enable standard forms of GCP auth for oci sources

fluxcd · Oct 12, 2024 · f6308e6 · f6308e6
1 parent ac1007b
commit f6308e6
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 39 deletions.
diff --git a/oci/auth/gcp/auth.go b/oci/auth/gcp/auth.go
@@ -18,10 +18,7 @@ package gcp
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
-	"io"
-	"net/http"
 	"net/url"
 	"strings"
 	"time"
@@ -31,6 +28,7 @@ import (
 	"github.com/google/go-containerregistry/pkg/name"
 
 	"github.com/fluxcd/pkg/oci"
+	"golang.org/x/oauth2/google"
 )
 
 type gceToken struct {
@@ -79,54 +77,34 @@ func (c *Client) WithTokenURL(url string) *Client {
 	return c
 }
 
-// getLoginAuth obtains authentication by getting a token from the metadata API
-// on GCP. This assumes that the pod has right to pull the image which would be
-// the case if it is hosted on GCP. It works with both service account and
-// workload identity enabled clusters.
+// getLoginAuth obtains authentication using the default GCP credential chain.
+// This supports various authentication methods including service account JSON,
+// external account JSON, user credentials, and GCE metadata service.
 func (c *Client) getLoginAuth(ctx context.Context) (authn.AuthConfig, time.Time, error) {
 	var authConfig authn.AuthConfig
 
-	request, err := http.NewRequestWithContext(ctx, http.MethodGet, c.tokenURL, nil)
-	if err != nil {
-		return authConfig, time.Time{}, err
-	}
-
-	request.Header.Add("Metadata-Flavor", "Google")
-
-	var transport http.RoundTripper
-	if c.proxyURL != nil {
-		t := http.DefaultTransport.(*http.Transport).Clone()
-		t.Proxy = http.ProxyURL(c.proxyURL)
-		transport = t
-	}
+	// Define the required scopes for accessing GCR.
+	scopes := []string{"https://www.googleapis.com/auth/cloud-platform"}
 
-	client := &http.Client{Transport: transport}
-	response, err := client.Do(request)
+	// Obtain the default token source.
+	tokenSource, err := google.DefaultTokenSource(ctx, scopes...)
 	if err != nil {
-		return authConfig, time.Time{}, err
+		return authConfig, time.Time{}, fmt.Errorf("failed to get default token source: %w", err)
 	}
-	defer response.Body.Close()
-	defer io.Copy(io.Discard, response.Body)
 
-	if response.StatusCode != http.StatusOK {
-		return authConfig, time.Time{}, fmt.Errorf("unexpected status from metadata service: %s", response.Status)
-	}
-
-	var accessToken gceToken
-	decoder := json.NewDecoder(response.Body)
-	if err := decoder.Decode(&accessToken); err != nil {
-		return authConfig, time.Time{}, err
+	// Retrieve the token.
+	token, err := tokenSource.Token()
+	if err != nil {
+		return authConfig, time.Time{}, fmt.Errorf("failed to obtain token: %w", err)
 	}
 
+	// Set up the authentication configuration.
 	authConfig = authn.AuthConfig{
 		Username: "oauth2accesstoken",
-		Password: accessToken.AccessToken,
+		Password: token.AccessToken,
 	}
 
-	// add expiresIn seconds to the current time to get the expiry time
-	expiresAt := time.Now().Add(time.Duration(accessToken.ExpiresIn) * time.Second)
-
-	return authConfig, expiresAt, nil
+	return authConfig, token.Expiry, nil
 }
 
 // Login attempts to get the authentication material for GCR.

diff --git a/oci/go.mod b/oci/go.mod
@@ -29,6 +29,7 @@ require (
 )
 
 require (
+	cloud.google.com/go/compute/metadata v0.3.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13 // indirect
@@ -136,7 +137,7 @@ require (
 	go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
 	golang.org/x/crypto v0.27.0 // indirect
 	golang.org/x/net v0.29.0 // indirect
-	golang.org/x/oauth2 v0.22.0 // indirect
+	golang.org/x/oauth2 v0.23.0 // indirect
 	golang.org/x/sync v0.8.0 // indirect
 	golang.org/x/sys v0.25.0 // indirect
 	golang.org/x/term v0.24.0 // indirect

diff --git a/oci/go.sum b/oci/go.sum
@@ -1,4 +1,8 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go v0.110.7 h1:rJyC7nWRg2jWGZ4wSJ5nY65GTdYJkg0cd/uXb+ACI6o=
+cloud.google.com/go/compute v1.23.0 h1:tP41Zoavr8ptEqaW6j+LQOnyBBhO7OkOMAGrgLopTwY=
+cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc=
+cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0 h1:nyQWyZvwGTvunIMxi1Y9uXkcyr+I7TeNrr/foo4Kpk8=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0/go.mod h1:l38EPgmsp71HHLq9j7De57JcKOWPyhrsW1Awm1JS6K0=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 h1:tfLQ34V6F7tVSwoTf/4lH5sE0o6eCJuNDTmH09nDpbc=
@@ -408,6 +412,8 @@ golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.22.0 h1:BzDx2FehcG7jJwgWLELCdmLuxk2i+x9UDpSiss2u0ZA=
 golang.org/x/oauth2 v0.22.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
+golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=