openshift · openshift-merge-robot · Sep 16, 2022 · Sep 9, 2022 · Sep 11, 2022 · Sep 11, 2022
diff --git a/data/data/gcp/bootstrap/main.tf b/data/data/gcp/bootstrap/main.tf
@@ -29,10 +29,27 @@ resource "google_storage_bucket_object" "ignition" {
   content = var.ignition_bootstrap
 }
 
+resource "google_service_account" "bootstrap-node-sa" {
+  account_id   = "${var.cluster_id}-b"
+  display_name = "${var.cluster_id}-bootstrap-node"
+  description  = local.description
+}
+
+resource "google_service_account_key" "bootstrap" {
+  service_account_id = google_service_account.bootstrap-node-sa.name
+}
+
+resource "google_project_iam_member" "bootstrap-storage-admin" {
+  project = var.gcp_project_id
+  role    = "roles/storage.admin"
+  member  = "serviceAccount:${google_service_account.bootstrap-node-sa.email}"
+}
+
 data "google_storage_object_signed_url" "ignition_url" {
-  bucket   = google_storage_bucket.ignition.name
-  path     = "bootstrap.ign"
-  duration = "1h"
+  bucket      = google_storage_bucket.ignition.name
+  path        = "bootstrap.ign"
+  duration    = "1h"
+  credentials = base64decode(google_service_account_key.bootstrap.private_key)
 }
 
 data "ignition_config" "redirect" {

diff --git a/data/data/gcp/variables-gcp.tf b/data/data/gcp/variables-gcp.tf
@@ -6,6 +6,7 @@ variable "gcp_project_id" {
 variable "gcp_service_account" {
   type        = string
   description = "The service account for authenticating with GCP APIs."
+  default     = ""
 }
 
 variable "gcp_region" {

diff --git a/pkg/asset/installconfig/gcp/client.go b/pkg/asset/installconfig/gcp/client.go
@@ -7,6 +7,7 @@ import (
 	"time"
 
 	"github.com/pkg/errors"
+	googleoauth "golang.org/x/oauth2/google"
 	"google.golang.org/api/cloudresourcemanager/v1"
 	compute "google.golang.org/api/compute/v1"
 	dns "google.golang.org/api/dns/v1"
@@ -28,6 +29,7 @@ type API interface {
 	GetRecordSets(ctx context.Context, project, zone string) ([]*dns.ResourceRecordSet, error)
 	GetZones(ctx context.Context, project, filter string) ([]*compute.Zone, error)
 	GetEnabledServices(ctx context.Context, project string) ([]string, error)
+	GetCredentials() *googleoauth.Credentials
 }
 
 // Client makes calls to the GCP API.
@@ -317,3 +319,8 @@ func (c *Client) getServiceUsageService(ctx context.Context) (*serviceusage.Serv
 	}
 	return svc, nil
 }
+
+// GetCredentials returns the credentials used to authenticate the GCP session.
+func (c *Client) GetCredentials() *googleoauth.Credentials {
+	return c.ssn.Credentials
+}
diff --git a/pkg/asset/installconfig/gcp/mock/gcpclient_generated.go b/pkg/asset/installconfig/gcp/mock/gcpclient_generated.go
diff --git a/pkg/asset/installconfig/gcp/validation.go b/pkg/asset/installconfig/gcp/validation.go
@@ -2,12 +2,12 @@ package gcp
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"net"
 	"net/http"
 	"strings"
 
+	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	compute "google.golang.org/api/compute/v1"
 	"google.golang.org/api/googleapi"
@@ -45,6 +45,7 @@ func Validate(client API, ic *types.InstallConfig) error {
 	allErrs = append(allErrs, validateRegion(client, ic, field.NewPath("platform").Child("gcp"))...)
 	allErrs = append(allErrs, validateNetworks(client, ic, field.NewPath("platform").Child("gcp"))...)
 	allErrs = append(allErrs, validateInstanceTypes(client, ic)...)
+	allErrs = append(allErrs, validateCredentialMode(client, ic)...)
 
 	return allErrs.ToAggregate()
 }
@@ -220,8 +221,8 @@ func validateMachineNetworksContainIP(fldPath *field.Path, networks []types.Mach
 	return field.ErrorList{field.Invalid(fldPath, subnetName, fmt.Sprintf("subnet CIDR range start %s is outside of the specified machine networks", ip))}
 }
 
-//ValidateEnabledServices gets all the enabled services for a project and validate if any of the required services are not enabled.
-//also warns the user if optional services are not enabled.
+// ValidateEnabledServices gets all the enabled services for a project and validate if any of the required services are not enabled.
+// also warns the user if optional services are not enabled.
 func ValidateEnabledServices(ctx context.Context, client API, project string) error {
 	requiredServices := sets.NewString("compute.googleapis.com",
 		"cloudresourcemanager.googleapis.com",
@@ -284,3 +285,17 @@ func validateRegion(client API, ic *types.InstallConfig, fieldPath *field.Path)
 	}
 	return nil
 }
+
+// validateCredentialMode checks whether the credential mode is
+// compatible with the authentication mode.
+func validateCredentialMode(client API, ic *types.InstallConfig) field.ErrorList {
+	allErrs := field.ErrorList{}
+	creds := client.GetCredentials()
+
+	if creds.JSON == nil && ic.CredentialsMode != types.ManualCredentialsMode {
+		errMsg := "environmental authentication is only supported with Manual credentials mode"
+		allErrs = append(allErrs, field.Forbidden(field.NewPath("credentialsMode"), errMsg))
+	}
+
+	return allErrs
+}
diff --git a/pkg/asset/installconfig/gcp/validation_test.go b/pkg/asset/installconfig/gcp/validation_test.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/assert"
+	googleoauth "golang.org/x/oauth2/google"
 	compute "google.golang.org/api/compute/v1"
 	dns "google.golang.org/api/dns/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -285,6 +286,9 @@ func TestGCPInstallConfigValidation(t *testing.T) {
 	gcpClient.EXPECT().GetSubnetworks(gomock.Any(), gomock.Any(), gomock.Not(validProjectName), gomock.Any()).Return([]*compute.Subnetwork{}, nil).AnyTimes()
 	gcpClient.EXPECT().GetSubnetworks(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Not(validRegion)).Return([]*compute.Subnetwork{}, nil).AnyTimes()
 
+	// Return fake credentials when asked
+	gcpClient.EXPECT().GetCredentials().Return(&googleoauth.Credentials{JSON: []byte("fake creds")}).AnyTimes()
+
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
 			editedInstallConfig := validInstallConfig()