Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add experimental GDCH support #1022

Merged
merged 5 commits into from
May 10, 2022
Merged

feat: add experimental GDCH support #1022

merged 5 commits into from
May 10, 2022

Conversation

arithmetic1728
Copy link
Contributor

@arithmetic1728 arithmetic1728 commented Apr 14, 2022

internal doc: go/gdch-python-auth-lib

experimental support for GDCH (Google Distributed Cloud Hosted) credentials.

Besides the constructor, a GDCH credential can be created via application default credentials.

To do so, user first creates a JSON file of the following format::

    {
        "type":"gdch_service_account",
        "format_version":"v1",
        "k8s_ca_cert_path":"<k8s ca cert pem file path>",
        "k8s_cert_path":"<k8s cert pem file path>",
        "k8s_key_path":"<k8s key pem file path>",
        "k8s_token_endpoint":"<k8s token endpoint>",
        "ais_ca_cert_path":"<AIS ca cert pem file path>",
        "ais_token_endpoint":"<AIS token endpoint>"
    }

Here "k8s_*" files are used to request a k8s token from k8s token endpoint using mutual TLS connection. The k8s token is then sent to AIS token endpoint to exchange for an AIS token. The AIS token will be used to talk to Google API services.

"k8s_ca_cert_path" field is not needed if the k8s server uses well known CA. "ais_ca_cert_path" field is not needed if the AIS server uses well known CA. These two fields can be used for testing environments.

The "format_version" field stands for the format of the JSON file. For now it is always "v1".

After the JSON file is created, set GOOGLE_APPLICATION_CREDENTIALS environment variable to the JSON file path, then use the following code to create the credential::

    import google.auth

    credential, _ = google.auth.default()
    credential = credential.with_audience("<the audience>")

The audience denotes the scope the AIS token is requested, for example, it could be either a k8s cluster or API service.

google/auth/_default.py Show resolved Hide resolved
google/auth/_default.py Show resolved Hide resolved
google/oauth2/_client.py Outdated Show resolved Hide resolved
google/oauth2/gdch_credentials.py Outdated Show resolved Hide resolved
google/oauth2/gdch_credentials.py Outdated Show resolved Hide resolved
google/oauth2/gdch_credentials.py Show resolved Hide resolved
tests/oauth2/test__client.py Show resolved Hide resolved
tests/oauth2/test_gdch_credentials.py Outdated Show resolved Hide resolved
tests/oauth2/test_gdch_credentials.py Outdated Show resolved Hide resolved
tests/test__default.py Outdated Show resolved Hide resolved
@arithmetic1728 arithmetic1728 merged commit 5367aac into main May 10, 2022
@arithmetic1728 arithmetic1728 deleted the gdch_review branch May 10, 2022 20:10
arithmetic1728 added a commit that referenced this pull request May 13, 2022
arithmetic1728 added a commit that referenced this pull request May 13, 2022
gcf-merge-on-green bot pushed a commit that referenced this pull request Jun 7, 2022
🤖 I have created a release *beep* *boop*
---


## [2.7.0](v2.6.6...v2.7.0) (2022-06-07)


### Features

* add experimental enterprise cert support ([#1052](#1052)) ([dda7dda](dda7dda))
* add experimental GDCH support ([#1022](#1022)) ([5367aac](5367aac))
* Pluggable auth support ([#995](#995)) ([62daa73](62daa73))


### Bug Fixes

* validate urls for external accounts ([#1031](#1031)) ([61b1f15](61b1f15))


### Reverts

* pluggable auth support [#995](#995) ([#1039](#1039)) ([513d999](513d999))
* revert experimental GDCH support ([#1022](#1022)) ([#1042](#1042)) ([c720995](c720995))


### Documentation

* fix changelog header to consistent size ([#1046](#1046)) ([e64d084](e64d084))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants