Commit f1feb1e6 authored by Vincent Bonhomme, committed by Pierre Smeyers

feat(gcp): add Application Default Credentials support to GCP variant for chart deployment

parent ecc0c7a2
+26 −8
@@ -552,24 +552,42 @@ variables:

### Google Cloud variant

This variant allows publishing your helm packages to Google Cloud's [Artifact Registry](https://cloud.google.com/artifact-registry).
This variant allows two different use cases:

1. **publishing your Helm packages** to Google Cloud's [Artifact Registry](https://cloud.google.com/artifact-registry),
2. and **deploying your applications** (as charts) to [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine).

:warning: this template doesn't support Google Cloud's [Container Registry](https://cloud.google.com/container-registry) that is [deprecated](https://cloud.google.com/container-registry/docs/deprecations/container-registry-deprecation) and whose support will be discontinued in May 2024.

List of requirements before using this variant for publishing your container images:
List of requirements before using this variant for publishing your charts:

1. You must have a **Docker** repository in Artifact Registry (cf [Artifact Registry - Work with Helm charts](https://cloud.google.com/artifact-registry/docs/helm)),
2. You must have a Workload Identity Federation Pool,
3. You must have a Service Account with enough permissions to push to your Artifact Registry repository.

List of requirements before using this variant for deploying your charts:

1. You must have a Workload Identity Federation Pool.
2. You must have a Service Account with enough permissions to push to your Artifact Registry repository.
3. You must have a `kubeconfig.yaml` configuration which [enable application default credentials for kubectl](https://cloud.google.com/kubernetes-engine/docs/how-to/api-server-authentication#environments-without-gcloud)
4. You must provide a docker image containing `gke-gcloud-auth-plugin`, `kubectl` and `helm`.

#### Configuration

| Input / Variable                                          | Description                                                                                                                                                                                                          | Default value                                                         |
| ------------------------ | -------------------------------------- | ----------------- |
|-----------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------|
| `TBC_GCP_PROVIDER_IMAGE`                                  | The [GCP Auth Provider](https://gitlab.com/to-be-continuous/tools/gcp-auth-provider) image to use (can be overridden)                                                                                                | `registry.gitlab.com/to-be-continuous/tools/gcp-auth-provider:latest` |
| `gcp-oidc-aud` / `GCP_OIDC_AUD`                           | The `aud` claim for the JWT token                                                                                                                                                                                    | `$CI_SERVER_URL`                                                      |
| `gcp-oidc-provider` / `GCP_OIDC_PROVIDER`                 | Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)                                                          | _none_                                                                |
| `gcp-oidc-account` / `GCP_OIDC_ACCOUNT`                   | Default Service Account to which impersonate with OpenID Connect authentication                                                                                                                                      | _none_                                                                |
| `gcp-review-oidc-provider` / `GCP_REVIEW_OIDC_PROVIDER`   | Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `review` environment _(only define to override default)_      | _none_                                                                |
| `gcp-review-oidc-account` / `GCP_REVIEW_OIDC_ACCOUNT`     | Service Account to which impersonate with OpenID Connect authentication on `review` environment _(only define to override default)_                                                                                  | _none_                                                                |
| `gcp-integ-oidc-provider` / `GCP_INTEG_OIDC_PROVIDER`     | Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `integration` environment _(only define to override default)_ | _none_                                                                |
| `gcp-integ-oidc-account` / `GCP_INTEG_OIDC_ACCOUNT`       | Service Account to which impersonate with OpenID Connect authentication on `integration` environment _(only define to override default)_                                                                             | _none_                                                                |
| `gcp-staging-oidc-provider` / `GCP_STAGING_OIDC_PROVIDER` | Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `staging` environment _(only define to override default)_     | _none_                                                                |
| `gcp-staging-oidc-account` / `GCP_STAGING_OIDC_ACCOUNT`   | Service Account to which impersonate with OpenID Connect authentication on `staging` environment _(only define to override default)_                                                                                 | _none_                                                                |
| `gcp-prod-oidc-provider` / `GCP_PROD_OIDC_PROVIDER`       | Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `production` environment _(only define to override default)_  | _none_                                                                |
| `gcp-prod-oidc-account` / `GCP_PROD_OIDC_ACCOUNT`         | Service Account to which impersonate with OpenID Connect authentication on `production` environment _(only define to override default)_                                                                              | _none_                                                                |

#### Example

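Review bot: item 2 of the new "deploying your charts" requirements list (`You must have a Service Account with enough permissions to push to your Artifact Registry repository.`) is copied from the publishing list and does not describe what a deploy job needs; the Service Account impersonated by `.helm-deploy` needs permissions on the target GKE cluster (and read access to the chart repository if it is private), so the sentence should describe cluster access rather than pushing to Artifact Registry. Minor: item 3 reads `which [enable application default credentials for kubectl]` (should be `enables`) and, unlike the other items, ends without punctuation; the requirement in item 4 for a user-supplied image with `gke-gcloud-auth-plugin`, `kubectl` and `helm` should also mention that the image needs `bash`, since the template's `before_script` uses `[[`.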
+41 −1
@@ -438,7 +438,7 @@
    {
      "id": "gcp",
      "name": "Google Cloud",
      "description": "Retrieves a registry authentication for the Google Cloud's [Artifact Registry](https://cloud.google.com/artifact-registry)",
      "description": "Retrieve credentials for Google Cloud",
      "template_path": "templates/gitlab-ci-helm-gcp.yml",
      "variables": [
        {
@@ -460,6 +460,46 @@
        {
          "name": "GCP_OIDC_PROVIDER",
          "description": "Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)"
        },
        {
          "name": "GCP_REVIEW_OIDC_ACCOUNT",
          "description": "Service Account to which impersonate with OpenID Connect authentication on `review` environment",
          "advanced": true
        },
        {
          "name": "GCP_REVIEW_OIDC_PROVIDER",
          "description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `review` environment",
          "advanced": true
        },
        {
          "name": "GCP_INTEG_OIDC_ACCOUNT",
          "description": "Service Account to which impersonate with OpenID Connect authentication on `integration` environment",
          "advanced": true
        },
        {
          "name": "GCP_INTEG_OIDC_PROVIDER",
          "description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `integration` environment",
          "advanced": true
        },
        {
          "name": "GCP_STAGING_OIDC_ACCOUNT",
          "description": "Service Account to which impersonate with OpenID Connect authentication on `staging` environment",
          "advanced": true
        },
        {
          "name": "GCP_STAGING_OIDC_PROVIDER",
          "description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `staging` environment",
          "advanced": true
        },
        {
          "name": "GCP_PROD_OIDC_ACCOUNT",
          "description": "Service Account to which impersonate with OpenID Connect authentication on `production` environment",
          "advanced": true
        },
        {
          "name": "GCP_PROD_OIDC_PROVIDER",
          "description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `production` environment",
          "advanced": true
        }
      ]
    }
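Review bot: the descriptions of the new per-environment variables (`GCP_REVIEW_OIDC_ACCOUNT` through `GCP_PROD_OIDC_PROVIDER`) do not say that they override `GCP_OIDC_ACCOUNT` / `GCP_OIDC_PROVIDER` for that environment, whereas the README table adds `_(only define to override default)_` to each; adding the same qualifier here keeps the kicker consistent with the documentation and makes clear the variables are optional. Also, `Service Account to which impersonate` should read `Service Account to impersonate` in all eight descriptions.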
+85 −5
@@ -7,12 +7,34 @@ spec:
      description: The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_
      default: $CI_SERVER_URL
    gcp-oidc-account:
      description: Default Service Account to which impersonate with OpenID Connect
        authentication
      description: Default Service Account to which impersonate with OpenID Connect authentication
      default: ''
    gcp-oidc-provider:
      description: Default Workload Identity Provider associated with GitLab to [authenticate
        with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)
      description: Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)
      default: ''
    gcp-review-oidc-account:
      description: Service Account to which impersonate with OpenID Connect authentication on `review` environment
      default: ''
    gcp-review-oidc-provider:
      description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `review` environment
      default: ''
    gcp-integ-oidc-account:
      description: Service Account to which impersonate with OpenID Connect authentication on `integration` environment
      default: ''
    gcp-integ-oidc-provider:
      description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `integration` environment
      default: ''
    gcp-staging-oidc-account:
      description: Service Account to which impersonate with OpenID Connect authentication on `staging` environment
      default: ''
    gcp-staging-oidc-provider:
      description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `staging` environment
      default: ''
    gcp-prod-oidc-account:
      description: Service Account to which impersonate with OpenID Connect authentication on `production` environment
      default: ''
    gcp-prod-oidc-provider:
      description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `production` environment
      default: ''
---
variables:
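Review bot: the context line `description: The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_` links to GitLab's AWS OIDC documentation inside the Google Cloud template; it is not introduced by this commit, but since the surrounding inputs are being reworked it should point at https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/ like every other description in this spec. The new `gcp-<env>-oidc-account` / `gcp-<env>-oidc-provider` inputs would also benefit from stating that they override `gcp-oidc-account` / `gcp-oidc-provider` for that environment, as the README does.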
@@ -20,6 +42,64 @@ variables:
  GCP_OIDC_AUD: $[[ inputs.gcp-oidc-aud ]]
  GCP_OIDC_ACCOUNT: $[[ inputs.gcp-oidc-account ]]
  GCP_OIDC_PROVIDER: $[[ inputs.gcp-oidc-provider ]]
  GCP_REVIEW_OIDC_ACCOUNT: $[[ inputs.gcp-review-oidc-account ]]
  GCP_REVIEW_OIDC_PROVIDER: $[[ inputs.gcp-review-oidc-provider ]]
  GCP_INTEG_OIDC_ACCOUNT: $[[ inputs.gcp-integ-oidc-account ]]
  GCP_INTEG_OIDC_PROVIDER: $[[ inputs.gcp-integ-oidc-provider ]]
  GCP_STAGING_OIDC_ACCOUNT: $[[ inputs.gcp-staging-oidc-account ]]
  GCP_STAGING_OIDC_PROVIDER: $[[ inputs.gcp-staging-oidc-provider ]]
  GCP_PROD_OIDC_ACCOUNT: $[[ inputs.gcp-prod-oidc-account ]]
  GCP_PROD_OIDC_PROVIDER: $[[ inputs.gcp-prod-oidc-provider ]]

.gcp-provider-auth:
  before_script:
    - echo "Installing GCP authentication with env GOOGLE_APPLICATION_CREDENTIALS file"
    - echo $GCP_JWT > "$CI_BUILDS_DIR/.auth_token.jwt"
    - |-
      if [[ "$ENV_TYPE" ]]
      then
        case "$ENV_TYPE" in
        review*)
          env_prefix=REVIEW;;
        integ*)
          env_prefix=INTEG;;
        staging*)
          env_prefix=STAGING;;
        prod*)
          env_prefix=PROD;;
        *)
          ;;
        esac
        env_oidc_provider=$(eval echo "\$GCP_${env_prefix}_OIDC_PROVIDER")
        env_oidc_account=$(eval echo "\$GCP_${env_prefix}_OIDC_ACCOUNT")
      fi
      oidc_provider="${env_oidc_provider:-$GCP_OIDC_PROVIDER}"
      oidc_account="${env_oidc_account:-$GCP_OIDC_ACCOUNT}"
    - |-
      cat << EOF > "$CI_BUILDS_DIR/google_application_credentials.json"
      {
        "type": "external_account",
        "audience": "//iam.googleapis.com/${oidc_provider}",
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "token_url": "https://sts.googleapis.com/v1/token",
        "credential_source": {
          "file": "$CI_BUILDS_DIR/.auth_token.jwt"
        },
        "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${oidc_account}:generateAccessToken"
      }
      EOF
    - export GOOGLE_APPLICATION_CREDENTIALS="$CI_BUILDS_DIR/google_application_credentials.json"

.helm-deploy:
  before_script:
    - !reference [.helm-scripts]
    - !reference [.gcp-provider-auth, before_script]
    - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"
    - add_helm_repositories
    - setup_kubeconfig
  id_tokens:
    GCP_JWT:
      aud: "$GCP_OIDC_AUD"

.helm-publish:
  extends: .helm-base
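Review bot: `.gcp-provider-auth` never verifies that `oidc_provider` and `oidc_account` are non-empty after the fallbacks `oidc_provider="${env_oidc_provider:-$GCP_OIDC_PROVIDER}"` / `oidc_account="${env_oidc_account:-$GCP_OIDC_ACCOUNT}"`; when neither the environment-specific nor the default variable is set, the generated credentials file contains `"audience": "//iam.googleapis.com/"` and an impersonation URL with an empty account, and the failure only surfaces later in `kubectl`/`helm` as an opaque STS error. Add a fail-fast check right after the two assignments, e.g. `[ -n "$oidc_provider" ] && [ -n "$oidc_account" ] || { echo "GCP_OIDC_PROVIDER and GCP_OIDC_ACCOUNT (or their per-environment variants) must be set"; exit 1; }`. Two smaller points: `if [[ "$ENV_TYPE" ]]` is a bashism, and the README hunk asks users to supply their own image with `gke-gcloud-auth-plugin`, `kubectl` and `helm`, which may ship only `sh`, so `if [ -n "$ENV_TYPE" ]` is safer; and `echo $GCP_JWT > "$CI_BUILDS_DIR/.auth_token.jwt"` should quote `"$GCP_JWT"` and create both the token file and `google_application_credentials.json` with restrictive permissions (`umask 077` before writing, or `chmod 600` afterwards), since `$CI_BUILDS_DIR` is also where the project checkout and any subsequently collected files live.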