ROX-20100: Add machine to machine auth api#8145
Conversation
Skipping CI for Draft Pull Request.
Images are ready for the commit at b1b0bf2. To use with deploy scripts, first
msugakov
left a comment
Overall looks very good.
I made the first pass, will re-review after you check my comments from this round.
/retest
/retest
/retest
FYI: force-pushing breaks the ability to see only what's changed since my last review. I understand that you have a workflow with Graphite that's convenient for you, but it's not convenient to review, especially for bigger PRs.
md2119
left a comment
Do not import storage protos into the api proto.
There is no predecessor, this is a tech preview feature intended for 4.3.
md2119
left a comment
Unblocking on author's request.
@dhaus67: The following tests failed, say

Description
This is the first PR in a series of PRs for ROX-20100.
The goal of ROX-20100 is to provide users with the ability to exchange their identity tokens from third-party OIDC providers for a Central access token, without requiring them to create an API token integration.
The most prevalent use-case we currently have in mind is for things like Continuous integration environments (e.g. GitHub actions). For more details on the overall feature, its envisioned use-cases and scope, see the ticket.
The first PR in the series establishes the proto API spec, as well as the service, datastore, and store layer. The name of the API is now /v1/auth/m2m, where m2m stands for machine to machine, as this is in theory the auth flow being used (since we envision this to be used primarily by non-interactive flows, machine to machine fits). The configuration currently consists of:
The reason why a dedicated type for GitHub actions was used is: simplicity. This somewhat mirrors what we have for the Image integrations, where there is Docker generic but also all different types of image integrations. This makes it easier to later on create this configuration from the API, without knowing e.g. the issuer for GitHub actions by searching through the docs.
The current scope of the PR is limited to establishing the API, datastore, service layer without actually implementing the token exchange yet, this will be done in the follow-up PR.
Checklist
If any of these don't apply, please comment below.
Testing Performed
Here I tell how I validated my change
Reminder for reviewers
In addition to reviewing code here, reviewers must also review testing and request further testing in case the
performed one does not seem sufficient. As a reviewer, you must not approve the change until you understand the
performed testing and you are satisfied with it.
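The gate that the description puts in front of the token exchange (a generic configuration that must name its issuer, a dedicated GitHub Actions type that fills the issuer in, and an incoming OIDC token that has to be checked before any Central access token is handed out), written out as an added example. This is not code from the PR or from the stackrox repository: the Go types (`Config`, `ConfigType`, `Claims`), the functions (`ResolveIssuer`, `VerifyIDToken`, `NewSigningKey`, `SignIDToken`) and the field names are this example's own stand-ins for the proto the PR defines, and the GitHub Actions issuer URL is taken from GitHub's public OIDC documentation, not from the PR. The verifier pins the algorithm to RS256, checks the signature, and only then compares issuer (resolved from the configuration), audience and expiry; `NewSigningKey` and `SignIDToken` play the OIDC provider so the flow runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// ConfigType mirrors the PR's split into a generic type plus a dedicated GitHub Actions type.
// Every Go shape in this file is this example's own; none of it is the PR's proto definition.
type ConfigType int

const (
	Generic ConfigType = iota
	GitHubActions
)

// Assumed issuer of GitHub Actions OIDC tokens (public GitHub documentation, not the PR).
const gitHubActionsIssuer = "https://token.actions.githubusercontent.com"

// Config is one hypothetical m2m auth configuration stored in Central.
type Config struct {
	Type      ConfigType
	Issuer    string         // required for Generic; derived for GitHubActions
	Audience  string         // audience Central expects in the presented token
	PublicKey *rsa.PublicKey // key trusted for the issuer (a real deployment discovers it via JWKS)
}

// ResolveIssuer yields the effective issuer, so the GitHub Actions type needs no issuer from the user.
func (c Config) ResolveIssuer() (string, error) {
	if c.Type == GitHubActions {
		return gitHubActionsIssuer, nil
	}
	if c.Type != Generic || c.Issuer == "" {
		return "", errors.New("config needs a known type and, for Generic, an explicit issuer")
	}
	return c.Issuer, nil
}

// Claims is the subset of ID-token claims checked here (aud kept as a single string for brevity).
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// VerifyIDToken is the gate in front of the exchange: only a token whose alg, signature, issuer,
// audience and expiry all pass would be traded for a Central access token.
func VerifyIDToken(cfg Config, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	// Pin the algorithm before looking at the signature: rejects "none" and HS256 key-confusion tokens.
	var hdr struct{ Alg string `json:"alg"` }
	if h, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unsupported or malformed header")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(cfg.PublicKey, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature check failed")
	}
	var claims Claims // parsed only once the signature is known to be good
	if p, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(p, &claims) != nil {
		return nil, errors.New("malformed claims")
	}
	wantIss, err := cfg.ResolveIssuer()
	if err != nil {
		return nil, err
	}
	if claims.Iss != wantIss || claims.Aud != cfg.Audience {
		return nil, errors.New("issuer or audience does not match the configuration")
	}
	if claims.Exp == 0 || !now.Before(time.Unix(claims.Exp, 0)) {
		return nil, errors.New("token is expired or carries no exp")
	}
	return &claims, nil
}

// NewSigningKey and SignIDToken stand in for the OIDC provider so the flow runs offline.
func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func SignIDToken(key *rsa.PrivateKey, c Claims) (string, error) {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	body, _ := json.Marshal(c) // cannot fail for a struct of strings and an int64
	signingInput := header + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}
```

The order of checks is the point: algorithm pinning and signature verification come before any claim is read, and the issuer the token must carry comes from the stored configuration rather than from the token itself, so a GitHub Actions configuration only ever accepts tokens from the one issuer it implies. A real implementation would also accept `aud` as an array and fetch the issuer's keys from its JWKS endpoint; both are left out here to keep the gate itself readable.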