-
Notifications
You must be signed in to change notification settings - Fork 72
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue #6921: Unbreak compute engine url signing #158
Conversation
Codecov Report
@@ Coverage Diff @@
## main #158 +/- ##
==========================================
- Coverage 29.26% 29.15% -0.12%
==========================================
Files 3 3
Lines 516 518 +2
==========================================
Hits 151 151
- Misses 353 355 +2
Partials 12 12
|
1f164ca
to
6bd3fba
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
as bug reporter, can confirm this fixes the issues around workload identities.
Thanks a lot! 🚀
Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com> Remove doc assumptions that `GKE Workload Identity` = `Workload Identity Federation` and cannot generate signed URLs Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>
4961cda
to
6dfc7c1
Compare
@@ -175,8 +175,6 @@ This involves creating an external credential file and using it as `--secret-fil | |||
|
|||
#### Option 3: Using GKE Workload Identity | |||
|
|||
Keep in mind that [Workforce Identity Federation Users cannot generate signed URLs](https://cloud.google.com/iam/docs/federated-identity-supported-services#:~:text=workforce%20identity%20federation%20users%20cannot%20generate%20signed%20URLs.). This means, if you are using Workforce Identity Federation, you will not be able to run `velero backup logs`, `velero backup download`, `velero backup describe` and `velero restore describe`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Per the conversation in issue vmware-tanzu/velero#6921, I think this information is still true for most Workload Identity scenarios, especially for the programmatic way, so I think we still need to keep this line, and we just need to add a note for the exception scenario.
By the way, the scenario mentioned in the issue vmware-tanzu/velero#6921 looks like not a Workload Identity one, it's more like a file-less authentication scenario.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it's workload identities, typical use case of trust relationship between k8s SA and IAM SA and they can indeed create signed URLs etc. . With workload identities we could always do backups, snapshots, describe, download, logs, restore, everything you expect to be able to do with Velero.
We have been using workload identities with Velero since v1.5.2 and v1.1.0 for the GCP plugin and on multiple clusters and never had an issue up until now with the regression due to workforce support.
Fix vmware-tanzu/velero#6921
Signed-off-by: Tiger Kaovilai tkaovila@redhat.com