feat: add oidc support for gcr-auth (#69)

Co-authored-by: Eric Ribeiro <eric.ribeiro@circleci.com>
CircleCI-Public · Jan 19, 2024 · 2d8a235 · 2d8a235
1 parent 661c9a8
commit 2d8a235
Show file tree

Hide file tree

Showing 5 changed files with 227 additions and 8 deletions.
diff --git a/.circleci/test-deploy.yml b/.circleci/test-deploy.yml
@@ -15,7 +15,7 @@ release-filters: &release-filters
     only: /^v[0-9]+\.[0-9]+\.[0-9]+$/
 
 jobs:
-  integration-test:
+  integration-test-without-oidc:
     executor: gcp-gcr/default
     steps:
       # test orb commands
@@ -36,14 +36,37 @@ jobs:
           image: sample-image
           source-tag: ${CIRCLE_SHA1:0:7}.$CIRCLE_BUILD_NUMBER
           target-tag: tagged.$CIRCLE_BUILD_NUMBER
+  integration-test-with-oidc:
+    executor: gcp-gcr/default
+    steps:
+      # test orb commands
+      - checkout
+      - gcp-gcr/gcr-auth:
+          use_oidc: true
+      - gcp-gcr/build-image:
+          registry-url: us.gcr.io
+          image: sample-image
+          tag: ${CIRCLE_SHA1:0:7}.$CIRCLE_BUILD_NUMBER.oidc
+          path: ~/project/sample/
+          docker-context: ~/project/sample/
+      - gcp-gcr/push-image:
+          registry-url: us.gcr.io
+          image: sample-image
+          tag: ${CIRCLE_SHA1:0:7}.$CIRCLE_BUILD_NUMBER.oidc
+      - gcp-gcr/tag-image:
+          registry-url: us.gcr.io
+          image: sample-image
+          source-tag: ${CIRCLE_SHA1:0:7}.$CIRCLE_BUILD_NUMBER.oidc
+          target-tag: tagged.$CIRCLE_BUILD_NUMBER.oidc
+
 workflows:
   test-deploy:
     jobs:
-      - integration-test:
+      - integration-test-without-oidc:
           context: cpe-gcp
           filters: *filters
       - gcp-gcr/build-and-push-image:
-          name: build-and-push
+          name: build-and-push-without-oidc
           registry-url: us.gcr.io
           image: sample-image
           tag: ${CIRCLE_SHA1:0:7}.$CIRCLE_BUILD_NUMBER
@@ -53,7 +76,7 @@ workflows:
           context: cpe-gcp
           filters: *filters
           requires:
-            - integration-test
+            - integration-test-without-oidc
           post-steps:
             - run:
                 command: |
@@ -69,7 +92,27 @@ workflows:
           context: cpe-gcp
           filters: *filters
           requires:
-            - integration-test
+            - integration-test-without-oidc
+          post-steps:
+            - run:
+                command: |
+                  echo "Digest is: $(</tmp/digest.txt)"
+      - integration-test-with-oidc:
+          context: cpe-gcp
+          filters: *filters
+      - gcp-gcr/build-and-push-image:
+          name: build-and-push-with-oidc
+          registry-url: us.gcr.io
+          image: sample-image
+          tag: ${CIRCLE_SHA1:0:7}.$CIRCLE_BUILD_NUMBER.oidc
+          digest-path: /tmp/digest.txt
+          path: ~/project/sample/
+          docker-context: ~/project/sample/
+          use_oidc: true
+          context: cpe-gcp
+          filters: *filters
+          requires:
+            - integration-test-with-oidc
           post-steps:
             - run:
                 command: |
@@ -84,8 +127,10 @@ workflows:
           github_token: GHI_TOKEN
           requires:
             - orb-tools/pack
-            - integration-test
-            - build-and-push
+            - integration-test-without-oidc
+            - build-and-push-without-oidc
             - build-and-push-with-env-var
+            - integration-test-with-oidc
+            - build-and-push-with-oidc
           context: orb-publisher
           filters: *release-filters
diff --git a/src/@orb.yml b/src/@orb.yml
@@ -9,4 +9,4 @@ display:
 
 orbs:
   docker: circleci/docker@1.5
-  gcp-cli: circleci/gcp-cli@3.0
+  gcp-cli: circleci/gcp-cli@3.1
diff --git a/src/commands/gcr-auth.yml b/src/commands/gcr-auth.yml
@@ -33,12 +33,72 @@ parameters:
     type: string
     default: gcr.io
 
+  version:
+    default: latest
+    description: >
+      The version of the gcloud CLI to install. If left to "latest", the latest
+      version will be installed. Otherwise, provide the full version number as
+      it appears in the URL on this page:
+      https://cloud.google.com/sdk/docs/downloads-versioned-archives
+    type: string
+
+  components:
+    type: string
+    default: ""
+    description: >
+      The list of gcloud components to install. Space separated.
+      See https://cloud.google.com/sdk/docs/components for additional
+
+  # OIDC parameters
+
+  use_oidc:
+    type: boolean
+    default: false
+    description: Set to true to enable OIDC
+
+  google_project_number:
+    type: env_var_name
+    default: GOOGLE_PROJECT_NUMBER
+    description: |
+      Name of environment variable storing the Google project number
+      used to configure OIDC.
+
+  workload_identity_pool_id:
+    type: env_var_name
+    default: OIDC_WIP_ID
+    description: |
+      Environment variable containing OIDC configured workload identity pool is stored.
+
+  workload_identity_pool_provider_id:
+    type: env_var_name
+    default: OIDC_WIP_PROVIDER_ID
+    description: |
+      Environment variable containing OIDC configured workload identity pool provider ID is stored.
+
+  service_account_email:
+    type: env_var_name
+    default: OIDC_SERVICE_ACCOUNT_EMAIL
+    description: Environment variable containing OIDC service account email.
+
+  gcp_cred_config_file_path:
+    type: string
+    default: ~/gcp_cred_config.json
+    description: Output location of OIDC credentials.
+
 steps:
   - gcp-cli/setup:
+      version: << parameters.version >>
+      components: << parameters.components >>
       google_project_id: <<parameters.google-project-id>>
       google_compute_zone: <<parameters.google-compute-zone>>
       google_compute_region: <<parameters.google-compute-region>>
       gcloud_service_key: <<parameters.gcloud-service-key>>
+      use_oidc: << parameters.use_oidc >>
+      google_project_number: << parameters.google_project_number >>
+      workload_identity_pool_id: << parameters.workload_identity_pool_id >>
+      workload_identity_pool_provider_id: << parameters.workload_identity_pool_provider_id >>
+      service_account_email: << parameters.service_account_email >>
+      gcp_cred_config_file_path: << parameters.gcp_cred_config_file_path >>
 
   - run:
       name: gcloud auth configure-docker

diff --git a/src/jobs/add-image-tag.yml b/src/jobs/add-image-tag.yml
@@ -46,13 +46,70 @@ parameters:
     type: string
     description: A new Docker image tag
 
+  gcloud_version:
+    type: string
+    default: latest
+    description: |
+      Version of gcloud CLI to install.
+
+  gcloud_components:
+      type: string
+      default: ""
+      description: >
+        The list of gcloud components to install. Space separated.
+        See https://cloud.google.com/sdk/docs/components for additional info.
+
+  # OIDC parameters
+
+  use_oidc:
+    type: boolean
+    default: false
+    description: Set to true to enable OIDC
+
+  google_project_number:
+    type: env_var_name
+    default: GOOGLE_PROJECT_NUMBER
+    description: |
+      Name of environment variable storing the Google project number
+      used to configure OIDC.
+
+  workload_identity_pool_id:
+    type: env_var_name
+    default: OIDC_WIP_ID
+    description: |
+      Environment variable containing OIDC configured workload identity pool is stored.
+
+  workload_identity_pool_provider_id:
+    type: env_var_name
+    default: OIDC_WIP_PROVIDER_ID
+    description: |
+      Environment variable containing OIDC configured workload identity pool provider ID is stored.
+
+  service_account_email:
+    type: env_var_name
+    default: OIDC_SERVICE_ACCOUNT_EMAIL
+    description: Environment variable containing OIDC service account email.
+
+  gcp_cred_config_file_path:
+    type: string
+    default: ~/gcp_cred_config.json
+    description: Output location of OIDC credentials.
+
 steps:
 
   - gcr-auth:
       google-project-id: <<parameters.google-project-id>>
       google-compute-zone: <<parameters.google-compute-zone>>
       google-compute-region: <<parameters.google-compute-region>>
       gcloud-service-key: <<parameters.gcloud-service-key>>
+      version: <<parameters.gcloud_version>>
+      components: <<parameters.gcloud_components>>
+      use_oidc: << parameters.use_oidc >>
+      google_project_number: << parameters.google_project_number >>
+      workload_identity_pool_id: << parameters.workload_identity_pool_id >>
+      workload_identity_pool_provider_id: << parameters.workload_identity_pool_provider_id >>
+      service_account_email: << parameters.service_account_email >>
+      gcp_cred_config_file_path: << parameters.gcp_cred_config_file_path >>
 
   - tag-image:
       registry-url: <<parameters.registry-url>>

diff --git a/src/jobs/build-and-push-image.yml b/src/jobs/build-and-push-image.yml
@@ -112,6 +112,55 @@ parameters:
       Pass through a default timeout if your Docker build does not output
       anything for more than 10 minutes.
 
+  gcloud_version:
+    type: string
+    default: latest
+    description: |
+      Version of gcloud CLI to install.
+
+  gcloud_components:
+      type: string
+      default: ""
+      description: >
+        The list of gcloud components to install. Space separated.
+        See https://cloud.google.com/sdk/docs/components for additional info.
+
+  # OIDC parameters
+
+  use_oidc:
+    type: boolean
+    default: false
+    description: Set to true to enable OIDC
+
+  google_project_number:
+    type: env_var_name
+    default: GOOGLE_PROJECT_NUMBER
+    description: |
+      Name of environment variable storing the Google project number
+      used to configure OIDC.
+
+  workload_identity_pool_id:
+    type: env_var_name
+    default: OIDC_WIP_ID
+    description: |
+      Environment variable containing OIDC configured workload identity pool is stored.
+
+  workload_identity_pool_provider_id:
+    type: env_var_name
+    default: OIDC_WIP_PROVIDER_ID
+    description: |
+      Environment variable containing OIDC configured workload identity pool provider ID is stored.
+
+  service_account_email:
+    type: env_var_name
+    default: OIDC_SERVICE_ACCOUNT_EMAIL
+    description: Environment variable containing OIDC service account email.
+
+  gcp_cred_config_file_path:
+    type: string
+    default: ~/gcp_cred_config.json
+    description: Output location of OIDC credentials.
+
 steps:
   - checkout
 
@@ -128,6 +177,14 @@ steps:
       google-compute-region: <<parameters.google-compute-region>>
       gcloud-service-key: <<parameters.gcloud-service-key>>
       registry-url: <<parameters.registry-url>>
+      version: <<parameters.gcloud_version>>
+      components: <<parameters.gcloud_components>>
+      use_oidc: << parameters.use_oidc >>
+      google_project_number: << parameters.google_project_number >>
+      workload_identity_pool_id: << parameters.workload_identity_pool_id >>
+      workload_identity_pool_provider_id: << parameters.workload_identity_pool_provider_id >>
+      service_account_email: << parameters.service_account_email >>
+      gcp_cred_config_file_path: << parameters.gcp_cred_config_file_path >>
 
   - build-image:
       registry-url: <<parameters.registry-url>>