internal/cloud: delete gcp upload implementation

Signed-off-by: Tomáš Hozza <thozza@redhat.com>
2025-08-12 17:07:20 +02:00 · 2025-08-12 17:07:20 +02:00 · 01faa858d4
commit 01faa858d4
parent 992c6365f0
4 changed files with 2 additions and 499 deletions
--- a/go.mod
+++ b/go.mod
@ -6,7 +6,6 @@ exclude github.com/mattn/go-sqlite3 v2.0.3+incompatible

 require (
 	cloud.google.com/go/compute v1.42.0
-	cloud.google.com/go/storage v1.56.0
 	github.com/BurntSushi/toml v1.5.1-0.20250403130103-3d3abc24416a
 	github.com/aws/aws-sdk-go-v2 v1.37.2
 	github.com/aws/aws-sdk-go-v2/config v1.30.3
@ -43,7 +42,6 @@ require (
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	golang.org/x/exp v0.0.0-20250103183323-7d7fa50e5329
-	golang.org/x/oauth2 v0.30.0
 	golang.org/x/sync v0.16.0
 	google.golang.org/api v0.246.0
 )
@ -56,6 +54,7 @@ require (
 	cloud.google.com/go/compute/metadata v0.7.0 // indirect
 	cloud.google.com/go/iam v1.5.2 // indirect
 	cloud.google.com/go/monitoring v1.24.2 // indirect
+	cloud.google.com/go/storage v1.56.0 // indirect
 	dario.cat/mergo v1.0.2 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.2 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.11.0 // indirect
@ -223,6 +222,7 @@ require (
 	golang.org/x/crypto v0.41.0 // indirect
 	golang.org/x/mod v0.27.0 // indirect
 	golang.org/x/net v0.43.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
 	golang.org/x/sys v0.35.0 // indirect
 	golang.org/x/term v0.34.0 // indirect
 	golang.org/x/text v0.28.0 // indirect
--- a/internal/cloud/gcp/compute.go
+++ b/internal/cloud/gcp/compute.go
@ -1,328 +0,0 @@
-package gcp
-
-import (
-	"context"
-	"fmt"
-	"strings"
-
-	compute "cloud.google.com/go/compute/apiv1"
-	"cloud.google.com/go/compute/apiv1/computepb"
-	"google.golang.org/api/option"
-
-	"github.com/osbuild/osbuild-composer/internal/common"
-)
-
-// Guest OS Features for RHEL8 images
-var GuestOsFeaturesRHEL8 []*computepb.GuestOsFeature = []*computepb.GuestOsFeature{
-	{Type: common.ToPtr(computepb.GuestOsFeature_UEFI_COMPATIBLE.String())},
-	{Type: common.ToPtr(computepb.GuestOsFeature_VIRTIO_SCSI_MULTIQUEUE.String())},
-	{Type: common.ToPtr(computepb.GuestOsFeature_SEV_CAPABLE.String())},
-}
-
-// Guest OS Features for RHEL9 images.  Note that if you update this, also
-// consider changing the code in https://github.com/coreos/coreos-assembler/blob/0083086c4720b602b8243effb85c0a1f73f013dd/mantle/platform/api/gcloud/image.go#L105
-// for RHEL CoreOS which uses coreos-assembler today.
-var GuestOsFeaturesRHEL9 []*computepb.GuestOsFeature = []*computepb.GuestOsFeature{
-	{Type: common.ToPtr(computepb.GuestOsFeature_UEFI_COMPATIBLE.String())},
-	{Type: common.ToPtr(computepb.GuestOsFeature_VIRTIO_SCSI_MULTIQUEUE.String())},
-	{Type: common.ToPtr(computepb.GuestOsFeature_SEV_CAPABLE.String())},
-	{Type: common.ToPtr(computepb.GuestOsFeature_GVNIC.String())},
-	{Type: common.ToPtr(computepb.GuestOsFeature_SEV_SNP_CAPABLE.String())},
-	{Type: common.ToPtr(computepb.GuestOsFeature_SEV_LIVE_MIGRATABLE_V2.String())},
-	{Type: common.ToPtr(computepb.GuestOsFeature_TDX_CAPABLE.String())},
-}
-
-// Guest OS Features for RHEL images up to RHEL9.5.
-// The TDX support was added since RHEL-9.6.
-var GuestOsFeaturesRHEL95 []*computepb.GuestOsFeature = []*computepb.GuestOsFeature{
-	{Type: common.ToPtr(computepb.GuestOsFeature_UEFI_COMPATIBLE.String())},
-	{Type: common.ToPtr(computepb.GuestOsFeature_VIRTIO_SCSI_MULTIQUEUE.String())},
-	{Type: common.ToPtr(computepb.GuestOsFeature_SEV_CAPABLE.String())},
-	{Type: common.ToPtr(computepb.GuestOsFeature_GVNIC.String())},
-	{Type: common.ToPtr(computepb.GuestOsFeature_SEV_SNP_CAPABLE.String())},
-	{Type: common.ToPtr(computepb.GuestOsFeature_SEV_LIVE_MIGRATABLE_V2.String())},
-}
-
-// Guest OS Features for RHEL9.1 images.
-// The SEV_LIVE_MIGRATABLE_V2 support was added since RHEL-9.2
-var GuestOsFeaturesRHEL91 []*computepb.GuestOsFeature = []*computepb.GuestOsFeature{
-	{Type: common.ToPtr(computepb.GuestOsFeature_UEFI_COMPATIBLE.String())},
-	{Type: common.ToPtr(computepb.GuestOsFeature_VIRTIO_SCSI_MULTIQUEUE.String())},
-	{Type: common.ToPtr(computepb.GuestOsFeature_SEV_CAPABLE.String())},
-	{Type: common.ToPtr(computepb.GuestOsFeature_GVNIC.String())},
-	{Type: common.ToPtr(computepb.GuestOsFeature_SEV_SNP_CAPABLE.String())},
-}
-
-// Guest OS Features for RHEL9.0 images.
-// The SEV-SNP support was added since RHEL-9.1, so keeping this for RHEL-9.0 only.
-var GuestOsFeaturesRHEL90 []*computepb.GuestOsFeature = []*computepb.GuestOsFeature{
-	{Type: common.ToPtr(computepb.GuestOsFeature_UEFI_COMPATIBLE.String())},
-	{Type: common.ToPtr(computepb.GuestOsFeature_VIRTIO_SCSI_MULTIQUEUE.String())},
-	{Type: common.ToPtr(computepb.GuestOsFeature_SEV_CAPABLE.String())},
-	{Type: common.ToPtr(computepb.GuestOsFeature_GVNIC.String())},
-}
-
-// Guest OS Features for RHEL-10 images.
-var GuestOsFeaturesRHEL10 []*computepb.GuestOsFeature = GuestOsFeaturesRHEL9
-
-// GuestOsFeaturesByDistro returns the the list of Guest OS Features, which
-// should be used when importing an image of the specified distribution.
-//
-// In case the provided distribution does not have any specific Guest OS
-// Features list defined, nil is returned.
-func GuestOsFeaturesByDistro(distroName string) []*computepb.GuestOsFeature {
-	switch {
-	case strings.HasPrefix(distroName, "centos-8"):
-		fallthrough
-	case strings.HasPrefix(distroName, "rhel-8"):
-		return GuestOsFeaturesRHEL8
-
-	// TODO: this should be updated for the dot-notation
-	case distroName == "rhel-90":
-		return GuestOsFeaturesRHEL90
-	// TODO: this should be updated for the dot-notation
-	case distroName == "rhel-91":
-		return GuestOsFeaturesRHEL91
-	case distroName == "rhel-92":
-		fallthrough
-	case distroName == "rhel-93":
-		fallthrough
-	case distroName == "rhel-94":
-		fallthrough
-	case distroName == "rhel-95":
-		return GuestOsFeaturesRHEL95
-	case strings.HasPrefix(distroName, "centos-9"):
-		fallthrough
-	case strings.HasPrefix(distroName, "rhel-9"):
-		return GuestOsFeaturesRHEL9
-
-	case strings.HasPrefix(distroName, "centos-10"):
-		fallthrough
-	case strings.HasPrefix(distroName, "rhel-10"):
-		return GuestOsFeaturesRHEL10
-
-	default:
-		return nil
-	}
-}
-
-// ComputeImageInsert imports a previously uploaded archive with raw image into Compute Engine.
-//
-// The image must be RAW image named 'disk.raw' inside a gzip-ed tarball.
-//
-// To delete the Storage object (image) used for the image import, use StorageObjectDelete().
-//
-// bucket - Google storage bucket name with the uploaded image archive
-// object - Google storage object name of the uploaded image
-// imageName - Desired image name after the import. This must be unique within the whole project.
-// regions - A list of valid Google Storage regions where the resulting image should be located.
-//
-//	It is possible to specify multiple regions. Also multi and dual regions are allowed.
-//	If not provided, the region of the used Storage object is used.
-//	See: https://cloud.google.com/storage/docs/locations
-//
-// guestOsFeatures - A list of features supported by the Guest OS on the imported image.
-//
-// Uses:
-//   - Compute Engine API
-func (g *GCP) ComputeImageInsert(
-	ctx context.Context,
-	bucket, object, imageName string,
-	regions []string,
-	guestOsFeatures []*computepb.GuestOsFeature) (*computepb.Image, error) {
-	imagesClient, err := compute.NewImagesRESTClient(ctx, option.WithCredentials(g.creds))
-	if err != nil {
-		return nil, fmt.Errorf("failed to get Compute Engine Images client: %v", err)
-	}
-	defer imagesClient.Close()
-
-	operationsClient, err := compute.NewGlobalOperationsRESTClient(ctx, option.WithCredentials(g.creds))
-	if err != nil {
-		return nil, fmt.Errorf("failed to get Compute Engine Operations client: %v", err)
-	}
-	defer operationsClient.Close()
-
-	imgInsertReq := &computepb.InsertImageRequest{
-		Project: g.GetProjectID(),
-		ImageResource: &computepb.Image{
-			Name:             &imageName,
-			StorageLocations: regions,
-			GuestOsFeatures:  guestOsFeatures,
-			RawDisk: &computepb.RawDisk{
-				ContainerType: common.ToPtr(computepb.RawDisk_TAR.String()),
-				Source:        common.ToPtr(fmt.Sprintf("https://storage.googleapis.com/%s/%s", bucket, object)),
-			},
-		},
-	}
-
-	operation, err := imagesClient.Insert(ctx, imgInsertReq)
-	if err != nil {
-		return nil, fmt.Errorf("failed to insert provided image into GCE: %v", err)
-	}
-
-	// wait for the operation to finish
-	var operationResource *computepb.Operation
-	for {
-		waitOperationReq := &computepb.WaitGlobalOperationRequest{
-			Operation: operation.Proto().GetName(),
-			Project:   g.GetProjectID(),
-		}
-
-		operationResource, err = operationsClient.Wait(ctx, waitOperationReq)
-		if err != nil {
-			return nil, fmt.Errorf("failed to wait for an Image Import operation: %v", err)
-		}
-
-		// The operation finished
-		if operationResource.GetStatus() != computepb.Operation_RUNNING && operationResource.GetStatus() != computepb.Operation_PENDING {
-			break
-		}
-	}
-
-	// If the operation failed, the HttpErrorStatusCode is set to a non-zero value
-	if operationStatusCode := operationResource.GetHttpErrorStatusCode(); operationStatusCode != 0 {
-		operationErrorMsg := operationResource.GetHttpErrorMessage()
-		operationErrors := operationResource.GetError().GetErrors()
-		return nil, fmt.Errorf("failed to insert image into GCE. HTTPErrorCode:%d HTTPErrorMsg:%v Errors:%v", operationStatusCode, operationErrorMsg, operationErrors)
-	}
-
-	getImageReq := &computepb.GetImageRequest{
-		Image:   imageName,
-		Project: g.GetProjectID(),
-	}
-
-	image, err := imagesClient.Get(ctx, getImageReq)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get information about the imported Image: %v", err)
-	}
-
-	return image, nil
-}
-
-// ComputeImageURL returns an image's URL to Google Cloud Console. The method does
-// not check at all, if the image actually exists or not.
-func (g *GCP) ComputeImageURL(imageName string) string {
-	return fmt.Sprintf("https://console.cloud.google.com/compute/imagesDetail/projects/%s/global/images/%s", g.GetProjectID(), imageName)
-}
-
-// ComputeImageShare shares the specified Compute Engine image with list of accounts.
-//
-// "shareWith" is a list of accounts to share the image with. Items can be one
-// of the following options:
-//
-//   - `user:{emailid}`: An email address that represents a specific
-//     Google account. For example, `alice@example.com`.
-//
-//   - `serviceAccount:{emailid}`: An email address that represents a
-//     service account. For example, `my-other-app@appspot.gserviceaccount.com`.
-//
-//   - `group:{emailid}`: An email address that represents a Google group.
-//     For example, `admins@example.com`.
-//
-//   - `domain:{domain}`: The G Suite domain (primary) that represents all
-//     the users of that domain. For example, `google.com` or `example.com`.
-//
-// Uses:
-//   - Compute Engine API
-func (g *GCP) ComputeImageShare(ctx context.Context, imageName string, shareWith []string) error {
-	imagesClient, err := compute.NewImagesRESTClient(ctx, option.WithCredentials(g.creds))
-	if err != nil {
-		return fmt.Errorf("failed to get Compute Engine Images client: %v", err)
-	}
-	defer imagesClient.Close()
-
-	// Standard role to enable account to view and use a specific Image
-	imageDesiredRole := "roles/compute.imageUser"
-
-	// Get the current Policy set on the Image
-	getIamPolicyReq := &computepb.GetIamPolicyImageRequest{
-		Project:  g.GetProjectID(),
-		Resource: imageName,
-	}
-	policy, err := imagesClient.GetIamPolicy(ctx, getIamPolicyReq)
-	if err != nil {
-		return fmt.Errorf("failed to get image's policy: %v", err)
-	}
-
-	// Add new members, who can use the image
-	// Completely override the old policy
-	userBinding := &computepb.Binding{
-		Members: shareWith,
-		Role:    common.ToPtr(imageDesiredRole),
-	}
-	newPolicy := &computepb.Policy{
-		Bindings: []*computepb.Binding{userBinding},
-		Etag:     policy.Etag,
-	}
-	setIamPolicyReq := &computepb.SetIamPolicyImageRequest{
-		Project:  g.GetProjectID(),
-		Resource: imageName,
-		GlobalSetPolicyRequestResource: &computepb.GlobalSetPolicyRequest{
-			Policy: newPolicy,
-		},
-	}
-	_, err = imagesClient.SetIamPolicy(ctx, setIamPolicyReq)
-	if err != nil {
-		return fmt.Errorf("failed to set new image policy: %v", err)
-	}
-
-	// Users won't see the shared image in their images.list requests, unless
-	// they are also granted a specific "imagesList" role on the project. If you
-	// don't need users to be able to view the list of shared images, this
-	// step can be skipped.
-	//
-	// Downside of granting the "imagesList" role to a project is that the user
-	// will be able to list all available images in the project, even those that
-	// they can't use because of insufficient permissions.
-	//
-	// Even without the ability to view / list shared images, the user can still
-	// create a Compute Engine instance using the image via API or 'gcloud' tool.
-	//
-	// Custom role to enable account to only list images in the project.
-	// Without this role, the account won't be able to list and see the image
-	// in the GCP Web UI.
-
-	// For now, the decision is that the account should not get any role to the
-	// project, where the image has been imported.
-
-	return nil
-}
-
-// ComputeImageDelete deletes a Compute Engine image with the given name. If the
-// image existed and was successfully deleted, no error is returned.
-//
-// Uses:
-//   - Compute Engine API
-func (g *GCP) ComputeImageDelete(ctx context.Context, name string) error {
-	imagesClient, err := compute.NewImagesRESTClient(ctx, option.WithCredentials(g.creds))
-	if err != nil {
-		return fmt.Errorf("failed to get Compute Engine Images client: %v", err)
-	}
-	defer imagesClient.Close()
-
-	req := &computepb.DeleteImageRequest{
-		Project: g.GetProjectID(),
-		Image:   name,
-	}
-	_, err = imagesClient.Delete(ctx, req)
-
-	return err
-}
-
-// ComputeExecuteFunctionForImages will pass all the compute images in the account to a function,
-// which is able to iterate over the images. Useful if something needs to be execute for each image.
-// Uses:
-//   - Compute Engine API
-func (g *GCP) ComputeExecuteFunctionForImages(ctx context.Context, f func(*compute.ImageIterator) error) error {
-	imagesClient, err := compute.NewImagesRESTClient(ctx, option.WithCredentials(g.creds))
-	if err != nil {
-		return fmt.Errorf("failed to get Compute Engine Images client: %v", err)
-	}
-	defer imagesClient.Close()
-
-	req := &computepb.ListImagesRequest{
-		Project: g.GetProjectID(),
-	}
-	imagesIterator := imagesClient.List(ctx, req)
-	return f(imagesIterator)
-}
--- a/internal/cloud/gcp/gcp.go
+++ b/internal/cloud/gcp/gcp.go
@ -1,70 +0,0 @@
-package gcp
-
-import (
-	"context"
-	"fmt"
-	"os"
-
-	compute "cloud.google.com/go/compute/apiv1"
-	"cloud.google.com/go/storage"
-	"golang.org/x/oauth2/google"
-)
-
-// GCPCredentialsEnvName contains name of the environment variable used
-// to specify the path to file with CGP service account credentials
-const (
-	//nolint:gosec
-	GCPCredentialsEnvName string = "GOOGLE_APPLICATION_CREDENTIALS"
-)
-
-// GCP structure holds necessary information to authenticate and interact with GCP.
-type GCP struct {
-	creds *google.Credentials
-}
-
-// New returns an authenticated GCP instance, allowing to interact with GCP API.
-func New(credentials []byte) (*GCP, error) {
-	scopes := []string{storage.ScopeReadWrite}              // file upload
-	scopes = append(scopes, compute.DefaultAuthScopes()...) // permissions to image
-
-	var getCredsFunc func() (*google.Credentials, error)
-	if credentials != nil {
-		getCredsFunc = func() (*google.Credentials, error) {
-			return google.CredentialsFromJSON(
-				context.Background(),
-				credentials,
-				scopes...,
-			)
-		}
-	} else {
-		getCredsFunc = func() (*google.Credentials, error) {
-			return google.FindDefaultCredentials(
-				context.Background(),
-				scopes...,
-			)
-		}
-	}
-
-	creds, err := getCredsFunc()
-	if err != nil {
-		return nil, fmt.Errorf("failed to get Google credentials: %v", err)
-	}
-
-	return &GCP{creds}, nil
-}
-
-// NewFromFile loads the credentials from a file and returns an authenticated
-// *GCP object instance.
-func NewFromFile(path string) (*GCP, error) {
-	gcpCredentials, err := os.ReadFile(path)
-	if err != nil {
-		return nil, fmt.Errorf("cannot load GCP credentials from file %q: %v", path, err)
-	}
-	return New(gcpCredentials)
-}
-
-// GetProjectID returns a string with the Project ID of the project, used for
-// all GCP operations.
-func (g *GCP) GetProjectID() string {
-	return g.creds.ProjectID
-}
--- a/internal/cloud/gcp/storage.go
+++ b/internal/cloud/gcp/storage.go
@ -1,99 +0,0 @@
-package gcp
-
-import (
-	"context"
-	// gcp uses MD5 hashes
-	/* #nosec G501 */
-	"crypto/md5"
-	"fmt"
-	"io"
-	"os"
-
-	"cloud.google.com/go/storage"
-	"google.golang.org/api/option"
-)
-
-const (
-	// MetadataKeyImageName contains a key name used to store metadata on
-	// a Storage object with the intended name of the image.
-	// The metadata can be then used to associate the object with actual
-	// image build using the image name.
-	MetadataKeyImageName string = "osbuild-composer-image-name"
-)
-
-// StorageObjectUpload uploads an OS image to specified Cloud Storage bucket and object.
-// The bucket must exist. MD5 sum of the image file and uploaded object is
-// compared after the upload to verify the integrity of the uploaded image.
-//
-// The ObjectAttrs is returned if the object has been created.
-//
-// Uses:
-//   - Storage API
-func (g *GCP) StorageObjectUpload(ctx context.Context, filename, bucket, object string, metadata map[string]string) (*storage.ObjectAttrs, error) {
-	storageClient, err := storage.NewClient(ctx, option.WithCredentials(g.creds))
-	if err != nil {
-		return nil, fmt.Errorf("failed to get Storage client: %v", err)
-	}
-	defer storageClient.Close()
-
-	// Open the image file
-	imageFile, err := os.Open(filename)
-	if err != nil {
-		return nil, fmt.Errorf("cannot open the image: %v", err)
-	}
-	defer imageFile.Close()
-
-	// Compute MD5 checksum of the image file for later verification
-	// gcp uses MD5 hashes
-	/* #nosec G401 */
-	imageFileHash := md5.New()
-	if _, err := io.Copy(imageFileHash, imageFile); err != nil {
-		return nil, fmt.Errorf("cannot create md5 of the image: %v", err)
-	}
-	// Move the cursor of opened file back to the start
-	if _, err := imageFile.Seek(0, 0); err != nil {
-		return nil, fmt.Errorf("cannot seek the image: %v", err)
-	}
-
-	// Upload the image
-	// The Bucket MUST exist and be of a STANDARD storage class
-	obj := storageClient.Bucket(bucket).Object(object)
-	wc := obj.NewWriter(ctx)
-
-	// Uploaded data is rejected if its MD5 hash does not match the set value.
-	wc.MD5 = imageFileHash.Sum(nil)
-
-	if metadata != nil {
-		wc.ObjectAttrs.Metadata = metadata
-	}
-
-	if _, err = io.Copy(wc, imageFile); err != nil {
-		return nil, fmt.Errorf("uploading the image failed: %v", err)
-	}
-
-	// The object will not be available until Close has been called.
-	if err := wc.Close(); err != nil {
-		return nil, fmt.Errorf("Writer.Close: %v", err)
-	}
-
-	return wc.Attrs(), nil
-}
-
-// StorageObjectDelete deletes the given object from a bucket.
-//
-// Uses:
-//   - Storage API
-func (g *GCP) StorageObjectDelete(ctx context.Context, bucket, object string) error {
-	storageClient, err := storage.NewClient(ctx, option.WithCredentials(g.creds))
-	if err != nil {
-		return fmt.Errorf("failed to get Storage client: %v", err)
-	}
-	defer storageClient.Close()
-
-	objectHandle := storageClient.Bucket(bucket).Object(object)
-	if err = objectHandle.Delete(ctx); err != nil {
-		return fmt.Errorf("failed to delete image file object: %v", err)
-	}
-
-	return nil
-}