LOG-9171: Add support for GCP workload identity federation v0.54

[vparfonov]

Following PR: #249

Core changes (src/gcp.rs)

• Replace goauth + smpl_jwt libraries with official google-cloud-auth v1.6
• Implement scopes for External Account credentials (Workload Identity Federation)
• Add token refresh logic with 1-hour expiry
• Maintain backward compatibility with all existing authentication methods

New changes:

• Compilation fix:
  • PUBSUB_ADDRESS static was accidentally removed from src/gcp.rs but is still referenced in 4 integration test files (src/sinks/gcp/pubsub.rs, src/sources/gcp_pubsub.rs). This was causing the unit: FAILED CI status.
  • Restored the LazyLock static and its import.
• Security (least-privilege):
  • Chronicle sink was changed from Scope::MalachiteIngestion to scopes::CLOUD_PLATFORM, which grants access to all GCP APIs. Restored the original narrow scope by adding MALACHITE_INGESTION (https://www.googleapis.com/auth/malachite-ingestion) as a scope constant.
• Test coverage:
  • The fails_missing_creds test was removed from gcp::tests without replacement.
  • Added a falls_back_to_adc test that verifies the ADC fallback path doesn't panic.
• Code cleanup:
  • Applied cargo fmt
  • Fix the cargo-fmt-check

/assign @jcantrill
/cc @cahartma @Clee2691

https://redhat.atlassian.net/browse/LOG-9171

[vparfonov]

/hold

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: vparfonov
Once this PR has been reviewed and has the lgtm label, please assign jcantrill for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jcantrill]

Is this correct in there is no way for us to support isolating credentials for multiple GCP outputs?

[vparfonov]

Yes, this is a limitation of the google-cloud-auth library — its Builder has no with_credentials_file() method, so the GOOGLE_APPLICATION_CREDENTIALS env var is the only way to pass a credentials path.
The env var is only set temporarily during build_access_token_credentials() call. After that the ScopedEnv guard drops, restores the original value, and each GCP output holds its own independent AccessTokenCredentials instance with its own credentials. So at runtime, multiple GCP outputs with different credentials work fine.
The only theoretical risk is during initialization: if two GCP outputs with different credentials_path values call build() concurrently, they could race on the env var. In practice Vector builds sink configs sequentially during startup, so this doesn't happen.

[openshift-ci-robot]

@vparfonov: This pull request references LOG-9171 which is a valid jira issue.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@vparfonov: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/unit	6f9bc51	link	true	/test unit

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.