Closed tiffanny29631 closed 4 weeks ago
My browser crashed a few times after trying to leave inline comments.
One comment about the `getGoogleAccessToken` function in `test/docker/presync-webhook-server/oci-signature-verification-server.go`: it uses the go IAM credentials API library, which is specifically for impersonating service accounts. That requires explicitly specifying the service account you want to impersonate, `e2e-test-ar-reader@peip-monitor.iam.gserviceaccount.com`, and using its credentials to generate an access token. This is not flexible enough, especially with the support of BYOID in OCI, which doesn't need to impersonate a GSA.
A more common and recommended approach is to use `google.FindDefaultCredentials`, which implements Google's Application Default Credentials (ADC) strategy. It automatically searches for credentials in a predefined order:
This makes the code more portable and allows it to run in different environments.
```go
// Body of go-containerregistry's google.NewEnvAuthenticator: resolve ADC from
// the environment, fetch one token, and wrap the source so it is refreshed
// only when the cached token expires.
ts, err := googauth.DefaultTokenSource(context.Background(), cloudPlatformScope)
if err != nil {
	return nil, err
}
token, err := ts.Token()
if err != nil {
	return nil, err
}
return &tokenSourceAuth{oauth2.ReuseTokenSource(token, ts)}, nil
```
The `go-containerregistry` library wraps it with a `NewEnvAuthenticator` function. You can use it in your webhook implementation by replacing `remote.WithAuthFromKeychain(keychain)` with `remote.WithAuthFromKeychain(google.NewEnvAuthenticator())`.
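Added example, not code from this PR, from go-containerregistry or from the reviewer: a stdlib-only sketch of the two things the ADC path gives the webhook that the hard-wired impersonation call does not, namely a credential lookup that never names a service account, and a token source that is reused until it expires (what `oauth2.ReuseTokenSource(token, ts)` does above). It goes slightly beyond the comment by spelling out the ADC lookup order the reviewer refers to (`GOOGLE_APPLICATION_CREDENTIALS`, then gcloud's well-known file, then the metadata server). The `Token`, `TokenSource`, `ADCEnv` and `ReuseTokenSource` names are assumptions standing in for the real `oauth2` and `authn` types; file paths, token strings and the clock are constructed so it runs offline.

```go
// Added illustration (not from the PR or go-containerregistry): stdlib-only
// stand-ins for oauth2.TokenSource and ADC resolution. Paths and tokens are
// constructed; the lookup order follows Google's documented ADC order.
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Token is the minimal shape of an OAuth2 access token.
type Token struct {
	AccessToken string
	Expiry      time.Time
}

// Valid reports whether t is usable at now, with a margin so a request never
// leaves with a token that expires in flight.
func (t *Token) Valid(now time.Time) bool {
	return t != nil && t.AccessToken != "" && now.Add(10*time.Second).Before(t.Expiry)
}

// TokenSource mirrors oauth2.TokenSource.
type TokenSource interface {
	Token() (*Token, error)
}

// ADCEnv is what an ADC lookup inspects; probes are injected so it runs offline.
type ADCEnv struct {
	CredentialsFile   string // GOOGLE_APPLICATION_CREDENTIALS
	WellKnownFile     string // gcloud's application_default_credentials.json
	FileExists        func(string) bool
	MetadataReachable func() bool // GCE/GKE metadata server probe
}

// ResolveADC picks the credential source in ADC order and labels the choice.
// No service-account email appears anywhere: whatever identity the environment
// supplies (key file, gcloud user, attached SA, or a BYOID / workload identity
// federation config file) is used as-is.
func ResolveADC(env ADCEnv, fromFile func(string) TokenSource, fromMetadata func() TokenSource) (string, TokenSource, error) {
	exists := func(p string) bool { return p != "" && env.FileExists != nil && env.FileExists(p) }
	switch {
	case exists(env.CredentialsFile):
		return "GOOGLE_APPLICATION_CREDENTIALS", fromFile(env.CredentialsFile), nil
	case exists(env.WellKnownFile):
		return "gcloud-well-known-file", fromFile(env.WellKnownFile), nil
	case env.MetadataReachable != nil && env.MetadataReachable():
		return "metadata-server", fromMetadata(), nil
	}
	return "", nil, errors.New("could not find default credentials")
}

// ReuseTokenSource caches a token and asks src for a new one only once the
// cached token is no longer valid, as oauth2.ReuseTokenSource does.
type ReuseTokenSource struct {
	mu  sync.Mutex
	t   *Token
	src TokenSource
	now func() time.Time
}

func (r *ReuseTokenSource) Token() (*Token, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if r.t.Valid(r.now()) {
		return r.t, nil
	}
	t, err := r.src.Token()
	if err != nil {
		return nil, err
	}
	r.t = t
	return t, nil
}

// AuthorizationHeader is what an authn.Authenticator-style wrapper puts on the
// registry request.
func AuthorizationHeader(ts TokenSource) (string, error) {
	t, err := ts.Token()
	if err != nil {
		return "", err
	}
	return "Bearer " + t.AccessToken, nil
}

// countingSource mints a fresh constructed token per call and counts calls, so
// the caching of ReuseTokenSource is observable.
type countingSource struct {
	calls int
	now   func() time.Time
	ttl   time.Duration
}

func (c *countingSource) Token() (*Token, error) {
	c.calls++
	return &Token{AccessToken: fmt.Sprintf("tok-%d", c.calls), Expiry: c.now().Add(c.ttl)}, nil
}

func main() {
	clock := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	now := func() time.Time { return clock }
	src := &countingSource{now: now, ttl: time.Hour}
	// Constructed environment: no credential files, but a reachable metadata server.
	env := ADCEnv{FileExists: func(string) bool { return false }, MetadataReachable: func() bool { return true }}
	label, ts, err := ResolveADC(env, func(string) TokenSource { return src }, func() TokenSource { return src })
	if err != nil {
		panic(err)
	}
	first, _ := ts.Token()
	hdr, _ := AuthorizationHeader(&ReuseTokenSource{t: first, src: src, now: now})
	fmt.Println(label, hdr, src.calls) // metadata-server Bearer tok-1 1
}
```

The point to take from it: the caller only ever states which scope it needs, never which identity it runs as, so the same binary works with a key file in CI, a developer's gcloud login, an attached service account on GKE, or a workload identity federation config, and the impersonation target stops being a hard-coded constant in the test server.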
re @nan-yu: Google authentication is simplified with one of the recent commits.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: nan-yu
Skipping CI for Draft Pull Request. If you want CI signal for your change, please convert it to an actual PR. You can still manually trigger a test run with `/test all`.