feat: retrieve identity service server

Author: afarbos

cloud/scope/clients.go

@@ -103,6 +103,34 @@ func newComputeService(ctx context.Context, credentialsRef *infrav1.ObjectRefere
 	return computeSvc, nil
 }
 
+func newTargetPoolsClient(ctx context.Context, credentialsRef *infrav1.ObjectReference, crClient client.Client) (*computerest.TargetPoolsClient, error) {
+	opts, err := defaultClientOptions(ctx, credentialsRef, crClient)
+	if err != nil {
+		return nil, fmt.Errorf("getting default gcp client options: %w", err)
+	}
+
+	targetPoolsClient, err := computerest.NewTargetPoolsRESTClient(ctx, opts...)
+	if err != nil {
+		return nil, errors.Errorf("failed to create target pools client: %v", err)
+	}
+
+	return targetPoolsClient, nil
+}
+
+func newForwardingRulesClient(ctx context.Context, credentialsRef *infrav1.ObjectReference, crClient client.Client) (*computerest.ForwardingRulesClient, error) {
+	opts, err := defaultClientOptions(ctx, credentialsRef, crClient)
+	if err != nil {
+		return nil, fmt.Errorf("getting default gcp client options: %w", err)
+	}
+
+	forwardingRulesClient, err := computerest.NewForwardingRulesRESTClient(ctx, opts...)
+	if err != nil {
+		return nil, errors.Errorf("failed to create gcp forwarding rules client: %v", err)
+	}
+
+	return forwardingRulesClient, nil
+}
+
 func newClusterManagerClient(ctx context.Context, credentialsRef *infrav1.ObjectReference, crClient client.Client) (*container.ClusterManagerClient, error) {
 	opts, err := defaultClientOptions(ctx, credentialsRef, crClient)
 	if err != nil {

cloud/scope/managedcontrolplane.go

@@ -24,6 +24,7 @@ import (
 
 	"sigs.k8s.io/cluster-api/util/conditions"
 
+	compute "cloud.google.com/go/compute/apiv1"
 	container "cloud.google.com/go/container/apiv1"
 	credentials "cloud.google.com/go/iam/credentials/apiv1"
 	resourcemanager "cloud.google.com/go/resourcemanager/apiv3"
@@ -43,6 +44,8 @@ const (
 // ManagedControlPlaneScopeParams defines the input parameters used to create a new Scope.
 type ManagedControlPlaneScopeParams struct {
 	CredentialsClient      *credentials.IamCredentialsClient
+	TargetPoolsClient      *compute.TargetPoolsClient
+	ForwardingRulesClient  *compute.ForwardingRulesClient
 	ManagedClusterClient   *container.ClusterManagerClient
 	TagBindingsClient      *resourcemanager.TagBindingsClient
 	Client                 client.Client
@@ -69,12 +72,19 @@ func NewManagedControlPlaneScope(ctx context.Context, params ManagedControlPlane
 		return nil, fmt.Errorf("getting gcp credentials: %w", err)
 	}
 
+	if params.TargetPoolsClient == nil {
+		targetPoolsClient, err := newTargetPoolsClient(ctx, params.GCPManagedCluster.Spec.CredentialsRef, params.Client)
+		if err != nil {
+			return nil, errors.Errorf("failed to create gcp target pools client: %v", err)
+		}
+		params.TargetPoolsClient = targetPoolsClient
+	}
 	if params.ManagedClusterClient == nil {
-		managedClusterClient, err := newClusterManagerClient(ctx, params.GCPManagedCluster.Spec.CredentialsRef, params.Client)
+		forwardingRulesClient, err := newForwardingRulesClient(ctx, params.GCPManagedCluster.Spec.CredentialsRef, params.Client)
 		if err != nil {
-			return nil, errors.Errorf("failed to create gcp managed cluster client: %v", err)
+			return nil, errors.Errorf("failed to create gcp forwarding rules client: %v", err)
 		}
-		params.ManagedClusterClient = managedClusterClient
+		params.ForwardingRulesClient = forwardingRulesClient
 	}
 	if params.TagBindingsClient == nil {
 		tagBindingsClient, err := newTagBindingsClient(ctx, params.GCPManagedCluster.Spec.CredentialsRef, params.Client, params.GCPManagedCluster.Spec.Region)
@@ -102,6 +112,8 @@ func NewManagedControlPlaneScope(ctx context.Context, params ManagedControlPlane
 		Cluster:                params.Cluster,
 		GCPManagedCluster:      params.GCPManagedCluster,
 		GCPManagedControlPlane: params.GCPManagedControlPlane,
+		tpClient:               params.TargetPoolsClient,
+		frClient:               params.ForwardingRulesClient,
 		mcClient:               params.ManagedClusterClient,
 		tagBindingsClient:      params.TagBindingsClient,
 		credentialsClient:      params.CredentialsClient,
@@ -118,6 +130,8 @@ type ManagedControlPlaneScope struct {
 	Cluster                *clusterv1.Cluster
 	GCPManagedCluster      *infrav1exp.GCPManagedCluster
 	GCPManagedControlPlane *infrav1exp.GCPManagedControlPlane
+	tpClient               *compute.TargetPoolsClient
+	frClient               *compute.ForwardingRulesClient
 	mcClient               *container.ClusterManagerClient
 	tagBindingsClient      *resourcemanager.TagBindingsClient
 	credentialsClient      *credentials.IamCredentialsClient
@@ -142,6 +156,8 @@ func (s *ManagedControlPlaneScope) PatchObject() error {
 
 // Close closes the current scope persisting the managed control plane configuration and status.
 func (s *ManagedControlPlaneScope) Close() error {
+	s.tpClient.Close()
+	s.frClient.Close()
 	s.mcClient.Close()
 	s.tagBindingsClient.Close()
 	s.credentialsClient.Close()
@@ -158,6 +174,16 @@ func (s *ManagedControlPlaneScope) Client() client.Client {
 	return s.client
 }
 
+// TargetPoolsClient returns a client used to interact with google compute target pools.
+func (s *ManagedControlPlaneScope) TargetPoolsClient() *compute.TargetPoolsClient {
+	return s.tpClient
+}
+
+// ForwardingRulesClient returns a client used to interact with google compute forwarding rules.
+func (s *ManagedControlPlaneScope) ForwardingRulesClient() *compute.ForwardingRulesClient {
+	return s.frClient
+}
+
 // ManagedControlPlaneClient returns a client used to interact with GKE.
 func (s *ManagedControlPlaneScope) ManagedControlPlaneClient() *container.ClusterManagerClient {
 	return s.mcClient

cloud/services/container/clusters/reconcile.go

@@ -18,12 +18,15 @@ package clusters
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"strings"
 
+	"sigs.k8s.io/cluster-api-provider-gcp/cloud/providerid"
 	"sigs.k8s.io/cluster-api-provider-gcp/cloud/scope"
 	"sigs.k8s.io/cluster-api-provider-gcp/cloud/services/shared"
 
+	"cloud.google.com/go/compute/apiv1/computepb"
 	"cloud.google.com/go/container/apiv1/containerpb"
 	"github.com/go-logr/logr"
 	"github.com/google/go-cmp/cmp"
@@ -166,6 +169,13 @@ func (s *Service) Reconcile(ctx context.Context) (ctrl.Result, error) {
 		return ctrl.Result{}, err
 	}
 
+	identityServiceServer, err := s.getIdentityServiceServer(ctx, &log)
+	if err != nil {
+		log.Error(err, "Failed to retrieve identity service server")
+	} else if identityServiceServer != "" {
+		s.scope.GCPManagedControlPlane.Status.IdentityServiceServer = identityServiceServer
+	}
+
 	s.scope.SetEndpoint(cluster.GetEndpoint())
 	conditions.MarkTrue(s.scope.ConditionSetter(), clusterv1.ReadyCondition)
 	conditions.MarkTrue(s.scope.ConditionSetter(), infrav1exp.GKEControlPlaneReadyCondition)
@@ -482,3 +492,67 @@ func compareMasterAuthorizedNetworksConfig(a, b *containerpb.MasterAuthorizedNet
 	}
 	return true
 }
+
+func (s *Service) getIdentityServiceServer(ctx context.Context, log *logr.Logger) (string, error) {
+	if s.scope.GCPManagedControlPlane.Spec.EnableIdentityService == nil || !*s.scope.GCPManagedControlPlane.Spec.EnableIdentityService {
+		// Identity service is not enabled, return empty string
+		return "", nil
+	}
+
+	nodePools, _, err := s.scope.GetAllNodePools(ctx)
+	if err != nil {
+		return "", err
+	}
+	const (
+		indentityServiceFilter = "description:anthos-identity-service"
+		instanceFilterFormat   = "instance:https://www.googleapis.com/compute/v1/projects/%s/zones/%s/instances/%s"
+	)
+
+	instanceFilters := []string{}
+	for _, np := range nodePools {
+		for _, providerID := range np.Spec.ProviderIDList {
+			parsedProviderID, err := providerid.NewFromResourceURL(providerID)
+			if err != nil {
+				return "", err
+			}
+			instanceFilters = append(instanceFilters, fmt.Sprintf(instanceFilterFormat, parsedProviderID.Project, parsedProviderID.Location, parsedProviderID.Name))
+		}
+	}
+
+	if len(instanceFilters) == 0 {
+		return "", errors.New("no instances found")
+	}
+
+	targetPoolName := ""
+	req := &computepb.ListTargetPoolsRequest{Filter: indentityServiceFilter + " AND (" + strings.Join(instanceFilters, " OR ") + ")"}
+	for resp, err := range s.scope.TargetPoolsClient().List(ctx, req).All() {
+		if err != nil {
+			return "", err
+		} else if targetPoolName != "" {
+			return "", errors.New("multiple target pools found")
+		}
+		targetPoolName = resp.Name
+	}
+	identityServer := ""
+	nameFilter := "name:" + targetPoolName
+	req := &computepb.ListForwardingRulesRequest{Filter: instanceFilter + " AND " + nameFilter}
+	for resp, err := range s.scope.ForwardingRulesClient().List(ctx, req).All() {
+		if err != nil {
+			return err
+		} else if identityServer != "" {
+			return "", errors.New("multiple forwarding rules found")
+		} else if len(resp.Ports) != 1 {
+			return "", fmt.Errorf("unexpected ports count in forwarding rule: %d", len(resp.Ports))
+		} else if resp.Ports[0] != "443" {
+			return "", fmt.Errorf("unexpected port in forwarding rule: %d", resp.Ports[0])
+		}
+
+		return "https://" + resp.IPAddress + ":" + resp.Ports[0], nil
+	}
+
+	if identityServer == "" {
+		return "", errors.New("no forwarding rules found")
+	}
+
+	return identityServer, nil
+}

config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmanagedcontrolplanes.yaml

@@ -259,6 +259,10 @@ spec:
                   - type
                   type: object
                 type: array
+              identityServiceServer:
+                description: identityServiceServer indicates the server for external authentication
+                  when the identity service is enabled.
+                type: boolean
               currentVersion:
                 description: CurrentVersion shows the current version of the GKE control
                   plane.

exp/api/v1beta1/gcpmanagedcontrolplane_types.go

@@ -171,6 +171,10 @@ type GCPManagedControlPlaneStatus struct {
 	// CurrentVersion shows the current version of the GKE control plane.
 	// +optional
 	CurrentVersion string `json:"currentVersion,omitempty"`
+
+	// IdentityServiceServer shows the server of anthos indentify service when enabled.
+	// +optional
+	IdentityServiceServer string `json:"identityServiceServer,omitempty"`
 }
 
 // +kubebuilder:object:root=true