Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-04-03 04:26:09 -04:00
Code Issues Packages Projects Releases Wiki Activity

ci: update GCP service accounts for CI ()

Browse Source 
* Update CI to use different GCP project for e2e tests
* Update GCP image project service accounts
* Update default GCP bucket name for image builds

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
Daniel Weiße 2023-11-27 13:04:41 +01:00 committed by GitHub
parent 98673b0983
commit 97aea98e77
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 33 additions and 52 deletions

3
.github/actions/e2e_test/action.yml vendored

@ -37,9 +37,6 @@ inputs:
gcpClusterCreateServiceAccount:
description: "Service account with permissions to create a Constellation cluster on GCP."
required: true
gcpInClusterServiceAccountKey:
description: "Service account to use inside the created Constellation cluster on GCP."
required: true
awsOpenSearchDomain:
description: "AWS OpenSearch Endpoint Domain to upload the benchmark results."
awsOpenSearchUsers:

2
.github/workflows/build-os-image.yml vendored

@ -273,7 +273,7 @@ jobs:
if: matrix.csp == 'gcp'
uses: ./.github/actions/login_gcp
with:
service_account: "constellation-cos-builder@constellation-331613.iam.gserviceaccount.com"
service_account: "image-uploader@constellation-images.iam.gserviceaccount.com"
- name: Upload AWS image
if: matrix.csp == 'aws'

9
.github/workflows/e2e-test-daily.yml vendored

@ -74,10 +74,9 @@ jobs:
isDebugImage: ${{ matrix.refStream == 'ref/main/stream/debug/?' }}
cliVersion: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || '' }}
refStream: ${{ matrix.refStream }}
gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
gcpClusterCreateServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
gcpIAMCreateServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
gcpProject: constellation-e2e # ${{ secrets.GCP_E2E_PROJECT }}
gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
kubernetesVersion: ${{ matrix.kubernetesVersion }}
test: ${{ matrix.test }}
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
@ -109,7 +108,7 @@ jobs:
with:
cloudProvider: ${{ matrix.provider }}
azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
gcpServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
- name: Notify about failure
if: |

9
.github/workflows/e2e-test-release.yml vendored

@ -226,10 +226,9 @@ jobs:
awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
gcpClusterCreateServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
gcpIAMCreateServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
gcpProject: constellation-e2e # ${{ secrets.GCP_E2E_PROJECT }}
gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
test: ${{ matrix.test }}
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
@ -258,7 +257,7 @@ jobs:
with:
cloudProvider: ${{ matrix.provider }}
azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
gcpServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
e2e-upgrade:
strategy:

5
.github/workflows/e2e-test-tf-module.yml vendored

@ -159,7 +159,8 @@ jobs:
run: |
cat > terraform.tfvars <<EOF
name = "${{ steps.create-prefix.outputs.prefix }}"
project = "${{ secrets.GCP_E2E_PROJECT }}"
# project = "${{ secrets.GCP_E2E_PROJECT }}"
project = "constellation-e2e"
service_account_id = "${{ steps.create-prefix.outputs.prefix }}-sa"
image = "${{ steps.find-latest-image.outputs.image }}"
zone = "${{ inputs.regionZone || 'europe-west3-b' }}"
@ -245,7 +246,7 @@ jobs:
if: inputs.cloudProvider == 'gcp'
uses: ./.github/actions/login_gcp
with:
service_account: "constellation-e2e-tf@constellation-331613.iam.gserviceaccount.com"
service_account: "terraform-e2e@constellation-e2e.iam.gserviceaccount.com"
- name: Apply Terraform Cluster
id: apply_terraform

9
.github/workflows/e2e-test-weekly.yml vendored

@ -243,10 +243,9 @@ jobs:
awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
gcpClusterCreateServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
gcpIAMCreateServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
gcpProject: constellation-e2e # ${{ secrets.GCP_E2E_PROJECT }}
gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
test: ${{ matrix.test }}
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
@ -277,7 +276,7 @@ jobs:
with:
cloudProvider: ${{ matrix.provider }}
azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
gcpServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
- name: Notify about failure
if: |

9
.github/workflows/e2e-test.yml vendored

@ -215,10 +215,9 @@ jobs:
cloudProvider: ${{ inputs.cloudProvider }}
machineType: ${{ inputs.machineType }}
regionZone: ${{ inputs.regionZone }}
gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
gcpClusterCreateServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
gcpIAMCreateServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
gcpProject: constellation-e2e # ${{ secrets.GCP_E2E_PROJECT }}
gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
test: ${{ inputs.test }}
kubernetesVersion: ${{ inputs.kubernetesVersion }}
awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
@ -256,4 +255,4 @@ jobs:
with:
cloudProvider: ${{ inputs.cloudProvider }}
azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
gcpServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"

13
.github/workflows/e2e-upgrade.yml vendored

@ -170,10 +170,9 @@ jobs:
isDebugImage: "false"
cliVersion: ${{ inputs.fromVersion }}
regionZone: ${{ inputs.regionZone }}
gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
gcpClusterCreateServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
gcpIAMCreateServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
gcpProject: constellation-e2e # ${{ secrets.GCP_E2E_PROJECT }}
gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
test: "upgrade"
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
@ -196,7 +195,7 @@ jobs:
if: inputs.cloudProvider == 'gcp'
uses: ./.github/actions/login_gcp
with:
service_account: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
service_account: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
- name: Login to AWS (IAM role)
if: inputs.cloudProvider == 'aws'
@ -226,7 +225,7 @@ jobs:
if: always() && inputs.cloudProvider == 'gcp'
uses: ./.github/actions/login_gcp
with:
service_account: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
service_account: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
- name: Login to AWS (Cluster role)
if: always() && inputs.cloudProvider == 'aws'
@ -300,7 +299,7 @@ jobs:
with:
cloudProvider: ${{ inputs.cloudProvider }}
azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
gcpServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
- name: Notify about failure
if: |

2
.github/workflows/versionsapi.yml vendored

@ -178,7 +178,7 @@ jobs:
if: steps.check-rights.outputs.auth == 'true'
uses: ./.github/actions/login_gcp
with:
service_account: "constellation-cos-builder@constellation-331613.iam.gserviceaccount.com"
service_account: "image-deleter@constellation-images.iam.gserviceaccount.com"
- name: Execute versionsapi CLI
id: run

22
dev-docs/workflows/github-actions.md

@ -30,11 +30,11 @@ When using `--mode` be aware that `--e2e-focus` and `e2e-skip` will be overwritt
## Local Development
Using [***act***](https://github.com/nektos/act) you can run GitHub actions locally.
Using [`act`](https://github.com/nektos/act) you can run GitHub actions locally.
**These instructions are for internal use.**
In case you want to use the E2E actions externally, you need to adjust other configuration parameters.
Check the assignments made in the [/.github/actions/e2e_test/action.yml](E2E action) and adjust any hard-coded values.
Check the assignments made in the [E2E action](/.github/actions/e2e_test/action.yml) and adjust any hard-coded values.
### Specific Jobs
@ -59,7 +59,7 @@ Create a new JSON file to describe the event ([relevant issue](https://github.co
}
```
Then run *act* with the event as input:
Then run `act` with the event as input:
```bash
act -j e2e-test-manual --eventpath event.json
@ -67,20 +67,8 @@ act -j e2e-test-manual --eventpath event.json
### Authorizing GCP
For creating Kubernetes clusters in GCP a local copy of the service account secret is required.
1. [Create a new service account key](https://console.cloud.google.com/iam-admin/serviceaccounts/details/112741463528383500960/keys?authuser=0&project=constellation-331613&supportedpurview=project)
2. Create a compact (one line) JSON representation of the file `jq -c`
3. Store in a GitHub Action Secret called `GCP_SERVICE_ACCOUNT` or create a local secret file for *act* to consume:
```bash
$ cat secrets.env
GCP_SERVICE_ACCOUNT={"type":"service_account", ... }
$ act --secret-file secrets.env
```
In addition, you need to create a Service Account which Constellation itself is supposed to use. Refer to [First steps](https://docs.edgeless.systems/constellation/getting-started/first-steps#create-a-cluster) in the documentation on how to create it. What you need here specifically is the `gcpServiceAccountKey`, which needs to be stored in a secret called `GCP_CLUSTER_SERVICE_ACCOUNT`.
For GCP, OIDC is used to authenticate the CI runner.
This means the workflow cannot be run locally, as the runner created by `act` is not authenticated.
### Authorizing Azure

2
image/upload/internal/cmd/gcp.go

@ -30,7 +30,7 @@ func newGCPCommand() *cobra.Command {
cmd.Flags().String("gcp-project", "constellation-images", "GCP project to use")
cmd.Flags().String("gcp-location", "europe-west3", "GCP location to use")
cmd.Flags().String("gcp-bucket", "constellation-images", "GCP bucket to use")
cmd.Flags().String("gcp-bucket", "constellation-os-images", "GCP bucket to use")
return cmd
}