From 5bb8111aabbdf957ba5bba4dd83f2a79bfb954ae Mon Sep 17 00:00:00 2001
From: Brad Wadsworth
Date: Tue, 29 Nov 2022 17:45:55 -0600
Subject: [PATCH 1/5] add access token authentication
Signed-off-by: Brad Wadsworth
---
 docs/Configuration.md | 289 ++++++++++++++++++++++++++++++++++++++++
 internal/clients/gcp.go | 13 +-
 2 files changed, 301 insertions(+), 1 deletion(-)
diff --git a/docs/Configuration.md b/docs/Configuration.md
index bda1dd93b..5ad325422 100644
--- a/docs/Configuration.md
+++ b/docs/Configuration.md
@@ -252,3 +252,292 @@ EOF ### 4. Next steps Now that you have configured `provider-gcp` with Workload Identity supported. + +## Authenticating with Access Tokens + +Using temporary Access Tokens will require a process to regenerate an access token before it expires. Luckily we can use a Kubernetes CronJob to fulfill that. + +**DISCLAIMER** + +*The following method will only work if running the provider in a GKE cluster on GCP. This is because the creation of access tokens requires a service account with Workload Identity enabled.* + +### Steps + +#### 0. Prepare your variables + +In the following sections, you'll need to name your resources. +Define the variables below with any names valid in Kubernetes or GCP so that you +can smoothly set it up: + +```console +$ PROJECT_ID= # e.g.) acme-prod +$ REGION= # e.g.) us-central1 +$ CLUSTER_NAME= # e.g.) demo +$ GCP_SERVICE_ACCOUNT= # e.g.) crossplane +$ ROLE= # e.g.) roles/editor +$ KUBERNETES_SERVICE_ACCOUNT= # e.g.) token-generator +$ NAMESPACE= # e.g.) default +$ SECRET_NAME= # e.g.) gcp-credentials +$ SECRET_KEY= # e.g.) token +$ PROVIDER_GCP= # e.g.) provider-gcp +$ VERSION= # e.g.) v0.19.0 +``` + +#### 1. 
Create a GKE cluster with Workload Identity Enabled +Create a default vpc if one does not already exist +```console +$ gcloud compute networks create default \ + --subnet-mode=auto \ + --bgp-routing-mode=global \ + --project=${PROJECT_ID} +``` +Create a cloud router +```console +$ gcloud compute routers create ${CLUSTER_NAME} \ + --project=${PROJECT_ID} \ + --network=default \ + --region=${REGION} +``` +Create a cloud nat +```console +$ gcloud compute routers nats create ${CLUSTER_NAME} \ + --router=${CLUSTER_NAME} \ + --region=${REGION} \ + --auto-allocate-nat-external-ips \ + --nat-all-subnet-ip-ranges \ + --project=${PROJECT_ID} +``` +Create the cluster +```console +$ gcloud container clusters create ${CLUSTER_NAME} \ + --region=${REGION} \ + --workload-pool=${PROJECT_ID}.svc.id.goog \ + --create-subnetwork name=gke \ + --enable-ip-alias \ + --enable-private-nodes \ + --no-enable-master-authorized-networks \ + --enable-master-global-access \ + --master-ipv4-cidr=172.16.0.32/28 \ + --max-nodes=3 \ + --project=${PROJECT_ID} +``` +Get the cluster credentials +```console +$ gcloud container clusters get-credentials ${CLUSTER_NAME} --region=${REGION} --project=${PROJECT_ID} +``` + +#### 2. Configure service accounts to use Workload Identity + +Create a GCP service account, which will be used for provisioning actual +infrastructure in GCP, and grant IAM roles you need for accessing the Google +Cloud APIs: + +```console +$ gcloud iam service-accounts create ${GCP_SERVICE_ACCOUNT} \ + --project=${PROJECT_ID} +``` +```console +$ gcloud projects add-iam-policy-binding ${PROJECT_ID} \ + --member="serviceAccount:${GCP_SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com" \ + --role=${ROLE} \ + --project=${PROJECT_ID} +``` + +#### 3. 
Create resources to generate an access-token +Create the Kubernetes service account, RBAC, and CronJob to generate the temporary access-token + +**NOTE:** Ensure your kube context is pointing to the cluster created above + +```console +$ cat < Date: Wed, 21 Dec 2022 08:57:18 -0600 Subject: [PATCH 2/5] add access token source type --- apis/v1beta1/types.go | 2 +- docs/Configuration.md | 4 +- examples/providerconfig/accesstoken.yaml | 12 +++++ internal/clients/gcp.go | 48 ++++++++++++------- .../crds/gcp.upbound.io_providerconfigs.yaml | 1 + 5 files changed, 47 insertions(+), 20 deletions(-) create mode 100644 examples/providerconfig/accesstoken.yaml diff --git a/apis/v1beta1/types.go b/apis/v1beta1/types.go index d4f05cdfe..8e15c11d4 100644 --- a/apis/v1beta1/types.go +++ b/apis/v1beta1/types.go @@ -34,7 +34,7 @@ type ProviderConfigSpec struct { // ProviderCredentials required to authenticate. type ProviderCredentials struct { // Source of the provider credentials. - // +kubebuilder:validation:Enum=None;Secret;InjectedIdentity;Environment;Filesystem + // +kubebuilder:validation:Enum=None;Secret;AccessToken;InjectedIdentity;Environment;Filesystem Source xpv1.CredentialsSource `json:"source"` xpv1.CommonCredentialSelectors `json:",inline"` diff --git a/docs/Configuration.md b/docs/Configuration.md index 5ad325422..10330c039 100644 --- a/docs/Configuration.md +++ b/docs/Configuration.md @@ -318,7 +318,7 @@ $ gcloud container clusters create ${CLUSTER_NAME} \ --no-enable-master-authorized-networks \ --enable-master-global-access \ --master-ipv4-cidr=172.16.0.32/28 \ - --max-nodes=3 \ + --num-nodes=1 \ --project=${PROJECT_ID} ``` Get the cluster credentials @@ -493,7 +493,7 @@ metadata: spec: projectID: ${PROJECT_ID} credentials: - source: Secret + source: AccessToken secretRef: name: ${SECRET_NAME} namespace: ${NAMESPACE} diff --git a/examples/providerconfig/accesstoken.yaml b/examples/providerconfig/accesstoken.yaml new file mode 100644 index 000000000..7ef29173d 
--- /dev/null
+++ b/examples/providerconfig/accesstoken.yaml
@@ -0,0 +1,12 @@
+apiVersion: gcp.upbound.io/v1beta1
+kind: ProviderConfig
+metadata:
+ name: default
+spec:
+ projectID: crossplane-playground
+ credentials:
+ source: AccessToken
+ secretRef:
+ name: example-creds
+ namespace: crossplane-system
+ key: credentials
diff --git a/internal/clients/gcp.go b/internal/clients/gcp.go
index 12b5148e5..6d5b125dc 100644
--- a/internal/clients/gcp.go
+++ b/internal/clients/gcp.go
@@ -18,7 +18,6 @@ package clients
 import (
 "context"
- "encoding/json"
 xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
 "github.com/crossplane/crossplane-runtime/pkg/resource"
@@ -33,8 +32,10 @@ import (
 const (
 keyProject = "project"
- keyCredentials = "credentials"
- accessToken = "access_token"
+ keyCredentials = "credentials"
+ accountKey = "Secret"
+ accessToken = "AccessToken"
+ accessTokenCredentials = "access_token"
 )
 const (
@@ -79,24 +80,37 @@ func TerraformSetupBuilder(version, providerSource, providerVersion string) terr
 switch pc.Spec.Credentials.Source { //nolint:exhaustive
 case xpv1.CredentialsSourceInjectedIdentity:
 // We don't need to do anything here, as the TF Provider will take care of workloadIdentity etc.
+ case accessToken:
+ return useAccessToken(ctx, pc, client, ps)
 default:
- data, err := resource.CommonCredentialExtractor(ctx, pc.Spec.Credentials.Source, client, pc.Spec.Credentials.CommonCredentialSelectors)
- if err != nil {
- return ps, errors.Wrap(err, errExtractCredentials)
- }
-
- // set provider configuration keys for GCP credentials
- if isJSON(data) {
- ps.Configuration[keyCredentials] = string(data)
- } else {
- ps.Configuration[accessToken] = string(data)
- }
+ return useSecret(ctx, pc, client, ps)
 }
 return ps, nil
 }
 }
-func isJSON(b []byte) bool {
- var js json.RawMessage
- return json.Unmarshal(b, &js) == nil
+func useDefault(ctx context.Context, pc *v1beta1.ProviderConfig, client client.Client) ([]byte, error) {
+ data, err := resource.CommonCredentialExtractor(ctx, pc.Spec.Credentials.Source, client, pc.Spec.Credentials.CommonCredentialSelectors)
+ if err != nil {
+ return nil, errors.Wrap(err, errExtractCredentials)
+ }
+ return data, nil
+}
+
+func useSecret(ctx context.Context, pc *v1beta1.ProviderConfig, client client.Client, ps terraform.Setup) (terraform.Setup, error) {
+ data, err := useDefault(ctx, pc, client)
+ if err != nil {
+ return ps, err
+ }
+ ps.Configuration[keyCredentials] = string(data)
+ return ps, nil
+}
+
+func useAccessToken(ctx context.Context, pc *v1beta1.ProviderConfig, client client.Client, ps terraform.Setup) (terraform.Setup, error) {
+ data, err := useDefault(ctx, pc, client)
+ if err != nil {
+ return ps, err
+ }
+ ps.Configuration[accessTokenCredentials] = string(data)
+ return ps, nil
+}
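Review bot: Dropping the `isJSON` sniff from the `default` branch silently changes what an existing `source: Secret` ProviderConfig does: a secret holding a raw OAuth token, which the removed code routed to `access_token`, is now handed to the Terraform provider as `credentials`, and the failure only surfaces later as an opaque auth error instead of at extraction time. If retiring that fallback is intended, the commit message and docs should say so; otherwise keep the sniff in `useSecret` (restoring the `encoding/json` import) or have `useSecret` reject non-JSON data up front with `if !json.Valid(data) { return ps, errors.New("credentials are not a JSON service account key") }`. `useDefault` is also a misleading name, since it extracts from whatever `pc.Spec.Credentials.Source` says rather than from a default; `extractCredentials` would read better. `TerraformSetupBuilder` begins before this hunk.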
diff --git a/package/crds/gcp.upbound.io_providerconfigs.yaml b/package/crds/gcp.upbound.io_providerconfigs.yaml
index a10bd929d..335aba19a 100644
--- a/package/crds/gcp.upbound.io_providerconfigs.yaml
+++ b/package/crds/gcp.upbound.io_providerconfigs.yaml
@@ -93,6 +93,7 @@ spec:
 enum:
 - None
 - Secret
+ - AccessToken
 - InjectedIdentity
 - Environment
 - Filesystem
From 763dea3cc9c8ddd9225132b4b1d8ae26fbc070d8 Mon Sep 17 00:00:00 2001
From: Brad Wadsworth
Date: Wed, 21 Dec 2022 11:58:15 -0600
Subject: [PATCH 3/5] addgcp client plugin
---
 cmd/provider/main.go | 1 +
 go.mod | 1 +
 go.sum | 49 ++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 51 insertions(+)
diff --git a/cmd/provider/main.go b/cmd/provider/main.go
index f24bdaf37..0ece78e25 100644
--- a/cmd/provider/main.go
+++ b/cmd/provider/main.go
@@ -45,6 +45,7 @@ import (
 "github.com/upbound/provider-gcp/internal/clients"
 "github.com/upbound/provider-gcp/internal/controller"
 "github.com/upbound/provider-gcp/internal/features"
+ _ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
 )
diff --git a/go.mod b/go.mod
index 8d96f4d33..8f1e27a98 100644
--- a/go.mod
+++ b/go.mod
@@ -16,6 +16,7 @@ require (
 )
 require (
+ cloud.google.com/go v0.97.0 // indirect
 github.com/PuerkitoBio/purell v1.1.1 // indirect
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 github.com/agext/levenshtein v1.2.3 // indirect
diff --git a/go.sum b/go.sum
index 2430f9a0c..dbbc7be58 100644
--- a/go.sum
+++ b/go.sum
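Review bot: The blank import `_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"` added to cmd/provider/main.go is not referenced by any other change in this series, and as far as I know that plugin has been deprecated upstream in favour of exec credential plugins (it resolves kubeconfig credentials by invoking gcloud, which a controller running in-cluster on a service account token does not need). It is also what pulls `cloud.google.com/go v0.97.0` and its transitive tree into go.mod/go.sum, so if it is not required it should be dropped; if it is, justify it in place with a comment such as `// Register the gcp kubeconfig auth plugin so out-of-cluster runs against gcloud-backed kubeconfigs can authenticate.` The same line is added again in patch 4 against a newer blob (0ece78e25..cfe416d34), so confirm the final main.go does not carry the import twice.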
@@ -20,6 +20,14 @@ cloud.google.com/go v0.75.0/go.mod h1:VGuuCn7PG0dwsd5XPVm2Mm3wlh3EL55/79EKB6hlPT cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg= cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8= cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0= +cloud.google.com/go v0.83.0/go.mod h1:Z7MJUsANfY0pYPdw0lbnivPx4/vhy/e2FEkSkF7vAVY= +cloud.google.com/go v0.84.0/go.mod h1:RazrYuxIK6Kb7YrzzhPoLmCVzl7Sup4NrbKPg8KHSUM= +cloud.google.com/go v0.87.0/go.mod h1:TpDYlFy7vuLzZMMZ+B6iRiELaY7z/gJPaqbMx6mlWcY= +cloud.google.com/go v0.90.0/go.mod h1:kRX0mNRHe0e2rC6oNakvwQqzyDmg57xJ+SZU1eT2aDQ= +cloud.google.com/go v0.93.3/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI= +cloud.google.com/go v0.94.1/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW4= +cloud.google.com/go v0.97.0 h1:3DXvAyifywvq64LfkKaMOmkWPS1CikIQdMe2lY9vxU8= +cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Udc= cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= 
@@ -270,6 +278,7 @@ github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaS github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM= github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/google/addlicense v0.0.0-20210428195630-6d92264d7170/go.mod h1:EMjYTRimagHs1FwlIqKyX3wAM0u3rA+McvlIIWmSamA= @@ -301,6 +310,7 @@ github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/ github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= +github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= 
@@ -313,12 +323,16 @@ github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLe github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= +github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0= github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= 
@@ -822,6 +836,7 @@ golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= +golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210825183410-e898025ed96a/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= @@ -841,6 +856,9 @@ golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2 h1:+jnHzr9VPj32ykQVai5DNahi9+NSp7yYuCsl5eAQtL0= golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE= 
@@ -917,11 +935,16 @@ golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -1010,6 +1033,8 @@ golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.10-0.20220218145154-897bd77cd717/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E= golang.org/x/tools v0.1.12 h1:VveCTK38A2rkS8ZqFY25HIDFscX5X9OoEhJd3quQmXU= 
@@ -1041,6 +1066,13 @@ google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34q google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU= google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94= +google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59tHXo= +google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtukyy4= +google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw= +google.golang.org/api v0.51.0/go.mod h1:t4HdrdoNgyN5cbEfm7Lum0lcLDLiise1F8qDKX00sOU= +google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6z3k= +google.golang.org/api v0.55.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE= +google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdrMgI= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
@@ -1095,8 +1127,21 @@ google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= +google.golang.org/genproto v0.0.0-20210513213006-bf773b8c8384/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= +google.golang.org/genproto v0.0.0-20210604141403-392c879c8b08/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= +google.golang.org/genproto v0.0.0-20210608205507-b6d2f5bf0d7d/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= +google.golang.org/genproto v0.0.0-20210624195500-8bfb893ecb84/go.mod h1:SzzZ/N+nwJDaO1kznhnlzqS8ocJICar6hYhVyhi++24= +google.golang.org/genproto v0.0.0-20210713002101-d411969a0d9a/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k= +google.golang.org/genproto v0.0.0-20210716133855-ce7ef5c701ea/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k= +google.golang.org/genproto v0.0.0-20210728212813-7823e685a01f/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= +google.golang.org/genproto v0.0.0-20210805201207-89edb61ffb67/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= +google.golang.org/genproto v0.0.0-20210813162853-db860fec028c/go.mod h1:cFeNkxwySK631ADgubI+/XFU/xp8FD5KIVV4rj8UC5w= +google.golang.org/genproto v0.0.0-20210821163610-241b8fcbd6c8/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= +google.golang.org/genproto v0.0.0-20210828152312-66f60bf46e71/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/genproto v0.0.0-20210831024726-fe130286e0e2/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= 
+google.golang.org/genproto v0.0.0-20210903162649-d08c68adba83/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= +google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20220617124728-180714bec0ad h1:kqrS+lhvaMHCxul6sKQvKJ8nAAhlVItmZV822hYFH/U= google.golang.org/genproto v0.0.0-20220617124728-180714bec0ad/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= 
@@ -1121,12 +1166,16 @@ google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAG google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= +google.golang.org/grpc v1.37.1/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= +google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE= +google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE= google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= google.golang.org/grpc v1.41.0/go.mod h1:U3l9uK9J0sini8mHphKoXyaqDA/8VyGnDee1zzIUK6k= google.golang.org/grpc v1.47.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= google.golang.org/grpc v1.48.0 h1:rQOsyJ/8+ufEDJd/Gdsz7HG220Mh9HAhFHRGnIjda0w= google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= +google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= From 010aef2c8ec214a9bf33c66c62a98072d62c0535 Mon Sep 17 00:00:00 2001 From: Brad Wadsworth Date: Wed, 21 Dec 2022 11:58:58 -0600 Subject: [PATCH 4/5] change logic for source type --- cmd/provider/main.go | 1 + internal/clients/gcp.go | 40 +++++++++++----------------------------- 2 files changed, 12 insertions(+), 29 deletions(-) 
diff --git a/cmd/provider/main.go b/cmd/provider/main.go
index 0ece78e25..cfe416d34 100644
--- a/cmd/provider/main.go
+++ b/cmd/provider/main.go
@@ -45,6 +45,7 @@ import (
 "github.com/upbound/provider-gcp/internal/clients"
 "github.com/upbound/provider-gcp/internal/controller"
 "github.com/upbound/provider-gcp/internal/features"
+ _ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
 )
diff --git a/internal/clients/gcp.go b/internal/clients/gcp.go
index 6d5b125dc..6cc2c193f 100644
--- a/internal/clients/gcp.go
+++ b/internal/clients/gcp.go
@@ -33,7 +33,6 @@ const (
 keyProject = "project"
 keyCredentials = "credentials"
- accountKey = "Secret"
 accessToken = "AccessToken"
 accessTokenCredentials = "access_token"
 )
@@ -81,36 +80,19 @@ func TerraformSetupBuilder(version, providerSource, providerVersion string) terr
 case xpv1.CredentialsSourceInjectedIdentity:
 // We don't need to do anything here, as the TF Provider will take care of workloadIdentity etc.
 case accessToken:
- return useAccessToken(ctx, pc, client, ps)
+ data, err := resource.CommonCredentialExtractor(ctx, "Secret", client, pc.Spec.Credentials.CommonCredentialSelectors)
+ if err != nil {
+ return ps, errors.Wrap(err, errExtractCredentials)
+ }
+ ps.Configuration[accessTokenCredentials] = string(data)
 default:
- return useSecret(ctx, pc, client, ps)
+ data, err := resource.CommonCredentialExtractor(ctx, pc.Spec.Credentials.Source, client, pc.Spec.Credentials.CommonCredentialSelectors)
+ if err != nil {
+ return ps, errors.Wrap(err, errExtractCredentials)
+ }
+ ps.Configuration[keyCredentials] = string(data)
 }
- return ps, nil
- }
-}
-
-func useDefault(ctx context.Context, pc *v1beta1.ProviderConfig, client client.Client) ([]byte, error) {
- data, err := resource.CommonCredentialExtractor(ctx, pc.Spec.Credentials.Source, client, pc.Spec.Credentials.CommonCredentialSelectors)
- if err != nil {
- return nil, errors.Wrap(err, errExtractCredentials)
- }
- return data, nil
-}
-func useSecret(ctx context.Context, pc *v1beta1.ProviderConfig, client client.Client, ps terraform.Setup) (terraform.Setup, error) {
- data, err := useDefault(ctx, pc, client)
- if err != nil {
- return ps, err
- }
- ps.Configuration[keyCredentials] = string(data)
- return ps, nil
-}
-
-func useAccessToken(ctx context.Context, pc *v1beta1.ProviderConfig, client client.Client, ps terraform.Setup) (terraform.Setup, error) {
- data, err := useDefault(ctx, pc, client)
- if err != nil {
- return ps, err
+ return ps, nil
 }
- ps.Configuration[accessTokenCredentials] = string(data)
- return ps, nil
 }
From fba7f7a7b32cef20e44674497200ac4d9ff0d1d9 Mon Sep 17 00:00:00 2001
From: Brad Wadsworth
Date: Thu, 5 Jan 2023 15:16:10 -0600
Subject: [PATCH 5/5] updated client
---
 internal/clients/gcp.go | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/internal/clients/gcp.go b/internal/clients/gcp.go
index 6cc2c193f..384709c87 100644
--- a/internal/clients/gcp.go
+++ b/internal/clients/gcp.go
@@ -32,17 +32,18 @@ import (
 const (
 keyProject = "project"
- keyCredentials = "credentials"
- accessToken = "AccessToken"
- accessTokenCredentials = "access_token"
+ keyCredentials = "credentials"
+ credentialsSourceAccessToken = "AccessToken"
+ keyAccessToken = "access_token"
 )
 const (
 // error messages
- errNoProviderConfig = "no providerConfigRef provided"
- errGetProviderConfig = "cannot get referenced ProviderConfig"
- errTrackUsage = "cannot track ProviderConfig usage"
- errExtractCredentials = "cannot extract credentials"
+ errNoProviderConfig = "no providerConfigRef provided"
+ errGetProviderConfig = "cannot get referenced ProviderConfig"
+ errTrackUsage = "cannot track ProviderConfig usage"
+ errExtractKeyCredentials = "cannot extract JSON key credentials"
+ errExtractTokenCredentials = "cannot extract Access Token credentials"
 )
 // TerraformSetupBuilder builds Terraform a terraform.SetupFn function which
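Review bot: `credentialsSourceAccessToken` is an untyped string constant that is compared against `pc.Spec.Credentials.Source` and must also stay equal to the `AccessToken` value added to the kubebuilder enum in apis/v1beta1/types.go; declaring it as `credentialsSourceAccessToken xpv1.CredentialsSource = "AccessToken"` makes that coupling explicit and lets the compiler catch a type mismatch at the switch. Neither new constant carries a comment; I would add `// credentialsSourceAccessToken is a provider-specific CredentialsSource not defined by crossplane-runtime; keep it in sync with the enum on ProviderCredentials.Source.` above the first and `// keyAccessToken is the Terraform google provider's access_token argument, which takes a short-lived OAuth2 access token rather than a key file.` above the second. While this block is being touched, the pre-existing doc comment at the end of the hunk reads "builds Terraform a terraform.SetupFn" and could be fixed to "builds a terraform.SetupFn".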
@@ -79,16 +80,16 @@ func TerraformSetupBuilder(version, providerSource, providerVersion string) terr
 switch pc.Spec.Credentials.Source { //nolint:exhaustive
 case xpv1.CredentialsSourceInjectedIdentity:
 // We don't need to do anything here, as the TF Provider will take care of workloadIdentity etc.
- case accessToken:
- data, err := resource.CommonCredentialExtractor(ctx, "Secret", client, pc.Spec.Credentials.CommonCredentialSelectors)
+ case credentialsSourceAccessToken:
+ data, err := resource.CommonCredentialExtractor(ctx, xpv1.CredentialsSourceSecret, client, pc.Spec.Credentials.CommonCredentialSelectors)
 if err != nil {
- return ps, errors.Wrap(err, errExtractCredentials)
+ return ps, errors.Wrap(err, errExtractTokenCredentials)
 }
- ps.Configuration[accessTokenCredentials] = string(data)
+ ps.Configuration[keyAccessToken] = string(data)
 default:
 data, err := resource.CommonCredentialExtractor(ctx, pc.Spec.Credentials.Source, client, pc.Spec.Credentials.CommonCredentialSelectors)
 if err != nil {
- return ps, errors.Wrap(err, errExtractCredentials)
+ return ps, errors.Wrap(err, errExtractKeyCredentials)
 }
 ps.Configuration[keyCredentials] = string(data)
 }
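Review bot: In the `credentialsSourceAccessToken` case the secret payload is handed to the Terraform provider verbatim as `string(data)`, so a trailing newline from whatever writes the secret (the docs describe a CronJob regenerating the token, and shell-produced output usually ends with one) becomes part of the bearer token, and an empty key yields an empty `access_token` with no error at this layer. I would normalize and fail fast: `token := strings.TrimSpace(string(data)); if token == "" { return ps, errors.New(errExtractTokenCredentials) }; ps.Configuration[keyAccessToken] = token` (the `strings` import and the `errors` package with `New` live outside this hunk). The source is also hard-wired to `xpv1.CredentialsSourceSecret`, so an AccessToken ProviderConfig that sets only `env`/`fs` selectors will presumably fail inside `CommonCredentialExtractor` for lack of a secretRef; a comment on the case line such as `// AccessToken only supports secretRef; the token is read each time this SetupFn runs, so a rotated secret takes effect without a restart.` would save the next reader a trip into crossplane-runtime. `TerraformSetupBuilder` begins before this hunk and its closing lines follow it.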