GoogleContainerTools / skaffold

Easy and Repeatable Kubernetes Development
https://skaffold.dev/
Apache License 2.0

CloudRun Triggers Configuration #8107

Open thekoma opened 1 year ago

thekoma commented 1 year ago

Expected behavior

Should be possible to specify the service policy and define at least the Authentication methods (id Required or Anonymous)

Actual behavior

The service is created as default with no configuration (AKA auth on)

aaron-prindle commented 1 year ago

@bskaplan @qwerjkl112

bskaplan commented 1 year ago

Service authorization is controlled by IAM which isn't part of the k8s-like Service API. The best option is probably copying Config Connector's format for IAM policies, which we'll have to look into the feasibility of replicating inside Skaffold.

thekoma commented 1 year ago

Wouldn't an option in the deploy section suffice? Like

deploy:
  cloudrun:
    projectid: my-gcp-project
    region: us-central1
    policy:
      - anonymous

Or

policy:
  - group:authenticated.group@domain.contoso
  - user:user01@domain.contoso

It needs to be defined in the skaffold.yaml, not in the Knative manifest, imho.

gsquared94 commented 1 year ago

@bskaplan did you have any answer for @thekoma's follow up question?

bskaplan commented 1 year ago

It's possible to do, I'm just not sure if it's something we want in the Skaffold config. We support multiple Cloud Run Services in a single Skaffold deploy, so we'd want to be able to specify the service name in the policy. That means it would end up looking more like this:

deploy:
  cloudrun:
    projectid: my-gcp-project
    region: us-central1
    policy:
      - serviceName: my-service
        members:
        - allUsers
      - serviceName: my-internal-service
        members:
        - serviceAccount:my-service-identity@my-gcp-project.iam.gserviceaccount.com

I'll defer to the core team about whether this is something appropriate for the Skaffold config or not.
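
A check for the policy block sketched in the comment above, as an added example that is not part of the thread or of Skaffold: it maps each entry to a Cloud Run `roles/run.invoker` binding and reports entries that would make a service publicly invocable. The `policy` schema is the thread's proposal, `lint_policy`, `allow_public` and the sample data are hypothetical names constructed here, and the accepted member prefixes are a subset of IAM's member forms.

```python
# Added example: lint the policy block proposed in this thread.
# The "policy" schema is the thread's proposal, not a Skaffold feature.
INVOKER_ROLE = "roles/run.invoker"  # IAM role that permits invoking a Cloud Run service
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Assumption: only these member forms are accepted by this check.
MEMBER_PREFIXES = ("user:", "group:", "serviceAccount:", "domain:")

# Constructed sample, mirroring the YAML in the comment above.
SAMPLE_DEPLOY = {
    "cloudrun": {
        "projectid": "my-gcp-project",
        "region": "us-central1",
        "policy": [
            {"serviceName": "my-service", "members": ["allUsers"]},
            {"serviceName": "my-internal-service", "members": [
                "serviceAccount:my-service-identity@my-gcp-project.iam.gserviceaccount.com"]},
        ],
    }
}


def lint_policy(deploy, allow_public=()):
    """Return (bindings, findings) for the proposed policy block.

    bindings maps service name -> IAM binding for the invoker role.
    findings lists malformed entries and public exposure of any
    service not explicitly named in allow_public.
    """
    bindings, findings = {}, []
    for entry in deploy.get("cloudrun", {}).get("policy", []):
        name = entry.get("serviceName")
        if not name:
            findings.append("entry without serviceName")
            continue
        if name in bindings:
            findings.append(f"{name}: duplicate policy entry")
            continue
        members = []
        for m in entry.get("members", []):
            if m in PUBLIC_MEMBERS:
                if name not in allow_public:
                    findings.append(f"{name}: {m} makes the service publicly invocable")
            elif not (m.startswith(MEMBER_PREFIXES) and m.split(":", 1)[1]):
                # e.g. "anonymous" from the first proposal is not an IAM member string
                findings.append(f"{name}: {m!r} is not an accepted IAM member")
                continue
            members.append(m)
        bindings[name] = {"role": INVOKER_ROLE, "members": sorted(members)}
    return bindings, findings
```

Run against the sample, the check reports `my-service` unless it is listed in `allow_public`, which makes public exposure an explicit decision in review.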

thekoma commented 1 year ago

Imho makes a lot of sense.

Andrea Cervesato


On Mon, Apr 3, 2023, 19:28 Benjamin Kaplan @.***> wrote:

It's possible to do, I'm just not sure if it's something we want in the Skaffold config. We support multiple Cloud Run Services in a single Skaffold deploy, so we'd want to be able to specify the service name in the policy. That means it would end up looking more like this:

deploy:
  cloudrun:
    projectid: my-gcp-project
    region: us-central1
    policy:
      - serviceName: my-service
        members:
        - allUsers
      - serviceName: my-internal-service
        members:
        - @.***

I'll defer to the core team about whether this is something appropriate for the Skaffold config or not.
