Skip to content

Add support for impersonation chain to GKEStartPodOperator in deferrable mode #37486

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
potiuk merged 4 commits into from
Feb 22, 2024
Merged

Add support for impersonation chain to GKEStartPodOperator in deferrable mode #37486

potiuk merged 4 commits into from
Feb 22, 2024

Conversation

@m1racoli
Copy link
Contributor

@m1racoli m1racoli commented Feb 16, 2024

We utilize the existing implementation of _CredentialsToken by using the async hook's get_token method. This implementation allows us to leverage several features of the Google connection from Keyfile Path or Keyfile JSON (see #37081) to impersonation chain on hook or connection level. We therefore do not need to rely on the async hook's service_file_as_context method, which does not support impersonation chain.

With this change we effectively gain support for impersonation chain in GKEStartPodOperator in deferrable mode.

related: #37081

Adding @Lee-W for visibility.

feat(GKEPodAsyncHook): use async credentials token implementation
37b8acf 
We utilize the existing implementation of `_CredentialsToken` by using
the async hook's `get_token` method. This implementation allows us to
leverage several features of the Google connection from `Keyfile Path`
or `Keyfile JSON` (see apache#37081) to impersonation chain on hook or
connection level. We therefore do not need to rely on the async hook's
`service_file_as_context` method, which does not support impersonation
chain.

With this change we effectively gain support for impersonation chain in
GKEStartPodOperator in deferrable mode.
@boring-cyborg boring-cyborg bot added area:providers provider:cncf-kubernetes Kubernetes (k8s) provider related issues provider:google Google (including GCP) related issues labels Feb 16, 2024
@m1racoli m1racoli changed the title feat(GKEPodAsyncHook): use async credentials token implementation Add support for impersonation chain to GKEStartPodOperator in deferrable mode Feb 16, 2024
@potiuk
Copy link
Member

potiuk commented Feb 21, 2024

LGTM: @Lee-W ?

Lee-W
Lee-W approved these changes Feb 22, 2024
View reviewed changes
Copy link
Member

@Lee-W Lee-W left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for late reply. LGTM. 👍

@potiuk potiuk merged commit 810fb5f into apache:main Feb 22, 2024
@m1racoli m1racoli deleted the gke-start-pod-deferrable-impersonation branch February 22, 2024 12:32
@eladkal eladkal mentioned this pull request Mar 4, 2024
Closed
79 tasks
@thomasLeclaire
Copy link

thomasLeclaire commented Sep 27, 2024

Hello! Is there any reason to not also add such mechanism for the equivalent GKEStartJobOperator?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@potiuk potiuk potiuk approved these changes

@Lee-W Lee-W Lee-W approved these changes

Assignees

No one assigned

Labels

area:providers provider:cncf-kubernetes Kubernetes (k8s) provider related issues provider:google Google (including GCP) related issues

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@m1racoli @potiuk @thomasLeclaire @Lee-W