Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use workload identity for prow #202

Open
6 of 7 tasks
fejta opened this issue Jan 7, 2020 · 4 comments
Open
6 of 7 tasks

Use workload identity for prow #202

fejta opened this issue Jan 7, 2020 · 4 comments

Comments

@fejta
Copy link
Contributor

fejta commented Jan 7, 2020
edited
Loading

We should stop sending this flag:

oss-test-infra/prow/cluster/cluster.yaml

Line 344 in bc1c6b9

- --gcs-credentials-file=/etc/robot/service-account.json

We already define a service account:

oss-test-infra/prow/cluster/cluster.yaml

Line 335 in bc1c6b9

serviceAccountName: gerrit

We should annotate it with GCP SA rights: https://github.com/kubernetes/test-infra/tree/master/experiment/workload-identity

If the flag is unset then it will use default creds:
https://github.com/kubernetes/test-infra/blob/master/prow/cmd/gerrit/main.go#L240

https://github.com/kubernetes/test-infra/blob/164c5e85105f85bb8fd8c181a085911a3d1010fd/pkg/io/opener.go#L57-L60

https://godoc.org/cloud.google.com/go/storage#hdr-Creating_a_Client

Work:
@fejta fejta mentioned this issue Jan 7, 2020
Merged
@fejta
Copy link
Contributor Author

fejta commented Jan 8, 2020

Merged #204

Binding:

fejta@fejta3:~/src/gh/test-infra$ experiment/workload-identity/bind-service-accounts.sh oss-prow us-west1-a prow default gerrit [email protected]
+ gcloud iam service-accounts add-iam-policy-binding --project=oss-prow --role=roles/iam.workloadIdentityUser '--member=serviceAccount:oss-prow.svc.id.goog[default/gerrit]' [email protected]
Updated IAM policy for serviceAccount [[email protected]].

@fejta fejta mentioned this issue Jan 9, 2020
Merged
@fejta
Copy link
Contributor Author

fejta commented Jan 9, 2020

Well that failed miserably, apparently because I cannot follow instructions: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#enable_workload_identity_on_an_existing_cluster

This was referenced Jan 9, 2020
Merged
Merged
Closed
Merged
Merged
@fejta
Copy link
Contributor Author

fejta commented Jan 10, 2020

oss-test-infra/prow/prowjobs/GoogleCloudPlatform/oss-test-infra/gcp-oss-test-infra-config.yaml

Lines 114 to 116 in 4a64286

GoogleCloudPlatform/testgrid:
- name: push-testgrid-images
cluster: test-infra-trusted

now uses

oss-test-infra/prow/prowjobs/GoogleCloudPlatform/oss-test-infra/gcp-oss-test-infra-config.yaml

Line 124 in 4a64286

serviceAccountName: testgrid-pusher

which authenticates as

oss-test-infra/prow/serviceaccounts/GoogleCloudPlatform_testgrid_serviceaccounts.yaml

Lines 5 to 6 in 4a64286

iam.gke.io/gcp-service-account: [email protected]
name: testgrid-pusher

@fejta
Copy link
Contributor Author

fejta commented Jan 10, 2020
edited
Loading

Now will migrate the prow updater to use workload identity:

console
bash-3.2$ ../test-infra/experiment/workload-identity/bind-service-accounts.sh oss-prow us-west1-a prow test-pods prow-deployer [email protected]
Error from server (NotFound): serviceaccounts "prow-deployer" not found
Service account has wrong/missing annotation, please declare the following to test-pods/prow-deployer in gke_oss-prow_us-west1-a_prow:
"{"metadata": {"annotations": "iam.gke.io/gcp-service-account": "[email protected]"}}

#221

This was referenced Jan 10, 2020
Merged
Closed
Open
Merged
Merged
Merged
Merged
@fejta fejta mentioned this issue Jan 17, 2020
Merged
@fejta fejta mentioned this issue Feb 20, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@fejta