POC for trying out ksa support as 3rd party idP

GoogleContainerTools · Dec 5, 2023 · c0cc4fd · c0cc4fd
1 parent 5e9c295
commit c0cc4fd
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 10 deletions.
diff --git a/build/all/Dockerfile b/build/all/Dockerfile
@@ -71,7 +71,8 @@ USER nonroot:nonroot
 ENTRYPOINT ["/hydration-controller"]
 
 # OCI-sync image
-FROM gcr.io/distroless/static:latest as oci-sync
+#FROM gcr.io/distroless/static:latest as oci-sync
+FROM google/cloud-sdk:slim as oci-sync
 # Setting HOME ensures that whatever UID this ultimately runs as can write files.
 ENV HOME=/tmp
 WORKDIR /

diff --git a/pkg/api/configsync/register.go b/pkg/api/configsync/register.go
@@ -106,6 +106,9 @@ const (
 	// AuthGCPServiceAccount indicates using a GCP service account to authenticate to
 	// Git or OCI or Helm, when GKE Workload Identity or Fleet Workload Identity is enabled.
 	AuthGCPServiceAccount AuthType = "gcpserviceaccount"
+	// AuthGCPKSA indicates using the kubernetes service account as the third party identity provider
+	// for accessing the artifacts stored in GCP services.
+	AuthGCPKSA AuthType = "gcpksa"
 )
 
 // NamespaceStrategy specifies the strategy used by the reconciler for undeclared

diff --git a/pkg/reconcilermanager/controllers/reconciler_base.go b/pkg/reconcilermanager/controllers/reconciler_base.go
@@ -128,9 +128,9 @@ func (r *reconcilerBase) upsertServiceAccount(
 		// Update annotation when Workload Identity is enabled on a GKE cluster.
 		// In case, Workload Identity is not enabled on a cluster and spec.git.auth: gcpserviceaccount,
 		// the added annotation will be a no-op.
-		if auth == configsync.AuthGCPServiceAccount {
-			core.SetAnnotation(childSA, GCPSAAnnotationKey, email)
-		}
+		// if auth == configsync.AuthGCPServiceAccount {
+		// 	core.SetAnnotation(childSA, GCPSAAnnotationKey, email)
+		// }
 		return nil
 	})
 	if err != nil {

diff --git a/pkg/validate/raw/validate/source_spec_validator.go b/pkg/validate/raw/validate/source_spec_validator.go
@@ -143,12 +143,12 @@ func OciSpec(oci *v1beta1.Oci, rs client.Object) status.Error {
 	switch oci.Auth {
 	case configsync.AuthGCENode, configsync.AuthNone:
 	case configsync.AuthGCPServiceAccount:
-		if oci.GCPServiceAccountEmail == "" {
-			return MissingGCPSAEmail(rs)
-		}
-		if !validGCPServiceAccountEmail(oci.GCPServiceAccountEmail) {
-			return InvalidGCPSAEmail(rs)
-		}
+		// if oci.GCPServiceAccountEmail == "" {
+		// 	return MissingGCPSAEmail(rs)
+		// }
+		// if !validGCPServiceAccountEmail(oci.GCPServiceAccountEmail) {
+		// 	return InvalidGCPSAEmail(rs)
+		// }
 	default:
 		return InvalidOciAuthType(rs)
 	}