Validate format of GoogleServiceAccount in CCC

[jingyih]

Create a CCC object with invalid GSA.

$ cat ~/tmp/ccc.yaml 
apiVersion: core.cnrm.cloud.google.com/v1beta1
kind: ConfigConnectorContext
metadata:
    name: configconnectorcontext.core.cnrm.cloud.google.com
    namespace: config-control
spec:
    googleServiceAccount: foo@bar.com

$ k apply -f ~/tmp/ccc.yaml 
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com created

CCC Status:

$ k describe -f ~/tmp/ccc.yaml 
(...)
Spec:
  Google Service Account:  foo@bar.com
Status:
  Errors:
    error during reconciliation: invalid GoogleServiceAccount format for "foo@bar.com"
  Healthy:  false
Events:
  Type     Reason        Age                From                               Message
  ----     ------        ----               ----                               -------
  Warning  UpdateFailed  4s (x13 over 24s)  configconnectorcontext-controller  error during reconciliation: invalid GoogleServiceAccount format for "foo@bar.com"

KCC operator logs:

{"severity":"error","timestamp":"2024-07-13T08:40:57.453Z","msg":"preflight check failed, not reconciling","controller":"configconnectorcontext-controller","controllerGroup":"core.cnrm.cloud.google.com","controllerKind":"ConfigConnectorContext","ConfigConnectorContext":{"name":"configconnectorcontext.core.cnrm.cloud.google.com","namespace":"config-control"},"namespace":"config-control","name":"configconnectorcontext.core.cnrm.cloud.google.com","reconcileID":"7be584f2-b021-4adb-9e3e-14123b343030","error":"invalid GoogleServiceAccount format for \"foo@bar.com\""}

[google-oss-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from jingyih. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[justinsb]

Nit: do you mean not a required field? Or do you mean that it's required at the schema level, so this is unreachable?

Either way, I agree that you should just return nil for empty values!

[jingyih]

Yeah this code should be unreachable. It is a required field, so empty string will error early during CR creation.

[yuwenma]

A readability rule of thumb is to always consider the function for its own and always handle the edge cases for itself, it would be easier to maintenance and less error prone if the other parts changed. i.e. somehow we decide to disable the required field check in the CRD level.

[jingyih]

If we fail here, that effectively means the GoogleServiceAccount is a required field, even if we mark it as optional in the CRD level. So I think we should not fail here.

[justinsb]

Where did you get this regex from? I found https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts/create which suggested a more restrictive regex for the first bit.

projectID matches description here https://cloud.google.com/resource-manager/reference/rest/v1beta1/projects (which is good)

I'm actually more concerned about us rejecting valid gcpServiceAccount values though, so as long as our regex is too permissive, that's OK IMO!

[jingyih]

Where did you get this regex from

I think I got the regex from a back-and-forth discussion between me and AI...

I found https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts/create which suggested a more restrictive regex for the first bit.

Good find! We could certainly make the first bit more restrictive to match Cloud IAM, but I feel leaving it less restrictive has more benefits.

• If Cloud IAM update the regex in the future, our validation will likely still work.
• IMO the primary goal is to reject really wrong formats, like if user forgot to replace "${GSA}" with the actual email address, it should get rejected here. (today we don't reject it, and annotate KSA with any string user write to this field)

[justinsb]

LGTM, one nit on the comment and some background on the regex