From 04a5cdf6b84aae83a9e5250d3b83ed763c50382e Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Fri, 9 May 2025 11:19:38 +0200
Subject: [PATCH] helm: force app creds in GCP CCM (#3822)
---
 .../charts/ccm/templates/gcp-cm.yaml | 8 +++++++-
 .../charts/ccm/templates/gcp-cm.yaml | 2 +-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/internal/constellation/helm/charts/edgeless/constellation-services/charts/ccm/templates/gcp-cm.yaml b/internal/constellation/helm/charts/edgeless/constellation-services/charts/ccm/templates/gcp-cm.yaml
index 06a971465..220c3efc6 100644
--- a/internal/constellation/helm/charts/edgeless/constellation-services/charts/ccm/templates/gcp-cm.yaml
+++ b/internal/constellation/helm/charts/edgeless/constellation-services/charts/ccm/templates/gcp-cm.yaml
@@ -5,5 +5,11 @@ metadata:
 name: gceconf
 namespace: {{ .Release.Namespace }}
 data:
- gce.conf: "[global]\nproject-id = {{.Values.GCP.projectID }}\nuse-metadata-server = true\nnode-tags = constellation-{{ .Values.GCP.uid }}\nregional = true\n"
+ gce.conf: |
+ [global]
+ project-id = {{.Values.GCP.projectID }}
+ use-metadata-server = true
+ node-tags = constellation-{{ .Values.GCP.uid }}
+ regional = true
+ token-url = nil # This forces use of GOOGLE_APPLICATION_CREDENTIALS.
 {{- end -}}
diff --git a/internal/constellation/helm/testdata/GCP/constellation-services/charts/ccm/templates/gcp-cm.yaml b/internal/constellation/helm/testdata/GCP/constellation-services/charts/ccm/templates/gcp-cm.yaml
index 5855fb988..c0ed7d331 100644
--- a/internal/constellation/helm/testdata/GCP/constellation-services/charts/ccm/templates/gcp-cm.yaml
+++ b/internal/constellation/helm/testdata/GCP/constellation-services/charts/ccm/templates/gcp-cm.yaml
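Review bot: The added `token-url = nil # This forces use of GOOGLE_APPLICATION_CREDENTIALS.` line in the chart template keeps the explanation on the same line as the value, so the credential-source switch only works if the gce.conf parser strips trailing `#` comments; if it does not, the value is no longer the bare string `nil` and the override would not take effect as intended, with nothing in the chart to surface that. Putting the comment on its own line removes that dependency: `# token-url = nil forces use of GOOGLE_APPLICATION_CREDENTIALS.` followed by `token-url = nil`. The comment could also say why `use-metadata-server = true` stays set next to it, since the two settings read as contradictory to someone auditing which identity the CCM runs with. The fixture hunk in the testdata file shows the rendered value now ends without the final `\n` the old string had (apparently the `{{- end -}}` trim consuming the block scalar's last newline), which is worth confirming as intended.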
@@ -4,4 +4,4 @@ metadata:
 name: gceconf
 namespace: testNamespace
 data:
- gce.conf: "[global]\nproject-id = 42424242424242\nuse-metadata-server = true\nnode-tags = constellation-242424242424\nregional = true\n"
+ gce.conf: "[global]\nproject-id = 42424242424242\nuse-metadata-server = true\nnode-tags = constellation-242424242424\nregional = true\ntoken-url = nil # This forces use of GOOGLE_APPLICATION_CREDENTIALS."