From 20915c0f10c6b2089189584b7971f2594cd7ed56 Mon Sep 17 00:00:00 2001 From: Oyvind Albrigtsen Date: Wed, 9 Jun 2021 11:13:05 +0200 Subject: [PATCH 1/2] gcp-vpc-move-route: add serviceaccount JSON file support --- heartbeat/gcp-vpc-move-route.in | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/heartbeat/gcp-vpc-move-route.in b/heartbeat/gcp-vpc-move-route.in index fd2d2ec59..dac6e4ea8 100644 --- a/heartbeat/gcp-vpc-move-route.in +++ b/heartbeat/gcp-vpc-move-route.in @@ -47,6 +47,10 @@ from ocf import * try: import googleapiclient.discovery import pyroute2 + try: + from google.oauth2.service_account import Credentials as ServiceAccountCredentials + except ImportError: + from oauth2client.service_account import ServiceAccountCredentials except ImportError: pass @@ -132,6 +136,12 @@ Route name + +Path to Service account JSON file +Service account JSONfile + + + If enabled (set to true), IP failover logs will be posted to stackdriver logging Stackdriver-logging support 
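Review bot: `GoogleCredentials` is never imported in this patch: this import block adds only `ServiceAccountCredentials`, yet validate() later falls back to `credentials = GoogleCredentials.get_application_default()`. Unless the name is imported outside the shown context, that fallback raises NameError. Because it sits under a bare `except:`, any failure of `_auth.default_credentials()` would then be reported as a missing name rather than the underlying credentials error. Either add `from oauth2client.client import GoogleCredentials` next to the oauth2client fallback here or drop the fallback, and narrow the handler to `except (ImportError, AttributeError):`. The import hunk of gcp-vpc-move-vip.in and its create_api_connection() have the same gap.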
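Review bot: The description of the new `serviceaccount` parameter does not tell the operator that the file is a secret. A service account JSON key file contains the account's private key, and the agent reads the path straight from `OCF_RESKEY_serviceaccount`. I would word the long description along the lines of `Path to the service account JSON key file. The file contains a private key and should be readable only by the user the agent runs as. If unset, application default credentials are used.` and fix the short description to `Service account JSON file`. The markup is stripped on this page, so only the text could be checked. The metadata hunk of gcp-vpc-move-vip.in carries the same two strings.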
@@ -212,7 +222,25 @@ def validate(ctx):
 sys.exit(OCF_ERR_PERM)
 try:
- ctx.conn = googleapiclient.discovery.build('compute', 'v1')
+ serviceaccount = os.environ.get("OCF_RESKEY_serviceaccount")
+ if not serviceaccount:
+ try:
+ from googleapiclient import _auth
+ credentials = _auth.default_credentials();
+ except:
+ credentials = GoogleCredentials.get_application_default()
+ logging.debug("using application default credentials")
+ else:
+ scope = ['https://www.googleapis.com/auth/cloud-platform']
+ logging.debug("using credentials from service account")
+ try:
+ credentials = ServiceAccountCredentials.from_service_account_file(filename=serviceaccount, scopes=scope)
+ except AttributeError:
+ credentials = ServiceAccountCredentials.from_json_keyfile_name(serviceaccount, scope)
+ except Exception as e:
+ logging.error(str(e))
+ sys.exit(OCF_ERR_GENERIC)
+ ctx.conn = googleapiclient.discovery.build('compute', 'v1', credentials=credentials, cache_discovery=False)
 except Exception as e:
 logger.error('Couldn\'t connect with google api: ' + str(e))
 sys.exit(OCF_ERR_CONFIGURED)
From 28e0d428db1fdd9d5270a2916bb9b0064115c11c Mon Sep 17 00:00:00 2001
From: Oyvind Albrigtsen
Date: Wed, 9 Jun 2021 11:22:09 +0200
Subject: [PATCH 2/2] gcp-vpc-move-vip: add serviceaccount JSON file support
---
 heartbeat/gcp-vpc-move-vip.in | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/heartbeat/gcp-vpc-move-vip.in b/heartbeat/gcp-vpc-move-vip.in
index c41155511..7e9d61f55 100755
--- a/heartbeat/gcp-vpc-move-vip.in
+++ b/heartbeat/gcp-vpc-move-vip.in
@@ -30,6 +30,10 @@ from ocf import *
 try:
 import googleapiclient.discovery
+ try:
+ from google.oauth2.service_account import Credentials as ServiceAccountCredentials
+ except ImportError:
+ from oauth2client.service_account import ServiceAccountCredentials
 except ImportError:
 pass
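Review bot: The service-account branch requests `https://www.googleapis.com/auth/cloud-platform`, while the only client built from these credentials in this hunk is `compute` `v1`. With that scope, a token minted from the key file can reach every Google Cloud API the account's IAM roles permit, so the scope does nothing to contain a leaked token or an over-privileged account. `scope = ['https://www.googleapis.com/auth/compute']` would limit it to the Compute API, assuming nothing outside the hunk reuses `credentials` for another service. The same `scope` line appears in create_api_connection() in the gcp-vpc-move-vip.in patch. validate() starts and ends outside this hunk.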
@@ -87,6 +91,11 @@ METADATA = \ Project ID + + Path to Service account JSON file + Service account JSONfile + + If enabled (set to true), IP failover logs will be posted to stackdriver logging Stackdriver-logging support @@ -136,7 +145,26 @@ def get_metadata(metadata_key, params=None, timeout=None): def create_api_connection(): for i in range(MAX_RETRIES): try: + serviceaccount = os.environ.get("OCF_RESKEY_serviceaccount") + if not serviceaccount: + try: + from googleapiclient import _auth + credentials = _auth.default_credentials(); + except: + credentials = GoogleCredentials.get_application_default() + logging.debug("using application default credentials") + else: + scope = ['https://www.googleapis.com/auth/cloud-platform'] + logging.debug("using credentials from service account") + try: + credentials = ServiceAccountCredentials.from_service_account_file(filename=serviceaccount, scopes=scope) + except AttributeError: + credentials = ServiceAccountCredentials.from_json_keyfile_name(serviceaccount, scope) + except Exception as e: + logging.error(str(e)) + sys.exit(OCF_ERR_GENERIC) return googleapiclient.discovery.build('compute', 'v1', + credentials=credentials, cache_discovery=False) except Exception as e: logger.error('Couldn\'t connect with google api: ' + str(e))
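Review bot: Credential loading now runs inside the `for i in range(MAX_RETRIES)` body of create_api_connection(), so the key file is re-read on every attempt. A failure in the application-default branch is also logged as 'Couldn't connect with google api' and presumably retried like a transient API error; the rest of the handler is outside the hunk. Resolving `credentials` once before the loop and leaving only the `googleapiclient.discovery.build(...)` call inside the `try` would keep configuration errors apart from connection errors. The added lines also call `logging.debug` and `logging.error` where the surrounding code uses `logger`, so they may bypass the agent's configured handlers; `logger.debug("using credentials from service account")` would match the context lines, here and in validate() in patch 1/2.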