A Zuul authorization helper for Google Cloud
a5d075df27
This should have minimal impact on this repo, but will allow OpenDev to eventually drop image builds for Bullseye. Change-Id: I65582dc7607a9c64579000a23a54707ff78b6292 |
||
---|---|---|
.gitreview | ||
.zuul.yaml | ||
authdaemon.py | ||
Dockerfile | ||
LICENSE | ||
README |
An authorization daemon for Google Cloud. This repo builds a container image which runs a special-purpose authorization daemon. It is intended to be run in Google Cloud (particularly in Google Kubernetes Engine). The daemon periodically fetches a bearer token from the Google Cloud metadata service and writes it to a location on disk. Running Zuul in GKE with access to service account credentials can be complicated because the executor does not limit access to the URLs from which they are fetched. This means that, without a solution such as this, even untrusted jobs may be able to access these credentials. However, with this daemon, Zuul may be configured to run in GKE with Workload Identity enabled so that the executor does not have access to service account credentials. This daemon may be run with access to credentials and will fetch them write them to a shared volume that may then be exposed by the executor to trusted (but not untrusted) jobs.