ci: switch gcp accounts to oidc (#983)

Malte Poll 2023-01-16 18:15:17 +01:00 committed by GitHub
parent 7902dc470f
commit fa7bac3868
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 12 additions and 11 deletions


@ -32,7 +32,7 @@ inputs:
gcpProject: gcpProject:
description: "The GCP project to deploy Constellation in." description: "The GCP project to deploy Constellation in."
required: false required: false
gcp_service_account_json: gcp_service_account:
description: "Service account with permissions to create Constellation on GCP." description: "Service account with permissions to create Constellation on GCP."
required: false required: false
gcpClusterServiceAccountKey: gcpClusterServiceAccountKey:
@ -129,7 +129,7 @@ runs:
if: inputs.cloudProvider == 'gcp' if: inputs.cloudProvider == 'gcp'
uses: ./.github/actions/login_gcp uses: ./.github/actions/login_gcp
with: with:
gcp_service_account_json: ${{ inputs.gcp_service_account_json }} service_account: ${{ inputs.gcp_service_account }}
- name: Login to AWS - name: Login to AWS
if: inputs.cloudProvider == 'aws' if: inputs.cloudProvider == 'aws'
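Review bot: The renamed input `gcp_service_account` in the `inputs:` hunk keeps the description "Service account with permissions to create Constellation on GCP.", which no longer tells a caller that the value is now a service-account e-mail to impersonate rather than a JSON key. Suggest mirroring the login_gcp wording so misuse is caught at the call site: `description: "GCP service account to impersonate via workload identity. Format: <account-name>@<project-name>.iam.gserviceaccount.com"`. The rename also keeps snake_case next to camelCase siblings (`gcpProject`, `gcpClusterServiceAccountKey`); since the input name changes anyway, `gcpServiceAccount` would match the rest of the block. Both the `inputs:` and `runs:` mappings continue outside the hunk.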


@ -1,8 +1,8 @@
name: GCP login name: GCP login
description: "Login to GCP & configure gcloud CLI." description: "Login to GCP & configure gcloud CLI."
inputs: inputs:
gcp_service_account_json: service_account:
description: "Service account with permissions to create Constellation on GCP." description: "GCP service account name. Format: <account-name>@<project-name>.iam.gserviceaccount.com"
required: true required: true
runs: runs:
using: "composite" using: "composite"
@ -12,7 +12,8 @@ runs:
- name: Authorize GCP access - name: Authorize GCP access
uses: google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d # v1.0.0 uses: google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d # v1.0.0
with: with:
credentials_json: ${{ inputs.gcp_service_account_json }} workload_identity_provider: projects/796962942582/locations/global/workloadIdentityPools/constellation-ci-pool/providers/constellation-ci-provider
service_account: ${{ inputs.service_account }}
# Even if preinstalled in Github Actions runner image, this setup does some magic authentication required for gsutil. # Even if preinstalled in Github Actions runner image, this setup does some magic authentication required for gsutil.
- name: Set up Cloud SDK - name: Set up Cloud SDK
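Review bot: The new `workload_identity_provider:` line hard-codes a project number and pool/provider path without stating what makes the federation safe, and a composite action cannot grant itself the token permission it now depends on. Each calling workflow must set `permissions: id-token: write` for `google-github-actions/auth` to obtain the OIDC token, and which repositories and refs may impersonate `service_account` is decided solely by the attribute condition configured on that provider; neither is visible in this hunk and nothing on the page shows the callers being updated for it. Suggest a comment above the line such as `# Federated via GitHub OIDC: callers need permissions id-token: write; which repos/refs may impersonate the account is enforced by the provider's attribute condition, not here.` Consider also exposing the provider path as an input with this value as its default so a pool or project change does not require editing the action. The `runs:` steps continue outside the hunk.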


@ -422,7 +422,7 @@ jobs:
uses: ./.github/actions/login_gcp uses: ./.github/actions/login_gcp
if: matrix.csp == 'gcp' if: matrix.csp == 'gcp'
with: with:
gcp_service_account_json: ${{ secrets.GCP_IMAGE_UPLOAD_SERVICE_ACCOUNT }} service_account: "constellation-cos-builder@constellation-331613.iam.gserviceaccount.com"
- name: Prepare PKI for image upload - name: Prepare PKI for image upload
id: prepare-pki id: prepare-pki
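Review bot: The `service_account:` line replaces `secrets.GCP_IMAGE_UPLOAD_SERVICE_ACCOUNT` with a literal account e-mail, so the JSON key that secret held is no longer used by this workflow; the same applies to `secrets.GCP_SERVICE_ACCOUNT` on the `gcp_service_account:` lines of the four e2e hunks below and to the second `GCP_IMAGE_UPLOAD_SERVICE_ACCOUNT` replacement in the last hunk. A static key stays valid no matter how CI authenticates, so this switch only reduces exposure if it is paired with revoking those keys on the two service accounts and deleting the now-unused repository secrets. The two e-mails are also spelled out six times across these files; a single default in the login_gcp action (or the composite action of the first hunk), or one workflow-level `env` value, would keep each in one place. `gcpClusterServiceAccountKey` still receives `secrets.GCP_CLUSTER_SERVICE_ACCOUNT` in the e2e hunks, which appears to be a separate in-cluster credential and presumably out of scope for this change.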


@ -93,7 +93,7 @@ jobs:
azureUserAssignedIdentity: ${{ secrets.AZURE_E2E_USER_ASSIGNED_IDENTITY }} azureUserAssignedIdentity: ${{ secrets.AZURE_E2E_USER_ASSIGNED_IDENTITY }}
azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }} azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
gcpProject: ${{ secrets.GCP_E2E_PROJECT }} gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }} gcp_service_account: "constellation-e2e@constellation-331613.iam.gserviceaccount.com"
gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }} gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
test: "sonobuoy full" test: "sonobuoy full"


@ -279,7 +279,7 @@ jobs:
cloudProvider: ${{ inputs.cloudProvider }} cloudProvider: ${{ inputs.cloudProvider }}
machineType: ${{ inputs.machineType }} machineType: ${{ inputs.machineType }}
gcpProject: ${{ secrets.GCP_E2E_PROJECT }} gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }} gcp_service_account: "constellation-e2e@constellation-331613.iam.gserviceaccount.com"
gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }} gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
test: ${{ inputs.test }} test: ${{ inputs.test }}
kubernetesVersion: ${{ inputs.kubernetesVersion }} kubernetesVersion: ${{ inputs.kubernetesVersion }}


@ -131,7 +131,7 @@ jobs:
azureUserAssignedIdentity: ${{ secrets.AZURE_E2E_USER_ASSIGNED_IDENTITY }} azureUserAssignedIdentity: ${{ secrets.AZURE_E2E_USER_ASSIGNED_IDENTITY }}
azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }} azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
gcpProject: ${{ secrets.GCP_E2E_PROJECT }} gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }} gcp_service_account: "constellation-e2e@constellation-331613.iam.gserviceaccount.com"
gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }} gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
test: ${{ matrix.test }} test: ${{ matrix.test }}


@ -120,7 +120,7 @@ jobs:
controlNodesCount: 1 controlNodesCount: 1
cloudProvider: ${{ matrix.provider }} cloudProvider: ${{ matrix.provider }}
gcpProject: ${{ secrets.GCP_E2E_PROJECT }} gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }} gcp_service_account: "constellation-e2e@constellation-331613.iam.gserviceaccount.com"
gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }} gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
azureSubscription: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }} azureSubscription: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }}
azureTenant: ${{ secrets.AZURE_E2E_TENANT_ID }} azureTenant: ${{ secrets.AZURE_E2E_TENANT_ID }}


@ -170,7 +170,7 @@ jobs:
if: steps.check-rights.outputs.auth == 'true' if: steps.check-rights.outputs.auth == 'true'
uses: ./.github/actions/login_gcp uses: ./.github/actions/login_gcp
with: with:
gcp_service_account_json: ${{ secrets.GCP_IMAGE_UPLOAD_SERVICE_ACCOUNT }} service_account: "constellation-cos-builder@constellation-331613.iam.gserviceaccount.com"
- name: Execute versionsapi CLI - name: Execute versionsapi CLI
id: run id: run