OCPBUGS-12890: Create GCP Bucket and signed url

** Create an ignition shim and use this for metadata.
** Add proxy information to the shim.

Author: barbacbd

data/data/gcp/bootstrap/main.tf

@@ -11,63 +11,6 @@ provider "google" {
   region      = var.gcp_region
 }
 
-resource "google_storage_bucket" "ignition" {
-  name                        = "${var.cluster_id}-bootstrap-ignition"
-  location                    = var.gcp_region
-  uniform_bucket_level_access = true
-  labels                      = var.gcp_extra_labels
-}
-
-resource "google_tags_location_tag_binding" "user_tag_binding_bucket" {
-  for_each = var.gcp_extra_tags
-
-  parent = format("//storage.googleapis.com/projects/_/buckets/%s",
-    google_storage_bucket.ignition.name,
-  )
-  tag_value = each.value
-  location  = var.gcp_region
-
-  depends_on = [google_storage_bucket.ignition]
-}
-
-resource "google_storage_bucket_object" "ignition" {
-  bucket  = google_storage_bucket.ignition.name
-  name    = "bootstrap.ign"
-  content = var.ignition_bootstrap
-}
-
-resource "google_service_account" "bootstrap-node-sa" {
-  count        = var.gcp_create_bootstrap_sa ? 1 : 0
-  account_id   = "${var.cluster_id}-b"
-  display_name = "${var.cluster_id}-bootstrap-node"
-  description  = local.description
-}
-
-resource "google_service_account_key" "bootstrap" {
-  count              = var.gcp_create_bootstrap_sa ? 1 : 0
-  service_account_id = google_service_account.bootstrap-node-sa[0].name
-}
-
-resource "google_project_iam_member" "bootstrap-storage-admin" {
-  count   = var.gcp_create_bootstrap_sa ? 1 : 0
-  project = var.gcp_project_id
-  role    = "roles/storage.admin"
-  member  = "serviceAccount:${google_service_account.bootstrap-node-sa[0].email}"
-}
-
-data "google_storage_object_signed_url" "ignition_url" {
-  bucket      = google_storage_bucket.ignition.name
-  path        = "bootstrap.ign"
-  duration    = "1h"
-  credentials = var.gcp_create_bootstrap_sa ? base64decode(google_service_account_key.bootstrap[0].private_key) : null
-}
-
-data "ignition_config" "redirect" {
-  replace {
-    source = data.google_storage_object_signed_url.ignition_url.signed_url
-  }
-}
-
 resource "google_compute_address" "bootstrap" {
   name        = "${var.cluster_id}-bootstrap-ip"
   description = local.description
@@ -144,7 +87,7 @@ resource "google_compute_instance" "bootstrap" {
   }
 
   metadata = {
-    user-data = data.ignition_config.redirect.rendered
+    user-data = var.gcp_ignition_shim
   }
 
   tags = ["${var.cluster_id}-master", "${var.cluster_id}-bootstrap"]

data/data/gcp/variables-gcp.tf

@@ -153,12 +153,6 @@ variable "gcp_master_on_host_maintenance" {
   default = ""
 }
 
-variable "gcp_create_bootstrap_sa" {
-  type = bool
-  default = false
-  description = "Whether a service account should be created to sign the ignition URL."
-}
-
 variable "gcp_user_provisioned_dns" {
   type = bool
   default = false
@@ -175,3 +169,9 @@ Example: `{ "tagKeys/123" = "tagValues/456", "tagKeys/456" = "tagValues/789" }`
 EOF
   default = {}
 }
+
+variable "gcp_ignition_shim" {
+  type = string
+  description = "Ignition stub containing the signed url that points to the bucket containing the ignition data."
+  default = ""
+}

pkg/asset/cluster/tfvars/tfvars.go

@@ -29,6 +29,7 @@ import (
 	"github.com/openshift/installer/pkg/asset/ignition"
 	"github.com/openshift/installer/pkg/asset/ignition/bootstrap"
 	baremetalbootstrap "github.com/openshift/installer/pkg/asset/ignition/bootstrap/baremetal"
+	gcpbootstrap "github.com/openshift/installer/pkg/asset/ignition/bootstrap/gcp"
 	"github.com/openshift/installer/pkg/asset/ignition/machine"
 	"github.com/openshift/installer/pkg/asset/installconfig"
 	awsconfig "github.com/openshift/installer/pkg/asset/installconfig/aws"
@@ -515,6 +516,29 @@ func (t *TerraformVariables) Generate(parents asset.Parents) error {
 			}
 		}
 
+		ctx, cancel := context.WithTimeout(context.TODO(), 60*time.Second)
+		defer cancel()
+
+		bucketName := gcpbootstrap.GetBootstrapStorageName(clusterID.InfraID)
+		bucketHandle, err := gcpbootstrap.CreateBucketHandle(ctx, bucketName)
+		if err != nil {
+			return fmt.Errorf("failed to create bucket handle %s: %w", bucketName, err)
+		}
+
+		bootstrapIgnURL, err := gcpbootstrap.ProvisionBootstrapStorage(ctx, installConfig, bucketHandle, clusterID.InfraID)
+		if err != nil {
+			return fmt.Errorf("failed to provision gcp bootstrap storage resources: %w", err)
+		}
+
+		if err := gcpbootstrap.FillBucket(ctx, bucketHandle, bootstrapIgn); err != nil {
+			return fmt.Errorf("failed to fill bootstrap ignition bucket: %w", err)
+		}
+
+		shim, err := bootstrap.GenerateIgnitionShimWithCertBundleAndProxy(bootstrapIgnURL, installConfig.Config.AdditionalTrustBundle, installConfig.Config.Proxy)
+		if err != nil {
+			return fmt.Errorf("failed to create gcp ignition shim: %w", err)
+		}
+
 		archName := coreosarch.RpmArch(string(installConfig.Config.ControlPlane.Architecture))
 		st, err := rhcospkg.FetchCoreOSBuild(ctx)
 		if err != nil {
@@ -551,6 +575,7 @@ func (t *TerraformVariables) Generate(parents asset.Parents) error {
 				InfrastructureName:  clusterID.InfraID,
 				UserProvisionedDNS:  installConfig.Config.GCP.UserProvisionedDNS == gcp.UserProvisionedDNSEnabled,
 				UserTags:            tags,
+				IgnitionShim:        string(shim),
 			},
 		)
 		if err != nil {

pkg/terraform/stages/gcp/stages.go

@@ -1,16 +1,18 @@
 package gcp
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
-	"os"
+	"time"
 
 	igntypes "github.com/coreos/ignition/v2/config/v3_2/types"
 	"github.com/hashicorp/terraform-exec/tfexec"
 	"github.com/pkg/errors"
 
 	"github.com/openshift/installer/pkg/asset"
 	"github.com/openshift/installer/pkg/asset/ignition"
+	gcpbootstrap "github.com/openshift/installer/pkg/asset/ignition/bootstrap/gcp"
 	"github.com/openshift/installer/pkg/asset/lbconfig"
 	"github.com/openshift/installer/pkg/terraform"
 	"github.com/openshift/installer/pkg/terraform/providers"
@@ -118,20 +120,21 @@ func extractGCPLBConfig(s stages.SplitStage, directory string, terraformDir stri
 		return "", err
 	}
 
-	// Update the ignition bootstrap variable to include the lbconfig.
-	tfvarData["ignition_bootstrap"] = string(ignitionOutput)
+	clusterID, ok := tfvarData["cluster_id"]
+	if !ok {
+		return "", fmt.Errorf("failed to read cluster id from tfvars")
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), time.Minute*1)
+	defer cancel()
 
-	// Convert the bootstrap data and write the data back to a file. This will overwrite the original tfvars file.
-	jsonBootstrap, err := json.Marshal(tfvarData)
+	bucketName := gcpbootstrap.GetBootstrapStorageName(clusterID.(string))
+	bucketHandle, err := gcpbootstrap.CreateBucketHandle(ctx, bucketName)
 	if err != nil {
-		return "", fmt.Errorf("failed to convert bootstrap ignition to bytes: %w", err)
+		return "", fmt.Errorf("failed to create bucket handle %s: %w", bucketName, err)
 	}
-	tfvarsFile.Data = jsonBootstrap
-
-	// update the value on disk to match
-	if err := os.WriteFile(fmt.Sprintf("%s/%s", directory, tfvarsFile.Filename), jsonBootstrap, 0o600); err != nil {
-		return "", fmt.Errorf("failed to rewrite %s: %w", tfvarsFile.Filename, err)
+	if err := gcpbootstrap.FillBucket(context.Background(), bucketHandle, string(ignitionOutput)); err != nil {
+		return "", fmt.Errorf("failed to fill gcp bucket with updated boostrap ignition contents: %w", err)
 	}
-
 	return "", nil
 }

pkg/tfvars/gcp/gcp.go

@@ -4,8 +4,6 @@ import (
 	"encoding/json"
 	"fmt"
 
-	"github.com/pkg/errors"
-
 	machineapi "github.com/openshift/api/machine/v1beta1"
 	"github.com/openshift/installer/pkg/types"
 )
@@ -29,7 +27,6 @@ type config struct {
 	Auth                      `json:",inline"`
 	Region                    string            `json:"gcp_region,omitempty"`
 	BootstrapInstanceType     string            `json:"gcp_bootstrap_instance_type,omitempty"`
-	CreateBootstrapSA         bool              `json:"gcp_create_bootstrap_sa"`
 	CreateFirewallRules       bool              `json:"gcp_create_firewall_rules"`
 	MasterInstanceType        string            `json:"gcp_master_instance_type,omitempty"`
 	MasterAvailabilityZones   []string          `json:"gcp_master_availability_zones"`
@@ -52,6 +49,7 @@ type config struct {
 	ExtraLabels               map[string]string `json:"gcp_extra_labels,omitempty"`
 	UserProvisionedDNS        bool              `json:"gcp_user_provisioned_dns,omitempty"`
 	ExtraTags                 map[string]string `json:"gcp_extra_tags,omitempty"`
+	IgnitionShim              string            `json:"gcp_ignition_shim,omitempty"`
 }
 
 // TFVarsSources contains the parameters to be converted into Terraform variables
@@ -67,6 +65,7 @@ type TFVarsSources struct {
 	InfrastructureName  string
 	UserProvisionedDNS  bool
 	UserTags            map[string]string
+	IgnitionShim        string
 }
 
 // TFVars generates gcp-specific Terraform variables launching the cluster.
@@ -109,6 +108,7 @@ func TFVars(sources TFVarsSources) ([]byte, error) {
 		ExtraLabels:               labels,
 		UserProvisionedDNS:        sources.UserProvisionedDNS,
 		ExtraTags:                 sources.UserTags,
+		IgnitionShim:              sources.IgnitionShim,
 	}
 
 	if masterConfig.Disks[0].EncryptionKey != nil {
@@ -124,17 +124,6 @@ func TFVars(sources TFVarsSources) ([]byte, error) {
 	}
 	cfg.InstanceServiceAccount = instanceServiceAccount
 
-	serviceAccount := make(map[string]interface{})
-
-	if err := json.Unmarshal([]byte(cfg.Auth.ServiceAccount), &serviceAccount); len(cfg.Auth.ServiceAccount) > 0 && err != nil {
-		return nil, errors.Wrapf(err, "unmarshaling service account")
-	}
-
-	// A private key is needed to sign the URL for bootstrap ignition.
-	// If there is no key in the credentials, we need to generate a new SA.
-	_, foundKey := serviceAccount["private_key"]
-	cfg.CreateBootstrapSA = !foundKey
-
 	return json.MarshalIndent(cfg, "", "  ")
 }