CORS-3257: Create a GCP ServiceAccount and assign to machines

Create a ServiceAccount and add roles to it for master. Associate
the ServiceAccount wiht the master machines when they are created.

Author: bfournie

pkg/asset/machines/gcp/gcpmachines.go

@@ -4,6 +4,7 @@ package gcp
 import (
 	"fmt"
 
+	compute "google.golang.org/api/compute/v1"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/ptr"
@@ -16,6 +17,8 @@ import (
 	gcptypes "github.com/openshift/installer/pkg/types/gcp"
 )
 
+const masterRole = "master"
+
 // GenerateMachines returns manifests and runtime objects to provision control plane nodes using CAPI.
 func GenerateMachines(installConfig *installconfig.InstallConfig, infraID string, pool *types.MachinePool, imageName string) ([]*asset.RuntimeFile, error) {
 	var result []*asset.RuntimeFile
@@ -39,7 +42,7 @@ func GenerateMachines(installConfig *installconfig.InstallConfig, infraID string
 			Object: gcpMachine,
 		})
 
-		dataSecret := fmt.Sprintf("%s-master", infraID)
+		dataSecret := fmt.Sprintf("%s-%s", infraID, masterRole)
 		capiMachine := createCAPIMachine(gcpMachine.Name, dataSecret, infraID)
 
 		result = append(result, &asset.RuntimeFile{
@@ -97,7 +100,7 @@ func createGCPMachine(name string, installConfig *installconfig.InstallConfig, i
 
 	masterSubnet := installConfig.Config.Platform.GCP.ControlPlaneSubnet
 	if masterSubnet == "" {
-		masterSubnet = gcptypes.DefaultSubnetName(infraID, "master")
+		masterSubnet = gcptypes.DefaultSubnetName(infraID, masterRole)
 	}
 
 	gcpMachine := &capg.GCPMachine{
@@ -132,15 +135,26 @@ func createGCPMachine(name string, installConfig *installconfig.InstallConfig, i
 		shieldedInstanceConfig.SecureBoot = capg.SecureBootPolicyEnabled
 		gcpMachine.Spec.ShieldedInstanceConfig = ptr.To(shieldedInstanceConfig)
 	}
-	if mpool.ServiceAccount != "" {
-		serviceAccount := &capg.ServiceAccount{
-			Email: mpool.ServiceAccount,
-			// Set scopes to value defined at
-			// https://cloud.google.com/compute/docs/access/service-accounts#scopes_best_practice
-			Scopes: []string{"https://www.googleapis.com/auth/cloud-platform"},
+
+	serviceAccount := &capg.ServiceAccount{
+		// Set scopes to value defined at
+		// https://cloud.google.com/compute/docs/access/service-accounts#scopes_best_practice
+		Scopes: []string{compute.CloudPlatformScope},
+	}
+
+	projectID := installConfig.Config.Platform.GCP.ProjectID
+	serviceAccount.Email = fmt.Sprintf("%s-%s@%s.iam.gserviceaccount.com", infraID, masterRole[0:1], projectID)
+	// The installer will create a service account for compute nodes with the above naming convention.
+	// The same service account will be used for control plane nodes during a vanilla installation. During a
+	// xpn installation, the installer will attempt to use an existing service account from a user supplied
+	// value in install-config.
+	// Note - the derivation of the ServiceAccount from credentials will no longer be supported.
+	if len(installConfig.Config.Platform.GCP.NetworkProjectID) > 0 {
+		if mpool.ServiceAccount != "" {
+			serviceAccount.Email = mpool.ServiceAccount
 		}
-		gcpMachine.Spec.ServiceAccount = serviceAccount
 	}
+	gcpMachine.Spec.ServiceAccount = serviceAccount
 
 	return gcpMachine
 }

pkg/asset/machines/gcp/gcpmachines_test.go

@@ -5,6 +5,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	compute "google.golang.org/api/compute/v1"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/ptr"
@@ -170,6 +171,10 @@ func getBaseGCPMachine() *capg.GCPMachine {
 			},
 			RootDeviceSize: 128,
 			RootDeviceType: ptr.To(capg.DiskType(diskType)),
+			ServiceAccount: &capg.ServiceAccount{
+				Email:  "[email protected]",
+				Scopes: []string{compute.CloudPlatformScope},
+			},
 		},
 	}
 	return gcpMachine

pkg/infrastructure/gcp/clusterapi/clusterapi.go

@@ -33,6 +33,31 @@ func (p Provider) Name() string {
 // GCP resources that are not created by CAPG (and are required for other stages of the install) are
 // created here using the gcp sdk.
 func (p Provider) PreProvision(ctx context.Context, in clusterapi.PreProvisionInput) error {
+	// Create ServiceAccounts which will be used for machines
+	projectID := in.InstallConfig.Config.Platform.GCP.ProjectID
+
+	// ServiceAccount for masters
+	// Only create ServiceAccount for masters if a shared VPC install is not being done
+	if len(in.InstallConfig.Config.Platform.GCP.NetworkProjectID) == 0 ||
+		in.InstallConfig.Config.ControlPlane.Platform.GCP.ServiceAccount == "" {
+		masterSA, err := CreateServiceAccount(ctx, in.InfraID, projectID, "master")
+		if err != nil {
+			return fmt.Errorf("failed to create master serviceAccount: %w", err)
+		}
+		if err = AddServiceAccountRoles(ctx, projectID, masterSA, GetMasterRoles()); err != nil {
+			return fmt.Errorf("failed to add master roles: %w", err)
+		}
+	}
+
+	// ServiceAccount for workers
+	workerSA, err := CreateServiceAccount(ctx, in.InfraID, projectID, "worker")
+	if err != nil {
+		return fmt.Errorf("failed to create worker serviceAccount: %w", err)
+	}
+	if err = AddServiceAccountRoles(ctx, projectID, workerSA, GetWorkerRoles()); err != nil {
+		return fmt.Errorf("failed to add worker roles: %w", err)
+	}
+
 	return nil
 }
 

pkg/infrastructure/gcp/clusterapi/iam.go

@@ -0,0 +1,145 @@
+package clusterapi
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/sirupsen/logrus"
+	resourcemanager "google.golang.org/api/cloudresourcemanager/v1"
+	iam "google.golang.org/api/iam/v1"
+	"google.golang.org/api/option"
+
+	gcp "github.com/openshift/installer/pkg/asset/installconfig/gcp"
+)
+
+const (
+	retryTime  = 10 * time.Second
+	retryCount = 6
+)
+
+func defaultServiceAccountID(infraID, projectID, role string) string {
+	// The account id is used to generate the service account email address,
+	// it should not contain the email suffixi. It is unique within a project,
+	// must be 6-30 characters long, and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])`
+	return fmt.Sprintf("%s-%s", infraID, role[0:1])
+}
+
+// GetMasterRoles returns the pre-defined roles for a master node.
+// Roles are described here https://cloud.google.com/iam/docs/understanding-roles#predefined_roles.
+func GetMasterRoles() []string {
+	return []string{
+		"roles/compute.instanceAdmin",
+		"roles/compute.networkAdmin",
+		"roles/compute.securityAdmin",
+		"roles/storage.admin",
+	}
+}
+
+// GetWorkerRoles returns the pre-defined roles for a worker node.
+func GetWorkerRoles() []string {
+	return []string{
+		"roles/compute.viewer",
+		"roles/storage.admin",
+	}
+}
+
+// CreateServiceAccount is used to create a service account for a compute instance.
+func CreateServiceAccount(ctx context.Context, infraID, projectID, role string) (string, error) {
+	ctx, cancel := context.WithTimeout(ctx, time.Minute*1)
+	defer cancel()
+
+	ssn, err := gcp.GetSession(ctx)
+	if err != nil {
+		return "", fmt.Errorf("failed to get session: %w", err)
+	}
+	service, err := iam.NewService(ctx, option.WithCredentials(ssn.Credentials))
+	if err != nil {
+		return "", fmt.Errorf("failed to create IAM service: %w", err)
+	}
+
+	accountID := defaultServiceAccountID(infraID, projectID, role)
+	displayName := fmt.Sprintf("%s-%s-node", infraID, role)
+
+	request := &iam.CreateServiceAccountRequest{
+		AccountId: accountID,
+		ServiceAccount: &iam.ServiceAccount{
+			Description: "The service account used by the instances.",
+			DisplayName: displayName,
+		},
+	}
+
+	sa, err := service.Projects.ServiceAccounts.Create("projects/"+projectID, request).Do()
+	if err != nil {
+		return "", fmt.Errorf("Projects.ServiceAccounts.Create: %w", err)
+	}
+
+	// Poll for service account
+	for i := 0; i < retryCount; i++ {
+		_, err := service.Projects.ServiceAccounts.Get(sa.Name).Do()
+		if err == nil {
+			logrus.Debugf("Service account created for %s", accountID)
+			return accountID, nil
+		}
+		time.Sleep(retryTime)
+	}
+
+	return "", fmt.Errorf("failure creating service account: %w", err)
+}
+
+// AddServiceAccountRoles adds predefined roles for service account.
+func AddServiceAccountRoles(ctx context.Context, projectID, serviceAccountID string, roles []string) error {
+	policy, err := getProjectIAMPolicy(ctx, projectID)
+	if err != nil {
+		return err
+	}
+
+	for _, role := range roles {
+		err = addMemberToRole(policy, role, serviceAccountID)
+		if err != nil {
+			return fmt.Errorf("failed to add role %s to %s: %w", role, serviceAccountID, err)
+		}
+	}
+
+	return nil
+}
+
+func getProjectIAMPolicy(ctx context.Context, projectID string) (*resourcemanager.Policy, error) {
+	ctx, cancel := context.WithTimeout(ctx, time.Minute*1)
+	defer cancel()
+	req := &resourcemanager.GetIamPolicyRequest{}
+
+	ssn, err := gcp.GetSession(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get session: %w", err)
+	}
+	service, err := resourcemanager.NewService(ctx, option.WithCredentials(ssn.Credentials))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create resourcemanager service: %w", err)
+	}
+
+	policy, err := service.Projects.GetIamPolicy(projectID, req).Context(ctx).Do()
+	if err != nil {
+		return nil, fmt.Errorf("failed to fetch project IAM policy: %w", err)
+	}
+	return policy, nil
+}
+
+// addMemberToRole adds a member to a role binding.
+func addMemberToRole(policy *resourcemanager.Policy, role, member string) error {
+	for _, binding := range policy.Bindings {
+		if binding.Role == role {
+			for _, m := range binding.Members {
+				if m == member {
+					logrus.Debugf("found %s role, member %s already exists", role, member)
+					return nil
+				}
+			}
+			binding.Members = append(binding.Members, member)
+			logrus.Debugf("found %s role, added %s member", role, member)
+			return nil
+		}
+	}
+
+	return fmt.Errorf("role %s not found, member %s not added", role, member)
+}