GoogleContainerTools · droot · Oct 31, 2023 · Dec 5, 2023
diff --git a/build/all/Dockerfile b/build/all/Dockerfile
@@ -71,7 +71,8 @@ USER nonroot:nonroot
 ENTRYPOINT ["/hydration-controller"]
 
 # OCI-sync image
-FROM gcr.io/distroless/static:latest as oci-sync
+#FROM gcr.io/distroless/static:latest as oci-sync
+FROM google/cloud-sdk:slim as oci-sync
 # Setting HOME ensures that whatever UID this ultimately runs as can write files.
 ENV HOME=/tmp
 WORKDIR /

diff --git a/cmd/oci-sync/main.go b/cmd/oci-sync/main.go
@@ -35,8 +35,8 @@ import (
 var flImage = flag.String("image", util.EnvString(reconcilermanager.OciSyncImage, ""),
 	"the OCI image repository for the package")
 var flAuth = flag.String("auth", util.EnvString(reconcilermanager.OciSyncAuth, string(configsync.AuthNone)),
-	fmt.Sprintf("the authentication type for access to the OCI package. Must be one of %s, %s, or %s. Defaults to %s",
-		configsync.AuthGCPServiceAccount, configsync.AuthGCENode, configsync.AuthNone, configsync.AuthNone))
+	fmt.Sprintf("the authentication type for access to the OCI package. Must be one of %s, %s, %s, or %s. Defaults to %s",
+		configsync.AuthGCPServiceAccount, configsync.AuthGCPKSA, configsync.AuthGCENode, configsync.AuthNone, configsync.AuthNone))
 var flRoot = flag.String("root", util.EnvString("OCI_SYNC_ROOT", util.EnvString("HOME", "")+"/oci"),
 	"the root directory for oci-sync operations, under which --dest will be created")
 var flDest = flag.String("dest", util.EnvString("OCI_SYNC_DEST", ""),
@@ -86,7 +86,7 @@ func main() {
 	switch configsync.AuthType(*flAuth) {
 	case configsync.AuthNone:
 		auth = authn.Anonymous
-	case configsync.AuthGCPServiceAccount, configsync.AuthGCENode:
+	case configsync.AuthGCPServiceAccount, configsync.AuthGCPKSA, configsync.AuthGCENode:
 		a, err := google.NewEnvAuthenticator()
 		if err != nil {
 			utillog.HandleError(log, true, "ERROR: failed to get the authentication with type %q: %v", *flAuth, err)

diff --git a/manifests/reposync-crd.yaml b/manifests/reposync-crd.yaml
@@ -277,6 +277,7 @@ spec:
                     enum:
                     - gcenode
                     - gcpserviceaccount
+                    - gcpksa
                     - none
                     type: string
                   dir:
@@ -1325,6 +1326,7 @@ spec:
                     enum:
                     - gcenode
                     - gcpserviceaccount
+                    - gcpksa
                     - none
                     type: string
                   dir:

diff --git a/manifests/rootsync-crd.yaml b/manifests/rootsync-crd.yaml
@@ -287,6 +287,7 @@ spec:
                     enum:
                     - gcenode
                     - gcpserviceaccount
+                    - gcpksa
                     - none
                     type: string
                   dir:
@@ -1391,6 +1392,7 @@ spec:
                     enum:
                     - gcenode
                     - gcpserviceaccount
+                    - gcpksa
                     - none
                     type: string
                   dir:

diff --git a/pkg/api/configsync/register.go b/pkg/api/configsync/register.go
@@ -106,6 +106,9 @@ const (
 	// AuthGCPServiceAccount indicates using a GCP service account to authenticate to
 	// Git or OCI or Helm, when GKE Workload Identity or Fleet Workload Identity is enabled.
 	AuthGCPServiceAccount AuthType = "gcpserviceaccount"
+	// AuthGCPKSA indicates using the kubernetes service account as the third party identity provider
+	// for accessing the artifacts stored in GCP services.
+	AuthGCPKSA AuthType = "gcpksa"
 )
 
 // NamespaceStrategy specifies the strategy used by the reconciler for undeclared

diff --git a/pkg/api/configsync/v1alpha1/ociconfig.go b/pkg/api/configsync/v1alpha1/ociconfig.go
@@ -48,7 +48,7 @@ type Oci struct {
 	// Must be one of gcenode, gcpserviceaccount, or none.
 	// The validation of this is case-sensitive. Required.
 	//
-	// +kubebuilder:validation:Enum=gcenode;gcpserviceaccount;none
+	// +kubebuilder:validation:Enum=gcenode;gcpserviceaccount;gcpksa;none
 	Auth configsync.AuthType `json:"auth"`
 
 	// gcpServiceAccountEmail specifies the GCP service account used to annotate

diff --git a/pkg/api/configsync/v1beta1/ociconfig.go b/pkg/api/configsync/v1beta1/ociconfig.go
@@ -48,7 +48,7 @@ type Oci struct {
 	// Must be one of gcenode, gcpserviceaccount, or none.
 	// The validation of this is case-sensitive. Required.
 	//
-	// +kubebuilder:validation:Enum=gcenode;gcpserviceaccount;none
+	// +kubebuilder:validation:Enum=gcenode;gcpserviceaccount;gcpksa;none
 	Auth configsync.AuthType `json:"auth"`
 
 	// gcpServiceAccountEmail specifies the GCP service account used to annotate

diff --git a/pkg/reconcilermanager/controllers/reposync_controller.go b/pkg/reconcilermanager/controllers/reposync_controller.go
@@ -1210,7 +1210,7 @@ func (r *RepoSyncReconciler) mutationsFor(ctx context.Context, rs *v1beta1.RepoS
 
 func enableAskpassSidecar(sourceType string, auth configsync.AuthType) bool {
 	if v1beta1.SourceType(sourceType) == v1beta1.GitSource &&
-		(auth == configsync.AuthGCPServiceAccount || auth == configsync.AuthGCENode) {
+		(auth == configsync.AuthGCPServiceAccount || auth == configsync.AuthGCPKSA || auth == configsync.AuthGCENode) {
 		return true
 	}
 	return false

diff --git a/pkg/reconcilermanager/controllers/secret.go b/pkg/reconcilermanager/controllers/secret.go
@@ -175,11 +175,11 @@ func getSecret(ctx context.Context, c client.Client, sRef types.NamespacedName,
 	return c.Get(ctx, sRef, secret)
 }
 
-// SkipForAuth returns true if the passed auth is either 'none' or 'gcenode' or
+// SkipForAuth returns true if the passed auth is either 'none' or 'gcenode', 'gcpksa' or
 // 'gcpserviceaccount'.
 func SkipForAuth(auth configsync.AuthType) bool {
 	switch auth {
-	case configsync.AuthNone, configsync.AuthGCENode, configsync.AuthGCPServiceAccount:
+	case configsync.AuthNone, configsync.AuthGCENode, configsync.AuthGCPServiceAccount, configsync.AuthGCPKSA:
 		return true
 	default:
 		return false

diff --git a/pkg/reconcilermanager/controllers/util.go b/pkg/reconcilermanager/controllers/util.go
@@ -376,10 +376,10 @@ func PollingPeriod(envName string, defaultValue time.Duration) time.Duration {
 
 // useFWIAuth returns whether ConfigSync uses fleet workload identity for authentication.
 // It is true only when all the following conditions are true:
-// 1. the auth type is `gcpserviceaccount`.
+// 1. the auth type is `gcpserviceaccount` or `gcpksa`.
 // 2. the cluster is registered in a fleet (the membership object exists).
 // 3. the fleet workload identity is enabled (workload_identity_pool and identity_provider are not empty).
 func useFWIAuth(authType configsync.AuthType, membership *hubv1.Membership) bool {
-	return authType == configsync.AuthGCPServiceAccount && membership != nil &&
+	return (authType == configsync.AuthGCPServiceAccount || authType == configsync.AuthGCPKSA) && membership != nil &&
 		membership.Spec.IdentityProvider != "" && membership.Spec.WorkloadIdentityPool != ""
 }
diff --git a/pkg/validate/raw/validate/source_spec_validator.go b/pkg/validate/raw/validate/source_spec_validator.go
@@ -141,7 +141,7 @@ func OciSpec(oci *v1beta1.Oci, rs client.Object) status.Error {
 	// Note that Auth is a case-sensitive field, so ones with arbitrary capitalization
 	// will fail to apply.
 	switch oci.Auth {
-	case configsync.AuthGCENode, configsync.AuthNone:
+	case configsync.AuthGCENode, configsync.AuthGCPKSA, configsync.AuthNone:
 	case configsync.AuthGCPServiceAccount:
 		if oci.GCPServiceAccountEmail == "" {
 			return MissingGCPSAEmail(rs)
@@ -254,7 +254,7 @@ func MissingGitRepo(o client.Object) status.Error {
 // InvalidAuthType reports that a RootSync/RepoSync doesn't use one of the known auth
 // methods.
 func InvalidAuthType(o client.Object) status.Error {
-	types := []string{string(configsync.AuthSSH), string(configsync.AuthCookieFile), string(configsync.AuthGCENode), string(configsync.AuthToken), string(configsync.AuthNone), string(configsync.AuthGCPServiceAccount)}
+	types := []string{string(configsync.AuthSSH), string(configsync.AuthCookieFile), string(configsync.AuthGCENode), string(configsync.AuthToken), string(configsync.AuthNone), string(configsync.AuthGCPServiceAccount), string(configsync.AuthGCPKSA)}
 	kind := o.GetObjectKind().GroupVersionKind().Kind
 	return invalidSyncBuilder.
 		Sprintf("%ss must specify spec.git.auth to be one of %s", kind,
@@ -360,7 +360,7 @@ func MissingOciImage(o client.Object) status.Error {
 // InvalidOciAuthType reports that a RootSync/RepoSync doesn't use one of the known auth
 // methods for OCI image.
 func InvalidOciAuthType(o client.Object) status.Error {
-	types := []string{string(configsync.AuthGCENode), string(configsync.AuthGCPServiceAccount), string(configsync.AuthNone)}
+	types := []string{string(configsync.AuthGCENode), string(configsync.AuthGCPServiceAccount), string(configsync.AuthGCPKSA), string(configsync.AuthNone)}
 	kind := o.GetObjectKind().GroupVersionKind().Kind
 	return invalidSyncBuilder.
 		Sprintf("%ss must specify spec.oci.auth to be one of %s", kind,