ci: update GCP service accounts for CI (#2629)

* Update CI to use different GCP project for e2e tests * Update GCP image project service accounts * Update default GCP bucket name for image builds --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2025-04-25 01:29:14 -04:00 · 2023-11-27 13:04:41 +01:00 · 2023-11-27 13:04:41 +01:00 · 97aea98e77
commit 97aea98e77
parent 98673b0983
11 changed files with 33 additions and 52 deletions
--- a/.github/actions/e2e_test/action.yml
+++ b/.github/actions/e2e_test/action.yml
@ -37,9 +37,6 @@ inputs:
  gcpClusterCreateServiceAccount:
    description: "Service account with permissions to create a Constellation cluster on GCP."
    required: true
-  gcpInClusterServiceAccountKey:
-    description: "Service account to use inside the created Constellation cluster on GCP."
-    required: true
  awsOpenSearchDomain:
    description: "AWS OpenSearch Endpoint Domain to upload the benchmark results."
  awsOpenSearchUsers:
--- a/.github/workflows/build-os-image.yml
+++ b/.github/workflows/build-os-image.yml
@ -273,7 +273,7 @@ jobs:
        if: matrix.csp == 'gcp'
        uses: ./.github/actions/login_gcp
        with:
-          service_account: "constellation-cos-builder@constellation-331613.iam.gserviceaccount.com"
+          service_account: "image-uploader@constellation-images.iam.gserviceaccount.com"

      - name: Upload AWS image
        if: matrix.csp == 'aws'
--- a/.github/workflows/e2e-test-daily.yml
+++ b/.github/workflows/e2e-test-daily.yml
@ -74,10 +74,9 @@ jobs:
          isDebugImage: ${{ matrix.refStream == 'ref/main/stream/debug/?' }}
          cliVersion: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || '' }}
          refStream: ${{ matrix.refStream }}
-          gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
-          gcpClusterCreateServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
-          gcpIAMCreateServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
-          gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
+          gcpProject: constellation-e2e # ${{ secrets.GCP_E2E_PROJECT }}
+          gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
+          gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
          kubernetesVersion: ${{ matrix.kubernetesVersion }}
          test: ${{ matrix.test }}
          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
@ -109,7 +108,7 @@ jobs:
        with:
          cloudProvider: ${{ matrix.provider }}
          azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
-          gcpServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
+          gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"

      - name: Notify about failure
        if: |
--- a/.github/workflows/e2e-test-release.yml
+++ b/.github/workflows/e2e-test-release.yml
@ -226,10 +226,9 @@ jobs:
          awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
          awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
          awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
-          gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
-          gcpClusterCreateServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
-          gcpIAMCreateServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
-          gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
+          gcpProject: constellation-e2e # ${{ secrets.GCP_E2E_PROJECT }}
+          gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
+          gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
          test: ${{ matrix.test }}
          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
          azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
@ -258,7 +257,7 @@ jobs:
        with:
          cloudProvider: ${{ matrix.provider }}
          azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
-          gcpServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
+          gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"

  e2e-upgrade:
    strategy:
--- a/.github/workflows/e2e-test-tf-module.yml
+++ b/.github/workflows/e2e-test-tf-module.yml
@ -159,7 +159,8 @@ jobs:
        run: |
          cat > terraform.tfvars <<EOF
          name = "${{ steps.create-prefix.outputs.prefix }}"
-          project = "${{ secrets.GCP_E2E_PROJECT }}"
+          # project = "${{ secrets.GCP_E2E_PROJECT }}"
+          project = "constellation-e2e"
          service_account_id = "${{ steps.create-prefix.outputs.prefix }}-sa"
          image = "${{ steps.find-latest-image.outputs.image }}"
          zone = "${{ inputs.regionZone || 'europe-west3-b' }}"
@ -245,7 +246,7 @@ jobs:
        if: inputs.cloudProvider == 'gcp'
        uses: ./.github/actions/login_gcp
        with:
-          service_account: "constellation-e2e-tf@constellation-331613.iam.gserviceaccount.com"
+          service_account: "terraform-e2e@constellation-e2e.iam.gserviceaccount.com"

      - name: Apply Terraform Cluster
        id: apply_terraform
--- a/.github/workflows/e2e-test-weekly.yml
+++ b/.github/workflows/e2e-test-weekly.yml
@ -243,10 +243,9 @@ jobs:
          awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
          awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
          awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
-          gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
-          gcpClusterCreateServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
-          gcpIAMCreateServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
-          gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
+          gcpProject: constellation-e2e # ${{ secrets.GCP_E2E_PROJECT }}
+          gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
+          gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
          test: ${{ matrix.test }}
          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
          azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
@ -277,7 +276,7 @@ jobs:
        with:
          cloudProvider: ${{ matrix.provider }}
          azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
-          gcpServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
+          gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"

      - name: Notify about failure
        if: |
--- a/.github/workflows/e2e-test.yml
+++ b/.github/workflows/e2e-test.yml
@ -215,10 +215,9 @@ jobs:
          cloudProvider: ${{ inputs.cloudProvider }}
          machineType: ${{ inputs.machineType }}
          regionZone: ${{ inputs.regionZone }}
-          gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
-          gcpClusterCreateServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
-          gcpIAMCreateServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
-          gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
+          gcpProject: constellation-e2e # ${{ secrets.GCP_E2E_PROJECT }}
+          gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
+          gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
          test: ${{ inputs.test }}
          kubernetesVersion: ${{ inputs.kubernetesVersion }}
          awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
@ -256,4 +255,4 @@ jobs:
        with:
          cloudProvider: ${{ inputs.cloudProvider }}
          azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
-          gcpServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
+          gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
--- a/.github/workflows/e2e-upgrade.yml
+++ b/.github/workflows/e2e-upgrade.yml
@ -170,10 +170,9 @@ jobs:
          isDebugImage: "false"
          cliVersion: ${{ inputs.fromVersion }}
          regionZone: ${{ inputs.regionZone }}
-          gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
-          gcpClusterCreateServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
-          gcpIAMCreateServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
-          gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
+          gcpProject: constellation-e2e # ${{ secrets.GCP_E2E_PROJECT }}
+          gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
+          gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
          test: "upgrade"
          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
          azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
@ -196,7 +195,7 @@ jobs:
        if: inputs.cloudProvider == 'gcp'
        uses: ./.github/actions/login_gcp
        with:
-          service_account: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
+          service_account: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"

      - name: Login to AWS (IAM role)
        if: inputs.cloudProvider == 'aws'
@ -226,7 +225,7 @@ jobs:
        if: always() && inputs.cloudProvider == 'gcp'
        uses: ./.github/actions/login_gcp
        with:
-          service_account: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
+          service_account: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"

      - name: Login to AWS (Cluster role)
        if: always() && inputs.cloudProvider == 'aws'
@ -300,7 +299,7 @@ jobs:
        with:
          cloudProvider: ${{ inputs.cloudProvider }}
          azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
-          gcpServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
+          gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"

      - name: Notify about failure
        if: |
--- a/.github/workflows/versionsapi.yml
+++ b/.github/workflows/versionsapi.yml
@ -178,7 +178,7 @@ jobs:
        if: steps.check-rights.outputs.auth == 'true'
        uses: ./.github/actions/login_gcp
        with:
-          service_account: "constellation-cos-builder@constellation-331613.iam.gserviceaccount.com"
+          service_account: "image-deleter@constellation-images.iam.gserviceaccount.com"

      - name: Execute versionsapi CLI
        id: run
--- a/dev-docs/workflows/github-actions.md
+++ b/dev-docs/workflows/github-actions.md
@ -30,11 +30,11 @@ When using `--mode` be aware that `--e2e-focus` and `e2e-skip` will be overwritt

 ## Local Development

-Using [***act***](https://github.com/nektos/act) you can run GitHub actions locally.
+Using [`act`](https://github.com/nektos/act) you can run GitHub actions locally.

 **These instructions are for internal use.**
 In case you want to use the E2E actions externally, you need to adjust other configuration parameters.
-Check the assignments made in the [/.github/actions/e2e_test/action.yml](E2E action) and adjust any hard-coded values.
+Check the assignments made in the [E2E action](/.github/actions/e2e_test/action.yml) and adjust any hard-coded values.

 ### Specific Jobs

@ -59,7 +59,7 @@ Create a new JSON file to describe the event ([relevant issue](https://github.co
 }
 ```

-Then run *act* with the event as input:
+Then run `act` with the event as input:

 ```bash
 act -j e2e-test-manual --eventpath event.json
@ -67,20 +67,8 @@ act -j e2e-test-manual --eventpath event.json

 ### Authorizing GCP

-For creating Kubernetes clusters in GCP a local copy of the service account secret is required.
-
-1. [Create a new service account key](https://console.cloud.google.com/iam-admin/serviceaccounts/details/112741463528383500960/keys?authuser=0&project=constellation-331613&supportedpurview=project)
-2. Create a compact (one line) JSON representation of the file `jq -c`
-3. Store in a GitHub Action Secret called `GCP_SERVICE_ACCOUNT` or create a local secret file for *act* to consume:
-
-```bash
-$ cat secrets.env
-GCP_SERVICE_ACCOUNT={"type":"service_account", ... }
-
-$ act --secret-file secrets.env
-```
-
-In addition, you need to create a Service Account which Constellation itself is supposed to use. Refer to [First steps](https://docs.edgeless.systems/constellation/getting-started/first-steps#create-a-cluster) in the documentation on how to create it. What you need here specifically is the `gcpServiceAccountKey`, which needs to be stored in a secret called `GCP_CLUSTER_SERVICE_ACCOUNT`.
+For GCP, OIDC is used to authenticate the CI runner.
+This means the workflow cannot be run locally, as the runner created by `act` is not authenticated.

 ### Authorizing Azure

--- a/image/upload/internal/cmd/gcp.go
+++ b/image/upload/internal/cmd/gcp.go
@ -30,7 +30,7 @@ func newGCPCommand() *cobra.Command {

 	cmd.Flags().String("gcp-project", "constellation-images", "GCP project to use")
 	cmd.Flags().String("gcp-location", "europe-west3", "GCP location to use")
-	cmd.Flags().String("gcp-bucket", "constellation-images", "GCP bucket to use")
+	cmd.Flags().String("gcp-bucket", "constellation-os-images", "GCP bucket to use")
 	return cmd
 }