configure-gsutil script correctly echos newline in boto config when using Workload Identity
What does this MR do?
The configure-gsutil script runs echo '[GoogleCompute]\nservice_account = default' > ~/.boto when it detects that Application Default credentials should be used by Toolbox pods for interacting with GCS. This produces a ~/.boto file that reads as follows
[GoogleCompute]\nservice_account = defaultThis is not valid syntax for this file and it should read like this
[GoogleCompute]
service_account = defaultToolbox running with the current .boto file layout does not correctly assume the default service account for the pod and will recieve 401 errors from GCS
ServiceException: 401 Anonymous caller does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist).Related issues
Author checklist
For general guidance, please follow our Contributing guide.
Required
For anything in this list which will not be completed, please provide a reason in the MR discussion.
- Merge Request Title and Description are up to date, accurate, and descriptive.
- MR targeting the appropriate branch.
- MR has a green pipeline.
- Documentation created/updated.
- Tests added/updated, and test plan for scenarios not covered by automated tests.
- Equivalent MR/issue for omnibus-gitlab opened.
Reviewers checklist
- MR has a green pipeline on https://gitlab.com/gitlab-org/charts/gitlab.
- Consider downstream impact to the Operator, as per evaluating impact from changes to GitLab chart.
Edited by Clemens Beck