gcp: support projects with no default permissions (#3656)

* helm/gcp: use service account in operator and joinservice * helm: format operator testdata * terraform/iam: create additional service account for VMs This service account is used in the following commits and is attached to the VMs * config: pass VM service account from iam create to cluster create via config * cli/iamcreate: limit name prefix length * docs: add minimal gcp IAM permissions
2025-07-22 15:00:38 -04:00 · 2025-03-25 14:13:38 +01:00 · 2025-03-25 14:13:38 +01:00 · 66815a4a47
commit 66815a4a47
parent 83e08e3e37
42 changed files with 771 additions and 466 deletions
--- a/cli/internal/cmd/iamcreate_test.go
+++ b/cli/internal/cmd/iamcreate_test.go
@ -456,6 +456,7 @@ func TestIAMCreateGCP(t *testing.T) {
 		creator              *stubIAMCreator
 		zoneFlag             string
 		serviceAccountIDFlag string
+		namePrefixFlag       string
 		projectIDFlag        string
 		yesFlag              bool
 		updateConfigFlag     bool
@ -466,6 +467,14 @@ func TestIAMCreateGCP(t *testing.T) {
 		wantErr              bool
 	}{
 		"iam create gcp": {
+			setupFs:        defaultFs,
+			creator:        &stubIAMCreator{id: validIAMIDFile},
+			zoneFlag:       "europe-west1-a",
+			namePrefixFlag: "constell-test",
+			projectIDFlag:  "constell-1234",
+			yesFlag:        true,
+		},
+		"iam create gcp with deprecated serice account flag": {
 			setupFs:              defaultFs,
 			creator:              &stubIAMCreator{id: validIAMIDFile},
 			zoneFlag:             "europe-west1-a",
@ -474,91 +483,91 @@ func TestIAMCreateGCP(t *testing.T) {
 			yesFlag:              true,
 		},
 		"iam create gcp with existing config": {
-			setupFs:              defaultFs,
-			creator:              &stubIAMCreator{id: validIAMIDFile},
-			zoneFlag:             "europe-west1-a",
-			serviceAccountIDFlag: "constell-test",
-			projectIDFlag:        "constell-1234",
-			yesFlag:              true,
-			existingConfigFiles:  []string{constants.ConfigFilename},
+			setupFs:             defaultFs,
+			creator:             &stubIAMCreator{id: validIAMIDFile},
+			zoneFlag:            "europe-west1-a",
+			namePrefixFlag:      "constell-test",
+			projectIDFlag:       "constell-1234",
+			yesFlag:             true,
+			existingConfigFiles: []string{constants.ConfigFilename},
 		},
 		"iam create gcp --update-config": {
-			setupFs:              defaultFs,
-			creator:              &stubIAMCreator{id: validIAMIDFile},
-			zoneFlag:             "europe-west1-a",
-			serviceAccountIDFlag: "constell-test",
-			projectIDFlag:        "constell-1234",
-			updateConfigFlag:     true,
-			yesFlag:              true,
-			existingConfigFiles:  []string{constants.ConfigFilename},
+			setupFs:             defaultFs,
+			creator:             &stubIAMCreator{id: validIAMIDFile},
+			zoneFlag:            "europe-west1-a",
+			namePrefixFlag:      "constell-test",
+			projectIDFlag:       "constell-1234",
+			updateConfigFlag:    true,
+			yesFlag:             true,
+			existingConfigFiles: []string{constants.ConfigFilename},
 		},
 		"iam create gcp existing terraform dir": {
-			setupFs:              defaultFs,
-			creator:              &stubIAMCreator{id: validIAMIDFile},
-			zoneFlag:             "europe-west1-a",
-			serviceAccountIDFlag: "constell-test",
-			projectIDFlag:        "constell-1234",
+			setupFs:        defaultFs,
+			creator:        &stubIAMCreator{id: validIAMIDFile},
+			zoneFlag:       "europe-west1-a",
+			namePrefixFlag: "constell-test",
+			projectIDFlag:  "constell-1234",

 			existingDirs: []string{constants.TerraformIAMWorkingDir},
 			yesFlag:      true,
 			wantErr:      true,
 		},
 		"iam create gcp invalid b64": {
-			setupFs:              defaultFs,
-			creator:              &stubIAMCreator{id: invalidIAMIDFile},
-			zoneFlag:             "europe-west1-a",
-			serviceAccountIDFlag: "constell-test",
-			projectIDFlag:        "constell-1234",
-			yesFlag:              true,
-			wantErr:              true,
+			setupFs:        defaultFs,
+			creator:        &stubIAMCreator{id: invalidIAMIDFile},
+			zoneFlag:       "europe-west1-a",
+			namePrefixFlag: "constell-test",
+			projectIDFlag:  "constell-1234",
+			yesFlag:        true,
+			wantErr:        true,
 		},
 		"interactive": {
-			setupFs:              defaultFs,
-			creator:              &stubIAMCreator{id: validIAMIDFile},
-			zoneFlag:             "europe-west1-a",
-			serviceAccountIDFlag: "constell-test",
-			projectIDFlag:        "constell-1234",
-			stdin:                "yes\n",
+			setupFs:        defaultFs,
+			creator:        &stubIAMCreator{id: validIAMIDFile},
+			zoneFlag:       "europe-west1-a",
+			namePrefixFlag: "constell-test",
+			projectIDFlag:  "constell-1234",
+			stdin:          "yes\n",
 		},
 		"interactive update config": {
-			setupFs:              defaultFs,
-			creator:              &stubIAMCreator{id: validIAMIDFile},
-			zoneFlag:             "europe-west1-a",
-			serviceAccountIDFlag: "constell-test",
-			projectIDFlag:        "constell-1234",
-			stdin:                "yes\n",
-			updateConfigFlag:     true,
-			existingConfigFiles:  []string{constants.ConfigFilename},
+			setupFs:             defaultFs,
+			creator:             &stubIAMCreator{id: validIAMIDFile},
+			zoneFlag:            "europe-west1-a",
+			namePrefixFlag:      "constell-test",
+			projectIDFlag:       "constell-1234",
+			stdin:               "yes\n",
+			updateConfigFlag:    true,
+			existingConfigFiles: []string{constants.ConfigFilename},
 		},
 		"interactive abort": {
-			setupFs:              defaultFs,
-			creator:              &stubIAMCreator{id: validIAMIDFile},
-			zoneFlag:             "europe-west1-a",
-			serviceAccountIDFlag: "constell-test",
-			projectIDFlag:        "constell-1234",
-			stdin:                "no\n",
-			wantAbort:            true,
+			setupFs:        defaultFs,
+			creator:        &stubIAMCreator{id: validIAMIDFile},
+			zoneFlag:       "europe-west1-a",
+			namePrefixFlag: "constell-test",
+			projectIDFlag:  "constell-1234",
+			stdin:          "no\n",
+			wantAbort:      true,
 		},
 		"interactive abort update config": {
-			setupFs:              defaultFs,
-			creator:              &stubIAMCreator{id: validIAMIDFile},
-			zoneFlag:             "europe-west1-a",
-			serviceAccountIDFlag: "constell-test",
-			projectIDFlag:        "constell-1234",
-			stdin:                "no\n",
-			wantAbort:            true,
-			updateConfigFlag:     true,
-			existingConfigFiles:  []string{constants.ConfigFilename},
+			setupFs:             defaultFs,
+			creator:             &stubIAMCreator{id: validIAMIDFile},
+			zoneFlag:            "europe-west1-a",
+			namePrefixFlag:      "constell-test",
+			projectIDFlag:       "constell-1234",
+			stdin:               "no\n",
+			wantAbort:           true,
+			updateConfigFlag:    true,
+			existingConfigFiles: []string{constants.ConfigFilename},
 		},
 		"unwritable fs": {
-			setupFs:              readOnlyFs,
-			creator:              &stubIAMCreator{id: validIAMIDFile},
-			zoneFlag:             "europe-west1-a",
-			serviceAccountIDFlag: "constell-test",
-			projectIDFlag:        "constell-1234",
-			yesFlag:              true,
-			updateConfigFlag:     true,
-			wantErr:              true,
+			setupFs:          readOnlyFs,
+			creator:          &stubIAMCreator{id: validIAMIDFile},
+			zoneFlag:         "europe-west1-a",
+			namePrefixFlag:   "constell-test",
+			projectIDFlag:    "constell-1234",
+			yesFlag:          true,
+			updateConfigFlag: true,
+			wantErr:          true,
 		},
 	}

@ -590,6 +599,7 @@ func TestIAMCreateGCP(t *testing.T) {
 					flags: gcpIAMCreateFlags{
 						zone:             tc.zoneFlag,
 						serviceAccountID: tc.serviceAccountIDFlag,
+						namePrefix:       tc.serviceAccountIDFlag,
 						projectID:        tc.projectIDFlag,
 					},
 				},