ca9b16d to d8d2017
🍗
Nice work on these!
Yep 👍