Merge pull request #932 from fluxcd/gcp-wif-int-test

[RFC-0010] Add integration test for GCP workload identity federation

Author: matheuscscp

auth/gcp/options.go

@@ -54,5 +54,5 @@ func getWorkloadIdentityProviderAudience(serviceAccount corev1.ServiceAccount) (
 		return "", fmt.Errorf("invalid %s annotation: '%s'. must match %s",
 			key, wip, workloadIdentityProviderPattern)
 	}
-	return fmt.Sprintf("https://iam.googleapis.com/%s", wip), nil
+	return fmt.Sprintf("//iam.googleapis.com/%s", wip), nil
 }

auth/gcp/provider_test.go

@@ -97,7 +97,7 @@ func TestProvider_NewTokenForServiceAccount(t *testing.T) {
 		{
 			name: "direct access - federation",
 			conf: externalaccount.Config{
-				Audience:         "https://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/test-pool/providers/test-provider",
+				Audience:         "//iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/test-pool/providers/test-provider",
 				SubjectTokenType: "urn:ietf:params:oauth:token-type:jwt",
 				TokenURL:         "https://sts.googleapis.com/v1/token",
 				TokenInfoURL:     "https://sts.googleapis.com/v1/introspect",
@@ -115,7 +115,7 @@ func TestProvider_NewTokenForServiceAccount(t *testing.T) {
 		{
 			name: "impersonation - federation",
 			conf: externalaccount.Config{
-				Audience:                       "https://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/test-pool/providers/test-provider",
+				Audience:                       "//iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/test-pool/providers/test-provider",
 				SubjectTokenType:               "urn:ietf:params:oauth:token-type:jwt",
 				TokenURL:                       "https://sts.googleapis.com/v1/token",
 				ServiceAccountImpersonationURL: "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/test-sa@project-id.iam.gserviceaccount.com:generateAccessToken",
@@ -197,7 +197,7 @@ func TestProvider_GetAudience(t *testing.T) {
 			annotations: map[string]string{
 				"gcp.auth.fluxcd.io/workload-identity-provider": "projects/1234567890/locations/global/workloadIdentityPools/test-pool/providers/test-provider",
 			},
-			expected: "https://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/test-pool/providers/test-provider",
+			expected: "//iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/test-pool/providers/test-provider",
 		},
 		{
 			name:     "gke",

oci/tests/integration/gcp_test.go

@@ -32,6 +32,10 @@ const (
 	// gcpIAMAnnotation is the key for the annotation on the kubernetes serviceaccount
 	// with the email address of the IAM service account on GCP.
 	gcpIAMAnnotation = "iam.gke.io/gcp-service-account"
+
+	// gcpWorkloadIdentityProviderAnnotation is the key for the annotation on the kubernetes serviceaccount
+	// with the name of the workload identity provider on GCP.
+	gcpWorkloadIdentityProviderAnnotation = "gcp.auth.fluxcd.io/workload-identity-provider"
 )
 
 // createKubeconfigGKE constructs kubeconfig from the terraform state output at
@@ -85,6 +89,18 @@ func getWISAAnnotationsGCP(output map[string]*tfjson.StateOutput) (map[string]st
 	}, nil
 }
 
+// getWIFederationSAAnnotationsGCP returns workload identity federation annotations for a kubernetes ServiceAccount
+func getWIFederationSAAnnotationsGCP(output map[string]*tfjson.StateOutput) (map[string]string, error) {
+	workloadIdentityProvider := output["workload_identity_provider"].Value.(string)
+	if workloadIdentityProvider == "" {
+		return nil, fmt.Errorf("no GCP workload identity provider in terraform output")
+	}
+
+	return map[string]string{
+		gcpWorkloadIdentityProviderAnnotation: workloadIdentityProvider,
+	}, nil
+}
+
 // When implemented, getGitTestConfigGCP would return the git-specific test config for GCP
 func getGitTestConfigGCP(outputs map[string]*tfjson.StateOutput) (*gitTestConfig, error) {
 	return nil, fmt.Errorf("NotImplemented for GCP")

oci/tests/integration/go.mod

@@ -10,7 +10,7 @@ replace (
 )
 
 require (
-	github.com/fluxcd/pkg/auth v0.14.0
+	github.com/fluxcd/pkg/auth v0.16.0
 	github.com/fluxcd/pkg/git v0.31.0
 	github.com/fluxcd/pkg/git/gogit v0.33.0
 	github.com/fluxcd/test-infra/tftestenv v0.0.0-20240903092121-c783b14801d1

oci/tests/integration/job_test.go

@@ -34,6 +34,8 @@ const (
 	objectLevelWIModeDisabled objectLevelWIMode = iota
 	objectLevelWIModeDirectAccess
 	objectLevelWIModeImpersonation
+	objectLevelWIModeDirectAccessFederation
+	objectLevelWIModeImpersonationFederation
 )
 
 type objectLevelWIMode int
@@ -78,6 +80,10 @@ func testjobExecutionWithArgs(t *testing.T, args []string, opts ...jobOption) {
 				args = append(args, "-wisa-name="+wiServiceAccount)
 			case objectLevelWIModeDirectAccess:
 				args = append(args, "-wisa-name="+wiServiceAccountDirectAccess)
+			case objectLevelWIModeImpersonationFederation:
+				args = append(args, "-wisa-name="+wiServiceAccountFederation)
+			case objectLevelWIModeDirectAccessFederation:
+				args = append(args, "-wisa-name="+wiServiceAccountFederationDirectAccess)
 			}
 		}
 		job.Spec.Template.Spec.ServiceAccountName = saName

oci/tests/integration/oci_test.go

@@ -81,6 +81,46 @@ func TestOciImageRepositoryListTagsUsingObjectLevelWorkloadIdentityWithDirectAcc
 	}
 }
 
+func TestOciImageRepositoryListTagsUsingObjectLevelWorkloadIdentityFederation(t *testing.T) {
+	if !testWIFederation {
+		t.Skip("Skipping workload identity federation test, not supported for provider")
+	}
+
+	if len(testRepos) == 0 {
+		t.Fatalf("expected testRepos to be set")
+	}
+
+	for name, repo := range testRepos {
+		t.Run(name, func(t *testing.T) {
+			args := []string{
+				"-category=oci",
+				fmt.Sprintf("-repo=%s", repo),
+			}
+			testjobExecutionWithArgs(t, args, withObjectLevelWI(objectLevelWIModeImpersonationFederation))
+		})
+	}
+}
+
+func TestOciImageRepositoryListTagsUsingObjectLevelWorkloadIdentityFederationWithDirectAccess(t *testing.T) {
+	if !testWIFederation || !testWIDirectAccess {
+		t.Skip("Skipping workload identity federation direct access test, not supported for provider")
+	}
+
+	if len(testRepos) == 0 {
+		t.Fatalf("expected testRepos to be set")
+	}
+
+	for name, repo := range testRepos {
+		t.Run(name, func(t *testing.T) {
+			args := []string{
+				"-category=oci",
+				fmt.Sprintf("-repo=%s", repo),
+			}
+			testjobExecutionWithArgs(t, args, withObjectLevelWI(objectLevelWIModeDirectAccessFederation))
+		})
+	}
+}
+
 func TestOciRepositoryRootLoginListTags(t *testing.T) {
 	if len(testRepos) == 0 {
 		t.Fatalf("expected testRepos to be set")