OCI: OKE Workload Identity support #64
Conversation
LGTM 👍
It needs a rebase though
```go
	if err := config.validateConfig(); err != nil {
		return nil, errors.Wrapf(err, "invalid oci configurations")
	}
	configurationProvider = common.NewRawConfigurationProvider(config.Tenancy, config.User, config.Region,
		config.Fingerprint, config.PrivateKey, &config.Passphrase)
case okeWorkloadIdentityConfigProvider:
	if err := os.Setenv(auth.ResourcePrincipalVersionEnvVar, auth.ResourcePrincipalVersion2_2); err != nil {
```
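Review bot: the `os.Setenv(auth.ResourcePrincipalVersionEnvVar, auth.ResourcePrincipalVersion2_2)` call in the `okeWorkloadIdentityConfigProvider` case mutates process-wide state rather than configuring only this provider instance, so it also applies to any other OCI SDK client created later in the same process and is not safe against concurrent goroutines reading the environment; since the SDK offers no other way to select resource principal version 2.2, a short comment at the call site saying so, plus a mention in the provider documentation, would keep the side effect from surprising other users of the package.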
Even though it makes me feel weird to set environment variables to configure the configuration provider, as far as I can understand from glancing at the SDK code, this is the only way :/
Agreed
@kakkoyun I have rebased. Thanks for the review.
Signed-off-by: Fred Tibbitts <fred.tibbitts@oracle.com>
@kakkoyun any chance you could merge this please? Thanks in advance.
Changes
This PR adds OKE Workload Identity support to the Oracle OCI provider. OKE Workload Identities allow finer-grained access to Oracle OCI resources from OKE workloads. For example, access to object storage buckets can be granted to specific Kubernetes service accounts.
For more information on OKE Workload Identities, see https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contenggrantingworkloadaccesstoresources.htm.
Verification
I tested this on an OKE 1.25 cluster, using the following provider configuration:
Store Gateway logs: