Skip to content

GCP: conditionally create bootstrap service account #6853

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
openshift-merge-robot merged 2 commits into from
Mar 2, 2023
Merged

GCP: conditionally create bootstrap service account #6853

openshift-merge-robot merged 2 commits into from
Mar 2, 2023

Conversation

@patrickdillon
Copy link
Contributor

@patrickdillon patrickdillon commented Feb 14, 2023

#6330, which introduced environmental auth, changed the default behavior of all installs to create a new service account for signing the ignition URL. Instead, we should only create that service account when using environmental auth (or for some other reason don't have a service account with a key).

@patrickdillon
GCP TFVars: Refactor credential parsing
e9b9faa 
We need to read GCP service account credentials for the GCP XPN
passthrough use case. This commit moves the logic into the gcp tfvars
package so that as the service account parsing logic becomes more
complex it is contained within the gcp package--not the general tfvars.
@patrickdillon
Copy link
Contributor Author

patrickdillon commented Feb 28, 2023

/retest

@barbacbd
Copy link
Contributor

barbacbd commented Feb 28, 2023

/cc @barbacbd

@openshift-ci openshift-ci bot requested a review from barbacbd February 28, 2023 20:23
@patrickdillon patrickdillon force-pushed the bootstrap-sa-passthrough branch from a387765 to 9bdb61e Compare February 28, 2023 20:42
barbacbd
barbacbd reviewed Feb 28, 2023
View reviewed changes
data/data/gcp/bootstrap/main.tf Outdated
Copy link
Contributor

@barbacbd barbacbd Feb 28, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is only used once, should we bother making a local variable?

@patrickdillon
GCP: conditionally create bootstrap service acct
7deb657 
This changes the default behavior of always generating a service account
to sign the ignition URL, to only generating the service account when
it is needed; i.e. when authenticating with environmental
authentication. Most of the time users provide a service account with
key so we can just use that, as we did before environmental auth was
recently introduced.
@patrickdillon patrickdillon force-pushed the bootstrap-sa-passthrough branch from 9bdb61e to 7deb657 Compare March 1, 2023 19:24
@patrickdillon patrickdillon requested a review from barbacbd March 1, 2023 19:24
barbacbd
barbacbd reviewed Mar 1, 2023
View reviewed changes
Copy link
Contributor

@barbacbd barbacbd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 1, 2023
@patrickdillon
Copy link
Contributor Author

patrickdillon commented Mar 1, 2023

/approve

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Mar 1, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: patrickdillon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 1, 2023
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Mar 1, 2023

/retest-required

Remaining retests: 0 against base HEAD 664311c and 2 for PR HEAD 7deb657 in total

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Mar 2, 2023

@patrickdillon: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/okd-scos-e2e-aws-ovn 7deb657 link false /test okd-scos-e2e-aws-ovn
ci/prow/e2e-aws-ovn-workers-rhel8 7deb657 link false /test e2e-aws-ovn-workers-rhel8
ci/prow/okd-scos-e2e-aws-upgrade 7deb657 link false /test okd-scos-e2e-aws-upgrade
ci/prow/okd-e2e-aws-ovn-upgrade 7deb657 link false /test okd-e2e-aws-ovn-upgrade
ci/prow/e2e-gcp-ovn-shared-vpc 7deb657 link false /test e2e-gcp-ovn-shared-vpc
ci/prow/okd-e2e-aws-ovn 7deb657 link false /test okd-e2e-aws-ovn

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@openshift-merge-robot openshift-merge-robot merged commit c5e3266 into openshift:master Mar 2, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AnnaZivkovic AnnaZivkovic Awaiting requested review from AnnaZivkovic

@sadasu sadasu Awaiting requested review from sadasu

1 more reviewer

@barbacbd barbacbd barbacbd left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@barbacbd barbacbd

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@patrickdillon @barbacbd @openshift-ci-robot @openshift-merge-robot