Merge pull request #105 from pp511/PWX-26307-use-default-service-account-as-kms-account-when-device-level-account-info-not-specified

PWX-26307: Use default gce account when device level account not prov…

Author: pp511

gce/gce.go

@@ -2,6 +2,7 @@ package gce
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"net/http"
 	"os"
@@ -19,6 +20,7 @@ import (
 	"github.com/libopenstorage/openstorage/pkg/parser"
 	"github.com/portworx/sched-ops/task"
 	"github.com/sirupsen/logrus"
+	google "golang.org/x/oauth2/google"
 	compute "google.golang.org/api/compute/v1"
 	container "google.golang.org/api/container/v1"
 	"google.golang.org/api/googleapi"
@@ -63,6 +65,7 @@ type instance struct {
 	clusterName     string
 	clusterLocation string
 	nodePoolID      string
+	serviceAccount  string
 }
 
 // IsDevMode checks if the pkg is invoked in developer mode where GCE credentials
@@ -77,9 +80,10 @@ func IsDevMode() bool {
 func NewClient() (cloudops.Ops, error) {
 
 	var i = new(instance)
+	ctx := context.Background()
 	var err error
 	if metadata.OnGCE() {
-		err = gceInfo(i)
+		err = gceInfo(ctx, i)
 	} else if ok := IsDevMode(); ok {
 		err = gceInfoFromEnv(i)
 	} else {
@@ -90,7 +94,6 @@ func NewClient() (cloudops.Ops, error) {
 		return nil, fmt.Errorf("error fetching instance info. Err: %v", err)
 	}
 
-	ctx := context.Background()
 	computeService, err := compute.NewService(ctx, option.WithScopes(compute.ComputeScope))
 	if err != nil {
 		return nil, fmt.Errorf("unable to create Compute service: %v", err)
@@ -378,6 +381,11 @@ func (s *gceOps) Create(
 			"Invalid volume template given", "")
 	}
 
+	if isDiskEncryptedWithDefaultAccount(v) {
+		logrus.Infof("Default service account to be used as disk encryption kms service account")
+		v.DiskEncryptionKey.KmsKeyServiceAccount = s.inst.serviceAccount
+	}
+
 	newDisk := &compute.Disk{
 		Description:       "Disk created by openstorage",
 		Labels:            formatLabels(labels),
@@ -1173,7 +1181,7 @@ func (s *gceOps) describeinstance() (*compute.Instance, error) {
 }
 
 // gceInfo fetches the GCE instance metadata from the metadata server
-func gceInfo(inst *instance) error {
+func gceInfo(ctx context.Context, inst *instance) error {
 	var err error
 	inst.zone, err = metadata.Zone()
 	if err != nil {
@@ -1225,6 +1233,19 @@ func gceInfo(inst *instance) error {
 			}
 		}
 	}
+
+	credential, err := google.FindDefaultCredentials(ctx)
+	content := map[string]interface{}{}
+	json.Unmarshal(credential.JSON, &content)
+	if content["client_email"] != nil {
+		inst.serviceAccount = fmt.Sprintf("%s", content["client_email"])
+	} else {
+		serviceAccount, err := metadata.Email("")
+		if err != nil {
+			return fmt.Errorf("unable to get gce instance service account")
+		}
+		inst.serviceAccount = serviceAccount
+	}
 	return nil
 }
 
@@ -1250,6 +1271,7 @@ func gceInfoFromEnv(inst *instance) error {
 	inst.clusterName, _ = cloudops.GetEnvValueStrict("GKE_CLUSTER_NAME")
 	inst.clusterLocation, _ = cloudops.GetEnvValueStrict("GKE_CLUSTER_LOCATION")
 	inst.nodePoolID, _ = cloudops.GetEnvValueStrict("GKE_NODE_POOL")
+	inst.serviceAccount, _ = cloudops.GetEnvValueStrict("GKE_CLUSTER_SERVICE_ACCOUNT")
 
 	return nil
 }
@@ -1482,3 +1504,9 @@ func isZonalCluster(clusterLocation string) (bool, error) {
 	zoneRegex := "[a-zA-z0-9]+-[a-zA-Z0-9]+-[a-zA-Z]"
 	return regexp.MatchString(zoneRegex, clusterLocation)
 }
+
+func isDiskEncryptedWithDefaultAccount(d *compute.Disk) bool {
+	return d.DiskEncryptionKey != nil &&
+		len(d.DiskEncryptionKey.KmsKeyName) > 0 &&
+		len(d.DiskEncryptionKey.KmsKeyServiceAccount) == 0
+}

go.mod

@@ -23,6 +23,7 @@ require (
 	github.com/sirupsen/logrus v1.8.1
 	github.com/stretchr/testify v1.7.0
 	github.com/vmware/govmomi v0.22.2
+	golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5
 	google.golang.org/api v0.30.0
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/apimachinery v0.20.4

go.sum

@@ -1591,6 +1591,7 @@ golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
 golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f h1:oA4XRj0qtSt8Yo1Zms0CUlsT3KG69V2UGQWPBxujDmc=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/oauth2 v0.0.0-20180724155351-3d292e4d0cdc/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -1604,8 +1605,9 @@ golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a/go.mod h1:gOpvHmFTYa4Iltr
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5 h1:Lm4OryKCca1vehdsWogr9N4t7NfZxLbJoc/H0w4K4S4=
 golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 h1:OSnWWcOd/CtWQC2cYSBgbTSJv3ciqd8r54ySIW2y3RE=
+golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=