Drop GCP credentials env if user-gcp-sa secret is not present

[Bobgy]

This is part of #2589

@IronPan @jingzhang36
Can you help me review?

Behavior summary:

1. When user's workflow uses user-gcp-sa secret
2. Backend checks if the secret exists
3. If the secret doesn't -> drop GOOGLE_APPLICATION_CREDENTIALS env and mark user-gcp-sa volume as optional for templates that mount user-gcp-sa.
4. If the secret does exist -> do nothing
5. If an error occurred when fetching the secret -> propagate the error above

Verified

• When cluster's namespace doesn't have user-gcp-sa secret, this can drop env and mark the secret as optional. Therefore, tfx and xgboost samples run successfully.
• When cluster's namespace have user-gcp-sa, this keeps env variables, and let pipelines run as normal.

TODO: add some unit tests
Done

TODO2: apply manifest changes here to Kubeflow too

/cc @rmgogogo
/assign @IronPan
/area backend

---

This change is 

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign ironpan
You can assign the PR to them by writing /assign @ironpan in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• backend/OWNERS
• manifests/gcp_marketplace/OWNERS
• manifests/kustomize/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[rmgogogo]

would that possible: no steps/components mounted secret but set the ADC env?

[Bobgy]

Let me explain. We only handle the default case of using use_gcp_secret with all default arguments.

If user doesn't have this secret, but have ADC env, they may have mounted secret as a different name. So we shouldn't break them

[rmgogogo]

https://github.com/kubeflow/pipelines/blob/master/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/mysql.yaml#L46

would you help remove the line in one shot?

[rmgogogo]

it's OK if no test for now.

[rmgogogo]

so does MINIO.
I think MySQL and MINIO won't hit the createRun to allow you remove it.
https://github.com/kubeflow/pipelines/blob/master/manifests/gcp_marketplace/chart/kubeflow-pipelines/templates/minio.yaml#L46

[Bobgy]

Thanks for pointing them out. I prefer a separate one because this is complex enough.
Will do that shortly after this.

[rmgogogo]

OK, or feel free to leave it to me if multi-user is busy

[Bobgy]

/assign @jingzhang36
for early review

[Bobgy]

Ask for review. Call out that this is probably something that would be controversial. I discussed with @jingzhang36 about this. We concluded that because only users whose workflow contains use_gcp_secret can possibly hit this error. It's clearer if the error is returned to user, instead of silently swallowed (probably with a warning message that no user will ever see).

[rmgogogo]

nit: here also can break
if someStepHasGcpSecretVolume is true, it also can break in outer "for".

[Bobgy]

In fact, I would prefer writing no breaks here to keep it simple and easy to read. (because this cannot impact performance)

WDYT?

[rmgogogo]

sure

[rmgogogo]

FYI, only remove the ENV Var is enough, but OK here you also do these clean up.

[rmgogogo]

ack, got your meaning to have more info for debugging

[Bobgy]

I prefer leaving the secret optional here to give them a clue what happened, just in case they may hit this unexepectedly.

[rmgogogo]

/lgtm

[rmgogogo]

/lgtm

not sure whether you tested this CL via CLI deployment. We can do the test via creating a full scope cluster with "gcloud".

[IronPan]

Why do we need this change? If you really just want to unblock the marketplace samples from being running, isn't it better just to fork the sample in mkp to not mounting the secret?

This change introduce "magical" behavior to the kfp backend. How do you plan to convey this behavior to the end user?

[IronPan]

/hold

[Bobgy]

Synced with @IronPan, because I don't have bandwidth on finishing workload identity documentation for samples and standalone deployment. He prefers finding someone else to finish those, so that we don't need this PR.

[Bobgy]

/close
in favor of #2619

[k8s-ci-robot]

@Bobgy: Closed this PR.

In response to this:

/close
in favor of #2619

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.