-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GCP: allow environmental authentication #6330
GCP: allow environmental authentication #6330
Conversation
Make service account optional to allow for authentication through service accounts when running on GCP. cf: https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#primary-authentication
Signed URLs, which are used to provide access to the bootstrap ignition storage object, require a service account key (the private key is used to sign the url). This works fine when the installer is authenticated with a service account json file. In order to allow authentication of the installer with other methods, this commit creates a service account for the bootstrap process, and uses that private key to sign the url.
d27c989
to
8f39559
Compare
Reworked the validation logic to allow better unit testing. |
8f39559
to
98e47f7
Compare
When authenticating with any method other than a JSON service account file, the Installer should require manual mode. Prior to this change, the Installer is silently writing an empty cluster credential file .
98e47f7
to
afc39a8
Compare
Updates unit tests to add new GetCredentials method.
afc39a8
to
79851cb
Compare
allErrs := field.ErrorList{} | ||
creds := client.GetCredentials() | ||
|
||
if creds.JSON == nil && ic.CredentialsMode != types.ManualCredentialsMode { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we check the credentials mode first? If the creds mode is not correct error immediately without calling GetCredentials()
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The "correctness" of the credentials mode depends on the credential contents, so we have to grab them.
Updated PR description |
/retest-required |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sadasu The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/lgtm |
@patrickdillon: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Enables environmental authentication, so that the Installer when running on a GCP VM can authenticate with the VM's service account without requiring a service account in a JSON file.The ability to authenticate through the GCP environment was added in the original commit for GCP auth (05924cb). This PR builds on that work to enable the full deployment of a cluster. Prior to this change, the cluster secret would be invalid and provisioning infrastructure would fail, if no service account JSON object is present.
The biggest challenge here is that the signed URLs used to enable accessing bootstrap ignition require the private key from a service account JSON file in order to sign the URL. To solve this, I updated terraform to create a service account specifically for bootstrapping, and use the private key from that.
I explored the idea of granting explicit permission for the bootstrap node to access the bootstrap ignition object, but there is not a clear way to do this. Unless the object is public, the bootstrap node would need to pass an authentication token in the header when requesting access to the object, but the Terraform ignition provider does not support adding headers: so there is no way to pass the token when making the request.
The current solution is more in-line with the existing install procedure, which already uses signed urls.
https://issues.redhat.com/browse/CORS-2050