A Zuul authorization helper for Google Cloud
Go to file
Clark Boylan a5d075df27 Convert container image to Bookworm
This should have minimal impact on this repo, but will allow OpenDev to
eventually drop image builds for Bullseye.

Change-Id: I65582dc7607a9c64579000a23a54707ff78b6292
2023-09-21 08:43:55 -07:00
.gitreview Added .gitreview 2020-02-10 22:48:51 +00:00
.zuul.yaml Publish container images to quay.io 2023-04-21 10:13:36 -07:00
Dockerfile Convert container image to Bookworm 2023-09-21 08:43:55 -07:00
LICENSE Initial commit 2020-02-12 09:41:07 -08:00
README Initial commit 2020-02-12 09:41:07 -08:00
authdaemon.py Initial commit 2020-02-12 09:41:07 -08:00

README

An authorization daemon for Google Cloud.

This repo builds a container image which runs a special-purpose
authorization daemon.  It is intended to be run in Google Cloud
(particularly in Google Kubernetes Engine).  The daemon periodically
fetches a bearer token from the Google Cloud metadata service and
writes it to a location on disk.

Running Zuul in GKE with access to service account credentials can be
complicated because the executor does not limit access to the URLs
from which they are fetched.  This means that, without a solution such
as this, even untrusted jobs may be able to access these credentials.

However, with this daemon, Zuul may be configured to run in GKE with
Workload Identity enabled so that the executor does not have access to
service account credentials.  This daemon may be run with access to
credentials and will fetch them write them to a shared volume that may
then be exposed by the executor to trusted (but not untrusted) jobs.