CC-7948 Update wrangler CLI to support GAR#14311
Conversation
Adds Google Artifact Registry to Wrangler's external registry configuration flow. GAR credentials differ from ECR and DockerHub because the public credential comes from the service-account key itself, so Wrangler now parses the key, derives `client_email`, and stores/sends the key as base64 for Cloudchamber. The command also accepts an optional GAR-specific `--google-service-account-email` flag.
🦋 Changeset detectedLatest commit: efb175e The changes in this PR will be included in the next version bump. This PR includes changesets to release 4 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
workers-devprod
requested review from
a team and
emily-shen
and removed request for
a team
|
Codeowners approval required for this PR:
Show detailed file reviewers
|
create-cloudflare
@cloudflare/deploy-helpers
@cloudflare/kv-asset-handler
miniflare
@cloudflare/pages-shared
@cloudflare/unenv-preset
@cloudflare/vite-plugin
@cloudflare/vitest-pool-workers
@cloudflare/workers-auth
@cloudflare/workers-editor-shared
@cloudflare/workers-utils
wrangler
commit: |
|
Can we also accept a filename for the service key? We shouldn't require a user to paste the JSON object if they've already downloaded the file from GCP |
Yes great point let me add that! |
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
- Add the --gar-service-account-key flag, accepting the service-account key as a file path, raw JSON, or base64 (resolved in that order). Mutually exclusive with credential flags from other providers. If the flag is not provided, accept the key (raw JSON or base64) via stdin - Removed the --google-service-account-email flag since it was redundant with the email field in the service account key. - Surface targeted errors for unreadable key files, stray PEM private keys, and missing/empty key fields instead of a generic "invalid key" message. - Updated tests and changeset.
sherryliu-lsy
force-pushed
the
sherryliu/cc-7948-update-wrangler-cli-to-support-gar
branch
from
5351a0d to
a5afd87
Compare
nikitassharma
left a comment
nikitassharma
left a comment
There was a problem hiding this comment.
The more I think about it, the more I think we should disallow the base64 or raw json secrets in the cli flag. That should only accept a filename. We can accept base64 or raw json through stdin, but in general we shouldn't encourage pasting a secret value into the terminal where it would remain visible in shell history.
…alFlagConflicts logic
- wrangler now only accepts a file path for the GAR service account key, and no longer
accepts raw JSON or base64 input for security considerations.
- Handling provider-specific credential flag conflicts simplified to provider map rather
than hardcoding
- Updated tests and changeset.
sherryliu-lsy
force-pushed
the
sherryliu/cc-7948-update-wrangler-cli-to-support-gar
branch
from
c718e6e to
efb175e
Compare
| await expect( | ||
| runWrangler(`containers registries configure ${garDomain}`) | ||
| ).rejects.toThrowErrorMatchingInlineSnapshot( | ||
| `[Error: Missing required argument: gar-service-account-key. Provide the path to the Google service account key file.]` |
There was a problem hiding this comment.
Let's not require this. We should be able to accept credentials through stdin the way we do for other registries.
like all of these should be valid (or entering secret through the interactive prompt)
wrangler containers registries configure --gar-service-account-key=path/to/key.json
echo $BASE64_PRIVATE_KEY | wrangler containers registries configure
cat path/to/key.json | wrangler containers registries configure
There was a problem hiding this comment.
Trying to think through what makes the most sense from a ux perspective, what are your thoughts on this:
CLI flag:
- file path
stdin:
- base 64 encoded json
- raw json
- file path (unsure ?)
interactive prompt:
- file path
- raw json
4 participants
CC-7948
Adds Google Artifact Registry to Wrangler's external registry configuration flow. GAR credentials differ from ECR and DockerHub because the public credential comes from the service-account key JSON file itself, so Wrangler now parses the key, derives
client_emailfrom the key as the public credential, and stores/sends the key as base64 for Cloudchamber.Provide the Google service-account key as a path to the key file via
--gar-service-account-key.Follows CC-7866 Add Google Artifact Registry (GAR) support as an external registry provider