Support GCP JSON Creds

Author: CRThaze

charts/s3proxy/override-values.example.yaml

@@ -82,9 +82,37 @@ config:
     googleCloudStorage:
       enabled: false  # Set to true to use GCS backend
       projectId: "my-project"
-      privateKey: "-----BEGIN RSA PRIVATE KEY-----\n..."
+
+      # Service account email or user email (required for both authentication methods)
       clientEmail: "[email protected]"
 
+      # Option 1: Using privateKey directly
+      privateKey: "-----BEGIN RSA PRIVATE KEY-----\n..."
+
+      # Option 2: Using JSON credentials file (preferred for GCP)
+      # This provides the credential (privateKey) via a mounted file
+      jsonCredentials:
+        enabled: false  # Set to true to use JSON credentials
+
+        # Either provide the JSON content directly:
+        # jsonContent: |
+        #   {
+        #     "type": "service_account",
+        #     "project_id": "my-project",
+        #     "private_key_id": "key-id",
+        #     "private_key": "-----BEGIN RSA PRIVATE KEY-----\n...",
+        #     "client_email": "[email protected]",
+        #     "client_id": "...",
+        #     "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+        #     "token_uri": "https://oauth2.googleapis.com/token",
+        #     "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+        #     "client_x509_cert_url": "..."
+        #   }
+
+        # Or reference an existing secret containing the JSON:
+        # existingSecret: "my-gcp-credentials-secret"
+        # secretKey: "credentials.json"  # Key in the secret containing the JSON (default: credentials.json)
+
     # Backblaze B2 backend
     b2:
       enabled: false  # Set to true to use B2 backend

charts/s3proxy/templates/deployment.yaml

@@ -157,6 +157,11 @@ spec:
               mountPath: {{ .Values.config.backends.filesystem.basedir }}
   {{- end }}
 {{- end }}
+{{- if and .Values.config.backends.googleCloudStorage.enabled .Values.config.backends.googleCloudStorage.jsonCredentials.enabled }}
+            - name: gcp-json-credentials
+              mountPath: /gcp-credentials
+              readOnly: true
+{{- end }}
 {{- with .Values.extraVolumeMounts }}
             {{- toYaml . | nindent 12 }}
 {{- end }}
@@ -176,6 +181,15 @@ spec:
             claimName: {{ .Values.persistence.existingClaim | default (include "s3proxy.fullname" .) }}
   {{- end }}
 {{- end }}
+{{- if and .Values.config.backends.googleCloudStorage.enabled .Values.config.backends.googleCloudStorage.jsonCredentials.enabled }}
+        - name: gcp-json-credentials
+          secret:
+  {{- if .Values.config.backends.googleCloudStorage.jsonCredentials.jsonContent }}
+            secretName: {{ include "s3proxy.fullname" . }}-gcp-json
+  {{- else if .Values.config.backends.googleCloudStorage.jsonCredentials.existingSecret }}
+            secretName: {{ .Values.config.backends.googleCloudStorage.jsonCredentials.existingSecret }}
+  {{- end }}
+{{- end }}
 {{- with .Values.extraVolumes }}
         {{- toYaml . | nindent 8 }}
 {{- end }}

charts/s3proxy/templates/secret-gcp-json.yaml

@@ -0,0 +1,12 @@
+{{- if and .Values.config.backends.googleCloudStorage.enabled .Values.config.backends.googleCloudStorage.jsonCredentials.enabled .Values.config.backends.googleCloudStorage.jsonCredentials.jsonContent }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "s3proxy.fullname" . }}-gcp-json
+  labels:
+    {{- include "s3proxy.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  {{ .Values.config.backends.googleCloudStorage.jsonCredentials.secretKey }}: |
+    {{- .Values.config.backends.googleCloudStorage.jsonCredentials.jsonContent | nindent 4 }}
+{{- end }}

charts/s3proxy/templates/secret.yaml

@@ -39,8 +39,14 @@ stringData:
   {{- if .Values.config.backends.googleCloudStorage.clientEmail }}
     jclouds.identity={{ .Values.config.backends.googleCloudStorage.clientEmail }}
   {{- end }}
-  {{- if .Values.config.backends.googleCloudStorage.privateKey }}
+  {{- if .Values.config.backends.googleCloudStorage.jsonCredentials.enabled }}
+    # Using JSON credentials file
+    jclouds.credential=/gcp-credentials/{{ .Values.config.backends.googleCloudStorage.jsonCredentials.secretKey }}
+  {{- else }}
+    # Using privateKey directly
+    {{- if .Values.config.backends.googleCloudStorage.privateKey }}
     jclouds.credential={{ .Values.config.backends.googleCloudStorage.privateKey }}
+    {{- end }}
   {{- end }}
 {{- else if .Values.config.backends.b2.enabled }}
     # Backblaze B2 backend credentials

charts/s3proxy/values.yaml

@@ -112,7 +112,7 @@ affinity: {}
 config:
   # -- Log level for S3Proxy (DEBUG, INFO, WARN, ERROR)
   logLevel: "INFO"
-  
+
   auth:
     # -- Authorization type (none, aws-v2, aws-v4, aws-v2-or-v4)
     type: "aws-v4"
@@ -205,10 +205,20 @@ config:
       enabled: false
       # -- GCP project ID
       projectId: ""
-      # -- Private key
+      # -- Private key (only used when jsonCredentials.enabled is false)
       privateKey: ""
-      # -- Service account email
+      # -- Service account email or user email (used with both privateKey and jsonCredentials methods)
       clientEmail: ""
+      # -- JSON credentials configuration
+      jsonCredentials:
+        # -- Use JSON credentials file instead of privateKey
+        enabled: false
+        # -- JSON content for creating a new secret (takes precedence over existingSecret)
+        jsonContent: ""
+        # -- Name of existing secret containing GCP credentials JSON
+        existingSecret: ""
+        # -- Key in the secret containing the JSON credentials (default: credentials.json)
+        secretKey: "credentials.json"
 
     b2:
       # -- Enable Backblaze B2 backend