diff --git a/.bumpversion.toml b/.bumpversion.toml index 97280cf4..7aabd625 100644 --- a/.bumpversion.toml +++ b/.bumpversion.toml @@ -1,5 +1,5 @@ [tool.bumpversion] -current_version = "5.18.6" +current_version = "5.19.0" commit = true message = "Update version {current_version} -> {new_version} [skip ci]" diff --git a/Authentication.md b/Authentication.md index d5638b9c..ddc2a021 100644 --- a/Authentication.md +++ b/Authentication.md @@ -452,10 +452,10 @@ if err != nil { ## Container Authentication The `ContainerAuthenticator` is intended to be used by application code running inside a compute resource managed by the IBM Kubernetes Service (IKS) -in which a secure compute resource token (CR token) has been stored in a file -within the compute resource's local file system. +or IBM Cloud Code Engine in which a secure compute resource token (CR token) +has been stored in a file within the compute resource's local file system. The CR token is similar to an IAM apikey except that it is managed automatically by -the compute resource provider (IKS). +the compute resource provider (IKS or Code Engine). This allows the application developer to: - avoid storing credentials in application code, configuration files or a password vault - avoid managing or rotating credentials 
@@ -475,7 +475,9 @@ The IAM access token is added to each outbound request in the `Authorization` he - CRTokenFilename: (optional) the name of the file containing the injected CR token value. If not specified, then the authenticator will first try `/var/run/secrets/tokens/vault-token` -and then `/var/run/secrets/tokens/sa-token` as the default value (first file found is used). +and then `/var/run/secrets/tokens/sa-token` and finally +`/var/run/secrets/codeengine.cloud.ibm.com/compute-resource-token/token` as the default value +(first file found is used). The application must have `read` permissions on the file containing the CR token value. - IAMProfileName: (optional) the name of the linked trusted IAM profile to be used when obtaining the diff --git a/CHANGELOG.md b/CHANGELOG.md index 61727e3e..e27ade02 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,10 @@ +# [5.19.0](https://github.com/IBM/go-sdk-core/compare/v5.18.6...v5.19.0) (2025-03-07) + + +### Features + +* **ContainerAuthenticator:** add support for code engine workload ([#244](https://github.com/IBM/go-sdk-core/issues/244)) ([80518d2](https://github.com/IBM/go-sdk-core/commit/80518d281b258af9f7fd4da3555f06fa0b48bfdd)) + ## [5.18.6](https://github.com/IBM/go-sdk-core/compare/v5.18.5...v5.18.6) (2025-03-07) diff --git a/README.md b/README.md index cd75b094..8062bf25 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ [![CLA assistant](https://cla-assistant.io/readme/badge/ibm/go-sdk-core)](https://cla-assistant.io/ibm/go-sdk-core) -# IBM Go SDK Core Version 5.18.6 +# IBM Go SDK Core Version 5.19.0 This project contains core functionality required by Go code generated by the IBM Cloud OpenAPI SDK Generator (openapi-sdkgen). diff --git a/core/container_authenticator.go b/core/container_authenticator.go index ebb6e4ed..651ae078 100644 --- a/core/container_authenticator.go +++ b/core/container_authenticator.go 
@@ -1,6 +1,6 @@ package core -// (C) Copyright IBM Corp. 2021, 2024. +// (C) Copyright IBM Corp. 2021, 2025. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -29,7 +29,7 @@ import ( ) // ContainerAuthenticator implements an IAM-based authentication schema whereby it -// retrieves a "compute resource token" from the local compute resource (VM) +// retrieves a "compute resource token" from the local compute resource (IKS pod, or Code Engine application, function, or job) // and uses that to obtain an IAM access token by invoking the IAM "get token" operation with grant-type=cr-token. // The resulting IAM access token is then added to outbound requests in an Authorization header // of the form: @@ -37,8 +37,8 @@ import ( // Authorization: Bearer type ContainerAuthenticator struct { // [optional] The name of the file containing the injected CR token value (applies to - // IKS-managed compute resources). - // Default value: (1) "/var/run/secrets/tokens/vault-token" or (2) "/var/run/secrets/tokens/sa-token", + // IKS-managed compute resources, a Code Engine compute resource always uses the third default from below). + // Default value: (1) "/var/run/secrets/tokens/vault-token" or (2) "/var/run/secrets/tokens/sa-token" or (3) "/var/run/secrets/codeengine.cloud.ibm.com/compute-resource-token/token", // whichever is found first. CRTokenFilename string 
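Review bot: The new CRTokenFilename field comment says a Code Engine compute resource "always uses the third default", which is stronger than what this commit implements. The retrieveCRToken hunk still reads `defaultCRTokenFilename1` and `defaultCRTokenFilename2` first and reaches the Code Engine path only when both reads fail, so a file present at either earlier path would win on any platform. I would reword the comment to `// [optional] The name of the file containing the injected CR token value.` followed by `// If empty, the defaults below are tried in order and the first one that can be read is used (on Code Engine this is normally the third).` The struct definition continues outside the hunk.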
@@ -98,9 +98,10 @@ type ContainerAuthenticator struct { } const ( - defaultCRTokenFilename1 = "/var/run/secrets/tokens/vault-token" // #nosec G101 - defaultCRTokenFilename2 = "/var/run/secrets/tokens/sa-token" // #nosec G101 - iamGrantTypeCRToken = "urn:ibm:params:oauth:grant-type:cr-token" // #nosec G101 + defaultCRTokenFilename1 = "/var/run/secrets/tokens/vault-token" // #nosec G101 + defaultCRTokenFilename2 = "/var/run/secrets/tokens/sa-token" // #nosec G101 + defaultCRTokenFilename3 = "/var/run/secrets/codeengine.cloud.ibm.com/compute-resource-token/token" // #nosec G101 + iamGrantTypeCRToken = "urn:ibm:params:oauth:grant-type:cr-token" // #nosec G101 ) var craRequestTokenMutex sync.Mutex @@ -504,6 +505,9 @@ func (authenticator *ContainerAuthenticator) retrieveCRToken() (crToken string, crToken, err = authenticator.readFile(defaultCRTokenFilename1) if err != nil { crToken, err = authenticator.readFile(defaultCRTokenFilename2) + if err != nil { + crToken, err = authenticator.readFile(defaultCRTokenFilename3) + } } } diff --git a/core/version.go b/core/version.go index cd8527b6..a0e94d3d 100644 --- a/core/version.go +++ b/core/version.go @@ -15,4 +15,4 @@ package core // limitations under the License. // Version of the SDK -const __VERSION__ = "5.18.6" +const __VERSION__ = "5.19.0"
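Review bot: The added `defaultCRTokenFilename3` line in the const block repeats the bare `// #nosec G101` suppression without recording why the finding is a false positive. The value is a file path rather than a credential, so a justification such as `// #nosec G101 -- path to the token file, not a credential` would let a later audit of suppressions confirm that at a glance. With three numbered constants, a one-line comment above the block stating that the numbering is the search order would also help, since that order decides which token is presented to IAM.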
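Review bot: In the retrieveCRToken hunk the new fallback to `defaultCRTokenFilename3` is taken on any error from the second read, not only when that file is absent. If all three reads fail, the caller receives only the error for the Code Engine path. On an IKS pod where `vault-token` exists but cannot be read, this reports a path that is presumably not mounted there and hides the real cause; more generally, a permission or I/O error on an earlier candidate silently selects a different token file. Consider moving on to the next default only for a not-found error and returning other errors immediately, or at least naming all three paths in the final error. Whether `errors.Is(err, fs.ErrNotExist)` can be used depends on how readFile wraps its error, which this diff does not show. The function body starts and ends outside the hunk.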