Add Kubernetes-friendly OCI authentication methods#1
Open
sanjaynagi wants to merge 2 commits into
The plugin previously only supported inline API key credentials (SimpleAuthenticationDetailsProvider) and the local ~/.oci/config file, neither of which is suitable for Kubernetes where shipping long-lived API keys into pods is undesirable.

Add the credential-less providers OCI offers for Kubernetes/OKE:
- workload_identity: OKE Workload Identity (pod-level, recommended for K8s)
- instance_principal: Instance Principals (OKE worker nodes / OCI VMs)
- resource_principal: Resource Principals (Functions etc.)

Changes:
- New `oci.authType` config option (and OCI_AUTH_TYPE env) selecting the method, with an `auto` default that detects the environment and prefers credential-less methods (inline -> workload identity -> resource principal -> config file).
- New optional `oci.tokenPath` for the OKE service account token.
- OciClient now derives the region from the provider (RegionProvider) when none is explicitly configured, so K8s deployments need no region.
- Add oci-java-sdk-addons-oke-workload-identity dependency.
- Tests for auth-type normalization/selection and config resolution.
- Document the auth methods, with an OKE Workload Identity guide.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
hey there @incsteps Made this PR as we would like to use nf-oci on K8s but currently auth is a bit tricky. Please review if you can! thank you!

- Drop the reimplemented instance_principal/resource_principal methods and env auto-detection; keep the original auto behaviour (inline credentials, then ~/.oci/config) and add only the new workload_identity method.
- Make the service account token path customisable via oci.tokenPath, relying on the OKE SDK default instead of a hardcoded constant.
- Simplify normalizeAuthType to accept one canonical name per type.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Motivation
The plugin previously supported only two authentication methods:

- `simple` (`SimpleAuthenticationDetailsProvider`): inline `tenantId`/`userId`/`fingerprint`/`privateKey`
- `config_file` (`ConfigFileAuthenticationDetailsProvider`): `~/.oci/config`

Both require placing long-lived API keys / private keys into the runtime, which is undesirable in Kubernetes where you don't want to ship credentials into pods. This PR adds OKE Workload Identity, the credential-less method OCI provides for pods running in an Oracle Kubernetes Engine (enhanced) cluster.
What's added
A new `oci.authType` config option (and `OCI_AUTH_TYPE` env var) selects the method:

| `authType` | Provider |
| --- | --- |
| `workload_identity` | OKE Workload Identity |
| `simple` / `config_file` | inline credentials / `~/.oci/config` |
| `auto` (default) | inline credentials if present, otherwise `~/.oci/config` |

The existing `auto` behavior is unchanged and backward-compatible: inline credentials if present, otherwise the local config file. Workload Identity is opt-in via `authType = 'workload_identity'`.

Changes

- `AuthentificationDetailProvider`: adds the `workload_identity` method alongside the existing `simple`/`config_file`/`auto` paths, with a simple auth-type switch and clear errors for unknown/misconfigured types.
- `OciConfig`: new `authType` and `tokenPath` config options with env-var fallback; `getConfiguredRegion()` accessor.
- `OciClient`: derives the region from the provider (`RegionProvider`) when none is configured, so OKE deployments need no explicit region.
- `build.gradle`: adds `com.oracle.oci.sdk:oci-java-sdk-addons-oke-workload-identity:3.80.3`.

The service account token is read from the OKE SDK's default pod mount path and is customisable via `oci.tokenPath`.

Example (OKE Workload Identity)

```groovy
oci {
    authType = 'workload_identity'
    region = 'us-ashburn-1'
}
```

🤖 Generated with Claude Code
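The selection logic the PR describes (canonical auth-type names with an `OCI_AUTH_TYPE` fallback, the unchanged `auto` rule of inline credentials then `~/.oci/config`, opt-in `workload_identity` with an optional token path, and region taken from the provider when none is configured) is shown below as an added example against the OCI Java SDK. This is illustrative code written for this page, not nf-oci's `AuthentificationDetailProvider` or `OciClient`; the class `OciAuthResolver`, the `Config` record and its field names are assumptions, and the `DefaultServiceAccountTokenProvider(String)` constructor used to honour `oci.tokenPath` is assumed to exist in the `oci-java-sdk-addons-oke-workload-identity` module.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Map;
import java.util.function.Supplier;

import com.oracle.bmc.Region;
import com.oracle.bmc.auth.BasicAuthenticationDetailsProvider;
import com.oracle.bmc.auth.ConfigFileAuthenticationDetailsProvider;
import com.oracle.bmc.auth.RegionProvider;
import com.oracle.bmc.auth.SimpleAuthenticationDetailsProvider;
import com.oracle.bmc.auth.SimplePrivateKeySupplier;
import com.oracle.bmc.auth.okeworkloadidentity.DefaultServiceAccountTokenProvider;
import com.oracle.bmc.auth.okeworkloadidentity.OkeWorkloadIdentityAuthenticationDetailsProvider;

/** Hypothetical resolver mirroring the auth-type selection in the PR; not the plugin's own code. */
public final class OciAuthResolver {

    /** One canonical name per type, as the simplified normalizeAuthType accepts. */
    enum AuthType { AUTO, SIMPLE, CONFIG_FILE, WORKLOAD_IDENTITY }

    /** Stand-in for the plugin's OciConfig; field names are assumptions. */
    public record Config(String authType, String tenantId, String userId, String fingerprint,
                         String privateKeyPath, String region, String tokenPath, String profile) {}

    /** Config value wins, then the OCI_AUTH_TYPE env var, then 'auto'; unknown names are rejected. */
    static AuthType normalizeAuthType(String configured, Map<String, String> env) {
        String raw = configured != null ? configured : env.getOrDefault("OCI_AUTH_TYPE", "auto");
        switch (raw.trim().toLowerCase()) {
            case "auto":              return AuthType.AUTO;
            case "simple":            return AuthType.SIMPLE;
            case "config_file":       return AuthType.CONFIG_FILE;
            case "workload_identity": return AuthType.WORKLOAD_IDENTITY;
            default:
                throw new IllegalArgumentException("Unknown oci.authType '" + raw
                    + "' (expected auto, simple, config_file or workload_identity)");
        }
    }

    static boolean hasInlineCredentials(Config c) {
        return c.tenantId() != null && c.userId() != null
            && c.fingerprint() != null && c.privateKeyPath() != null;
    }

    /** Build the provider for the resolved auth type. */
    public static BasicAuthenticationDetailsProvider build(Config c, Map<String, String> env) {
        AuthType type = normalizeAuthType(c.authType(), env);
        if (type == AuthType.AUTO) {
            // Unchanged 'auto' rule: inline credentials if present, otherwise ~/.oci/config.
            type = hasInlineCredentials(c) ? AuthType.SIMPLE : AuthType.CONFIG_FILE;
        }
        switch (type) {
            case SIMPLE: {
                if (!hasInlineCredentials(c)) {
                    throw new IllegalStateException(
                        "authType 'simple' requires tenantId, userId, fingerprint and privateKey");
                }
                Supplier<InputStream> key = new SimplePrivateKeySupplier(c.privateKeyPath());
                var b = SimpleAuthenticationDetailsProvider.builder()
                    .tenantId(c.tenantId()).userId(c.userId())
                    .fingerprint(c.fingerprint()).privateKeySupplier(key);
                if (c.region() != null) b.region(Region.fromRegionCodeOrId(c.region()));
                return b.build();
            }
            case CONFIG_FILE: {
                try {
                    // Reads ~/.oci/config; the profile defaults to DEFAULT.
                    return new ConfigFileAuthenticationDetailsProvider(
                        c.profile() != null ? c.profile() : "DEFAULT");
                } catch (IOException e) {
                    throw new IllegalStateException("Cannot read ~/.oci/config", e);
                }
            }
            case WORKLOAD_IDENTITY: {
                var w = OkeWorkloadIdentityAuthenticationDetailsProvider.builder();
                if (c.tokenPath() != null) {
                    // oci.tokenPath overrides the SDK's default pod mount path
                    // (this constructor form is an assumption, see lead-in).
                    w.serviceAccountTokenProvider(new DefaultServiceAccountTokenProvider(c.tokenPath()));
                }
                // No API key, no private key: the pod's service account token is exchanged for a session.
                return w.build();
            }
            default:
                throw new IllegalStateException("unreachable");
        }
    }

    /** Explicit region first; otherwise ask the provider, as OciClient does after this PR. */
    public static Region resolveRegion(Config c, BasicAuthenticationDetailsProvider provider) {
        if (c.region() != null) return Region.fromRegionCodeOrId(c.region());
        if (provider instanceof RegionProvider rp && rp.getRegion() != null) return rp.getRegion();
        throw new IllegalStateException("No region configured and the provider does not supply one");
    }
}
```

With `authType = 'workload_identity'` and no `region`, `build` returns the OKE provider and `resolveRegion` falls through to `RegionProvider.getRegion()`, which is why the OKE deployment in the example above needs nothing beyond `authType`; an unrecognised value such as `instance_principal` fails fast in `normalizeAuthType` rather than silently falling back to `~/.oci/config`.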