feat: add SSM as a gitprovider #1768
Conversation
|
Skipping CI for Draft Pull Request. |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Summary of Changes
Hello @Camila-B, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request significantly expands our end-to-end testing capabilities by integrating Secure Source Manager (SSM) as a new Git provider. It introduces the necessary infrastructure to interact with SSM repositories, including a dedicated client and authentication mechanisms, and adds a foundational test case to ensure Config Sync can successfully synchronize configurations from SSM using Workload Identity.
Highlights
- Secure Source Manager (SSM) Integration: Added Secure Source Manager (SSM) as a new supported Git provider for end-to-end (E2E) tests, enabling Config Sync to pull configurations from SSM repositories.
- New E2E Test for SSM: Introduced a dedicated E2E test case (
TestWorkloadIdentity_GitSourceSSM) to validate Config Sync's ability to sync from an SSM repository using Workload Identity, covering repository creation, pushing, syncing, and deletion. - E2E Test Infrastructure Enhancements: Extended the E2E test framework to include a new
--ssm-instanceflag, aRequireSecureSourceManagerRepositorytest option, and validation for required environment variables when SSM is used. - Code Refactoring: Centralized the repository name sanitization logic into a new
utilpackage, improving code reusability and maintainability across different Git provider implementations.
Using Gemini Code Assist
The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.
Invoking Gemini
You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.
| Feature | Command | Description |
|---|---|---|
| Code Review | /gemini review |
Performs a code review for the current pull request in its current state. |
| Pull Request Summary | /gemini summary |
Provides a summary of the current pull request in its current state. |
| Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in issue comments and review comments. |
| Help | /gemini help |
Displays a list of available commands. |
Customization
To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.
Limitations & Feedback
Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.
You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.
Footnotes
-
Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩
There was a problem hiding this comment.
Code Review
This pull request adds support for Google Cloud Secure Source Manager (SSM) as a Git provider for the E2E tests. The changes include adding a new test case for SSM, updating flags, and creating a new client for interacting with SSM. The refactoring of sanitizeRepoName into a shared utility is a good improvement.
I've identified a few critical issues, such as the use of an interactive gcloud command that will fail in CI and a missing required flag in a cleanup command. There are also several medium-severity issues related to hardcoded values, copy-paste errors in comments, and misleading naming that should be addressed to improve code quality and maintainability. Overall, this is a good start for adding SSM support, and addressing the feedback will make it robust.
| } | ||
|
|
||
| func (c *SSMClient) login() error { | ||
| _, err := c.shell.ExecWithDebug("gcloud", "init") |
There was a problem hiding this comment.
The gcloud init command is interactive and is intended for first-time setup of a gcloud configuration. It will hang in a non-interactive environment like a CI/CD pipeline, causing tests to fail or time out.
If the goal is to ensure authentication, the test environment should already be authenticated (e.g., via Workload Identity or a service account key). If authentication is already handled, this login function may not be necessary. If it is, a non-interactive command like gcloud auth activate-service-account should be used. Given this is a pre-existing pattern from the CSR client, it should be fixed in both places.
Camila-B
force-pushed
the
feat/ssm-validation
branch
5 times, most recently
from
af42c00 to
1e285d4
Compare
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces support for Secure Source Manager (SSM) as a Git provider for the E2E tests. The changes include adding new flags for SSM configuration, implementing an SSM client, and adding an initial test case for workload identity with SSM. The refactoring of sanitizeRepoName into a shared utility is a nice improvement for code reuse.
| } | ||
|
|
||
| func (c *SSMClient) login() error { | ||
| _, err := c.shell.ExecWithDebug("gcloud", "init") |
There was a problem hiding this comment.
gcloud init is an interactive command and may cause tests to hang in a non-interactive CI environment. Consider a non-interactive approach, or rely on the gcloud.sh credential helper to manage authentication implicitly. Since CSRClient uses the same login implementation, this could be a good opportunity to refactor both.
Camila-B
force-pushed
the
feat/ssm-validation
branch
from
1e285d4 to
31bcf69
Compare
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces support for Secure Source Manager (SSM) as a Git provider in the E2E test suite. The changes are well-structured. I've identified a few issues related to the use of an interactive command in an automated script, granting excessive permissions to the service account, and a suggestion to improve maintainability by avoiding a hardcoded value.
| _, err := c.shell.ExecWithDebug("gcloud", "init") | ||
| if err != nil { | ||
| return fmt.Errorf("authorizing gcloud: %w", err) | ||
| } |
There was a problem hiding this comment.
The gcloud init command is designed for interactive use and is not suitable for automated scripts, as it may hang waiting for user input. The test environment should be pre-authenticated.
| _, err = c.shell.ExecWithDebug("gcloud", "beta", "source-manager", "repos", | ||
| "add-iam-policy-binding", fullName, "--region", c.region, | ||
| "--member", fmt.Sprintf("serviceAccount:%s", SSMServiceAccountEmail()), | ||
| "--role", "roles/securesourcemanager.repoWriter", |
There was a problem hiding this comment.
The service account used by Config Sync is being granted the roles/securesourcemanager.repoWriter role. This grants write access, but Config Sync only needs read access. Consider using roles/securesourcemanager.repoReader to adhere to the principle of least privilege.
| "--role", "roles/securesourcemanager.repoWriter", | |
| "--role", "roles/securesourcemanager.repoReader", |
Camila-B
force-pushed
the
feat/ssm-validation
branch
from
0d92a7b to
81bf694
Compare
Camila-B
force-pushed
the
feat/ssm-validation
branch
from
e21d4da to
48c34af
Compare
Camila-B
changed the title
Camila-B
force-pushed
the
feat/ssm-validation
branch
from
f0b9814 to
c533978
Compare
| name: "Authenticate to Git repo on SSM with GKE WI", | ||
| fleetWITest: false, | ||
| rootSrcCfg: sourceConfig{pkg: "hydration/kustomize-components", dir: "kustomize-components", commitFn: nomostest.RootRepoSha1Fn}, | ||
| nsSrcCfg: sourceConfig{pkg: "hydration/namespace-repo", dir: "namespace-repo", commitFn: nomostest.NsRepoSha1Fn}, |
There was a problem hiding this comment.
nit: consider adding the following snippet to updateRSyncWithGitSourceConfig:
meta := rsyncValidateMeta{rsID: id, syncDir: sc.dir}
switch id.Kind {
case configsync.RootSyncKind:
meta.sha1Func = nomostest.DefaultRootSha1Fn
case configsync.RepoSyncKind:
meta.sha1Func = nomostest.DefaultRepoSha1Fn
default:
nt.T.Fatalf("unrecognized RSync kind: %s", id.Kind)
}
return metaThen the commitFn doesn't need to be declared here for CSR and SSM
Camila-B
force-pushed
the
feat/ssm-validation
branch
from
c533978 to
9c6c972
Compare
Camila-B
force-pushed
the
feat/ssm-validation
branch
2 times, most recently
from
e749eb6 to
5a6db0c
Compare
Camila-B
force-pushed
the
feat/ssm-validation
branch
2 times, most recently
from
bb8b13b to
d2c58b8
Compare
|
/retest |
Camila-B
force-pushed
the
feat/ssm-validation
branch
from
c17af0e to
2bc1629
Compare
* Adds SSM gitprovider * Adds tests to test basic flow of fetching from a SSM repo
Camila-B
force-pushed
the
feat/ssm-validation
branch
from
2bc1629 to
0f8d447
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sdowell The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest |
1 similar comment
|
/retest |
google-oss-prow
bot
merged commit d728b5e
into
GoogleContainerTools:main
https://www.googleapis.com/auth/userinfo.emailscope to the askpass credential provider as tokens used by SSM require it