kubernetes-monitor
[🙏] Add (document) support for Google Artifact Registry
Describe the user need
Hi Team, as GCR recently got deprecated it might be high time to start officially supporting Google Artifact Registry.
Describe expected behaviour
The following section of the documentation should include a snippet showcasing a sample configuration of the dockercfg.json including credHelpers set for GAR: https://github.com/snyk/kubernetes-monitor/tree/staging/snyk-monitor#installing
Example:
❯ cat dockercfg.json | jq
{
  "credHelpers": {
    "us-central1-docker.pkg.dev": "gcloud",
    "europe-west1-docker.pkg.dev": "gcloud"
  }
}
Of course some unit and/or integration test cases would be welcome as well.
Additional context
We've actually tested this in our environment and the proposed addition works as intended.
NOTE: The underlying GCP Service Account mapped via Workload Identity needs to have a proper IAM binding, i.e. the Artifact Registry Reader role bound to the Registry in scope.
Reference: https://cloud.google.com/artifact-registry/docs/access-control#roles
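A small lint for a dockercfg.json like the one in the issue above, added here as an example; it is not part of the original issue or of snyk/kubernetes-monitor. The function name `lint_dockercfg`, the wording of the findings and the sample input are assumptions made for illustration.

```python
import json
import re

# Artifact Registry Docker hosts have the form LOCATION-docker.pkg.dev.
GAR_HOST = re.compile(r"^[a-z0-9-]+-docker\.pkg\.dev$")
# Legacy Container Registry hosts: gcr.io and regional variants such as eu.gcr.io.
GCR_HOST = re.compile(r"^([a-z0-9-]+\.)?gcr\.io$")


def lint_dockercfg(text):
    """Return (gar_hosts, findings) for the text of a dockercfg.json."""
    cfg = json.loads(text)
    gar_hosts, findings = [], []
    for host, helper in sorted(cfg.get("credHelpers", {}).items()):
        if GAR_HOST.match(host):
            gar_hosts.append(host)
            if helper != "gcloud":
                findings.append(f"{host}: helper {helper!r} differs from the issue's 'gcloud'")
        elif GCR_HOST.match(host):
            findings.append(f"{host}: Container Registry host, not Artifact Registry")
        elif "pkg.dev" in host:
            findings.append(f"{host}: not a bare LOCATION-docker.pkg.dev hostname")
    for host, entry in sorted(cfg.get("auths", {}).items()):
        # A stored 'auth' value is a long-lived secret kept in the file; the
        # credHelpers route in the issue delegates to the gcloud helper instead.
        if (GAR_HOST.match(host) or GCR_HOST.match(host)) and entry.get("auth"):
            findings.append(f"{host}: static credential in 'auths', prefer credHelpers")
    return gar_hosts, findings


# Constructed sample input (not taken from a real cluster).
SAMPLE = json.dumps({
    "credHelpers": {
        "us-central1-docker.pkg.dev": "gcloud",
        "europe-west1-docker.pkg.dev": "gcloud",
        "eu.gcr.io": "gcloud",
        "https://us-docker.pkg.dev": "gcloud",
    },
    "auths": {"asia-east1-docker.pkg.dev": {"auth": "PLACEHOLDER"}},
})

if __name__ == "__main__":
    hosts, problems = lint_dockercfg(SAMPLE)
    print("GAR hosts with a credential helper:", hosts)
    for p in problems:
        print("finding:", p)
```

The configuration quoted in the issue passes with no findings; the constructed sample shows the three cases the lint reports.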
Hi @jdomeracki, thank you very much for raising this issue. I have added this item to our triage backlog and brought it to the team's attention.
Of course, we're more than willing to accept PRs if this is something you might be interested in assisting with, but rest assured we're going to look into this! 😄
Hey @jdomeracki did you need to add any additional steps e.g. add a label or annotation to the ServiceAccount of the snyk-monitor, so that it is provisioned with the correct workload identity?