Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Annotate grandmatriarch service-account #224

Merged
merged 1 commit into from
Jan 11, 2020
Merged

Annotate grandmatriarch service-account #224

merged 1 commit into from
Jan 11, 2020

Conversation

fejta
Copy link
Contributor

@fejta fejta commented Jan 10, 2020

ref #202

This will allow me to bind the service accounts together and send a PR to switch it over to using workload-identity

@fejta fejta mentioned this pull request Jan 10, 2020
Open
7 tasks
@fejta fejta requested review from BenTheElder and removed request for krzyzacy January 11, 2020 00:55
@BenTheElder
Copy link
Contributor

/lgtm
/approve

@google-oss-robot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: BenTheElder, fejta

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-oss-robot google-oss-robot merged commit b4e6e2f into GoogleCloudPlatform:master Jan 11, 2020
@fejta fejta deleted the bake branch January 13, 2020 06:33
@fejta
Copy link
Contributor Author

fejta commented Jan 13, 2020 

fejta@fejta3:~/src/gh/oss-test-infra$ ../test-infra/experiment/workload-identity/bind-service-accounts.sh oss-prow us-west1-a prow default grandmatriarch [email protected]
ALREADY MEMBER: serviceAccount:oss-prow.svc.id.goog[default/grandmatriarch] has roles/iam.workloadIdentityUser for [email protected].
+++ kubectl run --rm=true -i --generator=run-pod/v1 --context=gke_oss-prow_us-west1-a_prow --namespace=default --serviceaccount=grandmatriarch --image=google/cloud-sdk:slim workload-identity-test-22
DONE: --context=gke_oss-prow_us-west1-a_prow --namespace=default serviceaccounts/grandmatriarch acts as [email protected]
fejta@fejta3:~/src/gh/oss-test-infra$ ../test-infra/experiment/workload-identity/bind-service-accounts.sh oss-prow us-west1-a prow test-pods grandmatriarch [email protected]
+ gcloud iam service-accounts add-iam-policy-binding --project=oss-prow --role=roles/iam.workloadIdentityUser '--member=serviceAccount:oss-prow.svc.id.goog[test-pods/grandmatriarch]' [email protected]
Updated IAM policy for serviceAccount [[email protected]].
Sleeping 2m to allow credentials to propagate..
+++ kubectl run --rm=true -i --generator=run-pod/v1 --context=gke_oss-prow_us-west1-a_prow --namespace=test-pods --serviceaccount=grandmatriarch --image=google/cloud-sdk:slim workload-identity-test-06
DONE: --context=gke_oss-prow_us-west1-a_prow --namespace=test-pods serviceaccounts/grandmatriarch acts as [email protected]

@fejta
Copy link
Contributor Author

fejta commented Jan 13, 2020 

fejta@fejta3:~/src/gh/oss-test-infra$ ../test-infra/experiment/workload-identity/enable-workload-identity.sh oss-prow-builds us-west1-a prow
++ gcloud beta container clusters describe prow '--format=value(workloadIdentityConfig.identityNamespace)' --project=oss-prow-builds --zone=us-west1-a
++ gcloud beta container node-pools list --cluster=prow '--format=value(name,config.workloadMetadataConfig.nodeMetadata)' --project=oss-prow-builds --zone=us-west1-a
Enable workload identity on:
  cluster: prow
  pool: default-pool
Proceed [y/N]:y
+ gcloud beta container clusters update prow --identity-namespace=oss-prow-builds.svc.id.goog --project=oss-prow-builds --zone=us-west1-a
Updating prow...done.                                                          
Updated [https://container.googleapis.com/v1beta1/projects/oss-prow-builds/zones/us-west1-a/clusters/prow].
To inspect the contents of your cluster, go to: https://console.cloud.google.com/kubernetes/workload_/gcloud/us-west1-a/prow?project=oss-prow-builds
+ gcloud beta container node-pools update --cluster=prow default-pool --workload-metadata-from-node=GKE_METADATA_SERVER --project=oss-prow-builds --zone=us-west1-a
Updating node pool default-pool... Done with 0 out of 3 nodes (0.0%): 1 being p
rocessed...⠼                                                                   
Updating node pool default-pool... Done with 1 out of 3 nodes (33.3%): 1 being 
processed, 1 succeeded...⠼                                                     
Updating node pool default-pool... Done with 2 out of 3 nodes (66.7%): 1 being 
processed, 2 succeeded...⠛                                                     
Updating node pool default-pool... Done with 3 out of 3 nodes (100.0%): 3 succe
eded...done.                                                                   
Updated [https://container.googleapis.com/v1beta1/projects/oss-prow-builds/zones/us-west1-a/clusters/prow/nodePools/default-pool].
DONE
fejta@fejta3:~/src/gh/oss-test-infra$ ../test-infra/experiment/workload-identity/bind-service-accounts.sh oss-prow-builds us-west1-a prow test-pods grandmatriarch [email protected]
+ gcloud iam service-accounts add-iam-policy-binding --project=oss-prow --role=roles/iam.workloadIdentityUser '--member=serviceAccount:oss-prow-builds.svc.id.goog[test-pods/grandmatriarch]' [email protected]
Updated IAM policy for serviceAccount [[email protected]].
Sleeping 2m to allow credentials to propagate..
+++ kubectl run --rm=true -i --generator=run-pod/v1 --context=gke_oss-prow-builds_us-west1-a_prow --namespace=test-pods --serviceaccount=grandmatriarch --image=google/cloud-sdk:slim workload-identity-test-15
DONE: --context=gke_oss-prow-builds_us-west1-a_prow --namespace=test-pods serviceaccounts/grandmatriarch acts as [email protected]

@fejta fejta mentioned this pull request Jan 13, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@spiffxp spiffxp Awaiting requested review from spiffxp

@BenTheElder BenTheElder Awaiting requested review from BenTheElder

Assignees

@BenTheElder BenTheElder

Labels
approved lgtm size/XS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@fejta @BenTheElder @google-oss-robot