[Logs] Deliver GCP logging credential to a readable remote path #9991
aylei wants to merge 1 commit into
logs.gcp.credentials_file was uploaded to the same path it has on the API server and used directly as GOOGLE_APPLICATION_CREDENTIALS. This breaks two real cases: the source path lives under a home the cluster's runtime user cannot read (e.g. /root while the cluster runs as a non-root user), and the key is a symlink (e.g. a Kubernetes Secret mounted as a volume) that the file-mount upload does not follow. Resolve the configured path with expanduser + realpath and deliver the resolved file to a fixed home-relative location (~/.sky/logging/gcp_credentials.json), pointing GOOGLE_APPLICATION_CREDENTIALS there. When no key is configured the behavior is unchanged (application-default credentials / metadata server).
Code Review
This pull request updates the GCP logging agent to deliver user-provided service-account keys to a fixed, home-relative remote path instead of using the source path. It resolves symlinks and expands user paths on the local credentials file before uploading, ensuring compatibility with Kubernetes Secrets and multi-user environments. Unit tests have been added to verify these behaviors. I have no feedback to provide.
/smoke-test -k logging
/smoke-test -k test_log_collection
DanielZhangQD left a comment
LGTM! Thanks! @aylei
Summary
logs.gcp.credentials_file is uploaded to clusters and exported as GOOGLE_APPLICATION_CREDENTIALS for the fluent-bit stackdriver output. Two cases were broken:
/root while the cluster runs as a non-root user), fluent-bit cannot open the key and stackdriver initialization fails — silently, since on GKE the setup falls back to the metadata server and the agent still starts but never authenticates.
This resolves the configured path with expanduser + realpath (handling ~, relative paths, and symlinks) and delivers the resolved file to a fixed home-relative location, ~/.sky/logging/gcp_credentials.json, pointing GOOGLE_APPLICATION_CREDENTIALS there. Behavior is unchanged when no key is configured (application-default credentials / metadata server).
Test
tests/unit_tests/test_sky/logs/test_gcp.py: symlink resolution, ~ expansion, and that the setup command exports GOOGLE_APPLICATION_CREDENTIALS to the remote path when a key is set (and to the application-default path otherwise).
pytest tests/unit_tests/test_sky/logs/test_gcp.py — 5 passed.
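The resolve-then-deliver step described in the summary, sketched as an added example; it is not code from this pull request or from the project. The function names, the readability check, the no-export behavior for an unset key, and the constructed Kubernetes-Secret-style symlink layout are assumptions made for illustration.

```python
import os
import tempfile
from typing import Dict, Optional, Tuple

# Fixed home-relative remote location named in the PR description.
REMOTE_KEY_PATH = '~/.sky/logging/gcp_credentials.json'


def plan_credential_delivery(
        credentials_file: Optional[str]) -> Tuple[Dict[str, str], str]:
    """Return (file_mounts, export_cmd). Hypothetical helper, not the PR's code."""
    if not credentials_file:
        # Simplification (assumption): emit no export, so the agent falls back
        # to application-default credentials or the metadata server.
        return {}, ''
    # expanduser handles '~'; realpath handles relative paths and symlinks.
    resolved = os.path.realpath(os.path.expanduser(credentials_file))
    # Added check (assumption): fail at launch time instead of letting the
    # agent start and never authenticate.
    if not os.path.isfile(resolved) or not os.access(resolved, os.R_OK):
        raise FileNotFoundError(
            f'GCP logging key {credentials_file!r} resolved to {resolved!r}, '
            'which is not a readable regular file')
    # Remote destination -> local source; the source is a real file, so the
    # upload never has to follow a symlink.
    mounts = {REMOTE_KEY_PATH: resolved}
    # '~' is not expanded inside double quotes, so spell it as $HOME and let
    # the remote shell expand it for whichever user the cluster runs as.
    remote = REMOTE_KEY_PATH.replace('~', '$HOME', 1)
    return mounts, f'export GOOGLE_APPLICATION_CREDENTIALS="{remote}"'


def demo_secret_mount() -> Tuple[Dict[str, str], str, str]:
    """Plan delivery for a constructed Secret-volume-style symlink chain."""
    root = os.path.realpath(tempfile.mkdtemp())
    versioned = os.path.join(root, '..2024_01_01_00_00_00.000000000')
    os.mkdir(versioned)
    real_key = os.path.join(versioned, 'key.json')
    with open(real_key, 'w', encoding='utf-8') as f:
        f.write('{"type": "service_account"}')  # constructed placeholder
    # key.json -> ..data/key.json, and ..data -> the versioned directory.
    os.symlink(os.path.basename(versioned), os.path.join(root, '..data'))
    os.symlink(os.path.join('..data', 'key.json'),
               os.path.join(root, 'key.json'))
    mounts, cmd = plan_credential_delivery(os.path.join(root, 'key.json'))
    return mounts, cmd, real_key
```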