Design doc for private bicep registries #53
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
rynowak
reviewed
Jun 25, 2024
There was a problem hiding this comment.
Thanks @vishwahiremat - looks like this is off to a good start.
|
|
||
| ## Design | ||
| ### Design details | ||
| Currently, OCI-compliant registries are used to store Bicep recipes, with the ORAS client facilitating operations like publish and pull these recipes from the registries. ORAS provides package auth, enabling secure client authentication to remote registries. Private Registry credentials information i.e username and password must be stored in a Application.Core/secretStores resource and the secret resource ID is added to the recipe configuration. |
There was a problem hiding this comment.
Suggested change
| Currently, OCI-compliant registries are used to store Bicep recipes, with the ORAS client facilitating operations like publish and pull these recipes from the registries. ORAS provides package auth, enabling secure client authentication to remote registries. Private Registry credentials information i.e username and password must be stored in a Application.Core/secretStores resource and the secret resource ID is added to the recipe configuration. | |
| Currently, OCI-compliant registries are used to store Bicep recipes, with the ORAS client facilitating operations like publish and pull these recipes from the registries. ORAS provides package auth, enabling secure client authentication to remote registries. Private Registry credentials information i.e username and password must be stored in an `Application.Core/secretStores` resource and the secret resource ID is added to the recipe configuration. |
| ### Error Handling | ||
| <!-- | ||
| Describe the error scenarios that may occur and the corresponding recovery/error handling and user experience. | ||
| --> |
There was a problem hiding this comment.
This is an important section for a feature like this. Any thoughts?
There was a problem hiding this comment.
Updated this section
| - Deploy the recipe as part of the functional test using github app token to authenticate ghcr. | ||
|
|
||
| ## Security | ||
| With this design we enable username-password based authentication for OCI compliant registries, we let the users manage secrets. For secret rotation users need to re deploy the Applications.Core/secretStore resource with updated credentials. |
There was a problem hiding this comment.
Suggested change
| With this design we enable username-password based authentication for OCI compliant registries, we let the users manage secrets. For secret rotation users need to re deploy the Applications.Core/secretStore resource with updated credentials. | |
| With this design we enable username-password based authentication for OCI compliant registries, we let the users manage secrets. For secret rotation users need to re deploy the `Applications.Core/secretStores` resource with updated credentials. |
|
/cc @ytimocin |
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
rynowak
reviewed
Jul 1, 2024
sk593
reviewed
Jul 1, 2024
rynowak
reviewed
Jul 1, 2024
rynowak
reviewed
Jul 1, 2024
kachawla
reviewed
Jul 1, 2024
rynowak
reviewed
Jul 1, 2024
kachawla
reviewed
Jul 1, 2024
rynowak
reviewed
Jul 1, 2024
willtsai
reviewed
Jul 1, 2024
rynowak
reviewed
Jul 1, 2024
kachawla
reviewed
Jul 1, 2024
kachawla
reviewed
Jul 1, 2024
willtsai
reviewed
Jul 1, 2024
kachawla
reviewed
Jul 2, 2024
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
rynowak
reviewed
Jul 8, 2024
rynowak
reviewed
Jul 8, 2024
rynowak
reviewed
Jul 8, 2024
ytimocin
reviewed
Jul 8, 2024
ytimocin
reviewed
Jul 8, 2024
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
ytimocin
reviewed
Jul 22, 2024
kachawla
reviewed
Jul 22, 2024
Comment on lines
162
to
175
| - Retrieve the Azure Active Directory (AAD) token for the client ID configured with Azure Federated Identity. | ||
| - Get refresh token from ACR by exchanging for the above AAD access token | ||
| ``` | ||
| formData := url.Values{ | ||
| "grant_type": {"access_token"}, | ||
| "service": <acr-url>, | ||
| "tenant": <tenant-id>, | ||
| "access_token": <aad-token>, | ||
| } | ||
|
|
||
| // jsonResponse contains the refresh token from ACR. | ||
| jsonResponse, err := http.PostForm("https://<acr-url>/oauth2/exchange", formData) | ||
| ``` | ||
| - Use `RefreshToken` in ORAS auth client to authenticate private ACR. |
There was a problem hiding this comment.
Which component will be responsible for these steps?
There was a problem hiding this comment.
as discussed in the meeting, Driver(ReadFromRegistry) will be responsible for getting the AAD and acr refresh tokens and creating ORAS auth client.
There was a problem hiding this comment.
Can you please update the doc to make it explicit and the architecture diagram to reflect this call flow?
willtsai
reviewed
Jul 22, 2024
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
|
This pull request is stale because it has been open 14 days with no activity. Remove stale label or comment or this will be closed in 7 days. |
|
This pull request has been closed due to inactivity. Feel free to reopen if you are still working on it. |
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
ytimocin
force-pushed
the
vishwahiremat/private-bicep-registry
branch
from
e1efb0b
to
34bd19d
Compare
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
ytimocin
approved these changes
Sep 16, 2024
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
lakshmimsft
reviewed
Sep 18, 2024
lakshmimsft
reviewed
Sep 18, 2024
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
lakshmimsft
approved these changes
Sep 18, 2024
Reshrahim
pushed a commit
to Reshrahim/design-notes
that referenced
this pull request
Sep 20, 2024
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com> Signed-off-by: Reshma Abdul Rahim <reshmarahim.abdul@microsoft.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.