fix: serviceAccountJsonSecretKeyRef for gcedisk (#470)

mikhail-klimko · web-flow · commit 7e7a66ab1eab · 2024-06-09T14:03:31.000+03:00
diff --git a/charts/cf-runtime/Chart.yaml b/charts/cf-runtime/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 description: A Helm chart for Codefresh Runner
 name: cf-runtime
-version: 6.3.30
+version: 6.3.31
 keywords:
   - codefresh
   - runner
@@ -17,8 +17,10 @@ annotations:
   artifacthub.io/containsSecurityUpdates: "false"
   # Supported kinds: `added`, `changed`, `deprecated`, `removed`, `fixed`, `security`:
   artifacthub.io/changes: |
-    - kind: added
-      description: Add pullPolicy for dind and engine
+    - kind: fixed
+      description: Fix serviceAccountJsonSecretKeyRef for gcedisk
+    - kind: fixed
+      description: Fix google-service-account.json key in volume-provisioner secret template
 dependencies:
   - name: cf-common
     repository: oci://quay.io/codefresh/charts
diff --git a/charts/cf-runtime/README.md b/charts/cf-runtime/README.md
@@ -1,6 +1,6 @@
 ## Codefresh Runner
 
-![Version: 6.3.30](https://img.shields.io/badge/Version-6.3.30-informational?style=flat-square)
+![Version: 6.3.31](https://img.shields.io/badge/Version-6.3.31-informational?style=flat-square)
 
 Helm chart for deploying [Codefresh Runner](https://codefresh.io/docs/docs/installation/codefresh-runner/) to Kubernetes.
 
@@ -20,6 +20,7 @@ Helm chart for deploying [Codefresh Runner](https://codefresh.io/docs/docs/insta
 - [Configuration](#configuration)
   - [EBS backend volume configuration in AWS](#ebs-backend-volume-configuration)
   - [Azure Disks backend volume configuration in AKS](#azure-disks-backend-volume-configuration)
+  - [GCE Disks backend volume configuration in GKE](#gce-disks-backend-volume-configuration-in-gke)
   - [Custom volume mounts](#custom-volume-mounts)
   - [Custom global environment variables](#custom-global-environment-variables)
   - [Volume reuse policy](#volume-reuse-policy)
@@ -440,6 +441,113 @@ runtime:
       topology.kubernetes.io/zone: northeurope-1
 ```
 
+### GCE Disks backend volume configuration in GKE
+
+`dind-volume-provisioner` should have `ComputeEngine.StorageAdmin` permissions
+
+There are three options:
+
+1. Run `dind-volume-provisioner` pod on the node/node-group with IAM Service Account
+
+```yaml
+storage:
+  # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`)
+  backend: gcedisk
+
+  gcedisk:
+    # -- Set GCP volume backend type (`pd-ssd`/`pd-standard`)
+    volumeType: "pd-standard"
+    # -- Set GCP volume availability zone
+    availabilityZone: "us-central1-c"
+
+volumeProvisioner:
+  # -- Set node selector
+  nodeSelector: {}
+  # -- Set tolerations
+  tolerations: []
+
+# -- Set runtime parameters
+runtime:
+  # -- Parameters for DinD (docker-in-docker) pod
+  dind:
+    # -- Set node selector.
+    nodeSelector:
+      topology.kubernetes.io/zone: us-central1-c
+```
+
+2. Pass static credentials in `.Values.storage.gcedisk.serviceAccountJson` (inline) or `.Values.storage.gcedisk.serviceAccountJsonSecretKeyRef` (from your own secret)
+
+```yaml
+storage:
+  # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`)
+  backend: gcedisk
+
+  gcedisk:
+    # -- Set GCP volume backend type (`pd-ssd`/`pd-standard`)
+    volumeType: "`pd-standard"
+    # -- Set GCP volume availability zone
+    availabilityZone: "us-central1-c"
+    # -- Set Google SA JSON key for volume-provisioner (optional)
+    serviceAccountJson: |
+        {
+        "type": "service_account",
+        "project_id": "...",
+        "private_key_id": "...",
+        "private_key": "...",
+        "client_email": "...",
+        "client_id": "...",
+        "auth_uri": "...",
+        "token_uri": "...",
+        "auth_provider_x509_cert_url": "...",
+        "client_x509_cert_url": "..."
+        }
+    # -- Existing secret containing containing Google SA JSON key for volume-provisioner (optional)
+    serviceAccountJsonSecretKeyRef: {}
+    # E.g.:
+    # serviceAccountJsonSecretKeyRef:
+    #   name: gce-service-account
+    #   key: service-account.json
+
+# -- Set runtime parameters
+runtime:
+  # -- Parameters for DinD (docker-in-docker) pod
+  dind:
+    # -- Set node selector.
+    nodeSelector:
+      topology.kubernetes.io/zone: us-central1-c
+```
+
+3. Assign IAM role to `dind-volume-provisioner` service account
+
+```yaml
+storage:
+  # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`)
+  backend: gcedisk
+
+  gcedisk:
+    # -- Set GCP volume backend type (`pd-ssd`/`pd-standard`)
+    volumeType: "`pd-standard"
+    # -- Set GCP volume availability zone
+    availabilityZone: "us-central1-c"
+
+volumeProvisioner:
+  # -- Service Account parameters
+  serviceAccount:
+    # -- Create service account
+    create: true
+    # -- Additional service account annotations
+    annotations:
+      iam.gke.io/gcp-service-account: <GSA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com
+
+# -- Set runtime parameters
+runtime:
+  # -- Parameters for DinD (docker-in-docker) pod
+  dind:
+    # -- Set node selector.
+    nodeSelector:
+      topology.kubernetes.io/zone: us-central1-c
+```
+
 ### Custom global environment variables
 
 You can add your own environment variables to the runtime environment. All pipeline steps have access to the global variables.
diff --git a/charts/cf-runtime/README.md.gotmpl b/charts/cf-runtime/README.md.gotmpl
@@ -20,6 +20,7 @@ Helm chart for deploying [Codefresh Runner](https://codefresh.io/docs/docs/insta
 - [Configuration](#configuration)
   - [EBS backend volume configuration in AWS](#ebs-backend-volume-configuration)
   - [Azure Disks backend volume configuration in AKS](#azure-disks-backend-volume-configuration)
+  - [GCE Disks backend volume configuration in GKE](#gce-disks-backend-volume-configuration-in-gke)
   - [Custom volume mounts](#custom-volume-mounts)
   - [Custom global environment variables](#custom-global-environment-variables)
   - [Volume reuse policy](#volume-reuse-policy)
@@ -440,6 +441,112 @@ runtime:
       topology.kubernetes.io/zone: northeurope-1
 ```
 
+### GCE Disks backend volume configuration in GKE
+
+`dind-volume-provisioner` should have `ComputeEngine.StorageAdmin` permissions
+
+There are three options:
+
+1. Run `dind-volume-provisioner` pod on the node/node-group with IAM Service Account
+
+```yaml
+storage:
+  # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`)
+  backend: gcedisk
+
+  gcedisk:
+    # -- Set GCP volume backend type (`pd-ssd`/`pd-standard`)
+    volumeType: "pd-standard"
+    # -- Set GCP volume availability zone
+    availabilityZone: "us-central1-c"
+
+volumeProvisioner:
+  # -- Set node selector
+  nodeSelector: {}
+  # -- Set tolerations
+  tolerations: []
+
+# -- Set runtime parameters
+runtime:
+  # -- Parameters for DinD (docker-in-docker) pod
+  dind:
+    # -- Set node selector.
+    nodeSelector:
+      topology.kubernetes.io/zone: us-central1-c
+```
+
+2. Pass static credentials in `.Values.storage.gcedisk.serviceAccountJson` (inline) or `.Values.storage.gcedisk.serviceAccountJsonSecretKeyRef` (from your own secret)
+
+```yaml
+storage:
+  # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`)
+  backend: gcedisk
+
+  gcedisk:
+    # -- Set GCP volume backend type (`pd-ssd`/`pd-standard`)
+    volumeType: "`pd-standard"
+    # -- Set GCP volume availability zone
+    availabilityZone: "us-central1-c"
+    # -- Set Google SA JSON key for volume-provisioner (optional)
+    serviceAccountJson: |
+        {
+        "type": "service_account",
+        "project_id": "...",
+        "private_key_id": "...",
+        "private_key": "...",
+        "client_email": "...",
+        "client_id": "...",
+        "auth_uri": "...",
+        "token_uri": "...",
+        "auth_provider_x509_cert_url": "...",
+        "client_x509_cert_url": "..."
+        }
+    # -- Existing secret containing containing Google SA JSON key for volume-provisioner (optional)
+    serviceAccountJsonSecretKeyRef: {}
+    # E.g.:
+    # serviceAccountJsonSecretKeyRef:
+    #   name: gce-service-account
+    #   key: service-account.json
+
+# -- Set runtime parameters
+runtime:
+  # -- Parameters for DinD (docker-in-docker) pod
+  dind:
+    # -- Set node selector.
+    nodeSelector:
+      topology.kubernetes.io/zone: us-central1-c
+```
+
+3. Assign IAM role to `dind-volume-provisioner` service account
+
+```yaml
+storage:
+  # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`)
+  backend: gcedisk
+
+  gcedisk:
+    # -- Set GCP volume backend type (`pd-ssd`/`pd-standard`)
+    volumeType: "`pd-standard"
+    # -- Set GCP volume availability zone
+    availabilityZone: "us-central1-c"
+
+volumeProvisioner:
+  # -- Service Account parameters
+  serviceAccount:
+    # -- Create service account
+    create: true
+    # -- Additional service account annotations
+    annotations:
+      iam.gke.io/gcp-service-account: <GSA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com
+
+# -- Set runtime parameters
+runtime:
+  # -- Parameters for DinD (docker-in-docker) pod
+  dind:
+    # -- Set node selector.
+    nodeSelector:
+      topology.kubernetes.io/zone: us-central1-c
+```
 
 ### Custom global environment variables
 
diff --git a/charts/cf-runtime/templates/_components/volume-provisioner/_env-vars.yaml b/charts/cf-runtime/templates/_components/volume-provisioner/_env-vars.yaml
@@ -34,7 +34,7 @@ AWS_SECRET_ACCESS_KEY:
 {{- end }}
 
 {{- if or .Values.storage.gcedisk.serviceAccountJson .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef }}
-GOOGLE_APPLICATION_CREDENTIALS: /etc/dind-volume-provisioner/credentials/google-service-account.json
+GOOGLE_APPLICATION_CREDENTIALS: {{ printf "/etc/dind-volume-provisioner/credentials/%s" (.Values.storage.gcedisk.serviceAccountJsonSecretKeyRef.key | default "google-service-account.json") }}
 {{- end }}
 
 {{- if and .Values.storage.mountAzureJson }}
@@ -62,7 +62,7 @@ CLOUDCONFIG_AZURE: /etc/kubernetes/azure.json
     optional: true
   {{- else if .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef }}
 - name: credentials
-  secrete:
+  secret:
     secretName: {{ .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef.name }}
     optional: true
   {{- end }}
@@ -85,4 +85,4 @@ CLOUDCONFIG_AZURE: /etc/kubernetes/azure.json
   readOnly: true
   mountPath: "/etc/kubernetes/azure.json"
   {{- end }}
-{{- end }}
+{{- end }}
diff --git a/charts/cf-runtime/templates/_components/volume-provisioner/_secret.yaml b/charts/cf-runtime/templates/_components/volume-provisioner/_secret.yaml
@@ -9,7 +9,8 @@ metadata:
     {{- include "dind-volume-provisioner.labels" . | nindent 4 }}
 stringData:
   {{- with .Values.storage.gcedisk.serviceAccountJson }}
-  google-service-account.json: {{ . }}
+  google-service-account.json: |
+{{- . | nindent 4 }}
   {{- end }}
   {{- with .Values.storage.ebs.accessKeyId }}
   aws_access_key_id: {{ . }}
