
fix(credentialshelper): correct GCR OAuth scope and enforce deterministic helper ordering#855

Open
vovinacci wants to merge 2 commits into keel-hq:master from vovinacci:fix/gcr-wi-artifact-registry-scope

Conversation


@vovinacci vovinacci commented Apr 1, 2026

Summary of the changes:

  • OAuth scope: replace storage.ScopeReadOnly (devstorage.read_only) with cloud-platform in google.DefaultTokenSource so workload-identity tokens can authenticate against Artifact Registry (*.docker.pkg.dev) Docker Registry HTTP API v2 endpoints. The narrower scope causes HTTP 403 on HEAD .../manifests/<ref> during poll triggers.
  • Helper ordering: iterate credential helpers in a fixed priority (secrets => aws => gcr) instead of random Go map order. Without this, workload-identity tokens from the gcr helper can win over explicit imagePullSecrets resolved by the secrets helper, causing flaky 403 responses against private registries.
  • Hardening: extract HelperNameSecrets, HelperNameAWS, HelperNameGCR constants so helper names are compile-time checked; add jsonKeyUsername constant alongside oauth2TokenUsername. Warn on GOOGLE_APPLICATION_CREDENTIALS only when the env var is set but the file is unreadable (silent on the normal workload-identity path); use errors.Is for sentinel error comparison.

Resolves #854.

Note: go fmt reformatted indentation in gcr.go and fixed spacing in aws.go to conform to Go coding standards.
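The helper-ordering part of the change is worth seeing in isolation: with a map-backed helper registry, Go's randomised map iteration means the gcr helper's workload-identity token may be returned before an explicit imagePullSecret, and the private registry then rejects the request. The example below is added here and is not code from this pull request or from keel; it assumes a simplified `Helper` interface, a `Credentials` struct, a `Register`/`Resolve` pair, two constructed helpers (`secretsHelper`, `gcrHelper`), a constructed token and pull secret, and a hypothetical `ErrNoCredentials` sentinel. It keeps the three helper-name constants the PR introduces and walks a fixed priority slice (secrets, aws, gcr) instead of ranging over the map, skipping helpers that report the sentinel via `errors.Is`. The OAuth scope change itself is not reproduced, since it needs `golang.org/x/oauth2/google` and a live token source.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Helper names as compile-time constants, as the PR extracts them.
const (
	HelperNameSecrets = "secrets"
	HelperNameAWS     = "aws"
	HelperNameGCR     = "gcr"
)

// helperOrder is the fixed priority: explicit pull secrets first, then
// provider-specific helpers. Iterating this slice, never the map, is what
// makes resolution deterministic.
var helperOrder = []string{HelperNameSecrets, HelperNameAWS, HelperNameGCR}

// ErrNoCredentials (hypothetical sentinel) means "this helper has nothing
// for that image"; callers compare with errors.Is so wrapped errors match.
var ErrNoCredentials = errors.New("no credentials")

// Credentials is a simplified stand-in for a registry credentials type.
type Credentials struct {
	Source   string // which helper produced it
	Username string
	Password string
}

// Helper is an assumed, simplified helper interface (not keel's own).
type Helper interface {
	IsEnabled() bool
	GetCredentials(image string) (*Credentials, error)
}

// helpers is keyed by name; Go map iteration order is randomised, so it is
// only used for lookup, never ranged over during resolution.
var helpers = map[string]Helper{}

// Register installs a helper under one of the HelperName* constants.
func Register(name string, h Helper) { helpers[name] = h }

// Resolve walks helpers in priority order and returns the first credentials
// found. Helpers reporting ErrNoCredentials are skipped; any other error
// aborts so a misconfigured helper is not silently masked.
func Resolve(image string) (*Credentials, error) {
	for _, name := range helperOrder {
		h, ok := helpers[name]
		if !ok || !h.IsEnabled() {
			continue // e.g. "aws" is in the order list but not registered
		}
		creds, err := h.GetCredentials(image)
		if err != nil {
			if errors.Is(err, ErrNoCredentials) {
				continue
			}
			return nil, fmt.Errorf("%s helper: %w", name, err)
		}
		return creds, nil
	}
	return nil, ErrNoCredentials
}

// registryHost returns the host part of an image reference.
func registryHost(image string) string { return strings.SplitN(image, "/", 2)[0] }

// secretsHelper (constructed) models imagePullSecrets resolved per registry.
type secretsHelper struct{ byRegistry map[string]Credentials }

func (s secretsHelper) IsEnabled() bool { return true }
func (s secretsHelper) GetCredentials(image string) (*Credentials, error) {
	if c, ok := s.byRegistry[registryHost(image)]; ok {
		c.Source = HelperNameSecrets
		return &c, nil
	}
	return nil, fmt.Errorf("secrets: %w", ErrNoCredentials)
}

// gcrHelper (constructed) models the workload-identity token source: it
// claims every *.gcr.io and *.docker.pkg.dev image, pull secret or not.
type gcrHelper struct{ token string }

func (g gcrHelper) IsEnabled() bool { return true }
func (g gcrHelper) GetCredentials(image string) (*Credentials, error) {
	host := registryHost(image)
	if strings.HasSuffix(host, ".gcr.io") || strings.HasSuffix(host, ".docker.pkg.dev") {
		return &Credentials{Source: HelperNameGCR, Username: "oauth2accesstoken", Password: g.token}, nil
	}
	return nil, fmt.Errorf("gcr: %w", ErrNoCredentials)
}

// setup registers the constructed helpers; gcr is registered first on purpose
// to show that registration order does not influence the result.
func setup() {
	helpers = map[string]Helper{}
	Register(HelperNameGCR, gcrHelper{token: "ya29.constructed-token"})
	Register(HelperNameSecrets, secretsHelper{byRegistry: map[string]Credentials{
		"us-docker.pkg.dev": {Username: "_json_key", Password: "{constructed-service-account-key}"},
	}})
}

func main() {
	setup()
	for _, img := range []string{"us-docker.pkg.dev/proj/repo/app:1.0", "eu.gcr.io/proj/app:2.0", "docker.io/library/nginx"} {
		c, err := Resolve(img)
		if err != nil {
			fmt.Println(img, "->", err)
			continue
		}
		fmt.Println(img, "->", c.Source, c.Username)
	}
}
```

For the Artifact Registry image the explicit pull secret wins every time; the gcr helper only answers for images no secret covers, and an image neither helper claims surfaces the sentinel rather than a random helper's error.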

…t GAR

`google.DefaultTokenSource` with `storage.ScopeReadOnly` yields a token that
cannot access Artifact Registry (`docker.pkg.dev`) Docker Registry v2 APIs,
causing HTTP **403** on HEAD `.../manifests/<ref>` during poll triggers.

Request cloud-platform scope so default/GKE workload identity credentials
can authenticate to private Artifact Registry repositories.
@vovinacci changed the title from "fix(gcr): Use cloud-platform OAuth scope for Workload Identity against GAR" to "fix(credentialshelper): correct GCR OAuth scope and enforce deterministic helper ordering" on Apr 2, 2026
@vovinacci vovinacci marked this pull request as ready for review April 2, 2026 10:20
@vovinacci (Author) commented:

@rusenask Sorry for tagging, we need this to keep upgrading. This change is battle tested - we have been using it for two weeks already. Many thanks in advance!



Development

Successfully merging this pull request may close these issues.

Workload Identity: devstorage.read_only OAuth scope breaks private Google Artifact Registry (docker.pkg.dev) manifest polling on Keel 0.21.x
