hanishi commented on PR #1494:
URL:
https://github.com/apache/pekko-connectors/pull/1494#issuecomment-4090218594
@pjfanning
All new files are completely new. No code was copied or moved from existing
Akka-derived files.
The standard Apache license header is appropriate for these.
- AckDeadlineDistribution.scala - completely new, inspired by Google's
`gax.core.Distribution` (not Akka)
The algorithm is based on Google's `com.google.api.gax.core.Distribution`
class, which is BSD 3-Clause licensed.
No code was copied; It's an independent Scala implementation of the same
nearest-rank percentile approach.
BSD 3-Clause is compatible with Apache 2.0, and I'd say it's OK to draw
inspiration from how Google implements
its own client library.
- FlowControl.scala - completely new
- FlowControlGateStage.scala - completely new (standard Pekko GraphStage
pattern, but no copied code)
- GoogleApplicationDefaultCredentials.scala - completely new
- ProvidedCredentials.scala - completely new
- CredentialsSpec.scala - completely new
- ProvidedCredentialsSpec.scala - completely new
- GkeAuthTest.scala - completely new
The k8s/ directory exists because credential resolution (especially
google-application-default with GKE Workload Identity) cannot be tested against
the Pub/Sub emulator. The emulator accepts unauthenticated requests, so it
never exercises the real auth path.
`GkeAuthTest.scala` is not a unit test. It's a standalone verification app
to run as a K8s Job on GKE. It validates that
`GoogleCredentials.getApplicationDefault()` correctly resolves credentials via
Workload Identity, and that authenticated StreamingPull and Publish requests
succeed end-to-end against real Pub/Sub.
The k8s/ files provide the infrastructure to reproduce this verification:
- GkeAuthTest.scala: the app that runs publish → subscribe → verify
- application.conf: configures google-application-default provider
- Dockerfile + build-and-push.sh: packages and pushes the image
- gke-auth-test-job.yaml: K8s Job manifest with Workload Identity service
account
I've confirmed this works against a real GCP project.
Without these files, there's no way to verify that the new credential
provider actually works in production GCP environments. The k8s/ directory is
outside sbt source paths, so it doesn't affect the build or published
artifacts.
The project ID and region values would need to be updated by anyone reusing
them.
Might be worth keeping in the repo for quick verification when
credential-related changes are made in the future.
I'll address all the review comments you've left in the next push.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
