GCP: allow environmental authentication #6330

Merged
merged 4 commits into from
Sep 16, 2022

Conversation

@patrickdillon (Contributor) commented Sep 11, 2022

Enables environmental authentication, so that the Installer, when running on a GCP VM, can authenticate with the VM's service account without requiring a service account in a JSON file.

The ability to authenticate through the GCP environment was added in the original commit for GCP auth (05924cb). This PR builds on that work to enable the full deployment of a cluster. Prior to this change, the cluster secret would be invalid and provisioning infrastructure would fail if no service account JSON object is present.

The biggest challenge here is that the signed URLs used to enable accessing bootstrap ignition require the private key from a service account JSON file in order to sign the URL. To solve this, I updated terraform to create a service account specifically for bootstrapping, and use the private key from that.

I explored the idea of granting explicit permission for the bootstrap node to access the bootstrap ignition object, but there is not a clear way to do this. Unless the object is public, the bootstrap node would need to pass an authentication token in the header when requesting access to the object, but the Terraform ignition provider does not support adding headers, so there is no way to pass the token when making the request.

The current solution is more in line with the existing install procedure, which already uses signed URLs.

https://issues.redhat.com/browse/CORS-2050

Make service account optional to allow for authentication through
service accounts when running on GCP.

cf: https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#primary-authentication

Signed URLs, which are used to provide access to the bootstrap
ignition storage object, require a service account key (the private
key is used to sign the URL). This works fine when the installer is
authenticated with a service account JSON file.

In order to allow authentication of the installer with other methods,
this commit creates a service account for the bootstrap process,
and uses that private key to sign the URL.
@patrickdillon (Contributor, Author)

Reworked the validation logic to allow better unit testing.

When authenticating with any method other than a JSON service account
file, the Installer should require manual mode. Prior to this change,
the Installer is silently writing an empty cluster credential file.

Updates unit tests to add new GetCredentials method.
```go
// Lines under review (validation of the install config against the loaded credentials):
allErrs := field.ErrorList{}
creds := client.GetCredentials()

if creds.JSON == nil && ic.CredentialsMode != types.ManualCredentialsMode {
```
Review comment (Contributor):

Should we check the credentials mode first? If the creds mode is not correct, error immediately without calling GetCredentials().

@patrickdillon (Contributor, Author) Sep 12, 2022

The "correctness" of the credentials mode depends on the credential contents, so we have to grab them.
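The two mechanisms discussed above, the credentials-mode check that needs the credential contents before it can decide, and the signed bootstrap URL that needs a private key the environmental credentials never carry, as one added Go example. This is not code from the PR or the openshift/installer project: `Credentials`, `CredentialsMode`, `ValidateCredentialsMode`, `NewBootstrapCredentials`, `SignBootstrapURL` and `VerifySignedURL` are hypothetical stand-ins, `NewBootstrapCredentials` generates a throwaway RSA key in place of the terraform-created bootstrap service account, and the URL format follows the V2 signed-URL string-to-sign (verb, empty Content-MD5 and Content-Type, expiry, resource path) using only the standard library. The service-account e-mail addresses and bucket/object names are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// CredentialsMode is a local stand-in for the installer's credentialsMode (hypothetical copy).
type CredentialsMode string

const ManualCredentialsMode CredentialsMode = "Manual"

// Credentials stands in for what the PR's GetCredentials() returns: environmental
// authentication (the VM's service account) yields no key file, so JSON and PrivateKey are nil.
type Credentials struct {
	JSON       []byte          // key file contents; nil for environmental auth
	Email      string          // client_email of the signing service account
	PrivateKey *rsa.PrivateKey // parsed from the key file when present
}

// ValidateCredentialsMode is the check from the PR: with no key file the installer cannot
// write a usable cluster credential secret, so any mode but Manual must fail loudly.
func ValidateCredentialsMode(creds Credentials, mode CredentialsMode) error {
	if creds.JSON == nil && mode != ManualCredentialsMode {
		return fmt.Errorf("credentialsMode %q needs a service account JSON key; environmental authentication requires %q", mode, ManualCredentialsMode)
	}
	return nil
}

// NewBootstrapCredentials plays the role of the terraform-created bootstrap service
// account: a fresh RSA key whose private half can sign URLs.
func NewBootstrapCredentials(email string) (Credentials, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Credentials{}, err
	}
	return Credentials{JSON: []byte(`{"type":"service_account"}`), Email: email, PrivateKey: key}, nil
}

// stringToSign builds the V2 signed-URL string for a plain GET: verb, empty Content-MD5
// and Content-Type, expiry, then the resource path.
func stringToSign(bucket, object string, expires int64) string {
	return strings.Join([]string{"GET", "", "", strconv.FormatInt(expires, 10), "/" + bucket + "/" + object}, "\n")
}

// SignBootstrapURL produces a V2-style signed URL for the bootstrap ignition object,
// failing up front when the credentials carry no private key.
func SignBootstrapURL(creds Credentials, bucket, object string, expires time.Time) (string, error) {
	if creds.PrivateKey == nil {
		return "", fmt.Errorf("cannot sign URL as %q: credentials carry no private key", creds.Email)
	}
	exp := expires.Unix()
	digest := sha256.Sum256([]byte(stringToSign(bucket, object, exp)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, creds.PrivateKey, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	q := url.Values{"GoogleAccessId": {creds.Email}, "Expires": {strconv.FormatInt(exp, 10)},
		"Signature": {base64.StdEncoding.EncodeToString(sig)}}
	return fmt.Sprintf("https://storage.googleapis.com/%s/%s?%s", bucket, object, q.Encode()), nil
}

// VerifySignedURL checks a signed URL as the storage service would, given the signer's
// public key: not expired, and the signature covers exactly this bucket/object and expiry.
func VerifySignedURL(signed string, pub *rsa.PublicKey, now time.Time) error {
	u, err := url.Parse(signed)
	if err != nil {
		return err
	}
	q := u.Query()
	exp, err := strconv.ParseInt(q.Get("Expires"), 10, 64)
	if err != nil || now.Unix() > exp {
		return fmt.Errorf("missing, malformed or expired Expires=%q", q.Get("Expires"))
	}
	sig, err := base64.StdEncoding.DecodeString(q.Get("Signature"))
	parts := strings.SplitN(strings.TrimPrefix(u.Path, "/"), "/", 2)
	if err != nil || len(parts) != 2 {
		return fmt.Errorf("malformed Signature or resource path in %q", signed)
	}
	digest := sha256.Sum256([]byte(stringToSign(parts[0], parts[1], exp)))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

func main() {
	bootstrap, err := NewBootstrapCredentials("bootstrap@example-project.iam.gserviceaccount.com") // constructed
	if err != nil {
		panic(err)
	}
	signed, _ := SignBootstrapURL(bootstrap, "cluster-bootstrap", "bootstrap.ign", time.Now().Add(time.Hour))
	fmt.Println(signed, VerifySignedURL(signed, &bootstrap.PrivateKey.PublicKey, time.Now()))
}
```

The ordering point from the review thread shows up in `ValidateCredentialsMode`: the mode alone says nothing, because Manual is valid with or without a key file and every other mode is valid only with one, so the credential contents have to be loaded before the mode can be judged. `VerifySignedURL` also makes the defensive properties of the design visible: the signature binds the exact bucket, object and expiry, so a URL altered to point at another object, or presented after `Expires`, is rejected, and a bootstrap service account whose only job is signing these URLs keeps the signing key separate from the installer's own identity.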

@patrickdillon (Contributor, Author)

Updated PR description

@sadasu (Contributor) commented Sep 14, 2022

/retest-required

@sadasu (Contributor) commented Sep 14, 2022

/approve

@openshift-ci bot commented Sep 14, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sadasu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 14, 2022
@jstuever (Contributor)

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Sep 15, 2022
@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD 609a627 and 2 for PR HEAD 79851cb in total

@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD 1a7b474 and 1 for PR HEAD 79851cb in total

@openshift-ci bot commented Sep 16, 2022

@patrickdillon: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-gcp-ovn-shared-vpc | 79851cb | link | false | /test e2e-gcp-ovn-shared-vpc |
| ci/prow/okd-e2e-gcp-ovn-upgrade | 79851cb | link | false | /test okd-e2e-gcp-ovn-upgrade |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD d1f6f04 and 0 for PR HEAD 79851cb in total

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.

6 participants