Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use GCP SA json for auth #33151

Closed
wants to merge 5 commits into from
Closed

Use GCP SA json for auth #33151

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
1ff6ba3
Use SA json to authenticate gcp IAM
NaMNDV Jul 29, 2024
73fb264
Merge branch 'kubernetes:master' into master
NaMNDV Jul 29, 2024
58a1497
Add blank line at the end of presets
NaMNDV Jul 29, 2024
feda621
Use SA json for the gcp auth
NaMNDV Jul 30, 2024
045d007
Merge branch 'kubernetes:master' into master
NaMNDV Jul 30, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 6 additions & 2 deletions config/jobs/kubernetes-sigs/secrets-store-csi-driver/secrets-store-csi-driver-config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -266,8 +266,9 @@ presubmits:
preset-dind-enabled: "true"
# this is required to make CNI installation to succeed for kind
preset-kind-volume-mounts: "true"
# sets up the gcp parameters used for testing
preset-gcp-secrets-store-creds: "true"
spec:
serviceAccountName: secrets-store-csi-driver-gcp
containers:
- image: gcr.io/k8s-staging-test-infra/kubekins-e2e:v20240725-1d8ea3e909-master
command:
Expand Down Expand Up @@ -809,6 +810,8 @@ presubmits:
preset-dind-enabled: "true"
# this is required to make CNI installation to succeed for kind
preset-kind-volume-mounts: "true"
# sets up the gcp parameters used for testing
preset-gcp-secrets-store-creds: "true"
spec:
serviceAccountName: secrets-store-csi-driver-gcp
containers:
Expand Down Expand Up @@ -933,8 +936,9 @@ postsubmits:
preset-dind-enabled: "true"
# this is required to make CNI installation to succeed for kind
preset-kind-volume-mounts: "true"
# sets up the gcp parameters used for testing
preset-gcp-secrets-store-creds: "true"
spec:
serviceAccountName: secrets-store-csi-driver-gcp
containers:
- image: gcr.io/k8s-staging-test-infra/kubekins-e2e:v20240725-1d8ea3e909-master
command:
Expand Down
9 changes: 9 additions & 0 deletions config/jobs/kubernetes-sigs/secrets-store-csi-driver/secrets-store-csi-driver-presets.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,3 +7,12 @@ presets:
secretKeyRef:
name: akeyless-test-cred
key: credentials

- labels:
preset-gcp-secrets-store-creds: "true"
env:
- name: GCP_SA_JSON
valueFrom:
secretKeyRef:
name: gcp-secrets-store-cred
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How is this secret going to be created in the eks prow cluster?

Copy link
Author

@NaMNDV NaMNDV Jul 31, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the environment variable we need for GCP auth. For this there should be a k8s secret called gcp-secrets-store-cred available before in the cluster. kubernetes-sigs/secrets-store-csi-driver#1588 will later consume the secret into the k8s secret for the driver crd

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@BenTheElder @ameukam Do we have a way to pre-create a Kubernetes secret with creds in eks prow cluster that can be used for tests?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We probably don't want to use k8s secrets but switch to GKE Workload identity ? There is no obligation to run this on EKS.
There is no indication that EKS is mandatory for E2E tests focus on GCP

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

commented kubernetes-sigs/secrets-store-csi-driver#1588 (comment)

we generally run things same-cloud when possible (in the future it would be good to see this for azure as well) to minimize cross cloud traffic etc.

however, we aren't allowing the creation of arbitrary secrets in any clusters, only secrets that reference other community controlled accounts and resources, to avoid digging that hole again.

what does this secret contain? can we please discuss the GCP infra requirements in kubernetes-sigs/secrets-store-csi-driver#1583 ?

also, again, any non migrated jobs are going to be shut down in the coming days / week to prepare to migrate the CI control plane (See the dev@kubernetes.io announcements, chairs and techleads meetings, etc.)

key: key.json
9 changes: 0 additions & 9 deletions config/prow/cluster/build/build_serviceaccounts.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,15 +58,6 @@ metadata:
---
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
# Used by the gcp provider tests for secrets-store-csi-driver
iam.gke.io/gcp-service-account: k8s-csi-test@secretmanager-csi-build.iam.gserviceaccount.com
name: secrets-store-csi-driver-gcp
namespace: test-pods
---
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
# Used by the metrics-kettle job. (Note that for some reason this job uses the triage SA not the kettle SA.)
Expand Down