feat: [CI-12041]: add oidc support

.drone.yml

@@ -12,7 +12,7 @@ platform:
 
 steps:
   - name: vet
-    image: golang:1.17
+    image: golang:1.21
     commands:
       - go vet ./...
     environment:
@@ -43,7 +43,7 @@ pool:
 steps:
   - name: build
     pull: always
-    image: golang:1.19
+    image: golang:1.21
     commands:
       - GOOS=linux   GOARCH=amd64   go build -ldflags "-s -w" -a -tags netgo -o release/drone-buildx-gcr-linux-amd64 ./cmd/drone-buildx-gcr
       - GOOS=linux   GOARCH=arm64   go build -ldflags "-s -w" -a -tags netgo -o release/drone-buildx-gcr-linux-arm64 ./cmd/drone-buildx-gcr

cmd/drone-buildx-gcr/main.go

@@ -1,57 +1,92 @@
 package main
 
 import (
-	"encoding/base64"
+	"log"
 	"os"
 	"path"
 	"strings"
 
 	docker "github.com/drone-plugins/drone-buildx"
+	"github.com/drone-plugins/drone-buildx-gcr/internal/gcp"
 	"github.com/joho/godotenv"
+	"github.com/sirupsen/logrus"
 )
 
-// gcr default username
-const username = "_json_key"
+type Config struct {
+	Repo        string
+	Registry    string
+	Password    string
+	Username    string
+	AccessToken string
+}
 
-func main() {
-	// Load env-file if it exists first
+func loadConfig() Config {
+	// Default username
+	username := "_json_key"
+	var config Config
+
+	// Load env-file if it exists
 	if env := os.Getenv("PLUGIN_ENV_FILE"); env != "" {
-		godotenv.Load(env)
+		if err := godotenv.Load(env); err != nil {
+			log.Fatalf("Error loading .env file: %v", err)
+		}
 	}
 
-	var (
-		repo     = getenv("PLUGIN_REPO")
-		registry = getenv("PLUGIN_REGISTRY")
-		password = getenv(
+	idToken := getenv("PLUGIN_OIDC_TOKEN_ID")
+	projectId := getenv("PLUGIN_PROJECT_NUMBER")
+	poolId := getenv("PLUGIN_POOL_ID")
+	providerId := getenv("PLUGIN_PROVIDER_ID")
+	serviceAccountEmail := getenv("PLUGIN_SERVICE_ACCOUNT_EMAIL")
+
+	if idToken != "" && projectId != "" && poolId != "" && providerId != "" && serviceAccountEmail != "" {
+		federalToken, err := gcp.GetFederalToken(idToken, projectId, poolId, providerId)
+		if err != nil {
+			logrus.Fatalf("Error getting federal token: %s", err)
+		}
+		accessToken, err := gcp.GetGoogleCloudAccessToken(federalToken, serviceAccountEmail)
+		if err != nil {
+			logrus.Fatalf("Error getting Google Cloud Access Token: %s", err)
+		}
+		config.AccessToken = accessToken
+	} else {
+		password := getenv(
 			"PLUGIN_JSON_KEY",
 			"GCR_JSON_KEY",
 			"GOOGLE_CREDENTIALS",
 			"TOKEN",
 		)
-	)
-
-	// decode the token if base64 encoded
-	decoded, err := base64.StdEncoding.DecodeString(password)
-	if err == nil {
-		password = string(decoded)
+		config.Password = password
 	}
+	config.Username = username
+	config.Repo = getenv("PLUGIN_REPO")
+	config.Registry = getenv("PLUGIN_REGISTRY")
+
+	return config
+}
+
+func main() {
+	config := loadConfig()
 
 	// default registry value
-	if registry == "" {
-		registry = "gcr.io"
+	if config.Registry == "" {
+		config.Registry = "gcr.io"
 	}
 
 	// must use the fully qualified repo name. If the
 	// repo name does not have the registry prefix we
 	// should prepend.
-	if !strings.HasPrefix(repo, registry) {
-		repo = path.Join(registry, repo)
+	if !strings.HasPrefix(config.Repo, config.Registry) {
+		config.Repo = path.Join(config.Registry, config.Repo)
 	}
 
-	os.Setenv("PLUGIN_REPO", repo)
-	os.Setenv("PLUGIN_REGISTRY", registry)
-	os.Setenv("DOCKER_USERNAME", username)
-	os.Setenv("DOCKER_PASSWORD", password)
+	os.Setenv("PLUGIN_REPO", config.Repo)
+	os.Setenv("PLUGIN_REGISTRY", config.Registry)
+	os.Setenv("DOCKER_USERNAME", config.Username)
+	if config.AccessToken != "" {
+		os.Setenv("ACCESS_TOKEN", config.AccessToken)
+	} else {
+		os.Setenv("DOCKER_PASSWORD", config.Password)
+	}
 	os.Setenv("PLUGIN_REGISTRY_TYPE", "GCR")
 
 	// invoke the base docker plugin binary

go.mod

@@ -1,18 +1,45 @@
 module github.com/drone-plugins/drone-buildx-gcr
 
-go 1.19
+go 1.21
 
-require github.com/joho/godotenv v1.5.1
+require (
+	github.com/drone-plugins/drone-buildx v1.1.1-0.20240421214441-457c07806e5f
+	github.com/joho/godotenv v1.5.1
+	github.com/sirupsen/logrus v1.9.3
+	golang.org/x/oauth2 v0.19.0
+	google.golang.org/api v0.174.0
+)
 
 require (
+	cloud.google.com/go/auth v0.2.0 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.0 // indirect
+	cloud.google.com/go/compute/metadata v0.3.0 // indirect
 	github.com/coreos/go-semver v0.3.0 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
-	github.com/drone-plugins/drone-buildx v1.0.2 // indirect
-	github.com/drone-plugins/drone-plugin-lib v0.4.1 // indirect
+	github.com/drone-plugins/drone-plugin-lib v0.4.2 // indirect
 	github.com/drone/drone-go v1.7.1 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/s2a-go v0.1.7 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
+	github.com/googleapis/gax-go/v2 v2.12.3 // indirect
 	github.com/inhies/go-bytesize v0.0.0-20210819104631-275770b98743 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/sirupsen/logrus v1.9.0 // indirect
 	github.com/urfave/cli v1.22.2 // indirect
-	golang.org/x/sys v0.0.0-20220731174439-a90be440212d // indirect
+	go.opencensus.io v0.24.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
+	go.opentelemetry.io/otel v1.24.0 // indirect
+	go.opentelemetry.io/otel/metric v1.24.0 // indirect
+	go.opentelemetry.io/otel/trace v1.24.0 // indirect
+	golang.org/x/crypto v0.21.0 // indirect
+	golang.org/x/net v0.22.0 // indirect
+	golang.org/x/sys v0.18.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240415180920-8c6c420018be // indirect
+	google.golang.org/grpc v1.63.0 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
 )