Implement Google Plugin

[rtamalin]

Start/Create Google meter billing plugin. Expectation is to follow the pluggy plugin style and implement the csp billing hooks that are defined in hookspec. Naming should reference the provider not the platform. E.g. google not GCP.

Also, the naming would match other plugins and exist in SUSE-Enceladus. And we want to follow the same project setup as other repos. Such as the amazon plugin. This will simplify packaging workflow.

SUSE-Enceladus/csp-billing-adapter-google

• hookspec: devel/csp_billing_adapter/hookspecs.py
• Example: SUSE-Enceladus/csp-billing-adapter-amazon@develop

[rtamalin]

Note that while the normal metadata URLs work automatically for GCE VMs, to retrieve the service account identity via http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=http://smt-gce-susecloud.net&format=full requires additional "plumbing" work:

# curl -H "Metadata-Flavor: Google" 'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=http://smt-gce-susecloud.net&format=full' && echo
Your Kubernetes service account (default/default) is not annotated with a target Google service account, which is a requirement for retrieving Identity Tokens using Workload Identity.
Please add the iam.gke.io/gcp-service-account=[GSA_NAME]@[PROJECT_ID] annotation to your Kubernetes service account.
Refer to https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity

[rtamalin]

Testing using gcloud (in my personal account, using the $300 new user credit) to deploy a GKE cluster in a freshly created project space, using mostly defaults, but with the GKE_METADATA option selected for metadata service, I've identified the following minimum requirements to ensure that deployed container instances can obtain valid metadata:

• The project needs to be billing enabled, and enable the compute and container APIs
• Once the GKE cluster is created the default compute instance service account needs to be updated to bind the default Kubernetes service account as a member with the roles/iam.workloadIdentityUser role to permit retrieval of the metadata:

  $ gcloud iam \
  --project ${PROJ_ID} \
  service-accounts add-iam-policy-binding ${SERVICE_ACCOUNT} \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:${PROJ_ID}.svc.id.goog[default/default]"

• The Kubernetes default service account needs to be annotated to reference the GKE Compute Instance Service account:

  kubectl annotate serviceaccount default --overwrite --namespace default "iam.gke.io/gcp-service-account=${SERVICE_ACCOUNT}"

This represents the subset of the steps outlines in the https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity related to enabling the relevant privileges for existing GKE Compute Service accounts and Kubernetes default service accounts, rather than creating entirely new GKE and Kubernetes services accounts. However, it may be necessary to create new SA accounts for a product deployment into an existing GKE...

Note also that if the GKE Cluster is created with the GCE_METADATA (enabling pass-through of metadata requests to the underlying compute instance's metadata service) no additional setup should be required...

Therefore we will likely need to come up with a way to detect if the GKE cluster that the product is being deployed into is configured with GKE_METADATA or GCE_METADATA to determine if we need the additional service account plumbing to be able to leverage the metadata service within deployed containers.