[iris] Replace gcloud CLI with REST API client in CloudGcpService

[rjpower]

Replace all gcloud subprocess calls in CloudGcpService with direct
REST API calls using httpx + google.auth ADC. This eliminates the
gcloud CLI dependency for resource management and fixes CI failures where
gcloud alpha is not installed.

Changes

• Inline HTTP client into CloudGcpService: Auth (ADC token caching),
  pagination, error mapping, and operation polling are private methods on
  CloudGcpService rather than a separate GCPApi class.
• Enable external IPs on TPU VMs: The gcloud CLI defaults to
  enableExternalIps=true; the REST API does not. Without this, TPU VMs
  had no internet access and startup-scripts couldn't pull Docker images.
• Use locations/- wildcard: Project-wide TPU listing uses a single
  API call (locations/-) instead of iterating all known zones, matching
  gcloud's --zone=- behavior.
• Wait for async operations: VM insert and TPU create poll their
  respective operations before describing the resource.
• Add logging_read to GcpService protocol: Bootstrap log fetching
  goes through the service boundary instead of shelling out to gcloud.

Test plan

• 154 unit tests pass (service validation, mock HTTP integration, platform bootstrap)
• Cloud smoke test passes (GCP CI workflow)
• TPU VMs boot with external IPs, startup-scripts execute, workers register

🤖 Generated with Claude Code

[rjpower]

🤖 Specification

Problem:
CloudGcpService shells out to gcloud CLI via subprocess for all GCP operations.
PR #4379 adds queued-resource operations using gcloud alpha, which requires
the alpha component to be installed. CI environments lack it, causing interactive
install prompts that fail in non-interactive mode (lib/iris/src/iris/cluster/providers/gcp/service.py).
Additionally, _fetch_bootstrap_logs in workers.py uses gcloud logging read via
subprocess, which is another gcloud dependency outside the service boundary.

Approach:
New file api.py: GCPApi class using httpx (direct dep) + google.auth (transitive
via gcsfs, now explicit). Handles ADC auth with token caching (same pattern as
GcpAccessTokenProvider in rpc/auth.py), pagination via nextPageToken, and error
mapping from HTTP status codes to domain exceptions (ResourceNotFoundError,
QuotaExhaustedError, InfraError).

service.py: CloudGcpService constructor takes optional GCPApi, creates one by
default. All 12 methods rewritten from subprocess.run to self._api.* calls.
vm_update_labels and vm_set_metadata become read-modify-write with fingerprints
(REST API requirement). TPU list with empty zones scans all known zones instead
of using --zone=- (REST API requires real zone in parent path).

workers.py: _fetch_bootstrap_logs now calls gcp_service.logging_read() instead of
subprocess. logging_read added to GcpService Protocol; CloudGcpService delegates
to api.logging_list_entries(), InMemoryGcpService returns [].

Key code:
Error mapping in api.py _classify_response: 404 -> ResourceNotFoundError,
429/RESOURCE_EXHAUSTED -> QuotaExhaustedError, everything else -> InfraError.
Delete operations treat 404 as success (idempotent). Token refresh uses
monotonic clock with 5min margin before expiry.

Tests:
23 new tests in test_gcp_api.py using httpx.MockTransport. Cover URL construction
for all endpoint families (TPU, QR, Compute, Logging), error mapping (404, 429,
500, non-JSON), pagination, auth header injection, token refresh, aggregatedList
flattening, and force-delete params. All 151 existing GCP provider tests pass unchanged.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 50ff2d2668

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[yonromai]

Approved. The REST rewrite is directionally right and the new integration test file passes, but I found two remaining Compute Engine operation-wait regressions worth fixing before merge:

• vm_delete() now returns before the delete is durable, which can race the controller-recreate path and accidentally hand back the VM we meant to replace.
• vm_update_labels() / vm_set_metadata() now return before the mutation is visible, so controller discovery tags can lag behind start_controller() returning.

Validation run:

• uv run --package iris --group dev pytest lib/iris/tests/cluster/providers/gcp/test_cloud_service_integration.py
• mocked repro in .codex/pr-review/PR_4393/repro_async_ops.py

Generated with Codex

[yonromai]

instances.delete also returns a zonal operation, but this method returns as soon as the delete request is accepted. That changes controller replacement semantics in start_controller(): we terminate an unhealthy controller and immediately recreate the same fixed VM name, so the follow-up vm_create() can race the still-running delete, hit already exists, and hand back the VM we meant to replace.

I reproduced that with a mock transport against the current code: after vm_delete(), vm_create() returned the old instance (10.0.0.1) while the delete was still in progress.

Recommended fix: capture the delete operation name here and wait for _wait_zone_operation() before returning, so terminate() preserves the old blocking behavior.

Generated with Codex

[yonromai]

setLabels returns a zonal operation, but we stop after the initial POST. The previous gcloud compute instances update path only returned once the mutation had landed; with the REST version, callers can observe stale instance state after vm_update_labels() returns. start_controller() is one concrete example because it sets discovery tags right before returning.

I hit the same issue with a mocked pending operation: the new label was still missing immediately after vm_update_labels() because nothing polled the operation to DONE. The same regression applies to vm_set_metadata() below.

Recommended fix: use the returned operation name and _wait_zone_operation() here and in vm_set_metadata() before returning.

Generated with Codex