diff --git a/templates/gitlab-ci-k8s-gcp.yml b/templates/gitlab-ci-k8s-gcp.yml
index 08e370ed269d3517213dedfeae4faf7d84246324..5a1669dfff56b0fdf6bbdcbe8cb0b264907ffb3c 100644
--- a/templates/gitlab-ci-k8s-gcp.yml
+++ b/templates/gitlab-ci-k8s-gcp.yml
@@ -57,42 +57,46 @@ variables: K8S_KUBECTL_IMAGE: $[[ inputs.kubectl-image ]] .k8s-gcp-adc: - - echo "Installing GCP authentication with env GOOGLE_APPLICATION_CREDENTIALS file" - - echo $GCP_JWT > "$CI_BUILDS_DIR/.auth_token.jwt" - - |- - if [[ "$ENV_TYPE" ]] + - | + if [[ "$GCP_JWT" ]] then - case "$ENV_TYPE" in - review*) - env_prefix=REVIEW;; - integ*) - env_prefix=INTEG;; - staging*) - env_prefix=STAGING;; - prod*) - env_prefix=PROD;; - *) - ;; - esac - env_oidc_provider=$(eval echo "\$GCP_${env_prefix}_OIDC_PROVIDER") - env_oidc_account=$(eval echo "\$GCP_${env_prefix}_OIDC_ACCOUNT") - fi - oidc_provider="${env_oidc_provider:-$GCP_OIDC_PROVIDER}" - oidc_account="${env_oidc_account:-$GCP_OIDC_ACCOUNT}" - - |- - cat << EOF > "$CI_BUILDS_DIR/google_application_credentials.json" - { - "type": "external_account", - "audience": "//iam.googleapis.com/${oidc_provider}", - "subject_token_type": "urn:ietf:params:oauth:token-type:jwt", - "token_url": "https://sts.googleapis.com/v1/token", - "credential_source": { - "file": "$CI_BUILDS_DIR/.auth_token.jwt" - }, - "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${oidc_account}:generateAccessToken" - } + echo "Installing GCP authentication with env GOOGLE_APPLICATION_CREDENTIALS file" + echo $GCP_JWT > "$CI_BUILDS_DIR/.auth_token.jwt" + if [[ "$ENV_TYPE" ]] + then + case "$ENV_TYPE" in + review*) + env_prefix=REVIEW;; + integ*) + env_prefix=INTEG;; + staging*) + env_prefix=STAGING;; + prod*) + env_prefix=PROD;; + *) + ;; + esac + env_oidc_provider=$(eval echo "\$GCP_${env_prefix}_OIDC_PROVIDER") + env_oidc_account=$(eval echo "\$GCP_${env_prefix}_OIDC_ACCOUNT") + fi + oidc_provider="${env_oidc_provider:-$GCP_OIDC_PROVIDER}" + oidc_account="${env_oidc_account:-$GCP_OIDC_ACCOUNT}" + cat << EOF > "$CI_BUILDS_DIR/google_application_credentials.json" + { + "type": "external_account", + "audience": "//iam.googleapis.com/${oidc_provider}", + "subject_token_type": 
"urn:ietf:params:oauth:token-type:jwt", + "token_url": "https://sts.googleapis.com/v1/token", + "credential_source": { + "file": "$CI_BUILDS_DIR/.auth_token.jwt" + }, + "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${oidc_account}:generateAccessToken" + } EOF - - export GOOGLE_APPLICATION_CREDENTIALS="$CI_BUILDS_DIR/google_application_credentials.json" + export GOOGLE_APPLICATION_CREDENTIALS="$CI_BUILDS_DIR/google_application_credentials.json" + else + echo '[WARN] $GCP_JWT is not set: cannot setup Application Default Credentials (ADC) authentication' + fi .k8s-deploy: id_tokens:
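Review bot: The ID token is still written with `echo $GCP_JWT > "$CI_BUILDS_DIR/.auth_token.jwt"`, unquoted and under the job's default umask, and nothing in this hunk removes the file afterwards. Because it lands in `$CI_BUILDS_DIR` rather than the project checkout, it may stay readable to other jobs or users on a runner that reuses that directory. Writing it as `(umask 077; echo "$GCP_JWT" > "$CI_BUILDS_DIR/.auth_token.jwt")` and deleting it once the job no longer needs it would narrow that exposure. Separately, the `*)` arm of the `case` leaves `env_prefix` unset, so unless it is initialised elsewhere an inherited value reaches the two `eval echo` lines. As the script already depends on bash `[[ ]]`, indirect expansion (`name="GCP_${env_prefix}_OIDC_PROVIDER"; env_oidc_provider="${!name}"`), skipped when no arm matched, would avoid `eval` altogether.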