Design doc for private bicep registries #53
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
Thanks @vishwahiremat - looks like this is off to a good start.
|
||
## Design | ||
### Design details | ||
Currently, OCI-compliant registries are used to store Bicep recipes, with the ORAS client facilitating operations like publish and pull these recipes from the registries. ORAS provides package auth, enabling secure client authentication to remote registries. Private Registry credentials information i.e username and password must be stored in a Application.Core/secretStores resource and the secret resource ID is added to the recipe configuration. |
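Review bot: the Design details paragraph leaves open which component resolves the secret resource ID into a username and password and at what point (publish or pull); add a sentence naming that component and stating that the credential values are read from the secret store when the registry is accessed and are not copied into the recipe configuration itself. Also, the resource type is written `Application.Core/secretStores` here and `Applications.Core/secretStore` in the Security section; use one spelling throughout.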
Currently, OCI-compliant registries are used to store Bicep recipes, with the ORAS client facilitating operations like publish and pull these recipes from the registries. ORAS provides package auth, enabling secure client authentication to remote registries. Private Registry credentials information i.e username and password must be stored in a Application.Core/secretStores resource and the secret resource ID is added to the recipe configuration.
Currently, OCI-compliant registries are used to store Bicep recipes, with the ORAS client facilitating operations like publish and pull these recipes from the registries. ORAS provides package auth, enabling secure client authentication to remote registries. Private Registry credentials information i.e username and password must be stored in an `Application.Core/secretStores` resource and the secret resource ID is added to the recipe configuration.
### Error Handling | ||
<!-- | ||
Describe the error scenarios that may occur and the corresponding recovery/error handling and user experience. | ||
--> |
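Review bot: the Error Handling section is still the template placeholder comment. Given the Design details above, at minimum it should cover the recipe configuration referencing a secret store resource ID that does not exist or that lacks a username or password, and the registry rejecting the supplied credentials on publish or pull, and state for each case what the user sees and whether the deployment fails.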
This is an important section for a feature like this. Any thoughts?
Updated this section
- Deploy the recipe as part of the functional test using github app token to authenticate ghcr. | ||
|
||
## Security | ||
With this design we enable username-password based authentication for OCI compliant registries, we let the users manage secrets. For secret rotation users need to re deploy the Applications.Core/secretStore resource with updated credentials. |
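Review bot: the Security paragraph says rotation is done by redeploying the secret store resource but not when the new credentials take effect; state explicitly whether the driver reads the secret store on every registry access (so a redeploy is sufficient) or caches the credentials, since a cache would keep a revoked password in use until it expires. Consider also noting that credential values must not appear in logs or in error messages returned to the user. The functional-test bullet above says a GitHub app token is used to authenticate to ghcr; say where that token is stored in CI so it is not committed alongside the test.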
With this design we enable username-password based authentication for OCI compliant registries, we let the users manage secrets. For secret rotation users need to re deploy the Applications.Core/secretStore resource with updated credentials.
With this design we enable username-password based authentication for OCI compliant registries, we let the users manage secrets. For secret rotation users need to re deploy the `Applications.Core/secretStores` resource with updated credentials.
/cc @ytimocin
- Retrieve the Azure Active Directory (AAD) token for the client ID configured with Azure Federated Identity. | ||
- Get refresh token from ACR by exchanging for the above AAD access token | ||
``` | ||
formData := url.Values{ | ||
"grant_type": {"access_token"}, | ||
"service": <acr-url>, | ||
"tenant": <tenant-id>, | ||
"access_token": <aad-token>, | ||
} | ||
|
||
// jsonResponse contains the refresh token from ACR. | ||
jsonResponse, err := http.PostForm("https://<acr-url>/oauth2/exchange", formData) | ||
``` | ||
- Use `RefreshToken` in ORAS auth client to authenticate private ACR. |
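Review bot: the snippet will not compile as written and its comment is misleading: `url.Values` maps each field to a `[]string`, so the placeholders need the slice form (for example `"service": {"<acr-url>"}`), and `http.PostForm` returns an `*http.Response`, not JSON, so the refresh token has to be decoded from the response body's `refresh_token` field after checking for a 200 status; a 401 from the exchange endpoint should fail the pull with a clear error rather than be parsed as a token. Tag the fence as `go`, and add a note that the returned refresh token is a credential and must not be logged.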
Which component will be responsible for these steps?
As discussed in the meeting, Driver(ReadFromRegistry) will be responsible for getting the AAD and ACR refresh tokens and creating the ORAS auth client.
Can you please update the doc to make it explicit and the architecture diagram to reflect this call flow?
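The AAD-to-ACR token exchange that the diff above describes and that this thread assigns to the driver, written out as an added example; it is not code from the PR or from the project, and it runs offline against a constructed stand-in for the ACR `/oauth2/exchange` endpoint. The function name `ExchangeAADTokenForACRRefreshToken`, the fake server `NewFakeACRExchange`, and all token, host and tenant values are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// acrExchangeResponse is the JSON body ACR returns from /oauth2/exchange;
// only the refresh_token field is needed here.
type acrExchangeResponse struct {
	RefreshToken string `json:"refresh_token"`
}

// ExchangeAADTokenForACRRefreshToken is a hypothetical helper (not the PR's code)
// for the second step of the design: POST the AAD access token to the registry's
// /oauth2/exchange endpoint and return the ACR refresh token.
//   baseURL  - scheme and host used to reach the registry, e.g. "https://<acr-url>"
//   acrHost  - the registry host name sent as the "service" form field
//   tenantID - the AAD tenant id sent as the "tenant" form field
func ExchangeAADTokenForACRRefreshToken(client *http.Client, baseURL, acrHost, tenantID, aadToken string) (string, error) {
	if aadToken == "" {
		return "", errors.New("aad access token is empty")
	}
	// url.Values maps each field to a []string, so every value is a one-element slice.
	form := url.Values{
		"grant_type":   {"access_token"},
		"service":      {acrHost},
		"tenant":       {tenantID},
		"access_token": {aadToken},
	}
	resp, err := client.PostForm(strings.TrimRight(baseURL, "/")+"/oauth2/exchange", form)
	if err != nil {
		return "", fmt.Errorf("acr token exchange request failed: %w", err)
	}
	defer resp.Body.Close()
	// A non-200 status (e.g. 401 for a rejected AAD token) must not be treated as success.
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("acr token exchange rejected: %s", resp.Status)
	}
	var body acrExchangeResponse
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return "", fmt.Errorf("acr token exchange returned invalid JSON: %w", err)
	}
	if body.RefreshToken == "" {
		return "", errors.New("acr token exchange response has no refresh_token")
	}
	// The refresh token is a credential: hand it to the caller (in the design, the
	// driver that builds the ORAS auth client) and never write it to logs.
	return body.RefreshToken, nil
}

// NewFakeACRExchange is a constructed stand-in for the ACR endpoint so the example
// runs offline. It accepts only a POST with grant_type=access_token carrying the
// expected AAD token and answers with the given refresh token; anything else gets 401.
func NewFakeACRExchange(expectedAADToken, refreshToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.URL.Path != "/oauth2/exchange" {
			http.NotFound(w, r)
			return
		}
		if err := r.ParseForm(); err != nil {
			http.Error(w, "malformed form", http.StatusBadRequest)
			return
		}
		f := r.PostForm
		if f.Get("grant_type") != "access_token" || f.Get("service") == "" ||
			f.Get("tenant") == "" || f.Get("access_token") != expectedAADToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(acrExchangeResponse{RefreshToken: refreshToken})
	}))
}

func main() {
	// Constructed values; a real driver would obtain the AAD token from the
	// federated identity configured for the client ID (step one of the design).
	srv := NewFakeACRExchange("constructed-aad-token", "constructed-acr-refresh-token")
	defer srv.Close()

	tok, err := ExchangeAADTokenForACRRefreshToken(srv.Client(), srv.URL,
		"example.azurecr.io", "00000000-0000-0000-0000-000000000000", "constructed-aad-token")
	if err != nil {
		fmt.Println("exchange failed:", err)
		return
	}
	// Only the length is printed; the token itself stays out of output.
	fmt.Printf("obtained ACR refresh token (%d bytes) for the ORAS auth client\n", len(tok))
}
```

The third step of the design, passing the returned value to ORAS, is not wired here so the example stays standard-library only; in oras-go v2 it is the `RefreshToken` field of the credential the auth client is given for the registry host. The status check before decoding is the part most often skipped: without it a 401 body is parsed, the empty token is sent on to the registry, and the user sees a confusing pull failure instead of an authentication error.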
This pull request is stale because it has been open 14 days with no activity. Remove stale label or comment or this will be closed in 7 days.
This pull request has been closed due to inactivity. Feel free to reopen if you are still working on it.
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com> Signed-off-by: Reshma Abdul Rahim <reshmarahim.abdul@microsoft.com>