Merge pull request #7 from pluralsh/workload-identity

floreks · web-flow · commit 93c3dff1ad21 · 2023-08-22T18:06:42.000+02:00
feat: workload identity for kubeconfig credentials
diff --git a/cloud/scope/clients.go b/cloud/scope/clients.go
@@ -82,7 +82,7 @@ func defaultClientOptions(ctx context.Context, credentialsRef *infrav1.ObjectRef
 		if err != nil {
 			return nil, fmt.Errorf("getting gcp credentials from reference %s: %w", credentialsRef, err)
 		}
-		opts = append(opts, option.WithCredentialsJSON(rawData))
+		opts = append(opts, option.WithCredentialsJSON(rawData.JSON))
 	}
 
 	return opts, nil
diff --git a/cloud/scope/credentials.go b/cloud/scope/credentials.go
@@ -18,11 +18,11 @@ package scope
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
-	"os"
 
 	"github.com/pkg/errors"
+	"golang.org/x/oauth2"
+	"golang.org/x/oauth2/google"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 	infrav1 "sigs.k8s.io/cluster-api-provider-gcp/api/v1beta1"
@@ -35,31 +35,53 @@ const (
 	ConfigFileEnvVar = "GOOGLE_APPLICATION_CREDENTIALS"
 )
 
+var (
+	gcpScopes = []string{
+		"https://www.googleapis.com/auth/cloud-platform",
+		"https://www.googleapis.com/auth/userinfo.email",
+	}
+)
+
 // Credential is a struct to hold GCP credential data.
 type Credential struct {
-	Type        string `json:"type"`
-	ProjectID   string `json:"project_id"`
-	ClientEmail string `json:"client_email"`
-	ClientID    string `json:"client_id"`
+	token oauth2.TokenSource
+}
+
+// GetToken returns the access token of the loaded GCP credentials.
+func (c *Credential) GetToken(ctx context.Context) (string, error) {
+	token, err := c.token.Token()
+	if err != nil {
+		return "", err
+	}
+	return token.AccessToken, nil
 }
 
 func getCredentials(ctx context.Context, credentialsRef *infrav1.ObjectReference, crClient client.Client) (*Credential, error) {
-	var credentialData []byte
+	var credential *google.Credentials
 	var err error
 
 	if credentialsRef != nil {
-		credentialData, err = getCredentialDataFromRef(ctx, credentialsRef, crClient)
+		credential, err = getCredentialDataFromRef(ctx, credentialsRef, crClient)
 	} else {
-		credentialData, err = getCredentialDataUsingADC()
+		credential, err = getCredentialDataUsingADC(ctx)
 	}
 	if err != nil {
 		return nil, fmt.Errorf("getting credential data: %w", err)
 	}
 
-	return parseCredential(credentialData)
+	token := credential.TokenSource
+	if token == nil {
+		return nil, errors.New("failed retrieving token from credentials")
+	}
+
+	credentials := &Credential{
+		token: token,
+	}
+
+	return credentials, nil
 }
 
-func getCredentialDataFromRef(ctx context.Context, credentialsRef *infrav1.ObjectReference, crClient client.Client) ([]byte, error) {
+func getCredentialDataFromRef(ctx context.Context, credentialsRef *infrav1.ObjectReference, crClient client.Client) (*google.Credentials, error) {
 	secretRefName := types.NamespacedName{
 		Name:      credentialsRef.Name,
 		Namespace: credentialsRef.Namespace,
@@ -75,27 +97,25 @@ func getCredentialDataFromRef(ctx context.Context, credentialsRef *infrav1.Objec
 		return nil, errors.New("no credentials key in secret")
 	}
 
-	return rawData, nil
-}
-
-func getCredentialDataUsingADC() ([]byte, error) {
-	credsPath := os.Getenv(ConfigFileEnvVar)
-	if credsPath == "" {
-		return nil, fmt.Errorf("no ADC environment variable found for credentials (expect %s)", ConfigFileEnvVar)
-	}
-
-	byteValue, err := os.ReadFile(credsPath) //nolint:gosec // We need to read a file here
+	creds, err := google.CredentialsFromJSON(ctx, rawData, gcpScopes...)
 	if err != nil {
-		return nil, fmt.Errorf("reading credentials from file %s: %w", credsPath, err)
+		return nil, fmt.Errorf("getting credentials from json: %w", err)
 	}
-	return byteValue, nil
+	if creds == nil {
+		return nil, errors.New("failed finding default credentials, cred is nil")
+	}
+
+	return creds, nil
 }
 
-func parseCredential(rawData []byte) (*Credential, error) {
-	var credential Credential
-	err := json.Unmarshal(rawData, &credential)
+func getCredentialDataUsingADC(ctx context.Context) (*google.Credentials, error) {
+	creds, err := google.FindDefaultCredentials(ctx, gcpScopes...)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("getting credentials from json: %w", err)
 	}
-	return &credential, nil
+	if creds == nil {
+		return nil, errors.New("failed finding default credentials, cred is nil")
+	}
+
+	return creds, nil
 }
diff --git a/cloud/services/container/clusters/kubeconfig.go b/cloud/services/container/clusters/kubeconfig.go
@@ -22,7 +22,6 @@ import (
 	"fmt"
 
 	"cloud.google.com/go/container/apiv1/containerpb"
-	"cloud.google.com/go/iam/credentials/apiv1/credentialspb"
 	"github.com/go-logr/logr"
 	"github.com/pkg/errors"
 	corev1 "k8s.io/api/core/v1"
@@ -147,7 +146,7 @@ func (s *Service) createCAPIKubeconfigSecret(ctx context.Context, cluster *conta
 		return fmt.Errorf("creating base kubeconfig: %w", err)
 	}
 
-	token, err := s.generateToken(ctx)
+	token, err := s.scope.GetCredential().GetToken(ctx)
 	if err != nil {
 		log.Error(err, "failed generating token")
 		return err
@@ -184,7 +183,7 @@ func (s *Service) updateCAPIKubeconfigSecret(ctx context.Context, configSecret *
 		return errors.Wrap(err, "failed to convert kubeconfig Secret into a clientcmdapi.Config")
 	}
 
-	token, err := s.generateToken(ctx)
+	token, err := s.scope.GetCredential().GetToken(ctx)
 	if err != nil {
 		return err
 	}
@@ -239,17 +238,3 @@ func (s *Service) createBaseKubeConfig(contextName string, cluster *containerpb.
 
 	return cfg, nil
 }
-
-func (s *Service) generateToken(ctx context.Context) (string, error) {
-	req := &credentialspb.GenerateAccessTokenRequest{
-		Name: fmt.Sprintf("projects/-/serviceAccounts/%s", s.scope.GetCredential().ClientEmail),
-		Scope: []string{
-			GkeScope,
-		},
-	}
-	resp, err := s.scope.CredentialsClient().GenerateAccessToken(ctx, req)
-	if err != nil {
-		return "", errors.Errorf("error generating access token: %v", err)
-	}
-	return resp.AccessToken, nil
-}
diff --git a/cloud/services/container/clusters/reconcile.go b/cloud/services/container/clusters/reconcile.go
@@ -263,6 +263,7 @@ func (s *Service) createCluster(ctx context.Context, log *logr.Logger) error {
 		WorkloadIdentityConfig: s.createWorkloadIdentityConfig(),
 		NetworkConfig:          s.createNetworkConfig(),
 		AddonsConfig:           s.createAddonsConfig(),
+		ResourceLabels:         s.scope.GCPManagedCluster.Labels,
 	}
 
 	if s.scope.GCPManagedControlPlane.Spec.ControlPlaneVersion != nil {

Original file line number	Diff line number	Diff line change
`@@ -82,7 +82,7 @@ func defaultClientOptions(ctx context.Context, credentialsRef *infrav1.ObjectRef`
`82`	`82`	`if err != nil {`
`83`	`83`	`return nil, fmt.Errorf("getting gcp credentials from reference %s: %w", credentialsRef, err)`
`84`	`84`	`}`
`85`		`- opts = append(opts, option.WithCredentialsJSON(rawData))`
	`85`	`+ opts = append(opts, option.WithCredentialsJSON(rawData.JSON))`
`86`	`86`	`}`
`87`	`87`
`88`	`88`	`return opts, nil`
Original file line number	Diff line number	Diff line change
`@@ -263,6 +263,7 @@ func (s Service) createCluster(ctx context.Context, log logr.Logger) error {`
`263`	`263`	`WorkloadIdentityConfig: s.createWorkloadIdentityConfig(),`
`264`	`264`	`NetworkConfig: s.createNetworkConfig(),`
`265`	`265`	`AddonsConfig: s.createAddonsConfig(),`
	`266`	`+ ResourceLabels: s.scope.GCPManagedCluster.Labels,`
`266`	`267`	`}`
`267`	`268`
`268`	`269`	`if s.scope.GCPManagedControlPlane.Spec.ControlPlaneVersion != nil {`