feat: add support for gcloud cli (#330)

Signed-off-by: Matheus Pimenta <[email protected]>
matheuscscp · Feb 16, 2025 · 9c42a52 · 9c42a52
1 parent ced63ed
commit 9c42a52
Show file tree

Hide file tree

Showing 19 changed files with 492 additions and 218 deletions.
diff --git a/cmd/server.go b/cmd/server.go
@@ -49,6 +49,7 @@ import (
 func newServerCommand() *cobra.Command {
 	var (
 		serverPort                          int
+		projectID                           string
 		workloadIdentityProvider            string
 		nodePoolServiceAccountName          string
 		nodePoolServiceAccountNamespace     string
@@ -98,7 +99,7 @@ func newServerCommand() *cobra.Command {
 					Namespace: nodePoolServiceAccountNamespace,
 				}
 			}
-			googleCredentialsConfig, workloadIdentityPool, err := googlecredentials.NewConfig(googlecredentials.ConfigOptions{
+			googleCredentialsConfig, numericProjectID, workloadIdentityPool, err := googlecredentials.NewConfig(googlecredentials.ConfigOptions{
 				WorkloadIdentityProvider: workloadIdentityProvider,
 			})
 			if err != nil {
@@ -235,6 +236,8 @@ func newServerCommand() *cobra.Command {
 				ServiceAccountTokens:   serviceAccountTokens,
 				MetricsRegistry:        metricsRegistry,
 				NodePoolServiceAccount: nodePoolServiceAccount,
+				ProjectID:              projectID,
+				NumericProjectID:       numericProjectID,
 				WorkloadIdentityPool:   workloadIdentityPool,
 			})
 
@@ -250,6 +253,8 @@ func newServerCommand() *cobra.Command {
 
 	cmd.Flags().IntVar(&serverPort, "server-port", 8080,
 		"Network address where the metadata server must listen on")
+	cmd.Flags().StringVar(&projectID, "project-id", "",
+		"Project ID of the GCP project where the GCP Workload Identity Provider is configured")
 	cmd.Flags().StringVar(&workloadIdentityProvider, "workload-identity-provider", "",
 		"Mandatory fully-qualified resource name of the GCP Workload Identity Provider (projects/<project_number>/locations/global/workloadIdentityPools/<pool_name>/providers/<provider_name>)")
 	cmd.Flags().StringVar(&nodePoolServiceAccountName, "node-pool-service-account-name", "",

diff --git a/e2e_test.go b/e2e_test.go
@@ -43,6 +43,7 @@ type emulator struct {
 
 type pod struct {
 	name               string
+	file               string
 	serviceAccountName string
 	hostNetwork        bool
 	nodePool           nodePool
@@ -129,6 +130,15 @@ func TestEndToEnd(t *testing.T) {
 						namespace: "kube-system",
 					},
 				},
+				{
+					name:               "test-gcloud",
+					file:               "pod-gcloud.yaml",
+					serviceAccountName: "test",
+					nodePool: nodePool{
+						name:      "gke-metadata-server",
+						namespace: "kube-system",
+					},
+				},
 				// for host network pods the service account is retrieved from the emulator config
 				{
 					name:               "test-host-network",
@@ -278,7 +288,11 @@ func applyPods(t *testing.T, pods []pod) {
 
 		// execute pod template
 		var pod string
-		b, err := os.ReadFile("testdata/pod.yaml")
+		file := "pod.yaml"
+		if p.file != "" {
+			file = p.file
+		}
+		b, err := os.ReadFile("testdata/" + file)
 		require.NoError(t, err)
 		serviceAccountName := "default"
 		if sa := p.serviceAccountName; sa != "" {

diff --git a/helm/gke-metadata-server/templates/daemonset.yaml b/helm/gke-metadata-server/templates/daemonset.yaml
@@ -85,6 +85,7 @@ spec:
           privileged: true
         args:
         - server
+        - --project-id={{ .Values.config.projectID }}
         - --workload-identity-provider={{ .Values.config.workloadIdentityProvider }}
         {{- if (.Values.config.nodePool | default dict).enable }}
         - --node-pool-service-account-name={{ .Release.Name }}

diff --git a/helm/gke-metadata-server/values.yaml b/helm/gke-metadata-server/values.yaml
@@ -25,6 +25,8 @@
 # Declare variables to be passed into your templates.
 
 config:
+  # Mandatory GCP project ID.
+  projectID: ""
   # Mandatory fully-qualified name of the GCP Workload Identity Provider.
   # This full name can be retrieved on the Google Cloud Console webpage for the provider.
   # Must match the pattern: projects/<gcp_project_number>/locations/global/workloadIdentityPools/<pool_name>/providers/<provider_name>

diff --git a/internal/googlecredentials/google_credentials.go b/internal/googlecredentials/google_credentials.go
@@ -41,7 +41,7 @@ type (
 	}
 )
 
-var workloadIdentityProviderRegex = regexp.MustCompile(`^projects/\d+/locations/global/workloadIdentityPools/([^/]+)/providers/[^/]+$`)
+var workloadIdentityProviderRegex = regexp.MustCompile(`^projects/(\d+)/locations/global/workloadIdentityPools/([^/]+)/providers/[^/]+$`)
 
 func AccessScopes() []string {
 	return []string{
@@ -50,13 +50,14 @@ func AccessScopes() []string {
 	}
 }
 
-func NewConfig(opts ConfigOptions) (*Config, string, error) {
+func NewConfig(opts ConfigOptions) (*Config, string, string, error) {
 	if !workloadIdentityProviderRegex.MatchString(opts.WorkloadIdentityProvider) {
-		return nil, "", fmt.Errorf("workload identity provider name does not match pattern %s",
+		return nil, "", "", fmt.Errorf("workload identity provider name does not match pattern %s",
 			workloadIdentityProviderRegex.String())
 	}
-	workloadIdentityPool := workloadIdentityProviderRegex.FindStringSubmatch(opts.WorkloadIdentityProvider)[1]
-	return &Config{opts}, workloadIdentityPool, nil
+	numericProjectID := workloadIdentityProviderRegex.FindStringSubmatch(opts.WorkloadIdentityProvider)[1]
+	workloadIdentityPool := workloadIdentityProviderRegex.FindStringSubmatch(opts.WorkloadIdentityProvider)[2]
+	return &Config{opts}, numericProjectID, workloadIdentityPool, nil
 }
 
 func (c *Config) Get(ctx context.Context, credFile string, googleServiceAccountEmail *string) (*google.Credentials, error) {