docs: document unset GOOGLE_APPLICATION_CREDENTIALS

In case the `GOOGLE_APPLICATION_CREDENTIALS` environment variable is not
set, a redirect to storage.googleapis.com is issued, which means the
underlying bucket objects need to be publicly accessible.

This wasn't really obvious until now, so further clarify it.
Florian Klink 2021-04-29 16:02:26 +02:00 committed by Vincent Ambo
parent 970f492235
commit 7e8295189b
2 changed files with 8 additions and 0 deletions


@ -94,6 +94,10 @@ account key, Nixery will also use this key to create [signed URLs][] for layers
in the storage bucket. This makes it possible to serve layers from a bucket in the storage bucket. This makes it possible to serve layers from a bucket
without having to make them publicly available. without having to make them publicly available.
In case the `GOOGLE_APPLICATION_CREDENTIALS` environment variable is not set, a
redirect to storage.googleapis.com is issued, which means the underlying bucket
objects need to be publicly accessible.
### Storage ### Storage
Nixery supports multiple different storage backends in which its build cache and Nixery supports multiple different storage backends in which its build cache and
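Review bot: The added README paragraph says the bucket objects "need to be publicly accessible" when `GOOGLE_APPLICATION_CREDENTIALS` is unset, but it does not spell out what that means for an operator: the layer objects served this way are readable by anyone without authentication. Suggest adding a sentence saying that deployments which must keep layers private should set the variable, so that signed URLs are used as the preceding paragraph describes.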


@ -222,6 +222,10 @@ func signingOptsFromEnv() (*storage.SignedURLOptions, error) {
// Signing the URL allows unauthenticated clients to retrieve objects from the // Signing the URL allows unauthenticated clients to retrieve objects from the
// bucket. // bucket.
// //
// In case signing is not configured, a redirect to storage.googleapis.com is
// issued, which means the underlying bucket objects need to be publicly
// accessible.
//
// The Docker client is known to follow redirects, but this might not be true // The Docker client is known to follow redirects, but this might not be true
// for all other registry clients. // for all other registry clients.
func (b *GCSBackend) constructLayerUrl(digest string) (string, error) { func (b *GCSBackend) constructLayerUrl(digest string) (string, error) {
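Review bot: In the added comment on constructLayerUrl, "In case signing is not configured" does not say how signing gets configured, while the README text in this same commit ties the behaviour to `GOOGLE_APPLICATION_CREDENTIALS` being unset. Suggest naming the variable here, or pointing at signingOptsFromEnv (visible in the hunk header), so both descriptions state the same condition and a reader of the code can find where the decision is made.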