-
Notifications
You must be signed in to change notification settings - Fork 218
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow OCI credentials expiration/refresh #2938
Comments
Hey @thepabloaguilar. Could you please tell us more about your AWS configuration. ECS, EKS, EC2, Fargate? Ideally this should be done by attaching role with permissions to pull from ECR on AWS. |
Sure @erka, that's true! When you attach a role to a Container/POD we have the permissions but the permissions is not granted automatically when not using the AWS CLI o SDK like this case because Flipt uses "oras" which is not related to AWS stuffs so it doesn't auto resolve the credentials! Essentially I'm using IRSA with EKS which exposes the environment variables inside the container: "AWS_ROLE_ARN" and "AWS_WEB_IDENTITY_TOKEN_FILE"! When executing any AWS CLI command like And that's the problem, as Flipt uses Oras for that the auth is not resolved by it (which is the expected behavior) so we're going need to update the password environment variable every 12 hours |
Thanks for the explanation @thepabloaguilar ! If we do add an expiration, the Flipt container will still not be able to resolve a new auth correct? How do you invision that working? |
Hey @markphelps, that's my point, when the expiration is reached we reload the configuration! And what I thought was to keep the current behavior, like, in this case I'm having when the token expire what will be the Flipt behavior? I guess it'll break But this expiration is just an idea, another will be letting the user set an auth_file: storage:
type: "oci"
oci:
authentication:
file: "/example/file" The behavior will be: Flipt starts and check if file exists and if the credentials are working, every time later Flipt will read the file again and again. And the file could be something like this two lines:
WDYT? |
Or we can even combine both together: storage:
type: "oci"
oci:
authentication:
file: "/example/file"
file_refresh_rate: "1h" |
If y'all think/understand it's not a great addition to Flipt I completely understand and I'll try to maybe switch from OCI to S3 because it'll use the AWS SDK which auto resolve the credentials stuff! But AFAIK the other cloud provider also put some expiration time in the tokens |
All of those options are possible but I think the native support will be much better. There could be an auth function like awsCredentialFunc = func(ctx context.Context, hostport string) (auth.Credential, error) {
var client *ecr.Client
response, err := client.GetAuthorizationToken(ctx, &ecr.GetAuthorizationTokenInput{})
if err != nil {
return auth.EmptyCredential, err
}
token := response.AuthorizationData[0].AuthorizationToken
output, err := base64.StdEncoding.DecodeString(*token)
if err != nil {
return auth.EmptyCredential, err
}
split := strings.SplitN(string(output), ":", 2)
if len(split) != 2 {
return auth.EmptyCredential, err
}
return auth.Credential{
Username: split[0],
Password: split[1],
}, nil
} and Configuration could have extra wdyt? |
Great improvement suggestions. I think what @erka suggests here is a good shout and ultimately more portable, without extra steps in your environment. i.e. add a |
Thanks @GeorgeMac and @erka! I think what you both suggested is a good option But @erka I just like to suggest one change in your approach, the So to avoid everytime calling an external service (ECR) to get de credentials will be good Btw, I can implement it! |
@thepabloaguilar From code |
@erka that's true if we're setting the Putting the cache in there should be enough!
I can test it locally to see what the behavior will be |
@thepabloaguilar Yep, we could adjust it like here |
Hey guys, just a heads up! It worked like a charm, thanks a lot @erka! |
Problem
Now we can provide the credentials using even the configuration file or from environments variables but this become a problem when dealing with a more dynamic environment!
Example: You're using some cloud provider (AWS, GCP, Azure) to store the OCI Artifacts but don't want to hard code a forever password or even you don't have access to this kind of password like what happens when using the AWS CLI command aws ecr get-login-password which generates only a 12h valid token
Ideal Solution
Allow setting an expiration time for the authentication:
Every hour or every usage after 1h from the last sync should parse/get the credentials again!
Search
Additional Context
No response
The text was updated successfully, but these errors were encountered: