-
Notifications
You must be signed in to change notification settings - Fork 106
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow env vars to skip vendor specific keychain #1315
Conversation
1c42b78
to
945fa8e
Compare
Vendor keychains can be slow or fail. This allows platform operators to skip them entirely. Signed-off-by: Jesse Brown <jabrown85@gmail.com>
945fa8e
to
5128c13
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1315 +/- ##
==========================================
- Coverage 64.60% 64.53% -0.06%
==========================================
Files 101 101
Lines 7007 7016 +9
==========================================
+ Hits 4526 4527 +1
- Misses 2069 2077 +8
Partials 412 412
Flags with carried forward coverage won't be shown. Click here to find out more. |
@jabrown85 I think this makes a lot of sense - and, this would allow us to merge #887 with less trepidation that it could break certain environments (I think the original underlying issue there was fixed, and we just forgot about the PR, but still...). |
Signed-off-by: Jesse Brown <jabrown85@gmail.com> Signed-off-by: Jesse Brown <jabrown85@gmail.com>
keychains := []authn.Keychain{envKeychain, authn.DefaultKeychain} | ||
|
||
if vendorKeychainEnabled("amazon") { | ||
keychains = append(keychains, amazonKeychain) | ||
} | ||
if vendorKeychainEnabled("azure") { | ||
keychains = append(keychains, azureKeychain) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Were the calls to NewResolvedKeychain()
omitted deliberately?
Prior to #1315, all keychains passed to NewMultiKeychain were resolved keychains, which prevented the credentials from becoming inaccessible after the lifecycle dropped privileges. Signed-off-by: Natalie Arellano <narellano@vmware.com>
Prior to #1315, all keychains passed to NewMultiKeychain were resolved keychains, which prevented the credentials from becoming inaccessible after the lifecycle dropped privileges. Signed-off-by: Natalie Arellano <narellano@vmware.com>
Summary
Vendor keychains can be slow or fail. This allows platform operators to skip them entirely.
Release notes
Allow platform operators the ability to skip vendor specific keychain implementations by setting
CNB_REGISTRY_AUTH_KEYCHAIN_SKIP_AMAZON
orCNB_REGISTRY_AUTH_KEYCHAIN_SKIP_AZURE
.Related
Resolves #1007 (comment)
Context
The Amazon/ECR one is terribly inefficient. It tries to query the metadata service and eventually fails after a few tries. This is not needed if the platform is providing the credentials via Default/Env. Selectively disabling seemed liked a decent enough idea.