gcp: support projects with no default permissions

[3u13r]

Context

When creating VMs we used to rely on the following points:

1. The default project service account is automatically attached to every VM in the project, which doesn't override it
2. The default service account used to have many permissions due having the Editor role attached by default (see: https://cloud.google.com/iam/docs/service-account-types#default)
3. Though, the scopes added to the VM filtered how this service account could be used

Since GCP now doesn't give the project service account Editor by default, we need to create our own service account with minimal permissions. Note that the filtering over scopes is deprecated, one should simply attach a service account with minimal permissions and maximum scope.

Not only the Bootstrapper on the VM but also the constellation-operator and join-service automatically used the project service account per default, since we didn't explicitly set the service account already create for (and used by) other cluster components.
Since we want the VMs permissions to be as narrow as possible, we need to pass the in-cluster service account to also the constellation-operator and join-service.

Proposed change(s)

• Create a second very narrow, read-only service account and attach it to VMs
• Don't filter via scope anymore
• Attach the in-cluster service account to the constellation-operator and join-service

Checklist

• Run the E2E tests that are relevant to this PR's changes
  • e2e upgrade. gcp, snp: https://github.com/edgelesssys/constellation/actions/runs/13443379097
  • e2e upgrade. gcp, snp: https://github.com/edgelesssys/constellation/actions/runs/13755459817
  • https://github.com/edgelesssys/constellation/actions/runs/13762021363
  • https://github.com/edgelesssys/constellation/actions/runs/13763556980
• Update docs
• Add labels (e.g., for changelog category)
• Is PR title adequate for changelog?
• Link to Milestone

How to test:

• Create/upgrade your gcp iam credentials
• Successfully start a cluster, neither the bootstrapper, operator or the joinservice should error

[netlify]

✅ Deploy Preview for constellation-docs canceled.

Name	Link
🔨 Latest commit	ce22bed
🔍 Latest deploy log	https://app.netlify.com/sites/constellation-docs/deploys/67cee5c9cf4c420008533221

[msanft]

For the sake of not further complicating the iam create command, should we make it default to use the serviceAccountID for the serviceAccountVMID if the latter is not present? (i.e. the current behavior)

[3u13r]

Yeah, was also not sure about that. I think we can go with not having a flag at all and just appending "-vm" to the other one. Though of course something like "my-in-cluster-service-account-vm" is also weird. In a ideal goal scenario, we'd just have a given prefix as for the cluster creation and we can just derive everything from there.

Though, I'm interested about hearing opinions about what to implement in this PR. If we get one more vote for falling back to the other flag, then I'll go with that.

[msanft]

Just making it a prefix is a great idea. Would also resemble what we currently have on AWS.

[3u13r]

I guess then I add a prefix flag to the command. While this is counter-intuitive behavior: should we make it have precedence over the serviceAccountID if both are set, so we can set both in the CI and deprecate the old one slowly?

[msanft]

Id not have both but remove serviceAccountID directly. (we can have breaking changes)

Having both would indeed be counter-intuitive. Or what was your point for that?

[3u13r]

I don't think we should have such breaking changes. One example is the upgrade CI e2e test. If you specify too many flags during iam create it just fails, therefore, I think we need to have a migration plan (In my opinion not only for the e2e test but also for users).

[github-actions]

Coverage report

Package	Old	New	Trend
cli/internal/cloudcmd	63.90%	63.70%	↘️
cli/internal/cmd	57.90%	57.90%	↔️
cli/internal/terraform	69.60%	69.80%	↗️
internal/config	77.10%	77.20%	↗️

[daniel-weisse]

Does the new service account attached to the VMs have sufficient permissions for the GCP CSI driver?

[daniel-weisse]

Please add a TODO to remove this after the next release (just in case)

[daniel-weisse]

Suggested change

	cmd.Flags().String("serviceAccountID", "", "[Deprecated use \"--prefix\"]ID for the service account that will be created (required)\n"+
	"Must be 6 to 30 lowercase letters, digits, or hyphens. This flag is mutually exclusive with --prefix.")
	cmd.Flags().String("serviceAccountID", "", "ID for the service account that will be created\n"+
	"Must be 6 to 30 lowercase letters, digits, or hyphens. This flag is mutually exclusive with --prefix.")
	must(cmd.Flags().MarkDeprecated("serviceAccountID", "use \"--prefix\" instead"]

Use MarkDeprecated instead of manually adding a deprecation note.
This will cause the flag to not show up when running the command with --help and will print Flag --serviceAccountID has been deprecated, use "--prefix" instead when using it.

[daniel-weisse]

Suggested change

	cmd.Printf("Service Account ID:\t%s\n", c.flags.serviceAccountID)
	if c.flags.serviceAccountID != "" {
	cmd.Printf("Service Account ID:\t%s\n", c.flags.serviceAccountID)
	}

Should now only be printed when the --prefix flag wasn't set
Similarly, we might want to omit the output for name prefix if only --serviceAccountID was set

[daniel-weisse]

Suggested change

	constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountVMID=constell-test-vm --serviceAccountID=constell-test --update-config
	constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --prefix=constell-test --update-config

[elchead]

owned files lgtm

[elchead]

Suggested change

	sproject_id = local.project_id
	project_id = local.project_id