LOG-9171: Add support for GCP workload identity federation v0.54#263
LOG-9171: Add support for GCP workload identity federation v0.54#263vparfonov wants to merge 5 commits intoViaQ:v0.54.0-rhfrom
Conversation
- Restore PUBSUB_ADDRESS static removed by accident (fixes compilation) - Add MALACHITE_INGESTION scope for Chronicle sink (least-privilege) - Add falls_back_to_adc test to gcp::tests - Document ScopedEnv rationale (no with_credentials_file() API) - Remove dev comment from spawn_regenerate_token - Trim verbose test comments in pubsub and stackdriver tests - Apply cargo fmt Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
/hold |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: vparfonov The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
| // The google-cloud-auth Builder has no with_credentials_file() method. | ||
| // The GOOGLE_APPLICATION_CREDENTIALS env var is the only way to pass | ||
| // a credentials path. ScopedEnv restores the original value on drop. | ||
| let _guard = ScopedEnv::set("GOOGLE_APPLICATION_CREDENTIALS", path); |
There was a problem hiding this comment.
Is this correct in there is no way for us to support isolating credentials for multiple GCP outputs?
There was a problem hiding this comment.
Yes, this is a limitation of the google-cloud-auth library — its Builder has no with_credentials_file() method, so the GOOGLE_APPLICATION_CREDENTIALS env var is the only way to pass a credentials path.
The env var is only set temporarily during build_access_token_credentials() call. After that the ScopedEnv guard drops, restores the original value, and each GCP output holds its own independent AccessTokenCredentials instance with its own credentials. So at runtime, multiple GCP outputs with different credentials work fine.
The only theoretical risk is during initialization: if two GCP outputs with different credentials_path values call build() concurrently, they could race on the env var. In practice Vector builds sink configs sequentially during startup, so this doesn't happen.
There was a problem hiding this comment.
What does this mean in practice? Do we need to set this var? Do these credentials need to be a parent or some set of credentials that delegates to the individual outputs? Maybe these questions are not relevant for the collector but more so for the operator
vparfonov
changed the title
|
@vparfonov: This pull request references LOG-9171 which is a valid jira issue. DetailsIn response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/test unit |
2 similar comments
|
/test unit |
|
/test unit |
- make_token(): replace .ok() with proper error logging and rate limiting so token fetch failures are visible instead of causing opaque 403 responses - from_file(): add mutex around ScopedEnv to prevent concurrent sink initializations from racing on GOOGLE_APPLICATION_CREDENTIALS Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
/test unit |
google-cloud-auth 1.8.0 requires serde_json >= 1.0.148, which changed float exponent formatting from e308 to e+308. Update fixtures to match. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
@vparfonov: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
…json 1.0.149+ serde_json 1.0.149 replaced ryu with zmij for float serialization, which uses scientific notation for very large floats. This caused a mismatch between ryu::Buffer::format_finite() and actual JSON output, breaking the estimate_f32 and serialize_f64 quickcheck tests. Use serde_json::to_string() directly so the estimation always matches the actual serialized output regardless of future serde_json changes. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
4 participants
Following PR: #249
Core changes (
src/gcp.rs)goauth+smpl_jwtlibraries with officialgoogle-cloud-authv1.6New changes:
Scope::MalachiteIngestion to scopes::CLOUD_PLATFORM, which grants access to all GCP APIs. Restored the original narrow scope by addingMALACHITE_INGESTION (https://www.googleapis.com/auth/malachite-ingestion)as a scope constant.cargo-fmt-check/assign @jcantrill
/cc @cahartma @Clee2691
https://redhat.atlassian.net/browse/LOG-9171