
Use GCP metadata server and sign blob API for GCS cache url

Jasper Maes requested to merge jlemaes/gitlab-runner:gcs-metadata into main

What does this MR do?

Fixes #5018 (closed)

With this MR it is possible to use the GCP metadata server to get the current service account of the VM, or the service account of the pod when running in GKE with Workload Identity. After this service account is known, it uses the IAM sign blob API to create the signed cache URLs.

I've also added docs for the new GCS cache config option and for making sure the service account that is used has the required permissions to use the sign blob API; this is taken from how GitLab itself does this when using object storage: https://docs.gitlab.com/ee/administration/object_storage.html#google-example-with-adc-consolidated-form

Why was this MR needed?

There was no support for the Google Cloud metadata server to generate GCS cache signed URLs.

What's the best way to test this MR?

Create a VM on GCP with gitlab-runner installed (can be any runner executor that uses cache), apply the GCS cache config with only the BucketName attribute, and grant the required permissions to the service account.

What are the relevant issue numbers?

#5018 (closed)
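The flow the description outlines, written out as an added example (not code from this merge request or from gitlab-runner): ask the metadata server for the default service account's email and an access token, have the IAM Credentials signBlob method sign the GCS V4 string-to-sign with that account's key, and place the result in the URL. Everything below beyond that flow is an assumption of the example rather than something the MR states: the `BlobSigner` type and the function names, the use of the Go standard library only, the public metadata and iamcredentials endpoints, path-style `storage.googleapis.com` URLs with Host as the only signed header and an unsigned payload, and the bucket and object names in the usage note, which are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// BlobSigner signs bytes with the service account's key; IAMSigner does it remotely via signBlob.
type BlobSigner func(payload []byte) ([]byte, error)

// do sends req and turns any non-200 into an error, so a missing permission (signBlob answering
// 403) or a host without a metadata server fails loudly instead of yielding a URL with a bad signature.
func do(client *http.Client, req *http.Request) ([]byte, error) {
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("%s: HTTP %d", req.URL.Path, resp.StatusCode)
	}
	return io.ReadAll(resp.Body)
}

// Metadata reads one attribute ("email", "token", ...) of the default service account of the VM or,
// under Workload Identity, of the pod. The Metadata-Flavor header is mandatory; without it the server refuses.
func Metadata(client *http.Client, attr string) (string, error) {
	req, _ := http.NewRequest(http.MethodGet, // constant, well-formed URL: NewRequest cannot fail here
		"http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/"+attr, nil)
	req.Header.Set("Metadata-Flavor", "Google")
	b, err := do(client, req)
	return strings.TrimSpace(string(b)), err
}

// IAMSigner calls the IAM Credentials signBlob method for email, authenticated with the access token the
// metadata server issues for that same account, which therefore needs roles/iam.serviceAccountTokenCreator on itself.
func IAMSigner(client *http.Client, endpoint, email string) BlobSigner {
	return func(payload []byte) ([]byte, error) {
		tok, err := Metadata(client, "token")
		if err != nil {
			return nil, err
		}
		var t struct{ AccessToken string `json:"access_token"` }
		if err := json.Unmarshal([]byte(tok), &t); err != nil {
			return nil, err
		}
		body, _ := json.Marshal(map[string]string{"payload": base64.StdEncoding.EncodeToString(payload)})
		req, err := http.NewRequest(http.MethodPost, endpoint+"/v1/projects/-/serviceAccounts/"+email+":signBlob", strings.NewReader(string(body)))
		if err != nil {
			return nil, err
		}
		req.Header.Set("Authorization", "Bearer "+t.AccessToken)
		req.Header.Set("Content-Type", "application/json")
		raw, err := do(client, req)
		if err != nil {
			return nil, err
		}
		var out struct{ SignedBlob string `json:"signedBlob"` }
		if err := json.Unmarshal(raw, &out); err != nil {
			return nil, err
		}
		return base64.StdEncoding.DecodeString(out.SignedBlob)
	}
}

// StringToSign builds the GCS V4 canonical request for bucket/object (Host the only signed header,
// unsigned payload) and returns the string-to-sign together with the escaped path and query it covers.
func StringToSign(method, bucket, object, email string, now time.Time, ttl time.Duration) (sts, path, query string) {
	ts := now.UTC().Format("20060102T150405Z")
	scope := ts[:8] + "/auto/storage/goog4_request" // YYYYMMDD/auto/storage/goog4_request
	q := url.Values{}
	q.Set("X-Goog-Algorithm", "GOOG4-RSA-SHA256")
	q.Set("X-Goog-Credential", email+"/"+scope)
	q.Set("X-Goog-Date", ts)
	q.Set("X-Goog-Expires", fmt.Sprint(int(ttl.Seconds())))
	q.Set("X-Goog-SignedHeaders", "host")
	query = q.Encode() // sorted by key; '/' and '@' percent-encoded, as GCS requires
	path = (&url.URL{Path: "/" + bucket + "/" + object}).EscapedPath()
	canonical := strings.Join([]string{method, path, query, "host:storage.googleapis.com", "", "host", "UNSIGNED-PAYLOAD"}, "\n")
	sum := sha256.Sum256([]byte(canonical))
	sts = strings.Join([]string{"GOOG4-RSA-SHA256", ts, scope, hex.EncodeToString(sum[:])}, "\n")
	return sts, path, query
}

// SignedURL signs the string-to-sign (RSA-SHA256, which is what signBlob produces for the account's
// key) and appends the hex signature as X-Goog-Signature.
func SignedURL(method, bucket, object, email string, now time.Time, ttl time.Duration, sign BlobSigner) (string, error) {
	sts, path, query := StringToSign(method, bucket, object, email, now, ttl)
	sig, err := sign([]byte(sts))
	if err != nil {
		return "", err
	}
	return "https://storage.googleapis.com" + path + "?" + query + "&X-Goog-Signature=" + hex.EncodeToString(sig), nil
}
```

On a GCE VM or a GKE pod with Workload Identity, `email, err := Metadata(client, "email")` followed by `SignedURL(http.MethodGet, "my-runner-cache", "project/default/cache.zip", email, time.Now(), 15*time.Minute, IAMSigner(client, "https://iamcredentials.googleapis.com", email))` yields a URL the runner can hand to a job; bucket and object here are constructed names. Two things worth checking when this misbehaves: signBlob answering 403 means the account lacks the iam.serviceAccounts.signBlob permission on itself (carried by roles/iam.serviceAccountTokenCreator), and a signature that GCS rejects usually means the canonical request in StringToSign and the URL actually sent disagree, which is why the function returns the exact path and query it signed.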
