ci: switch gcp accounts to oidc (#983)

2024-10-01 01:36:09 -04:00 · 2023-01-16 18:15:17 +01:00 · 2023-01-16 18:15:17 +01:00 · fa7bac3868
commit fa7bac3868
parent 7902dc470f
8 changed files with 12 additions and 11 deletions
--- a/.github/actions/e2e_test/action.yml
+++ b/.github/actions/e2e_test/action.yml
@ -32,7 +32,7 @@ inputs:
  gcpProject:
    description: "The GCP project to deploy Constellation in."
    required: false
-  gcp_service_account_json:
+  gcp_service_account:
    description: "Service account with permissions to create Constellation on GCP."
    required: false
  gcpClusterServiceAccountKey:
@ -129,7 +129,7 @@ runs:
      if: inputs.cloudProvider == 'gcp'
      uses: ./.github/actions/login_gcp
      with:
-        gcp_service_account_json: ${{ inputs.gcp_service_account_json }}
+        service_account: ${{ inputs.gcp_service_account }}

    - name: Login to AWS
      if: inputs.cloudProvider == 'aws'
--- a/.github/actions/login_gcp/action.yml
+++ b/.github/actions/login_gcp/action.yml
@ -1,8 +1,8 @@
 name: GCP login
 description: "Login to GCP & configure gcloud CLI."
 inputs:
-  gcp_service_account_json:
-    description: "Service account with permissions to create Constellation on GCP."
+  service_account:
+    description: "GCP service account name. Format: <account-name>@<project-name>.iam.gserviceaccount.com"
    required: true
 runs:
  using: "composite"
@ -12,7 +12,8 @@ runs:
    - name: Authorize GCP access
      uses: google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d # v1.0.0
      with:
-        credentials_json: ${{ inputs.gcp_service_account_json }}
+        workload_identity_provider: projects/796962942582/locations/global/workloadIdentityPools/constellation-ci-pool/providers/constellation-ci-provider
+        service_account: ${{ inputs.service_account }}

    # Even if preinstalled in Github Actions runner image, this setup does some magic authentication required for gsutil.
    - name: Set up Cloud SDK
--- a/.github/workflows/build-os-image.yml
+++ b/.github/workflows/build-os-image.yml
@ -422,7 +422,7 @@ jobs:
        uses: ./.github/actions/login_gcp
        if: matrix.csp == 'gcp'
        with:
-          gcp_service_account_json: ${{ secrets.GCP_IMAGE_UPLOAD_SERVICE_ACCOUNT }}
+          service_account: "constellation-cos-builder@constellation-331613.iam.gserviceaccount.com"

      - name: Prepare PKI for image upload
        id: prepare-pki
--- a/.github/workflows/e2e-test-daily.yml
+++ b/.github/workflows/e2e-test-daily.yml
@ -93,7 +93,7 @@ jobs:
          azureUserAssignedIdentity: ${{ secrets.AZURE_E2E_USER_ASSIGNED_IDENTITY }}
          azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
          gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
-          gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+          gcp_service_account: "constellation-e2e@constellation-331613.iam.gserviceaccount.com"
          gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
          test: "sonobuoy full"

--- a/.github/workflows/e2e-test-manual.yml
+++ b/.github/workflows/e2e-test-manual.yml
@ -279,7 +279,7 @@ jobs:
          cloudProvider: ${{ inputs.cloudProvider }}
          machineType: ${{ inputs.machineType }}
          gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
-          gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+          gcp_service_account: "constellation-e2e@constellation-331613.iam.gserviceaccount.com"
          gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
          test: ${{ inputs.test }}
          kubernetesVersion: ${{ inputs.kubernetesVersion }}
--- a/.github/workflows/e2e-test-weekly.yml
+++ b/.github/workflows/e2e-test-weekly.yml
@ -131,7 +131,7 @@ jobs:
          azureUserAssignedIdentity: ${{ secrets.AZURE_E2E_USER_ASSIGNED_IDENTITY }}
          azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
          gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
-          gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+          gcp_service_account: "constellation-e2e@constellation-331613.iam.gserviceaccount.com"
          gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
          test: ${{ matrix.test }}

--- a/.github/workflows/generate-measurements.yml
+++ b/.github/workflows/generate-measurements.yml
@ -120,7 +120,7 @@ jobs:
          controlNodesCount: 1
          cloudProvider: ${{ matrix.provider }}
          gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
-          gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+          gcp_service_account: "constellation-e2e@constellation-331613.iam.gserviceaccount.com"
          gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
          azureSubscription: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }}
          azureTenant: ${{ secrets.AZURE_E2E_TENANT_ID }}
--- a/.github/workflows/versionsapi.yml
+++ b/.github/workflows/versionsapi.yml
@ -170,7 +170,7 @@ jobs:
        if: steps.check-rights.outputs.auth == 'true'
        uses: ./.github/actions/login_gcp
        with:
-          gcp_service_account_json: ${{ secrets.GCP_IMAGE_UPLOAD_SERVICE_ACCOUNT }}
+          service_account: "constellation-cos-builder@constellation-331613.iam.gserviceaccount.com"

      - name: Execute versionsapi CLI
        id: run