From feaf0f2ad56fc32b37e6ebf21e0a8b1fded066b5 Mon Sep 17 00:00:00 2001
From: "James E. Blair" <jeblair@redhat.com>
Date: Thu, 12 Nov 2020 09:56:58 -0800
Subject: [PATCH] Support the project argument in GCS

The Google credential object now requires that the project be supplied,
so plumb that through in the GCS log upload role.

Change-Id: I4519fbcb9ac7b8bbd34ab7f17aada3e50c1aaa4b
---
 .../library/zuul_google_storage_upload.py     | 21 ++++++++++++++-----
 roles/upload-logs-gcs/README.rst              | 19 +++++++++++++++++
 roles/upload-logs-gcs/tasks/main.yaml         |  1 +
 3 files changed, 36 insertions(+), 5 deletions(-)

diff --git a/roles/upload-logs-base/library/zuul_google_storage_upload.py b/roles/upload-logs-base/library/zuul_google_storage_upload.py
index 178c164ef..8e615eff1 100755
--- a/roles/upload-logs-base/library/zuul_google_storage_upload.py
+++ b/roles/upload-logs-base/library/zuul_google_storage_upload.py
@@ -22,6 +22,10 @@ __metaclass__ = type
 
 """
 Utility to upload files to google
+
+Run this from the CLI from the zuul-jobs/roles directory with:
+
+  python -m upload-logs-base.library.zuul_google_storage_upload
 """
 
 import argparse
@@ -190,11 +194,12 @@ class Uploader():
 def run(container, files,
         indexes=True, parent_links=True, topdir_parent_link=False,
         partition=False, footer='index_footer.html',
-        prefix=None, dry_run=False, credentials_file=None):
+        prefix=None, dry_run=False, credentials_file=None,
+        project=None):
 
     if credentials_file:
         cred = Credentials(credentials_file)
-        client = storage.Client(credentials=cred)
+        client = storage.Client(credentials=cred, project=project)
     else:
         client = storage.Client()
 
@@ -242,6 +247,7 @@ def ansible_main():
             footer=dict(type='str'),
             prefix=dict(type='str'),
             credentials_file=dict(type='str'),
+            project=dict(type='str'),
         )
     )
 
@@ -253,7 +259,8 @@ def ansible_main():
               partition=p.get('partition'),
               footer=p.get('footer'),
               prefix=p.get('prefix'),
-              credentials_file=p.get('credentials_file'))
+              credentials_file=p.get('credentials_file'),
+              project=p.get('project'))
     module.exit_json(changed=True,
                      url=url)
 
@@ -285,7 +292,10 @@ def cli_main():
                         help='do not attempt to create containers or upload, '
                              'useful with --verbose for debugging')
     parser.add_argument('--credentials_file',
-                        help='A file with Google cloud credentials')
+                        help='A file with Google Cloud credentials')
+    parser.add_argument('--project',
+                        help='Name of the Google Cloud project (required for '
+                             'credential file)')
     parser.add_argument('container',
                         help='Name of the container to use when uploading')
     parser.add_argument('files', nargs='+',
@@ -310,7 +320,8 @@ def cli_main():
               footer=append_footer,
               prefix=args.prefix,
               dry_run=args.dry_run,
-              credentials_file=args.credentials_file)
+              credentials_file=args.credentials_file,
+              project=args.project)
     print(url)
 
 
diff --git a/roles/upload-logs-gcs/README.rst b/roles/upload-logs-gcs/README.rst
index 1919d4917..bc9dea17c 100644
--- a/roles/upload-logs-gcs/README.rst
+++ b/roles/upload-logs-gcs/README.rst
@@ -59,3 +59,22 @@ Google Cloud Application Default Credentials.
 
    More details can be found at
    :zuul:rolevar:`set-zuul-log-path-fact.zuul_log_path_shard_build`.
+
+.. zuul:rolevar:: zuul_log_credentials_file
+
+   This log upload role normally uses Google Cloud Application Default
+   Credentials, however it can also operate in a mode where it uses a
+   credential file written by gcp-authdaemon:
+   https://opendev.org/zuul/gcp-authdaemon
+
+   To use this mode of operation, supply a path to the credentials
+   file previously written by gcp-authdaemon.
+
+   Also supply :zuul:rolevar:`upload-logs-gcs.zuul_log_project`.
+
+.. zuul:rolevar:: zuul_log_project
+
+   When using
+   :zuul:rolevar:`upload-logs-gcs.zuul_log_credentials_file`, the name
+   of the Google Cloud project of the log container must also be
+   supplied.
diff --git a/roles/upload-logs-gcs/tasks/main.yaml b/roles/upload-logs-gcs/tasks/main.yaml
index 53746e949..594f8431c 100644
--- a/roles/upload-logs-gcs/tasks/main.yaml
+++ b/roles/upload-logs-gcs/tasks/main.yaml
@@ -24,6 +24,7 @@
         prefix: "{{ zuul_log_path }}"
         indexes: "{{ zuul_log_create_indexes }}"
         credentials_file: "{{ zuul_log_credentials_file }}"
+        project: "{{ zuul_log_project }}"
         files:
           - "{{ zuul.executor.log_root }}/"
       register: upload_results