CORS-3218: GCP Remove the use case of users passing contents for json secret data.

barbacbd · barbacbd · commit 20359cc11ce8 · 2024-04-11T08:23:54.000-04:00
**Expose environment variable strings for GCP credentials.
**CAPG infrastructure controller will look for the gcp credentials to determine which contains a file location. This will be supplied to the controller.
**The default file location for capg infrastructure controller will remain the same, but it will use the default location from the gcp credentials file in the install config package.
diff --git a/pkg/asset/installconfig/gcp/session.go b/pkg/asset/installconfig/gcp/session.go
@@ -25,6 +25,10 @@ var (
 // Session is an object representing session for GCP API.
 type Session struct {
 	Credentials *googleoauth.Credentials
+
+	// Path contains the filepath for provided credentials. When authenticating with
+	// Default Application Credentials, Path will be empty.
+	Path string
 }
 
 // GetSession returns a GCP session by using credentials found in default locations in order:
@@ -35,17 +39,18 @@ type Session struct {
 // gcloud cli defaults
 // and, if no creds are found, asks for them and stores them on disk in a config file
 func GetSession(ctx context.Context) (*Session, error) {
-	creds, err := loadCredentials(ctx)
+	creds, path, err := loadCredentials(ctx)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to load credentials")
 	}
 
 	return &Session{
 		Credentials: creds,
+		Path:        path,
 	}, nil
 }
 
-func loadCredentials(ctx context.Context) (*googleoauth.Credentials, error) {
+func loadCredentials(ctx context.Context) (*googleoauth.Credentials, string, error) {
 	if len(credLoaders) == 0 {
 		for _, authEnv := range authEnvs {
 			credLoaders = append(credLoaders, &envLoader{env: authEnv})
@@ -66,30 +71,31 @@ func loadCredentials(ctx context.Context) (*googleoauth.Credentials, error) {
 		onceLoggers[loader].Do(func() {
 			logrus.Infof("Credentials loaded from %s", loader)
 		})
-		return creds, nil
+		return creds, loader.Content(), nil
 	}
 	return getCredentials(ctx)
 }
 
-func getCredentials(ctx context.Context) (*googleoauth.Credentials, error) {
+func getCredentials(ctx context.Context) (*googleoauth.Credentials, string, error) {
 	creds, err := (&userLoader{}).Load(ctx)
 	if err != nil {
-		return nil, err
+		return nil, "", err
 	}
 
 	filePath := defaultAuthFilePath
 	logrus.Infof("Saving the credentials to %q", filePath)
 	if err := os.MkdirAll(filepath.Dir(filePath), 0700); err != nil {
-		return nil, err
+		return nil, "", err
 	}
 	if err := os.WriteFile(filePath, creds.JSON, 0o600); err != nil {
-		return nil, err
+		return nil, "", err
 	}
-	return creds, nil
+	return creds, filePath, nil
 }
 
 type credLoader interface {
 	Load(context.Context) (*googleoauth.Credentials, error)
+	Content() string
 }
 
 type envLoader struct {
@@ -115,19 +121,25 @@ func (e *envLoader) String() string {
 	return strings.Join(path, ", ")
 }
 
+func (e *envLoader) Content() string {
+	envValue, found := os.LookupEnv(e.env)
+	if !found {
+		return ""
+	}
+	return envValue
+}
+
 type fileOrContentLoader struct {
 	pathOrContent string
 	delegate      credLoader
 }
 
 func (fc *fileOrContentLoader) Load(ctx context.Context) (*googleoauth.Credentials, error) {
 	// if this is a path and we can stat it, assume it's ok
-	if _, err := os.Stat(fc.pathOrContent); err == nil {
-		fc.delegate = &fileLoader{path: fc.pathOrContent}
-	} else {
-		fc.delegate = &contentLoader{content: fc.pathOrContent}
+	if _, err := os.Stat(fc.pathOrContent); err != nil {
+		return nil, fmt.Errorf("supplied value should be the path to a GCP credentials file: %w", err)
 	}
-
+	fc.delegate = &fileLoader{path: fc.pathOrContent}
 	return fc.delegate.Load(ctx)
 }
 
@@ -138,6 +150,13 @@ func (fc *fileOrContentLoader) String() string {
 	return "file or content"
 }
 
+func (fc *fileOrContentLoader) Content() string {
+	if _, err := os.Stat(fc.pathOrContent); err != nil {
+		return ""
+	}
+	return fc.pathOrContent
+}
+
 type fileLoader struct {
 	path string
 }
@@ -154,6 +173,10 @@ func (f *fileLoader) String() string {
 	return fmt.Sprintf("file %q", f.path)
 }
 
+func (f *fileLoader) Content() string {
+	return f.path
+}
+
 type contentLoader struct {
 	content string
 }
@@ -166,6 +189,10 @@ func (f *contentLoader) String() string {
 	return "content <redacted>"
 }
 
+func (f *contentLoader) Content() string {
+	return ""
+}
+
 type cliLoader struct{}
 
 func (c *cliLoader) Load(ctx context.Context) (*googleoauth.Credentials, error) {
@@ -176,14 +203,18 @@ func (c *cliLoader) String() string {
 	return "gcloud CLI defaults"
 }
 
+func (c *cliLoader) Content() string {
+	return ""
+}
+
 type userLoader struct{}
 
 func (u *userLoader) Load(ctx context.Context) (*googleoauth.Credentials, error) {
 	var content string
 	err := survey.Ask([]*survey.Question{
 		{
 			Prompt: &survey.Multiline{
-				Message: "Service Account (absolute path to file or JSON content)",
+				Message: "Service Account (absolute path to file)",
 				// Due to a bug in survey pkg, help message is not rendered
 				Help: "The location to file that contains the service account in JSON, or the service account in JSON format",
 			},
@@ -193,5 +224,9 @@ func (u *userLoader) Load(ctx context.Context) (*googleoauth.Credentials, error)
 		return nil, err
 	}
 	content = strings.TrimSpace(content)
-	return (&fileOrContentLoader{pathOrContent: content}).Load(ctx)
+	return (&fileLoader{path: content}).Load(ctx)
+}
+
+func (u *userLoader) Content() string {
+	return defaultAuthFilePath
 }
diff --git a/pkg/clusterapi/system.go b/pkg/clusterapi/system.go
@@ -18,6 +18,7 @@ import (
 
 	"github.com/openshift/installer/data"
 	"github.com/openshift/installer/pkg/asset/installconfig"
+	gcpic "github.com/openshift/installer/pkg/asset/installconfig/gcp"
 	powervsic "github.com/openshift/installer/pkg/asset/installconfig/powervs"
 	"github.com/openshift/installer/pkg/clusterapi/internal/process"
 	"github.com/openshift/installer/pkg/clusterapi/internal/process/addr"
@@ -175,6 +176,21 @@ func (c *system) Run(ctx context.Context, installConfig *installconfig.InstallCo
 			),
 		)
 	case gcp.Name:
+		session, err := gcpic.GetSession(context.Background())
+		if err != nil {
+			return fmt.Errorf("failed to create gcp session: %w", err)
+		}
+
+		//nolint:gosec // CAPG only expects a single credentials environment variable
+		gAppCredEnvVar := "GOOGLE_APPLICATION_CREDENTIALS"
+		capgEnvVars := map[string]string{
+			gAppCredEnvVar: session.Path,
+		}
+
+		if v, ok := capgEnvVars[gAppCredEnvVar]; ok {
+			logrus.Infof("setting %q to %s for capg infrastructure controller", gAppCredEnvVar, v)
+		}
+
 		controllers = append(controllers,
 			c.getInfrastructureController(
 				&GCP,
@@ -185,10 +201,7 @@ func (c *system) Run(ctx context.Context, installConfig *installconfig.InstallCo
 					"--webhook-port={{.WebhookPort}}",
 					"--webhook-cert-dir={{.WebhookCertDir}}",
 				},
-				map[string]string{
-					// TODO: Authentication must be handled in a more complex way detailed here: https://issues.redhat.com/browse/CORS-3218
-					"GOOGLE_APPLICATION_CREDENTIALS": filepath.Join(os.Getenv("HOME"), ".gcp", "osServiceAccount.json"),
-				},
+				capgEnvVars,
 			),
 		)
 	case ibmcloud.Name:
