ci: update GCP service accounts for CI (#2629)

* Update CI to use different GCP project for e2e tests
* Update GCP image project service accounts
* Update default GCP bucket name for image builds

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Daniel Weiße 2023-11-27 13:04:41 +01:00 committed by GitHub
parent 98673b0983
commit 97aea98e77
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 33 additions and 52 deletions


@ -37,9 +37,6 @@ inputs:
gcpClusterCreateServiceAccount: gcpClusterCreateServiceAccount:
description: "Service account with permissions to create a Constellation cluster on GCP." description: "Service account with permissions to create a Constellation cluster on GCP."
required: true required: true
gcpInClusterServiceAccountKey:
description: "Service account to use inside the created Constellation cluster on GCP."
required: true
awsOpenSearchDomain: awsOpenSearchDomain:
description: "AWS OpenSearch Endpoint Domain to upload the benchmark results." description: "AWS OpenSearch Endpoint Domain to upload the benchmark results."
awsOpenSearchUsers: awsOpenSearchUsers:


@ -273,7 +273,7 @@ jobs:
if: matrix.csp == 'gcp' if: matrix.csp == 'gcp'
uses: ./.github/actions/login_gcp uses: ./.github/actions/login_gcp
with: with:
service_account: "constellation-cos-builder@constellation-331613.iam.gserviceaccount.com" service_account: "image-uploader@constellation-images.iam.gserviceaccount.com"
- name: Upload AWS image - name: Upload AWS image
if: matrix.csp == 'aws' if: matrix.csp == 'aws'


@ -74,10 +74,9 @@ jobs:
isDebugImage: ${{ matrix.refStream == 'ref/main/stream/debug/?' }} isDebugImage: ${{ matrix.refStream == 'ref/main/stream/debug/?' }}
cliVersion: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || '' }} cliVersion: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || '' }}
refStream: ${{ matrix.refStream }} refStream: ${{ matrix.refStream }}
gcpProject: ${{ secrets.GCP_E2E_PROJECT }} gcpProject: constellation-e2e # ${{ secrets.GCP_E2E_PROJECT }}
gcpClusterCreateServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com" gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
gcpIAMCreateServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com" gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
kubernetesVersion: ${{ matrix.kubernetesVersion }} kubernetesVersion: ${{ matrix.kubernetesVersion }}
test: ${{ matrix.test }} test: ${{ matrix.test }}
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }} buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
@ -109,7 +108,7 @@ jobs:
with: with:
cloudProvider: ${{ matrix.provider }} cloudProvider: ${{ matrix.provider }}
azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }} azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
gcpServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com" gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
- name: Notify about failure - name: Notify about failure
if: | if: |
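Review bot: The `gcpProject: constellation-e2e # ${{ secrets.GCP_E2E_PROJECT }}` line keeps the superseded secret expression as a trailing YAML comment, which leaves a dead reference to `GCP_E2E_PROJECT` that will outlive the secret and invites someone to "restore" it later. Either drop the comment so the line reads `gcpProject: constellation-e2e`, or, if the project is meant to stay configurable, move it to a repository variable rather than keeping the old secret lookup in a comment. The same trailing comment recurs in the later e2e workflow sections of this commit (the hunks at `-226,10`, `-243,10`, `-215,10` and `-170,10`). In a `with:` value the comment is inert, so this is a tidiness point rather than a behavioural one.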


@ -226,10 +226,9 @@ jobs:
awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }} awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }} awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }} awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
gcpProject: ${{ secrets.GCP_E2E_PROJECT }} gcpProject: constellation-e2e # ${{ secrets.GCP_E2E_PROJECT }}
gcpClusterCreateServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com" gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
gcpIAMCreateServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com" gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
test: ${{ matrix.test }} test: ${{ matrix.test }}
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }} buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }} azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
@ -258,7 +257,7 @@ jobs:
with: with:
cloudProvider: ${{ matrix.provider }} cloudProvider: ${{ matrix.provider }}
azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }} azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
gcpServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com" gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
e2e-upgrade: e2e-upgrade:
strategy: strategy:


@ -159,7 +159,8 @@ jobs:
run: | run: |
cat > terraform.tfvars <<EOF cat > terraform.tfvars <<EOF
name = "${{ steps.create-prefix.outputs.prefix }}" name = "${{ steps.create-prefix.outputs.prefix }}"
project = "${{ secrets.GCP_E2E_PROJECT }}" # project = "${{ secrets.GCP_E2E_PROJECT }}"
project = "constellation-e2e"
service_account_id = "${{ steps.create-prefix.outputs.prefix }}-sa" service_account_id = "${{ steps.create-prefix.outputs.prefix }}-sa"
image = "${{ steps.find-latest-image.outputs.image }}" image = "${{ steps.find-latest-image.outputs.image }}"
zone = "${{ inputs.regionZone || 'europe-west3-b' }}" zone = "${{ inputs.regionZone || 'europe-west3-b' }}"
@ -245,7 +246,7 @@ jobs:
if: inputs.cloudProvider == 'gcp' if: inputs.cloudProvider == 'gcp'
uses: ./.github/actions/login_gcp uses: ./.github/actions/login_gcp
with: with:
service_account: "constellation-e2e-tf@constellation-331613.iam.gserviceaccount.com" service_account: "terraform-e2e@constellation-e2e.iam.gserviceaccount.com"
- name: Apply Terraform Cluster - name: Apply Terraform Cluster
id: apply_terraform id: apply_terraform


@ -243,10 +243,9 @@ jobs:
awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }} awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }} awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }} awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
gcpProject: ${{ secrets.GCP_E2E_PROJECT }} gcpProject: constellation-e2e # ${{ secrets.GCP_E2E_PROJECT }}
gcpClusterCreateServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com" gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
gcpIAMCreateServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com" gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
test: ${{ matrix.test }} test: ${{ matrix.test }}
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }} buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }} azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
@ -277,7 +276,7 @@ jobs:
with: with:
cloudProvider: ${{ matrix.provider }} cloudProvider: ${{ matrix.provider }}
azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }} azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
gcpServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com" gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
- name: Notify about failure - name: Notify about failure
if: | if: |


@ -215,10 +215,9 @@ jobs:
cloudProvider: ${{ inputs.cloudProvider }} cloudProvider: ${{ inputs.cloudProvider }}
machineType: ${{ inputs.machineType }} machineType: ${{ inputs.machineType }}
regionZone: ${{ inputs.regionZone }} regionZone: ${{ inputs.regionZone }}
gcpProject: ${{ secrets.GCP_E2E_PROJECT }} gcpProject: constellation-e2e # ${{ secrets.GCP_E2E_PROJECT }}
gcpClusterCreateServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com" gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
gcpIAMCreateServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com" gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
test: ${{ inputs.test }} test: ${{ inputs.test }}
kubernetesVersion: ${{ inputs.kubernetesVersion }} kubernetesVersion: ${{ inputs.kubernetesVersion }}
awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }} awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
@ -256,4 +255,4 @@ jobs:
with: with:
cloudProvider: ${{ inputs.cloudProvider }} cloudProvider: ${{ inputs.cloudProvider }}
azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }} azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
gcpServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com" gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"


@ -170,10 +170,9 @@ jobs:
isDebugImage: "false" isDebugImage: "false"
cliVersion: ${{ inputs.fromVersion }} cliVersion: ${{ inputs.fromVersion }}
regionZone: ${{ inputs.regionZone }} regionZone: ${{ inputs.regionZone }}
gcpProject: ${{ secrets.GCP_E2E_PROJECT }} gcpProject: constellation-e2e # ${{ secrets.GCP_E2E_PROJECT }}
gcpClusterCreateServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com" gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
gcpIAMCreateServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com" gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
test: "upgrade" test: "upgrade"
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }} buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }} azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
@ -196,7 +195,7 @@ jobs:
if: inputs.cloudProvider == 'gcp' if: inputs.cloudProvider == 'gcp'
uses: ./.github/actions/login_gcp uses: ./.github/actions/login_gcp
with: with:
service_account: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com" service_account: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
- name: Login to AWS (IAM role) - name: Login to AWS (IAM role)
if: inputs.cloudProvider == 'aws' if: inputs.cloudProvider == 'aws'
@ -226,7 +225,7 @@ jobs:
if: always() && inputs.cloudProvider == 'gcp' if: always() && inputs.cloudProvider == 'gcp'
uses: ./.github/actions/login_gcp uses: ./.github/actions/login_gcp
with: with:
service_account: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com" service_account: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
- name: Login to AWS (Cluster role) - name: Login to AWS (Cluster role)
if: always() && inputs.cloudProvider == 'aws' if: always() && inputs.cloudProvider == 'aws'
@ -300,7 +299,7 @@ jobs:
with: with:
cloudProvider: ${{ inputs.cloudProvider }} cloudProvider: ${{ inputs.cloudProvider }}
azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }} azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
gcpServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com" gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
- name: Notify about failure - name: Notify about failure
if: | if: |


@ -178,7 +178,7 @@ jobs:
if: steps.check-rights.outputs.auth == 'true' if: steps.check-rights.outputs.auth == 'true'
uses: ./.github/actions/login_gcp uses: ./.github/actions/login_gcp
with: with:
service_account: "constellation-cos-builder@constellation-331613.iam.gserviceaccount.com" service_account: "image-deleter@constellation-images.iam.gserviceaccount.com"
- name: Execute versionsapi CLI - name: Execute versionsapi CLI
id: run id: run


@ -30,11 +30,11 @@ When using `--mode` be aware that `--e2e-focus` and `e2e-skip` will be overwritt
## Local Development ## Local Development
Using [***act***](https://github.com/nektos/act) you can run GitHub actions locally. Using [`act`](https://github.com/nektos/act) you can run GitHub actions locally.
**These instructions are for internal use.** **These instructions are for internal use.**
In case you want to use the E2E actions externally, you need to adjust other configuration parameters. In case you want to use the E2E actions externally, you need to adjust other configuration parameters.
Check the assignments made in the [/.github/actions/e2e_test/action.yml](E2E action) and adjust any hard-coded values. Check the assignments made in the [E2E action](/.github/actions/e2e_test/action.yml) and adjust any hard-coded values.
### Specific Jobs ### Specific Jobs
@ -59,7 +59,7 @@ Create a new JSON file to describe the event ([relevant issue](https://github.co
} }
``` ```
Then run *act* with the event as input: Then run `act` with the event as input:
```bash ```bash
act -j e2e-test-manual --eventpath event.json act -j e2e-test-manual --eventpath event.json
@ -67,20 +67,8 @@ act -j e2e-test-manual --eventpath event.json
### Authorizing GCP ### Authorizing GCP
For creating Kubernetes clusters in GCP a local copy of the service account secret is required. For GCP, OIDC is used to authenticate the CI runner.
This means the workflow cannot be run locally, as the runner created by `act` is not authenticated.
1. [Create a new service account key](https://console.cloud.google.com/iam-admin/serviceaccounts/details/112741463528383500960/keys?authuser=0&project=constellation-331613&supportedpurview=project)
2. Create a compact (one line) JSON representation of the file `jq -c`
3. Store in a GitHub Action Secret called `GCP_SERVICE_ACCOUNT` or create a local secret file for *act* to consume:
```bash
$ cat secrets.env
GCP_SERVICE_ACCOUNT={"type":"service_account", ... }
$ act --secret-file secrets.env
```
In addition, you need to create a Service Account which Constellation itself is supposed to use. Refer to [First steps](https://docs.edgeless.systems/constellation/getting-started/first-steps#create-a-cluster) in the documentation on how to create it. What you need here specifically is the `gcpServiceAccountKey`, which needs to be stored in a secret called `GCP_CLUSTER_SERVICE_ACCOUNT`.
### Authorizing Azure ### Authorizing Azure


@ -30,7 +30,7 @@ func newGCPCommand() *cobra.Command {
cmd.Flags().String("gcp-project", "constellation-images", "GCP project to use") cmd.Flags().String("gcp-project", "constellation-images", "GCP project to use")
cmd.Flags().String("gcp-location", "europe-west3", "GCP location to use") cmd.Flags().String("gcp-location", "europe-west3", "GCP location to use")
cmd.Flags().String("gcp-bucket", "constellation-images", "GCP bucket to use") cmd.Flags().String("gcp-bucket", "constellation-os-images", "GCP bucket to use")
return cmd return cmd
} }
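Review bot: The new default bucket `constellation-os-images` no longer mirrors the default project `constellation-images` on the line above, so a reader can no longer infer how the two relate, and the help string `"GCP bucket to use"` does not say. Consider making the help text state which project the bucket is expected to live in, e.g. `cmd.Flags().String("gcp-bucket", "constellation-os-images", "GCS bucket for image uploads (expected in --gcp-project)")`, assuming the bucket is indeed looked up within `--gcp-project` — that is inferred from the flag pairing, not visible here. newGCPCommand starts outside the hunk.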