OCP cloud identity on GCP

Signed-off-by: Meghna Singh <ms73385@netapp.com>

Author: singhmeghna79

storage_drivers/gcp/api/gcnv.go

@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"reflect"
 	"regexp"
+	"strings"
 	"time"
 
 	compute "cloud.google.com/go/compute/apiv1"
@@ -54,6 +55,9 @@ type ClientConfig struct {
 	// GCP project number
 	ProjectNumber string
 
+	// GCP Workload Identity Pool credential configuration for GCNV API authentication
+	WIPCredentialConfig *drivers.GCPWIPCredential
+
 	// GCP CVS API authentication parameters
 	APIKey *drivers.GCPPrivateKey
 
@@ -88,7 +92,23 @@ type Client struct {
 func NewDriver(ctx context.Context, config *ClientConfig) (GCNV, error) {
 	var credentials *google.Credentials
 	var err error
-	if reflect.ValueOf(*config.APIKey).IsZero() {
+	if config.WIPCredentialConfig != nil {
+		Logc(ctx).Debug("Using GCP Workload Identity pool credentials from backend config")
+
+		if err := validateWIPCredentialConfig(config.WIPCredentialConfig); err != nil {
+			return nil, fmt.Errorf("invalid WIP credential configuration: %v", err)
+		}
+
+		credBytes, jsonErr := json.Marshal(config.WIPCredentialConfig)
+		if jsonErr != nil {
+			return nil, fmt.Errorf("failed to marshal WIP credential config: %v", jsonErr)
+		}
+
+		credentials, err = google.CredentialsFromJSON(ctx, credBytes, netapp.DefaultAuthScopes()...)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create credentials from WIP credential config: %v", err)
+		}
+	} else if reflect.ValueOf(*config.APIKey).IsZero() {
 		credentials, err = google.FindDefaultCredentials(ctx)
 		if err != nil {
 			return nil, err
@@ -133,6 +153,37 @@ func NewDriver(ctx context.Context, config *ClientConfig) (GCNV, error) {
 	}, nil
 }
 
+func validateWIPCredentialConfig(config *drivers.GCPWIPCredential) error {
+	var missingFields []string
+
+	if config.Type == "" {
+		missingFields = append(missingFields, "type")
+	}
+	if config.Audience == "" {
+		missingFields = append(missingFields, "audience")
+	}
+	if config.SubjectTokenType == "" {
+		missingFields = append(missingFields, "subject_token_type")
+	}
+	if config.TokenURL == "" {
+		missingFields = append(missingFields, "token_url")
+	}
+	if config.ServiceAccountImpersonationURL == "" {
+		missingFields = append(missingFields, "service_account_impersonation_url")
+	}
+	if config.CredentialSource == nil {
+		missingFields = append(missingFields, "credential_source")
+	} else if config.CredentialSource.File == "" {
+		missingFields = append(missingFields, "credential_source.file")
+	}
+
+	if len(missingFields) > 0 {
+		return fmt.Errorf("missing required WIP credential fields: %s", strings.Join(missingFields, ", "))
+	}
+
+	return nil
+}
+
 // Init runs startup logic after allocating the driver resources.
 func (c Client) Init(ctx context.Context, pools map[string]storage.Pool) error {
 	// Map vpools to backend

storage_drivers/gcp/api/gcnv_test.go

@@ -847,3 +847,199 @@ func TestTerminalState(t *testing.T) {
 
 	assert.Equal(t, expected, actual, " Terminal state error is not equal")
 }
+
+func TestValidateWIPCredentialConfig(t *testing.T) {
+	tests := []struct {
+		name        string
+		config      *drivers.GCPWIPCredential
+		expectError bool
+		errorMsg    string
+	}{
+		{
+			name: "Valid_AllFieldsPresent",
+			config: &drivers.GCPWIPCredential{
+				Type:                           "external_account",
+				Audience:                       "//iam.googleapis.com/projects/123/locations/global/workloadIdentityPools/pool/providers/provider",
+				SubjectTokenType:               "urn:ietf:params:oauth:token-type:jwt",
+				TokenURL:                       "https://sts.googleapis.com/v1/token",
+				ServiceAccountImpersonationURL: "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/sa@project.iam.gserviceaccount.com:generateAccessToken",
+				CredentialSource: &drivers.GCPWIPCredentialSource{
+					File: "/var/run/secrets/kubernetes.io/serviceaccount/token",
+				},
+			},
+			expectError: false,
+		},
+		{
+			name: "Valid_WithOptionalFields",
+			config: &drivers.GCPWIPCredential{
+				UniverseDomain:                 "googleapis.com",
+				Type:                           "external_account",
+				Audience:                       "//iam.googleapis.com/projects/123/locations/global/workloadIdentityPools/pool/providers/provider",
+				SubjectTokenType:               "urn:ietf:params:oauth:token-type:jwt",
+				TokenURL:                       "https://sts.googleapis.com/v1/token",
+				ServiceAccountImpersonationURL: "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/sa@project.iam.gserviceaccount.com:generateAccessToken",
+				CredentialSource: &drivers.GCPWIPCredentialSource{
+					File: "/var/run/secrets/kubernetes.io/serviceaccount/token",
+				},
+				QuotaProjectID: "quota-project",
+			},
+			expectError: false,
+		},
+		{
+			name: "Error_MissingType",
+			config: &drivers.GCPWIPCredential{
+				Type:                           "",
+				Audience:                       "//iam.googleapis.com/projects/123/locations/global/workloadIdentityPools/pool/providers/provider",
+				SubjectTokenType:               "urn:ietf:params:oauth:token-type:jwt",
+				ServiceAccountImpersonationURL: "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/sa@project.iam.gserviceaccount.com:generateAccessToken",
+				TokenURL:                       "https://sts.googleapis.com/v1/token",
+				CredentialSource: &drivers.GCPWIPCredentialSource{
+					File: "/var/run/secrets/kubernetes.io/serviceaccount/token",
+				},
+			},
+			expectError: true,
+			errorMsg:    "type",
+		},
+		{
+			name: "Error_MissingAudience",
+			config: &drivers.GCPWIPCredential{
+				Type:                           "external_account",
+				Audience:                       "",
+				SubjectTokenType:               "urn:ietf:params:oauth:token-type:jwt",
+				TokenURL:                       "https://sts.googleapis.com/v1/token",
+				ServiceAccountImpersonationURL: "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/sa@project.iam.gserviceaccount.com:generateAccessToken",
+				CredentialSource: &drivers.GCPWIPCredentialSource{
+					File: "/var/run/secrets/kubernetes.io/serviceaccount/token",
+				},
+			},
+			expectError: true,
+			errorMsg:    "audience",
+		},
+		{
+			name: "Error_MissingSubjectTokenType",
+			config: &drivers.GCPWIPCredential{
+				Type:                           "external_account",
+				Audience:                       "//iam.googleapis.com/projects/123/locations/global/workloadIdentityPools/pool/providers/provider",
+				SubjectTokenType:               "",
+				TokenURL:                       "https://sts.googleapis.com/v1/token",
+				ServiceAccountImpersonationURL: "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/sa@project.iam.gserviceaccount.com:generateAccessToken",
+				CredentialSource: &drivers.GCPWIPCredentialSource{
+					File: "/var/run/secrets/kubernetes.io/serviceaccount/token",
+				},
+			},
+			expectError: true,
+			errorMsg:    "subject_token_type",
+		},
+		{
+			name: "Error_MissingTokenURL",
+			config: &drivers.GCPWIPCredential{
+				Type:                           "external_account",
+				Audience:                       "//iam.googleapis.com/projects/123/locations/global/workloadIdentityPools/pool/providers/provider",
+				SubjectTokenType:               "urn:ietf:params:oauth:token-type:jwt",
+				TokenURL:                       "",
+				ServiceAccountImpersonationURL: "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/sa@project.iam.gserviceaccount.com:generateAccessToken",
+				CredentialSource: &drivers.GCPWIPCredentialSource{
+					File: "/var/run/secrets/kubernetes.io/serviceaccount/token",
+				},
+			},
+			expectError: true,
+			errorMsg:    "token_url",
+		},
+		{
+			name: "Error_NilCredentialSource",
+			config: &drivers.GCPWIPCredential{
+				Type:                           "external_account",
+				Audience:                       "//iam.googleapis.com/projects/123/locations/global/workloadIdentityPools/pool/providers/provider",
+				SubjectTokenType:               "urn:ietf:params:oauth:token-type:jwt",
+				TokenURL:                       "https://sts.googleapis.com/v1/token",
+				ServiceAccountImpersonationURL: "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/sa@project.iam.gserviceaccount.com:generateAccessToken",
+				CredentialSource:               nil,
+			},
+			expectError: true,
+			errorMsg:    "credential_source",
+		},
+		{
+			name: "Error_MissingCredentialSourceFile",
+			config: &drivers.GCPWIPCredential{
+				Type:                           "external_account",
+				Audience:                       "//iam.googleapis.com/projects/123/locations/global/workloadIdentityPools/pool/providers/provider",
+				SubjectTokenType:               "urn:ietf:params:oauth:token-type:jwt",
+				TokenURL:                       "https://sts.googleapis.com/v1/token",
+				ServiceAccountImpersonationURL: "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/sa@project.iam.gserviceaccount.com:generateAccessToken",
+				CredentialSource: &drivers.GCPWIPCredentialSource{
+					File: "",
+				},
+			},
+			expectError: true,
+			errorMsg:    "credential_source.file",
+		},
+		{
+			name: "Error_MultipleFieldsMissing",
+			config: &drivers.GCPWIPCredential{
+				Type:                           "",
+				Audience:                       "",
+				SubjectTokenType:               "urn:ietf:params:oauth:token-type:jwt",
+				TokenURL:                       "",
+				CredentialSource:               nil,
+				ServiceAccountImpersonationURL: "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/sa@project.iam.gserviceaccount.com:generateAccessToken",
+			},
+			expectError: true,
+			errorMsg:    "type, audience, token_url, credential_source",
+		},
+		{
+			name: "Error_AllFieldsMissing",
+			config: &drivers.GCPWIPCredential{
+				Type:             "",
+				Audience:         "",
+				SubjectTokenType: "",
+				TokenURL:         "",
+				CredentialSource: nil,
+			},
+			expectError: true,
+			errorMsg:    "type, audience, subject_token_type, token_url, service_account_impersonation_url, credential_source",
+		},
+		{
+			name: "Error_OnlyCredentialSourceFileMissing",
+			config: &drivers.GCPWIPCredential{
+				Type:             "external_account",
+				Audience:         "//iam.googleapis.com/projects/123/locations/global/workloadIdentityPools/pool/providers/provider",
+				SubjectTokenType: "urn:ietf:params:oauth:token-type:jwt",
+				TokenURL:         "https://sts.googleapis.com/v1/token",
+				CredentialSource: &drivers.GCPWIPCredentialSource{
+					File: "",
+				},
+			},
+			expectError: true,
+		},
+		{
+			name: "Error_MissingServiceAccountImpersonationURL",
+			config: &drivers.GCPWIPCredential{
+				UniverseDomain:   "googleapis.com",
+				Type:             "external_account",
+				Audience:         "//iam.googleapis.com/projects/123/locations/global/workloadIdentityPools/pool/providers/provider",
+				SubjectTokenType: "urn:ietf:params:oauth:token-type:jwt",
+				TokenURL:         "https://sts.googleapis.com/v1/token",
+				CredentialSource: &drivers.GCPWIPCredentialSource{
+					File: "/var/run/secrets/kubernetes.io/serviceaccount/token",
+				},
+				QuotaProjectID: "quota-project",
+			},
+			expectError: true,
+			errorMsg:    "service_account_impersonation_url",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := validateWIPCredentialConfig(tt.config)
+
+			if tt.expectError {
+				assert.Error(t, err, "Expected an error but got none")
+				assert.Contains(t, err.Error(), "missing required WIP credential fields")
+				assert.Contains(t, err.Error(), tt.errorMsg, "Error message should contain expected missing field(s)")
+			} else {
+				assert.NoError(t, err, "Expected no error but got: %v", err)
+			}
+		})
+	}
+}

storage_drivers/gcp/gcp_gcnv.go

@@ -557,13 +557,14 @@ func (d *NASStorageDriver) initializeGCNVAPIClient(
 	}
 
 	gcnv, err := api.NewDriver(ctx, &api.ClientConfig{
-		ProjectNumber:   config.ProjectNumber,
-		Location:        config.Location,
-		APIKey:          &config.APIKey,
-		APIEndpoint:     config.APIEndpoint,
-		DebugTraceFlags: config.DebugTraceFlags,
-		SDKTimeout:      sdkTimeout,
-		MaxCacheAge:     maxCacheAge,
+		ProjectNumber:       config.ProjectNumber,
+		Location:            config.Location,
+		APIKey:              &config.APIKey,
+		APIEndpoint:         config.APIEndpoint,
+		WIPCredentialConfig: config.WIPCredentialConfig,
+		DebugTraceFlags:     config.DebugTraceFlags,
+		SDKTimeout:          sdkTimeout,
+		MaxCacheAge:         maxCacheAge,
 	})
 	if err != nil {
 		return nil, err

storage_drivers/types.go

@@ -632,18 +632,35 @@ type GCPPrivateKey struct {
 	ClientX509CertURL       string `json:"client_x509_cert_url"`
 }
 
+type GCPWIPCredentialSource struct {
+	File string `json:"file"`
+}
+
+type GCPWIPCredential struct {
+	UniverseDomain                 string                  `json:"universe_domain,omitempty"`
+	Type                           string                  `json:"type"`
+	Audience                       string                  `json:"audience"`
+	SubjectTokenType               string                  `json:"subject_token_type"`
+	TokenURL                       string                  `json:"token_url"`
+	ServiceAccountImpersonationURL string                  `json:"service_account_impersonation_url,omitempty"`
+	CredentialSource               *GCPWIPCredentialSource `json:"credential_source"`
+	QuotaProjectID                 string                  `json:"quota_project_id,omitempty"`
+}
+
 type GCNVNASStorageDriverConfig struct {
 	*CommonStorageDriverConfig
 	ProjectNumber string        `json:"projectNumber"`
 	Location      string        `json:"location"`
 	APIKey        GCPPrivateKey `json:"apiKey"`
 	// APIEndpoint is a developer-only field for internal testing against autopush/staging GCNV environments.
-	APIEndpoint         string `json:"apiEndpoint,omitempty"`
-	NFSMountOptions     string `json:"nfsMountOptions"`
-	VolumeCreateTimeout string `json:"volumeCreateTimeout"`
-	SDKTimeout          string `json:"sdkTimeout"`
-	MaxCacheAge         string `json:"maxCacheAge"`
-	NASType             string `json:"nasType"`
+	APIEndpoint string `json:"apiEndpoint,omitempty"`
+	// workload identity pool credential configuration for GCNV API authentication
+	WIPCredentialConfig *GCPWIPCredential `json:"wipCredentialConfig,omitempty"`
+	NFSMountOptions     string            `json:"nfsMountOptions"`
+	VolumeCreateTimeout string            `json:"volumeCreateTimeout"`
+	SDKTimeout          string            `json:"sdkTimeout"`
+	MaxCacheAge         string            `json:"maxCacheAge"`
+	NASType             string            `json:"nasType"`
 	GCNVNASStorageDriverPool
 	Storage []GCNVNASStorageDriverPool `json:"storage"`
 }