A Zuul authorization helper for Google Cloud
Latest commit: bce6c41bbf "Publish container images to quay.io" by James E. Blair, 2023-04-21 10:13:36 -07:00
Change-Id: If15a747a05a3ae6f1b5864e333aa63a42f000c65

Files:
  .gitreview     Added .gitreview                       2020-02-10 22:48:51 +00:00
  .zuul.yaml     Publish container images to quay.io    2023-04-21 10:13:36 -07:00
  authdaemon.py  Initial commit                         2020-02-12 09:41:07 -08:00
  Dockerfile     Initial commit                         2020-02-12 09:41:07 -08:00
  LICENSE        Initial commit                         2020-02-12 09:41:07 -08:00
  README         Initial commit                         2020-02-12 09:41:07 -08:00

An authorization daemon for Google Cloud.

This repo builds a container image which runs a special-purpose
authorization daemon.  It is intended to be run in Google Cloud
(particularly in Google Kubernetes Engine).  The daemon periodically
fetches a bearer token from the Google Cloud metadata service and
writes it to a location on disk.

Running Zuul in GKE with access to service account credentials can be
complicated because the executor does not limit access to the URLs
from which they are fetched.  This means that, without a solution such
as this, even untrusted jobs may be able to access these credentials.

However, with this daemon, Zuul may be configured to run in GKE with
Workload Identity enabled so that the executor itself has no access to
service account credentials.  The daemon is the only component run with
access to them; it fetches the token and writes it to a shared volume,
which the executor can then expose to trusted (but not untrusted) jobs.
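The fetch-and-write loop described above, as an added illustration rather than the repository's own authdaemon.py: the metadata endpoint and the required Metadata-Flavor header are the real GCE metadata API, while the output path, the refresh fraction and the dry_run helper are assumptions made for this example. The points a practitioner would check are that the token file is created with mode 0600 and replaced atomically (a reader on the shared volume never sees a partial file), and that refresh happens well before expiry.

```python
"""Token-refresh loop sketch (added example, not the project's authdaemon.py)."""
import json
import os
import stat
import tempfile
import time
import urllib.request

# Real GCE metadata endpoint for the default service account's access token.
METADATA_TOKEN_URL = (
    "http://metadata.google.internal/computeMetadata/v1/"
    "instance/service-accounts/default/token"
)


def fetch_token_from_metadata(url=METADATA_TOKEN_URL, timeout=5):
    """Fetch the token JSON from the metadata server.

    The Metadata-Flavor header is mandatory: the server refuses requests
    without it, so a plain redirect from a browser cannot read the token.
    """
    req = urllib.request.Request(url, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def parse_token_response(body):
    """Validate the metadata JSON and return (access_token, expires_in)."""
    if body.get("token_type", "Bearer").lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % body.get("token_type"))
    token = body["access_token"]
    expires_in = int(body["expires_in"])
    if not token or expires_in <= 0:
        raise ValueError("metadata server returned an empty or expired token")
    return token, expires_in


def write_token_atomically(token, path):
    """Write `token` to `path` via a 0600 temp file and an atomic rename.

    mkstemp already creates the file with mode 0600; the fchmod makes that
    explicit.  os.replace is atomic on POSIX, so a reader on the shared
    volume sees either the old complete file or the new complete file.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".token-", dir=directory)
    try:
        with os.fdopen(fd, "w") as f:
            os.fchmod(fd, 0o600)
            f.write(token)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return path


def refresh_interval(expires_in, fraction=0.5, minimum=30):
    """Sleep for a fraction of the lifetime so the file never holds a stale token."""
    return max(minimum, int(expires_in * fraction))


def refresh_once(path, fetch=fetch_token_from_metadata):
    """One daemon iteration: fetch, validate, write; return seconds to sleep."""
    token, expires_in = parse_token_response(fetch())
    write_token_atomically(token, path)
    return refresh_interval(expires_in)


def dry_run(fetch):
    """Run one iteration into a fresh temp dir; return (delay, contents, mode)."""
    directory = tempfile.mkdtemp(prefix="authdaemon-example-")
    path = os.path.join(directory, "token")
    delay = refresh_once(path, fetch)
    with open(path) as f:
        contents = f.read()
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return delay, contents, mode


def run(path, fetch=fetch_token_from_metadata):
    """Loop forever, as the container's daemon would."""
    while True:
        try:
            delay = refresh_once(path, fetch)
        except Exception as exc:  # metadata hiccup: keep the old file, retry soon
            print("token refresh failed: %s" % exc)
            delay = 30
        time.sleep(delay)


if __name__ == "__main__":
    # Assumed mount point of the shared volume; the real path is deployment-specific.
    run(os.environ.get("TOKEN_PATH", "/var/run/zuul-gcloud/token"))
```

Note that this covers only the daemon side of the design: the file's usefulness as a boundary still depends on the executor exposing the volume to trusted jobs only, as the README describes.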