Commit c2e147b5 authored by Pierre Smeyers's avatar Pierre Smeyers

Merge branch 'feat/extend-implicit-variables' into 'main'

feat: extend implicit variables

See merge request to-be-continuous/tools/gcp-auth-provider!36
parents c5caffa2 2a49c04a
+3 −2
@@ -25,6 +25,7 @@ variables:
  GCP_OIDC_PROVIDER: $GCP_OIDC_PROVIDER
  GCP_OIDC_ACCOUNT: $GCP_OIDC_ACCOUNT
  DOCKER_BUILD_ARGS: "--cache-ttl=6h"
  DOCKER_PROD_PUBLISH_STRATEGY: "auto"

.test-scripts: &test-scripts |
  # BEGSCRIPT
@@ -125,11 +126,11 @@ test-token-succeeds:
    - |
      response_status=$(curl -s -o "resp.txt" -w "%{http_code}" "http://gcp-auth-provider/token")
      assert_eq "200" $response_status
      token=`cat resp.txt`
      token=$(cat resp.txt)

      response_status=$(curl -s -o resp.txt -w "%{http_code}" -H "Authorization: Bearer $token" "https://cloudresourcemanager.googleapis.com/v1/projects/$GCP_PROJECT")
      assert_eq "200" $response_status
      project_id_result=$(cat resp.txt | jq .projectId | tr -d '"')
      project_id_result=$(cat resp.txt | jq -r .projectId)
      assert_eq "$GCP_PROJECT" $project_id_result
  rules:
    - if: $CI_SERVER_HOST != "gitlab.com"
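Review bot: The rewritten assertions still pass the expansions unquoted, `assert_eq "200" $response_status` and `assert_eq "$GCP_PROJECT" $project_id_result`; when curl fails to connect or `jq -r .projectId` yields an empty string, assert_eq receives one argument fewer and the failure is reported as a usage error rather than a mismatch. Quoting them, `assert_eq "200" "$response_status"` and `assert_eq "$GCP_PROJECT" "$project_id_result"`, keeps the comparison meaningful on the empty case. The bearer token is also left on disk in `resp.txt` until the second curl overwrites it; if this job ever collects the working directory as artifacts that file would carry a live token, which is worth a comment on the job. The `test-token-succeeds` job starts outside the hunk.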
+7 −6
@@ -22,7 +22,7 @@ Retrieve authentication token using API.
    ```
2. with **implicit** Service Account and Workload Identity Provider retrieved from to-be-continuous standard variables for an **explicitly** specified environment (_production_ here):
    ```
    GET /token?envType=prod
    GET /token?envType=production
    ```
3. with **implicit** Service Account and Workload Identity Provider retrieved from to-be-continuous standard variables for **implicitly** guessed current environment):
    ```
@@ -43,11 +43,12 @@ Retrieve authentication token using API.
When not explicitly set, `serviceAccount` and `workloadIdentityProvider` values are retrieved from to-be-continuous standard variables for the associated `envType` (`envType` itself may also be guessed, see next chapter):

| `envType`        | `serviceAccount` value                                        | `workloadIdentityProvider` value                                |
| ---------------- | ---------------------- | -------------------------------- |
| ---------------- | ------------------------------------------------------------- | --------------------------------------------------------------- |
| `production`     | `$GCP_PROD_OIDC_ACCOUNT` or `$GCP_OIDC_ACCOUNT` (fallback)    | `$GCP_PROD_OIDC_PROVIDER` or `$GCP_OIDC_PROVIDER` (fallback)    |
| `staging`        | `$GCP_STAGING_OIDC_ACCOUNT` or `$GCP_OIDC_ACCOUNT` (fallback) | `$GCP_STAGING_OIDC_PROVIDER` or `$GCP_OIDC_PROVIDER` (fallback) |
| `integration`    | `$GCP_INTEG_OIDC_ACCOUNT` or `$GCP_OIDC_ACCOUNT` (fallback)   | `$GCP_INTEG_OIDC_PROVIDER` or `$GCP_OIDC_PROVIDER` (fallback)   |
| `review`         | `$GCP_REVIEW_OIDC_ACCOUNT` or `$GCP_OIDC_ACCOUNT` (fallback)  | `$GCP_REVIEW_OIDC_PROVIDER` or `$GCP_OIDC_PROVIDER` (fallback)  |
| `<any>`          | `$GCP_<ANY>_OIDC_ACCOUNT` or `$GCP_OIDC_ACCOUNT` (fallback)   | `$GCP_<ANY>_OIDC_PROVIDER` or `$GCP_OIDC_PROVIDER` (fallback)   |

##### How is guessed `envType`?

+3 −3
import requests, json, os
from fastapi import HTTPException

CI_JOB_JWT_V2 = os.environ.get('CI_JOB_JWT_V2')
JWT_TOKEN = os.environ.get('GCP_JWT') or os.environ.get('CI_JOB_JWT_V2')


def get_iam_credentials(service_account, federated_token):
@@ -26,7 +26,7 @@ def get_iam_credentials(service_account, federated_token):


def get_sts_token(audience):
    if CI_JOB_JWT_V2 is None:
    if not JWT_TOKEN:
        raise HTTPException(
            status_code=401,
            detail='Missing $CI_JOB_JWT_V2 token'
@@ -45,7 +45,7 @@ def get_sts_token(audience):
            "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
            "scope": "https://www.googleapis.com/auth/cloud-platform",
            "subjectTokenType": "urn:ietf:params:oauth:token-type:jwt",
            "subjectToken": CI_JOB_JWT_V2
            "subjectToken": JWT_TOKEN
        })
    )
    if resp.status_code != 200:
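Review bot: The 401 raised in `get_sts_token` still reports `detail='Missing $CI_JOB_JWT_V2 token'`, but after this change the condition is `if not JWT_TOKEN`, which is also satisfied when `GCP_JWT` is unset, so the message no longer names the variable the caller most likely needs to set. Suggest `detail='Missing $GCP_JWT or $CI_JOB_JWT_V2 token'`. A one-line comment on the `JWT_TOKEN` assignment would also help, since the precedence is otherwise implicit: `# GCP_JWT (presumably a job ID token) takes precedence over the legacy CI_JOB_JWT_V2; both are read once at import time`. The body of get_sts_token continues outside the hunk.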
+4 −10
@@ -35,17 +35,11 @@ def guess_env_type() -> str:


def get_var_prefix(env_type: str) -> str:
    if env_type == "review":
        return "REVIEW"
    if env_type == "integ" or env_type == "integration":
    if env_type == "integration":
        return "INTEG"
    if env_type == "staging":
        return "STAGING"
    if env_type == "prod" or env_type == "production":
    if env_type == "production":
        return "PROD"
    raise HTTPException(
        status_code=404, detail=f"Unsupported environment type '{env_type}'"
    )
    return env_type.upper()


def get_oidc_account(var_prefix: str) -> str:
@@ -74,7 +68,7 @@ def token(
    # projects/%s/locations/global/workloadIdentityPools/%s/providers/%s
    if (not workload_identity_provider) or (not service_account):
        # retrieve from TBC standard variables
        if env_type is None:
        if not env_type:
            env_type = guess_env_type()

        var_prefix = get_var_prefix(env_type)
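Review bot: Replacing the 404 in `get_var_prefix` with `return env_type.upper()` removes the only rejection of unknown environment types, so a mistyped `envType` (e.g. a typo of `production`) now yields a prefix that matches no `GCP_<PREFIX>_OIDC_*` variable and, per the README table, silently falls back to the default `$GCP_OIDC_ACCOUNT`/`$GCP_OIDC_PROVIDER` credentials instead of failing — credential selection fails open on bad input. Since `env_type` comes from the `envType` query parameter, at minimum constrain its shape before it is turned into a variable name, e.g. `if not env_type.replace("_", "").isalnum(): raise HTTPException(status_code=400, detail=f"Invalid environment type '{env_type}'")` ahead of the `return`, and consider keeping the explicit `integration`/`production` mappings only as documentation since `.upper()` already covers them. A docstring would also be due, e.g. `"""Map an envType to the GCP_<PREFIX>_OIDC_* variable prefix; unknown types are upper-cased and may fall back to the unprefixed variables."""`. The same fallback behaviour is worth stating in the README table's `<any>` row.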