Adding Bicep private registry support using basic auth, Azure workload identity and AWS IRSA #7850
Conversation
Signed-off-by: Vishwanath Hiremath <[email protected]>
Signed-off-by: Vishwanath Hiremath <[email protected]>
Signed-off-by: Vishwanath Hiremath <[email protected]>
Signed-off-by: Vishwanath Hiremath <[email protected]>
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #7850 +/- ##
==========================================
- Coverage 61.18% 60.99% -0.19%
==========================================
Files 523 527 +4
Lines 27683 27844 +161
==========================================
+ Hits 16938 16984 +46
- Misses 9252 9366 +114
- Partials 1493 1494 +1 ☔ View full report in Codecov by Sentry. |
Signed-off-by: Vishwanath Hiremath <[email protected]>
Signed-off-by: Vishwanath Hiremath <[email protected]>
Signed-off-by: Vishwanath Hiremath <[email protected]>
pkg/corerp/datamodel/recipe_types.go
Outdated
| @@ -21,6 +21,9 @@ type RecipeConfigProperties struct { | |||
| // Configuration for Terraform Recipes. Controls how Terraform plans and applies templates as part of Recipe deployment. | |||
| Terraform TerraformConfigProperties `json:"terraform,omitempty"` | |||
|
|
|||
| //Configuration for Bicep Recipes. Controls how Bicep plans and applies templates as part of Recipe deployment. | |||
There was a problem hiding this comment.
| //Configuration for Bicep Recipes. Controls how Bicep plans and applies templates as part of Recipe deployment. | |
| // Configuration for Bicep Recipes. Controls how Bicep plans and applies templates as part of Recipe deployment. |
pkg/corerp/datamodel/recipe_types.go
Outdated
| // RegistrySecretConfig - Registry Secret Configuration used to authenticate to private bicep registries. | ||
| type RegistrySecretConfig struct { | ||
| // The ID of an Applications.Core/SecretStore resource containing credential information used to authenticate private container | ||
| // registry.The keys in the secretstore depends on the type. |
There was a problem hiding this comment.
| // registry.The keys in the secretstore depends on the type. | |
| // registry. The keys in the secretstore depends on the type. |
|
|
||
| func (d *bicepDriver) FindSecretIDs(ctx context.Context, envConfig recipes.Configuration, definition recipes.EnvironmentDefinition) (secretStoreIDResourceKeys map[string][]string, err error) { | ||
| secretStoreIDResourceKeys = make(map[string][]string) | ||
| if envConfig.RecipeConfig.Bicep.Authentication != nil { |
There was a problem hiding this comment.
might want to consider nil-checking this in case Authentication, Bicep, or RecipeConfig are nil
| @@ -403,3 +434,28 @@ func (d *bicepDriver) getGCOutputResources(current []string, previous []string) | |||
|
|
|||
| return diff, nil | |||
| } | |||
|
|
|||
| func (d *bicepDriver) FindSecretIDs(ctx context.Context, envConfig recipes.Configuration, definition recipes.EnvironmentDefinition) (secretStoreIDResourceKeys map[string][]string, err error) { | |||
There was a problem hiding this comment.
does this function get called?
There was a problem hiding this comment.
yes, it is called from recipe Engine, we dont have to make any changes in Engine as we are just implementing a DriverWithSecret interface here , it automatically does the part of calling this function
pkg/rp/util/authClient/awsIRSA.go
Outdated
| } | ||
|
|
||
| func (b *awsIRSA) GetAuthClient(ctx context.Context, templatePath string) (remote.Client, error) { | ||
| // To Do |
There was a problem hiding this comment.
let's put an issue number here to track the work
|
|
||
| func (b *azureWorkloadIdentity) GetAuthClient(ctx context.Context, templatePath string) (remote.Client, error) { | ||
| c := azcontainerregistry.AuthenticationClientOptions{ | ||
| azcore.ClientOptions{ |
There was a problem hiding this comment.
is there a reason we need to change the defaults? what's the max retry default?
There was a problem hiding this comment.
makes sense, keeping the defaults for client options
| return nil, err | ||
| } | ||
|
|
||
| rt, err := ac.ExchangeAADAccessTokenForACRRefreshToken(ctx, "access_token", registryHost, &azcontainerregistry.AuthenticationClientExchangeAADAccessTokenForACRRefreshTokenOptions{ |
There was a problem hiding this comment.
did you reference this from a docs page somewhere? if so, maybe we should link it here so that future work here will take less ramp-up time
There was a problem hiding this comment.
azure container registry team have not released it yet, its part of their main repo. I will add the referent once the next release of azcontainerregistry is out
| tenantID string | ||
| } | ||
|
|
||
| func NewAzureWorkloadIdentity(clientID string, tenantID string) AuthClient { |
There was a problem hiding this comment.
is this difficult to add a functional test for or does it seem feasible?
There was a problem hiding this comment.
yeah it is not straight forward, i am creating a different github issue for that.
Signed-off-by: Vishwanath Hiremath <[email protected]>
Signed-off-by: Vishwanath Hiremath <[email protected]>
Signed-off-by: Vishwanath Hiremath <[email protected]>
Signed-off-by: Vishwanath Hiremath <[email protected]>
vishwahiremat
changed the title
Signed-off-by: Vishwanath Hiremath <[email protected]>
| @@ -238,6 +250,17 @@ func fromRecipeConfigDatamodel(config datamodel.RecipeConfigProperties) *RecipeC | |||
|
|
|||
| recipeConfig.Terraform.Providers = fromRecipeConfigTerraformProvidersDatamodel(config) | |||
| } | |||
| if !reflect.DeepEqual(config.Bicep, datamodel.BicepConfigProperties{}) { | |||
| for k, v := range config.Bicep.Authentication { | ||
| authConfig[k] = datamodel.RegistrySecretConfig{ | ||
| Secret: to.String(v.Secret), | ||
| } | ||
| } | ||
| recipeConfig.Bicep.Authentication = authConfig |
There was a problem hiding this comment.
Is there a reason why we are not doing it this way like you did below?
| for k, v := range config.Bicep.Authentication { | |
| authConfig[k] = datamodel.RegistrySecretConfig{ | |
| Secret: to.String(v.Secret), | |
| } | |
| } | |
| recipeConfig.Bicep.Authentication = authConfig | |
| for k, v := range config.Bicep.Authentication { | |
| recipeConfig.Bicep.Authentication[k] = datamodel.RegistrySecretConfig{ | |
| Secret: to.String(v.Secret), | |
| } | |
| } |
There was a problem hiding this comment.
because recipeConfig.Bicep.Authentication value would be nil and it will throw nil pointer.
There was a problem hiding this comment.
We can do recipeConfig.Bicep.Authentication := map[string]datamodel.RegistrySecretConfig{} before the loop.
There was a problem hiding this comment.
We can do that, but we will be using the recipeConfig.Bicep.Authentication multiple times , i thought its better to use authConfig variable.
There was a problem hiding this comment.
folder and file names shouldn't have capital letters
Signed-off-by: Vishwanath Hiremath <[email protected]>
Signed-off-by: Vishwanath Hiremath <[email protected]>
Signed-off-by: Vishwanath Hiremath <[email protected]>
| for k, v := range config.Bicep.Authentication { | ||
| authConfig[k] = datamodel.RegistrySecretConfig{ | ||
| Secret: to.String(v.Secret), | ||
| } | ||
| } | ||
| recipeConfig.Bicep.Authentication = authConfig |
There was a problem hiding this comment.
We can do recipeConfig.Bicep.Authentication := map[string]datamodel.RegistrySecretConfig{} before the loop.
pkg/corerp/datamodel/recipe_types.go
Outdated
| @@ -21,6 +21,9 @@ type RecipeConfigProperties struct { | |||
| // Configuration for Terraform Recipes. Controls how Terraform plans and applies templates as part of Recipe deployment. | |||
| Terraform TerraformConfigProperties `json:"terraform,omitempty"` | |||
|
|
|||
| // BicepConfigProperties represent configuration for Bicep Recipes. Controls how Bicep plans and applies templates as part of Recipe deployment. | |||
There was a problem hiding this comment.
| // BicepConfigProperties represent configuration for Bicep Recipes. Controls how Bicep plans and applies templates as part of Recipe deployment. | |
| // BicepConfigProperties represents configuration for Bicep Recipes. Controls how Bicep plans and applies templates as part of Recipe deployment. |
Signed-off-by: Vishwanath Hiremath <[email protected]>
Signed-off-by: Vishwanath Hiremath <[email protected]>
vishwahiremat
temporarily deployed
to
functional-tests
GitHub Actions
Inactive
Radius functional test overview
Click here to see the list of tools in the current test run
Test Status⌛ Building Radius and pushing container images for functional tests... |
| return &awsIRSA{roleARN: roleARN} | ||
| } | ||
|
|
||
| func (b *awsIRSA) GetAuthClient(ctx context.Context, templatePath string) (remote.Client, error) { |
There was a problem hiding this comment.
Pls add comment for IRSA implementation. it was added for Azure WI, BasicAuth
| exp: recipes.SecretData{}, | ||
| }, | ||
| } | ||
| for _, tc := range testset { |
There was a problem hiding this comment.
We need to add test verify returning error when say templatePath passed is not a valid path
| @@ -133,3 +135,12 @@ func parsePath(path string) (repository string, tag string, err error) { | |||
| tag = reference.Tag() | |||
| return | |||
| } | |||
|
|
|||
| func GetRegistrySecrets(definition recipes.Configuration, templatePath string, secrets map[string]recipes.SecretData) (recipes.SecretData, error) { | |||
There was a problem hiding this comment.
Pls add comment for public function
| @@ -72,10 +72,10 @@ enum SecretStoreDataType { | |||
| @doc("basicAuthentication type is used to represent username and password based authentication and the secretstore resource is expected to have the keys 'username' and 'password'.") | |||
| basicAuthentication, | |||
|
|
|||
| @doc("azureWorkloadIdentity type is used to represent registry authentication using azure federated identity and the secretstore resource is expected to have the keys 'clientId' and 'tenantId'.") | |||
| @doc("azureWorkloadIdentity type is used to represent authentication using azure federated identity and the secretstore resource is expected to have the keys 'clientId' and 'tenantId'.") | |||
Signed-off-by: Vishwanath Hiremath <[email protected]>
vishwahiremat
temporarily deployed
to
functional-tests
GitHub Actions
Inactive
Radius functional test overview
Click here to see the list of tools in the current test run
Test Status⌛ Building Radius and pushing container images for functional tests... |
Description
Type of change
#6917