Add sre oidc provider to the trusted issuers. #12562

Merged
merged 1 commit into from
Jan 17, 2025

Conversation

dekiel
Contributor

@dekiel dekiel commented Jan 16, 2025

Description

SRE is running an image-builder in Jenkins. Jenkins and its OIDC provider do not provide a claim with a Jenkins pipeline reference. It's the SRE team's responsibility to restrict access to the OIDC provider and allow only certain pipelines to build images. The SRE issuer does not provide job workflow ref and this claim is not validated when the OIDC token is verified.

Changes proposed in this pull request:

  • Disable job workflow ref claim verification if it's not defined in trusted issuer.
  • Added SRE issuer to the trusted issuers.

Disable job workflow ref claim verification if it's not defined in trusted issuer.
@kyma-bot kyma-bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. cla: yes Indicates the PR's author has signed the CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jan 16, 2025
@dekiel dekiel marked this pull request as ready for review January 16, 2025 19:53
@dekiel dekiel requested review from neighbors-dev-bot and a team as code owners January 16, 2025 19:53
@dekiel dekiel requested review from akiioto and szumejker January 16, 2025 19:53
@kyma-bot kyma-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 16, 2025
@kyma-bot kyma-bot added the lgtm Looks good to me! label Jan 17, 2025
@kyma-bot kyma-bot merged commit 6d8c276 into kyma-project:main Jan 17, 2025
80 checks passed
@dekiel dekiel deleted the Add-sre-provided-as-trusted branch January 17, 2025 07:45
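
The per-issuer claim check described in this PR, as an added example that is not the project's own code. The `TrustedIssuer` and `Claims` types, `ValidateClaims`, the Jenkins URL and the workflow ref are hypothetical and constructed for illustration; the token's signature and audience are assumed to have been verified already.

```go
package main

import (
	"errors"
	"fmt"
)

// TrustedIssuer is a hypothetical policy entry (not the project's own type).
type TrustedIssuer struct {
	Name, IssuerURL        string
	ExpectedJobWorkflowRef string // empty: issuer emits no such claim, so no check
}

// Claims are read from a token whose signature and audience were already verified.
type Claims struct{ Issuer, JobWorkflowRef string }

var (
	ErrUntrustedIssuer = errors.New("issuer is not trusted")
	ErrWorkflowRef     = errors.New("job_workflow_ref mismatch")
)

// ValidateClaims returns the matched issuer name and whether the token was bound
// to a specific pipeline, so callers can audit-log unbound acceptances.
func ValidateClaims(trusted []TrustedIssuer, c Claims) (name string, bound bool, err error) {
	for _, ti := range trusted {
		if ti.IssuerURL != c.Issuer { // exact match only, no prefix or host matching
			continue
		}
		if ti.ExpectedJobWorkflowRef == "" {
			// Nothing to compare against: any token this issuer signs is accepted,
			// so restricting who can obtain one is the issuer operator's job.
			return ti.Name, false, nil
		}
		if c.JobWorkflowRef != ti.ExpectedJobWorkflowRef {
			return ti.Name, false, fmt.Errorf("%w: got %q", ErrWorkflowRef, c.JobWorkflowRef)
		}
		return ti.Name, true, nil
	}
	return "", false, fmt.Errorf("%w: %q", ErrUntrustedIssuer, c.Issuer)
}

// samplePolicy is constructed for this example; the Jenkins URL and workflow ref are placeholders.
func samplePolicy() []TrustedIssuer {
	return []TrustedIssuer{
		{"github", "https://token.actions.githubusercontent.com", "example-org/example-repo/.github/workflows/build.yml@refs/heads/main"},
		{"sre-jenkins", "https://jenkins.example.test/oidc", ""},
	}
}

func main() {
	name, bound, err := ValidateClaims(samplePolicy(), Claims{Issuer: "https://jenkins.example.test/oidc"})
	fmt.Println(name, bound, err)
}
```

Returning `bound` separately lets the caller record every build that was accepted without a pipeline binding, which is the audit trail left once the workflow-ref check is skipped for an issuer.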
Labels
cla: yes Indicates the PR's author has signed the CLA. image-builder lgtm Looks good to me! size/M Denotes a PR that changes 30-99 lines, ignoring generated files.