
Support Node-identity-based authentication

Open ekcasey opened this issue 4 years ago • 6 comments

Use ggcr k8schain package to provide workload identity based authentication in the lifecycle. The keychain returned by NewNoClient should allow us to provide credential-helper-like authentication when the lifecycle runs in-cluster on a public cloud provider without requiring that cred-helper executables are actually installed on the image.

ekcasey avatar Oct 05 '20 20:10 ekcasey

Does this have implications for the work described here? https://github.com/buildpacks/lifecycle/issues/339#issuecomment-685110074

natalieparellano avatar Oct 05 '20 21:10 natalieparellano

@natalieparellano Assuming we made the changes described in #339, I think we would want to add this additional keychain to the end of our MultiKeychain.

ekcasey avatar Oct 05 '20 21:10 ekcasey
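
The ordering discussed in the comments above (a node-identity keychain appended to the end of the MultiKeychain), shown as an added example that is not part of the thread or of the lifecycle code base. It uses local stand-in types rather than ggcr's `authn` package, models a multi-keychain in which the first non-anonymous answer wins, and all registry names are constructed.

```go
package main

import "fmt"
import "strings"

// Local stand-ins modelled on a registry keychain interface; not ggcr's own types.
type Auth struct{ Source string }
type Keychain func(registry string) (*Auth, error)

var Anonymous = &Auth{Source: "anonymous"} // "no credential for this registry"

// Multi tries keychains in order: first non-anonymous answer wins, an error aborts.
func Multi(chain ...Keychain) Keychain {
	return func(registry string) (*Auth, error) {
		for _, kc := range chain {
			// Stop on an error or on a real credential; otherwise try the next one.
			if auth, err := kc(registry); err != nil || auth != Anonymous {
				return auth, err
			}
		}
		return Anonymous, nil
	}
}

// when builds a keychain that answers as source for registries ending in suffix.
func when(source, suffix string) Keychain {
	return func(registry string) (*Auth, error) {
		if strings.HasSuffix(registry, suffix) {
			return &Auth{Source: source}, nil
		}
		return Anonymous, nil
	}
}

// Source reports which keychain answers; all registry names are constructed.
func Source(registry string) string {
	explicit := when("explicit", "private.cloud.example") // user-configured credential
	node := when("node-identity", ".cloud.example")       // ambient cloud credential
	auth, err := Multi(explicit, node)(registry)          // node identity goes last
	if err != nil {
		return "error: " + err.Error()
	}
	return auth.Source
}

func main() {
	for _, r := range []string{"private.cloud.example", "other.cloud.example", "docker.io"} {
		fmt.Println(r, "->", Source(r))
	}
}
```

With the node-identity keychain last, an explicitly configured credential is always preferred, and the ambient node credential is only presented to registries that no earlier keychain answers for.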

kubelet image credential provider docs: https://kubernetes.io/docs/tasks/kubelet-credential-provider/kubelet-credential-provider/

(Edit: actually these docs expect the plugin to be installed on nodes... I'm not sure about the other case)

natalieparellano avatar Mar 16 '21 16:03 natalieparellano

Blocked on https://github.com/kubernetes/kubernetes/issues/86245

natalieparellano avatar Mar 31 '21 21:03 natalieparellano

The linked issue is still open, but we can at least add an amazonKeychain and azureKeychain to our MultiKeychain to help users of those platforms.

natalieparellano avatar May 04 '22 16:05 natalieparellano

Didn't mean to close this

natalieparellano avatar Jul 26 '22 17:07 natalieparellano