[🙏] Add (document) support for Google Artifact Registry #1314

Open
jdomeracki opened this issue May 22, 2023 · 2 comments

Describe the user need
Hi Team, as GCR recently got deprecated it might be high time to start officially supporting Google Artifact Registry.

Describe expected behaviour
The following section of the documentation should include a snippet showcasing a sample configuration of the dockercfg.json including credHelpers set for GAR: https://github.com/snyk/kubernetes-monitor/tree/staging/snyk-monitor#installing

Example:

❯ cat dockercfg.json | jq
{
  "credHelpers": {
    "us-central1-docker.pkg.dev": "gcloud",
    "europe-west1-docker.pkg.dev": "gcloud"
  }
}

Of course some unit and/or integration test cases would be welcome as well.

Additional context
We've actually tested this in our environment and the proposed addition works as intended.

NOTE: The underlying GCP Service Account mapped via Workload Identity needs to have a proper IAM binding, i.e. the Artifact Registry Reader role bound to the Registry in scope.

Reference: https://cloud.google.com/artifact-registry/docs/access-control#roles
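
Added example, not part of the issue or of the snyk-monitor project: `credHelpers` is keyed by registry hostname, so every regional Artifact Registry host that workloads pull from needs its own entry. The check below lists the hosts a `dockercfg.json` does not cover; the image references and project names are constructed placeholders.

```python
import json

# Constructed sample: the dockercfg.json proposed in the issue above.
DOCKERCFG = """
{
  "credHelpers": {
    "us-central1-docker.pkg.dev": "gcloud",
    "europe-west1-docker.pkg.dev": "gcloud"
  }
}
"""

# Constructed image references (project and repository names are placeholders).
IMAGES = [
    "us-central1-docker.pkg.dev/example-project/apps/api:1.4.2",
    "europe-west1-docker.pkg.dev/example-project/apps/web@sha256:" + "0" * 64,
    "asia-east1-docker.pkg.dev/example-project/apps/worker:latest",
    "nginx:1.25",
]

GAR_SUFFIX = "-docker.pkg.dev"


def registry_host(image):
    """Return the registry host of an image reference, or None for Docker Hub shorthand."""
    first, sep, _ = image.partition("/")
    # Docker treats the first path component as a registry only if it
    # contains a dot or a port, or is "localhost".
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return None


def missing_gar_helpers(dockercfg_text, images):
    """List Artifact Registry hosts used by images that have no credHelpers entry."""
    helpers = json.loads(dockercfg_text).get("credHelpers", {})
    missing = set()
    for image in images:
        host = registry_host(image)
        if host and host.endswith(GAR_SUFFIX) and host not in helpers:
            missing.add(host)
    return sorted(missing)


if __name__ == "__main__":
    for host in missing_gar_helpers(DOCKERCFG, IMAGES):
        print(f"no credHelpers entry for {host}")
```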

kat1906 commented May 23, 2023

Hi @jdomeracki, thank you very much for raising this issue. I have added this item to our triage backlog and brought it to the team's attention.

Of course, we're more than willing to accept PRs if this is something you might be interested in assisting with, but rest assured we're going to look into this! 😄

@ivanstanev

Hey @jdomeracki, did you need to add any additional steps, e.g. add a label or annotation to the ServiceAccount of the snyk-monitor, so that it is provisioned with the correct workload identity?
