Merge pull request #1594 from salasberryfin/backport_to_1.11

[release-1.11] bump google client and update gcp client auth

Author: k8s-ci-robot

api/v1beta1/gcpcluster_types.go

@@ -62,6 +62,8 @@ type GCPClusterSpec struct {
 
 	// CredentialsRef is a reference to a Secret that contains the credentials to use for provisioning this cluster. If not
 	// supplied then the credentials of the controller will be used.
+	// When creating a new GCP client, the controller will try to extract the type
+	// of credential from the JSON data, and it will request a client for the specific credential type.
 	// +optional
 	CredentialsRef *ObjectReference `json:"credentialsRef,omitempty"`
 

cloud/scope/clients.go

@@ -18,6 +18,7 @@ package scope
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"time"
 
@@ -43,6 +44,12 @@ type GCPServices struct {
 // GCPRateLimiter implements cloud.RateLimiter.
 type GCPRateLimiter struct{}
 
+// credentialHeader is a helper struct used for determining the type of
+// GCP credentials from JSON data.
+type credentialHeader struct {
+	Type string `json:"type"`
+}
+
 // Accept blocks until the operation can be performed.
 func (rl *GCPRateLimiter) Accept(ctx context.Context, key *cloud.RateLimitKey) error {
 	if key.Operation == "Get" && key.Service == "Operations" {
@@ -83,7 +90,22 @@ func defaultClientOptions(ctx context.Context, credentialsRef *infrav1.ObjectRef
 		if err != nil {
 			return nil, fmt.Errorf("getting gcp credentials from reference %s: %w", credentialsRef, err)
 		}
-		opts = append(opts, option.WithCredentialsJSON(rawData))
+
+		header := &credentialHeader{}
+		if err := json.Unmarshal(rawData, header); err != nil {
+			return nil, fmt.Errorf("parsing gcp credential type from reference %s: %w", credentialsRef, err)
+		}
+
+		switch header.Type {
+		case "service_account":
+			opts = append(opts, option.WithAuthCredentialsJSON(option.ServiceAccount, rawData))
+		case "external_account":
+			opts = append(opts, option.WithAuthCredentialsJSON(option.ExternalAccount, rawData))
+		case "impersonated_service_account":
+			opts = append(opts, option.WithAuthCredentialsJSON(option.ImpersonatedServiceAccount, rawData))
+		default:
+			opts = append(opts, option.WithAuthCredentialsJSON(option.ServiceAccount, rawData))
+		}
 	}
 
 	return opts, nil

config/crd/bases/infrastructure.cluster.x-k8s.io_gcpclusters.yaml

@@ -86,6 +86,8 @@ spec:
                 description: |-
                   CredentialsRef is a reference to a Secret that contains the credentials to use for provisioning this cluster. If not
                   supplied then the credentials of the controller will be used.
+                  When creating a new GCP client, the controller will try to extract the type
+                  of credential from the JSON data, and it will request a client for the specific credential type.
                 properties:
                   name:
                     description: |-

config/crd/bases/infrastructure.cluster.x-k8s.io_gcpclustertemplates.yaml

@@ -103,6 +103,8 @@ spec:
                         description: |-
                           CredentialsRef is a reference to a Secret that contains the credentials to use for provisioning this cluster. If not
                           supplied then the credentials of the controller will be used.
+                          When creating a new GCP client, the controller will try to extract the type
+                          of credential from the JSON data, and it will request a client for the specific credential type.
                         properties:
                           name:
                             description: |-

controllers/gcpcluster_controller_test.go

@@ -17,9 +17,10 @@ limitations under the License.
 package controllers
 
 import (
+	"context"
+
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
-	"golang.org/x/net/context"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	infrav1 "sigs.k8s.io/cluster-api-provider-gcp/api/v1beta1"
 	ctrl "sigs.k8s.io/controller-runtime"

go.mod

@@ -18,11 +18,10 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/spf13/pflag v1.0.10
 	github.com/stretchr/testify v1.11.1
-	golang.org/x/crypto v0.43.0
-	golang.org/x/mod v0.29.0
-	golang.org/x/net v0.45.0
-	google.golang.org/api v0.252.0
-	google.golang.org/grpc v1.76.0
+	golang.org/x/crypto v0.46.0
+	golang.org/x/mod v0.30.0
+	google.golang.org/api v0.258.0
+	google.golang.org/grpc v1.77.0
 	k8s.io/api v0.33.3
 	k8s.io/apimachinery v0.33.3
 	k8s.io/client-go v0.33.3
@@ -41,6 +40,7 @@ require (
 	go.uber.org/automaxprocs v1.6.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
+	golang.org/x/net v0.48.0 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 )
 
@@ -94,7 +94,7 @@ require (
 	github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.7 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
@@ -128,31 +128,31 @@ require (
 	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
-	go.opentelemetry.io/otel v1.37.0 // indirect
+	go.opentelemetry.io/otel v1.38.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0 // indirect
-	go.opentelemetry.io/otel/metric v1.37.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.37.0 // indirect
-	go.opentelemetry.io/otel/trace v1.37.0 // indirect
+	go.opentelemetry.io/otel/metric v1.38.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.38.0 // indirect
+	go.opentelemetry.io/otel/trace v1.38.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.4.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect; indirect// indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/oauth2 v0.31.0 // indirect
-	golang.org/x/sync v0.17.0 // indirect
-	golang.org/x/sys v0.37.0 // indirect
-	golang.org/x/term v0.36.0 // indirect
-	golang.org/x/text v0.30.0 // indirect
-	golang.org/x/time v0.13.0 // indirect
-	golang.org/x/tools v0.37.0 // indirect
+	golang.org/x/oauth2 v0.34.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
+	golang.org/x/sys v0.39.0 // indirect
+	golang.org/x/term v0.38.0 // indirect
+	golang.org/x/text v0.32.0 // indirect
+	golang.org/x/time v0.14.0 // indirect
+	golang.org/x/tools v0.39.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
 	google.golang.org/genproto v0.0.0-20250603155806-513f23925822 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20251002232023-7c0ddcbb5797 // indirect
-	google.golang.org/protobuf v1.36.10 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251213004720-97cd9d5aeac2 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect