-
Notifications
You must be signed in to change notification settings - Fork 101
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding Bicep private registry support using basic auth, Azure workload identity and AWS IRSA #7850
Adding Bicep private registry support using basic auth, Azure workload identity and AWS IRSA #7850
Conversation
Signed-off-by: Vishwanath Hiremath <[email protected]>
Signed-off-by: Vishwanath Hiremath <[email protected]>
Signed-off-by: Vishwanath Hiremath <[email protected]>
Signed-off-by: Vishwanath Hiremath <[email protected]>
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #7850 +/- ##
==========================================
- Coverage 61.18% 60.99% -0.19%
==========================================
Files 523 527 +4
Lines 27683 27844 +161
==========================================
+ Hits 16938 16984 +46
- Misses 9252 9366 +114
- Partials 1493 1494 +1 ☔ View full report in Codecov by Sentry. |
Signed-off-by: Vishwanath Hiremath <[email protected]>
Signed-off-by: Vishwanath Hiremath <[email protected]>
Signed-off-by: Vishwanath Hiremath <[email protected]>
pkg/corerp/datamodel/recipe_types.go
Outdated
@@ -21,6 +21,9 @@ type RecipeConfigProperties struct { | |||
// Configuration for Terraform Recipes. Controls how Terraform plans and applies templates as part of Recipe deployment. | |||
Terraform TerraformConfigProperties `json:"terraform,omitempty"` | |||
|
|||
//Configuration for Bicep Recipes. Controls how Bicep plans and applies templates as part of Recipe deployment. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
//Configuration for Bicep Recipes. Controls how Bicep plans and applies templates as part of Recipe deployment. | |
// Configuration for Bicep Recipes. Controls how Bicep plans and applies templates as part of Recipe deployment. |
pkg/corerp/datamodel/recipe_types.go
Outdated
// RegistrySecretConfig - Registry Secret Configuration used to authenticate to private bicep registries. | ||
type RegistrySecretConfig struct { | ||
// The ID of an Applications.Core/SecretStore resource containing credential information used to authenticate private container | ||
// registry.The keys in the secretstore depends on the type. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// registry.The keys in the secretstore depends on the type. | |
// registry. The keys in the secretstore depends on the type. |
|
||
func (d *bicepDriver) FindSecretIDs(ctx context.Context, envConfig recipes.Configuration, definition recipes.EnvironmentDefinition) (secretStoreIDResourceKeys map[string][]string, err error) { | ||
secretStoreIDResourceKeys = make(map[string][]string) | ||
if envConfig.RecipeConfig.Bicep.Authentication != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
might want to consider nil-checking this in case Authentication, Bicep, or RecipeConfig are nil
@@ -403,3 +434,28 @@ func (d *bicepDriver) getGCOutputResources(current []string, previous []string) | |||
|
|||
return diff, nil | |||
} | |||
|
|||
func (d *bicepDriver) FindSecretIDs(ctx context.Context, envConfig recipes.Configuration, definition recipes.EnvironmentDefinition) (secretStoreIDResourceKeys map[string][]string, err error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
does this function get called?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, it is called from recipe Engine
, we dont have to make any changes in Engine as we are just implementing a DriverWithSecret interface here , it automatically does the part of calling this function
pkg/rp/util/authClient/awsIRSA.go
Outdated
} | ||
|
||
func (b *awsIRSA) GetAuthClient(ctx context.Context, templatePath string) (remote.Client, error) { | ||
// To Do |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
let's put an issue number here to track the work
|
||
func (b *azureWorkloadIdentity) GetAuthClient(ctx context.Context, templatePath string) (remote.Client, error) { | ||
c := azcontainerregistry.AuthenticationClientOptions{ | ||
azcore.ClientOptions{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is there a reason we need to change the defaults? what's the max retry default?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
makes sense, keeping the defaults for client options
return nil, err | ||
} | ||
|
||
rt, err := ac.ExchangeAADAccessTokenForACRRefreshToken(ctx, "access_token", registryHost, &azcontainerregistry.AuthenticationClientExchangeAADAccessTokenForACRRefreshTokenOptions{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
did you reference this from a docs page somewhere? if so, maybe we should link it here so that future work here will take less ramp-up time
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
azure container registry team have not released it yet, its part of their main repo. I will add the referent once the next release of azcontainerregistry is out
tenantID string | ||
} | ||
|
||
func NewAzureWorkloadIdentity(clientID string, tenantID string) AuthClient { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is this difficult to add a functional test for or does it seem feasible?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah it is not straight forward, i am creating a different github issue for that.
Signed-off-by: Vishwanath Hiremath <[email protected]>
Signed-off-by: Vishwanath Hiremath <[email protected]>
Signed-off-by: Vishwanath Hiremath <[email protected]>
Signed-off-by: Vishwanath Hiremath <[email protected]>
Signed-off-by: Vishwanath Hiremath <[email protected]>
@@ -238,6 +250,17 @@ func fromRecipeConfigDatamodel(config datamodel.RecipeConfigProperties) *RecipeC | |||
|
|||
recipeConfig.Terraform.Providers = fromRecipeConfigTerraformProvidersDatamodel(config) | |||
} | |||
if !reflect.DeepEqual(config.Bicep, datamodel.BicepConfigProperties{}) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: new line before this
for k, v := range config.Bicep.Authentication { | ||
authConfig[k] = datamodel.RegistrySecretConfig{ | ||
Secret: to.String(v.Secret), | ||
} | ||
} | ||
recipeConfig.Bicep.Authentication = authConfig |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a reason why we are not doing it this way like you did below?
for k, v := range config.Bicep.Authentication { | |
authConfig[k] = datamodel.RegistrySecretConfig{ | |
Secret: to.String(v.Secret), | |
} | |
} | |
recipeConfig.Bicep.Authentication = authConfig | |
for k, v := range config.Bicep.Authentication { | |
recipeConfig.Bicep.Authentication[k] = datamodel.RegistrySecretConfig{ | |
Secret: to.String(v.Secret), | |
} | |
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
because recipeConfig.Bicep.Authentication
value would be nil
and it will throw nil pointer.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can do recipeConfig.Bicep.Authentication := map[string]datamodel.RegistrySecretConfig{}
before the loop.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can do that, but we will be using the recipeConfig.Bicep.Authentication
multiple times , i thought its better to use authConfig variable
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
folder and file names shouldn't have capital letters
Signed-off-by: Vishwanath Hiremath <[email protected]>
Signed-off-by: Vishwanath Hiremath <[email protected]>
Signed-off-by: Vishwanath Hiremath <[email protected]>
for k, v := range config.Bicep.Authentication { | ||
authConfig[k] = datamodel.RegistrySecretConfig{ | ||
Secret: to.String(v.Secret), | ||
} | ||
} | ||
recipeConfig.Bicep.Authentication = authConfig |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can do recipeConfig.Bicep.Authentication := map[string]datamodel.RegistrySecretConfig{}
before the loop.
pkg/corerp/datamodel/recipe_types.go
Outdated
@@ -21,6 +21,9 @@ type RecipeConfigProperties struct { | |||
// Configuration for Terraform Recipes. Controls how Terraform plans and applies templates as part of Recipe deployment. | |||
Terraform TerraformConfigProperties `json:"terraform,omitempty"` | |||
|
|||
// BicepConfigProperties represent configuration for Bicep Recipes. Controls how Bicep plans and applies templates as part of Recipe deployment. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// BicepConfigProperties represent configuration for Bicep Recipes. Controls how Bicep plans and applies templates as part of Recipe deployment. | |
// BicepConfigProperties represents configuration for Bicep Recipes. Controls how Bicep plans and applies templates as part of Recipe deployment. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
name should be changed
Signed-off-by: Vishwanath Hiremath <[email protected]>
Signed-off-by: Vishwanath Hiremath <[email protected]>
Radius functional test overview
Click here to see the list of tools in the current test run
Test Status⌛ Building Radius and pushing container images for functional tests... |
return &awsIRSA{roleARN: roleARN} | ||
} | ||
|
||
func (b *awsIRSA) GetAuthClient(ctx context.Context, templatePath string) (remote.Client, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pls add comment for IRSA implementation. it was added for Azure WI, BasicAuth
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated it
exp: recipes.SecretData{}, | ||
}, | ||
} | ||
for _, tc := range testset { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We need to add test verify returning error when say templatePath passed is not a valid path
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
added a test
@@ -133,3 +135,12 @@ func parsePath(path string) (repository string, tag string, err error) { | |||
tag = reference.Tag() | |||
return | |||
} | |||
|
|||
func GetRegistrySecrets(definition recipes.Configuration, templatePath string, secrets map[string]recipes.SecretData) (recipes.SecretData, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pls add comment for public function
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated it
@@ -72,10 +72,10 @@ enum SecretStoreDataType { | |||
@doc("basicAuthentication type is used to represent username and password based authentication and the secretstore resource is expected to have the keys 'username' and 'password'.") | |||
basicAuthentication, | |||
|
|||
@doc("azureWorkloadIdentity type is used to represent registry authentication using azure federated identity and the secretstore resource is expected to have the keys 'clientId' and 'tenantId'.") | |||
@doc("azureWorkloadIdentity type is used to represent authentication using azure federated identity and the secretstore resource is expected to have the keys 'clientId' and 'tenantId'.") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 thank u!
Signed-off-by: Vishwanath Hiremath <[email protected]>
Radius functional test overview
Click here to see the list of tools in the current test run
Test Status⌛ Building Radius and pushing container images for functional tests... |
Description
Type of change
#6917