From fa7bac386850ee67b76c00bfadac3621a24ed615 Mon Sep 17 00:00:00 2001
From: Malte Poll <1780588+malt3@users.noreply.github.com>
Date: Mon, 16 Jan 2023 18:15:17 +0100
Subject: [PATCH] ci: switch gcp accounts to oidc (#983)

---
 .github/actions/e2e_test/action.yml         | 4 ++--
 .github/actions/login_gcp/action.yml        | 7 ++++---
 .github/workflows/build-os-image.yml        | 2 +-
 .github/workflows/e2e-test-daily.yml        | 2 +-
 .github/workflows/e2e-test-manual.yml       | 2 +-
 .github/workflows/e2e-test-weekly.yml       | 2 +-
 .github/workflows/generate-measurements.yml | 2 +-
 .github/workflows/versionsapi.yml           | 2 +-
 8 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/.github/actions/e2e_test/action.yml b/.github/actions/e2e_test/action.yml
index 0c1c426b0..7457a0ab1 100644
--- a/.github/actions/e2e_test/action.yml
+++ b/.github/actions/e2e_test/action.yml
@@ -32,7 +32,7 @@ inputs:
   gcpProject:
     description: "The GCP project to deploy Constellation in."
     required: false
-  gcp_service_account_json:
+  gcp_service_account:
     description: "Service account with permissions to create Constellation on GCP."
     required: false
   gcpClusterServiceAccountKey:
@@ -129,7 +129,7 @@ runs:
       if: inputs.cloudProvider == 'gcp'
       uses: ./.github/actions/login_gcp
       with:
-        gcp_service_account_json: ${{ inputs.gcp_service_account_json }}
+        service_account: ${{ inputs.gcp_service_account }}
 
     - name: Login to AWS
       if: inputs.cloudProvider == 'aws'
diff --git a/.github/actions/login_gcp/action.yml b/.github/actions/login_gcp/action.yml
index c705eae40..86a301e38 100644
--- a/.github/actions/login_gcp/action.yml
+++ b/.github/actions/login_gcp/action.yml
@@ -1,8 +1,8 @@
 name: GCP login
 description: "Login to GCP & configure gcloud CLI."
 inputs:
-  gcp_service_account_json:
-    description: "Service account with permissions to create Constellation on GCP."
+  service_account:
+    description: "GCP service account name. Format: @.iam.gserviceaccount.com"
     required: true
 runs:
   using: "composite"
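Review bot: The renamed `gcp_service_account` input keeps the description `Service account with permissions to create Constellation on GCP.`, which no longer tells callers what to pass now that the value is an identity to impersonate rather than a JSON key; I would change it to `description: "Email of the GCP service account to impersonate via workload identity (NAME@PROJECT.iam.gserviceaccount.com)."`. Because the input stays `required: false` and, to my knowledge, unknown inputs to a composite action only produce a warning, a caller still supplying the old `gcp_service_account_json` name is not caught here and only fails later inside login_gcp with an empty service account — acceptable if every caller moves in this commit, but worth knowing when the rename is backported. The `inputs:` mapping continues outside the hunk.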
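Review bot: The new description on the `service_account` input reads `Format: @.iam.gserviceaccount.com` with nothing before the `@`, so as shown here the name and project placeholders are missing (presumably angle-bracketed ones that were swallowed as markup); written without brackets the text survives any renderer: `description: "Email of the GCP service account to impersonate via workload identity. Format: NAME@PROJECT.iam.gserviceaccount.com"`. Saying explicitly that this is an identity to impersonate rather than a credential also helps, since the input it replaces carried a key and `required: true` now guards an email, not a secret.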
@@ -12,7 +12,8 @@ runs:
     - name: Authorize GCP access
       uses: google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d # v1.0.0
       with:
-        credentials_json: ${{ inputs.gcp_service_account_json }}
+        workload_identity_provider: projects/796962942582/locations/global/workloadIdentityPools/constellation-ci-pool/providers/constellation-ci-provider
+        service_account: ${{ inputs.service_account }}
 
     # Even if preinstalled in Github Actions runner image, this setup does some magic authentication required for gsutil.
     - name: Set up Cloud SDK
diff --git a/.github/workflows/build-os-image.yml b/.github/workflows/build-os-image.yml
index 65a6bd140..2988f801c 100644
--- a/.github/workflows/build-os-image.yml
+++ b/.github/workflows/build-os-image.yml
@@ -422,7 +422,7 @@ jobs:
         uses: ./.github/actions/login_gcp
         if: matrix.csp == 'gcp'
         with:
-          gcp_service_account_json: ${{ secrets.GCP_IMAGE_UPLOAD_SERVICE_ACCOUNT }}
+          service_account: "constellation-cos-builder@constellation-331613.iam.gserviceaccount.com"
 
       - name: Prepare PKI for image upload
         id: prepare-pki
diff --git a/.github/workflows/e2e-test-daily.yml b/.github/workflows/e2e-test-daily.yml
index 38cc9af89..470e93936 100644
--- a/.github/workflows/e2e-test-daily.yml
+++ b/.github/workflows/e2e-test-daily.yml
@@ -93,7 +93,7 @@ jobs:
           azureUserAssignedIdentity: ${{ secrets.AZURE_E2E_USER_ASSIGNED_IDENTITY }}
           azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
           gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
-          gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+          gcp_service_account: "constellation-e2e@constellation-331613.iam.gserviceaccount.com"
           gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
           test: "sonobuoy full"
 
diff --git a/.github/workflows/e2e-test-manual.yml b/.github/workflows/e2e-test-manual.yml
index abb04b444..9584256f8 100644
--- a/.github/workflows/e2e-test-manual.yml
+++ b/.github/workflows/e2e-test-manual.yml
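Review bot: The `workload_identity_provider` path only works when the calling job grants `permissions: id-token: write`, which a composite action cannot request for itself, and none of the workflow hunks in this patch touch a `permissions:` block — so either every caller already has it or this step fails at runtime with a missing-token error; I would state the requirement in the action, e.g. `# Callers must set permissions: id-token: write — composite actions cannot request the OIDC token themselves.` above the `Authorize GCP access` step. With the key gone, the effective access control is the provider's attribute condition plus the `roles/iam.workloadIdentityUser` binding on each service account; since the pool/provider path and project number are hard-coded here (neither is secret, which is fine), it is worth confirming that the binding is scoped to this repository's `assertion.repository` — ideally also to the allowed `ref` — rather than to the whole pool. The step list continues outside the hunk.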
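Review bot: The literal `constellation-e2e@constellation-331613.iam.gserviceaccount.com` is repeated verbatim in four workflows of this patch (daily, manual, weekly, generate-measurements) and discloses the project ID while the line above still reads it from `secrets.GCP_E2E_PROJECT`; if that secret names the same project it no longer hides anything, and both values are better kept once — as repository variables (`${{ vars.GCP_E2E_SERVICE_ACCOUNT }}`) or as a `default:` on the e2e_test action input — so that a rotation or project move touches one place. Note also that `gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}` still injects a long-lived JSON key into the run, so the static-credential removal in this commit covers only the runner's own login, not the key handed to the cluster. The `with:` block continues outside the hunk.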
@@ -279,7 +279,7 @@ jobs:
           cloudProvider: ${{ inputs.cloudProvider }}
           machineType: ${{ inputs.machineType }}
           gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
-          gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+          gcp_service_account: "constellation-e2e@constellation-331613.iam.gserviceaccount.com"
           gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
           test: ${{ inputs.test }}
           kubernetesVersion: ${{ inputs.kubernetesVersion }}
diff --git a/.github/workflows/e2e-test-weekly.yml b/.github/workflows/e2e-test-weekly.yml
index 5ae60ef3e..45a75dccb 100644
--- a/.github/workflows/e2e-test-weekly.yml
+++ b/.github/workflows/e2e-test-weekly.yml
@@ -131,7 +131,7 @@ jobs:
           azureUserAssignedIdentity: ${{ secrets.AZURE_E2E_USER_ASSIGNED_IDENTITY }}
           azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
           gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
-          gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+          gcp_service_account: "constellation-e2e@constellation-331613.iam.gserviceaccount.com"
           gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
           test: ${{ matrix.test }}
 
diff --git a/.github/workflows/generate-measurements.yml b/.github/workflows/generate-measurements.yml
index 76f597530..9758118ad 100644
--- a/.github/workflows/generate-measurements.yml
+++ b/.github/workflows/generate-measurements.yml
@@ -120,7 +120,7 @@ jobs:
           controlNodesCount: 1
           cloudProvider: ${{ matrix.provider }}
           gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
-          gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+          gcp_service_account: "constellation-e2e@constellation-331613.iam.gserviceaccount.com"
           gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
           azureSubscription: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }}
           azureTenant: ${{ secrets.AZURE_E2E_TENANT_ID }}
diff --git a/.github/workflows/versionsapi.yml b/.github/workflows/versionsapi.yml
index d42fd5aa4..70b0cc15b 100644
--- a/.github/workflows/versionsapi.yml
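Review bot: Whether a run on an arbitrary branch can still obtain the `constellation-e2e@…` identity is now decided entirely by the workload identity pool's attribute condition, which is not visible here, and since this job is driven by `inputs.cloudProvider`, `inputs.test` and `inputs.kubernetesVersion` it is presumably a `workflow_dispatch` workflow that people run from feature branches. If the condition pins `assertion.ref` to the default branch, such runs will fail at the login step with an opaque auth error rather than a clear message; if it does not, anyone who can dispatch the workflow on any ref gets that account. I would record whichever applies next to the login, e.g. `# OIDC login: the WIF provider's attribute condition decides which refs may impersonate this account.` The `with:` block continues outside the hunk.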
+++ b/.github/workflows/versionsapi.yml
@@ -170,7 +170,7 @@ jobs:
         if: steps.check-rights.outputs.auth == 'true'
         uses: ./.github/actions/login_gcp
         with:
-          gcp_service_account_json: ${{ secrets.GCP_IMAGE_UPLOAD_SERVICE_ACCOUNT }}
+          service_account: "constellation-cos-builder@constellation-331613.iam.gserviceaccount.com"
 
       - name: Execute versionsapi CLI
         id: run
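Review bot: The keys behind `secrets.GCP_IMAGE_UPLOAD_SERVICE_ACCOUNT` (last referenced here and in build-os-image within this patch) and `secrets.GCP_SERVICE_ACCOUNT` stay valid after this change; nothing in the diff revokes them, so until the keys are deleted in GCP (`gcloud iam service-accounts keys delete …`) and the repository secrets removed, the long-lived credentials remain usable by anyone who obtained them earlier and the switch only reduces exposure going forward. The `if: steps.check-rights.outputs.auth == 'true'` gate still applies, but with OIDC the enforcement that matters is the `workloadIdentityUser` binding on `constellation-cos-builder@…`, which should be scoped no wider than what `check-rights` intends to allow. The same service-account literal now lives in two workflows, so a repository variable would keep them from drifting apart. The step list continues outside the hunk.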