Issue #6921: Unbreak compute engine url signing #158
Conversation
kaovilai
changed the title
Codecov Report
@@ Coverage Diff @@
## main #158 +/- ##
==========================================
- Coverage 29.26% 29.15% -0.12%
==========================================
Files 3 3
Lines 516 518 +2
==========================================
Hits 151 151
- Misses 353 355 +2
Partials 12 12
|
kaovilai
force-pushed
the
alwaysSignUrl
branch
from
1f164ca
to
6bd3fba
Compare
kaovilai
changed the title
Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com> Remove doc assumptions that `GKE Workload Identity` = `Workload Identity Federation` and cannot generate signed URLs Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>
kaovilai
force-pushed
the
alwaysSignUrl
branch
from
4961cda
to
6dfc7c1
Compare
| @@ -175,8 +175,6 @@ This involves creating an external credential file and using it as `--secret-fil | |||
|
|
|||
| #### Option 3: Using GKE Workload Identity | |||
|
|
|||
| Keep in mind that [Workforce Identity Federation Users cannot generate signed URLs](https://cloud.google.com/iam/docs/federated-identity-supported-services#:~:text=workforce%20identity%20federation%20users%20cannot%20generate%20signed%20URLs.). This means, if you are using Workforce Identity Federation, you will not be able to run `velero backup logs`, `velero backup download`, `velero backup describe` and `velero restore describe`. | |||
There was a problem hiding this comment.
Per the conversation in issue vmware-tanzu/velero#6921, I think this information is still true for most Workload Identity scenarios, especially for the programmatic way, so I think we still need to keep this line, and we just need to add a note for the exception scenario.
By the way, the scenario mentioned in the issue vmware-tanzu/velero#6921 looks like not a Workload Identity one, it's more like a file-less authentication scenario.
There was a problem hiding this comment.
it's workload identities, typical use case of trust relationship between k8s SA and IAM SA and they can indeed create signed URLs etc. . With workload identities we could always do backups, snapshots, describe, download, logs, restore, everything you expect to be able to do with Velero.
We have been using workload identities with Velero since v1.5.2 and v1.1.0 for the GCP plugin and on multiple clusters and never had an issue up until now with the regression due to workforce support.
Fix vmware-tanzu/velero#6921
Signed-off-by: Tiger Kaovilai tkaovila@redhat.com