concourse / registry-image-resource

a resource for images in a Docker registry
Apache License 2.0

Enable GCP Authentication #289

Open reedk-au opened 3 years ago

reedk-au commented 3 years ago

Fixes #280

Add a flag to source that will look for and use GCP application default credentials instead of using AWS credentials.

reedk-au commented 3 years ago

Implementing the same on in and out, moved into draft status until completed. Comments and recommendations welcome in the meantime.

chenbh commented 3 years ago

Hey, sorry for the late response.

I don't think this PR can be accepted in the current form; the reasoning is the same as the one in https://github.com/concourse/concourse/issues/3023 and Aidan's comment in https://github.com/concourse/registry-image-resource/pull/287#issuecomment-876483708.

The tl;dr is that Concourse differentiates resources based on their source, and automagic metadata servers break this assumption. With this PR, if I have 2 worker nodes with different credentials, it is now possible for a check step to return different versions depending on which worker it was run on (if each VM's creds can see different GCR repos).

As an alternative, I would be open to something like the current AWS flow, where the authenticated session is constructed from credentials passed in from the source: https://github.com/concourse/registry-image-resource/blob/4372334d66d137cf536ef5c1ce2cd6944b0c5506/types.go#L288-L291

Maybe you can do something similar by using google.CredentialsFromJSON and taking the TokenSource from there?
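
The following is an added example, not code from this PR or from registry-image-resource, of the source-only flow suggested in the comment above: the GCP key is read from source alone, checked, and returned ready for google.CredentialsFromJSON, and a missing key is an error rather than a fallback to whatever credentials the worker has. The gcp_service_account_key field name and the sample values are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Source: gcp_service_account_key is a hypothetical field name, not the resource's schema.
type Source struct {
	GCPKey string `json:"gcp_service_account_key"`
}

var ErrNoSourceCredentials = errors.New("no GCP key in source; not falling back to worker credentials")

// Constructed sample source; the private key is a placeholder.
const sampleSource = `{"repository":"gcr.io/example/app","gcp_service_account_key":"{\"type\":\"service_account\",\"client_email\":\"ci@example.iam.gserviceaccount.com\",\"private_key\":\"PLACEHOLDER\"}"}`

// GCPKeyFromSource returns the key JSON to hand to google.CredentialsFromJSON
// and the identity it belongs to. It reads nothing but rawSource: no
// environment variables, no well-known files, no metadata server.
func GCPKeyFromSource(rawSource []byte) ([]byte, string, error) {
	var src Source
	if err := json.Unmarshal(rawSource, &src); err != nil {
		return nil, "", fmt.Errorf("parse source: %w", err)
	}
	if src.GCPKey == "" {
		return nil, "", ErrNoSourceCredentials
	}
	var key struct {
		Type        string `json:"type"`
		ClientEmail string `json:"client_email"`
		PrivateKey  string `json:"private_key"`
	}
	if json.Unmarshal([]byte(src.GCPKey), &key) != nil {
		return nil, "", errors.New("gcp_service_account_key is not valid JSON")
	}
	// Accept only plain service-account keys; refuse every other credential type.
	if key.Type != "service_account" {
		return nil, "", fmt.Errorf("unsupported credential type %q", key.Type)
	}
	if key.ClientEmail == "" || key.PrivateKey == "" {
		return nil, "", errors.New("key is missing client_email or private_key")
	}
	return []byte(src.GCPKey), key.ClientEmail, nil
}

func main() {
	_, id, err := GCPKeyFromSource([]byte(sampleSource))
	fmt.Println(id, err)
}
```

Because the function's output depends only on source, two workers running check with the same source authenticate as the same identity.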

reedk-au commented 3 years ago

No worries, thanks for the review @chenbh and this makes sense. Will see if we can get this to work and move this PR to a draft in the meantime.

michaelpporter commented 4 weeks ago

What is needed to get this active again?