Use workload identity to push boskos and prow

kubernetes · Feb 12, 2020 · 24a0584 · 24a0584
1 parent 1f0e4d5
commit 24a0584
Showing 1 changed file with 3 additions and 19 deletions.
diff --git a/config/jobs/kubernetes/test-infra/test-infra-trusted.yaml b/config/jobs/kubernetes/test-infra/test-infra-trusted.yaml
@@ -131,22 +131,14 @@ postsubmits:
     run_if_changed: '^(prow|ghproxy|label_sync|robots/commenter|robots/pr-creator|robots/issue-creator|testgrid/cmd/transfigure)/'
     decorate: true
     spec:
+      serviceAccountName: pusher
       containers:
       - image: gcr.io/k8s-testimages/bazelbuild:v20200212-b304d89-2.0.0 # whatever image you use here must have bash 4.4+
         command:
         - prow/push.sh
         env:
         - name: USE_BAZEL_VERSION
           value: real  # Ignore .bazelversion
-        - name: GOOGLE_APPLICATION_CREDENTIALS
-          value: /creds/service-account.json
-        volumeMounts:
-        - name: creds
-          mountPath: /creds
-      volumes:
-      - name: creds
-        secret:
-          secretName: pusher-service-account
     annotations:
       testgrid-dashboards: sig-testing-prow
       testgrid-tab-name: push-prow
@@ -200,22 +192,14 @@ postsubmits:
     branches:
     - master
     spec:
+      serviceAccountName: pusher
       containers:
       - image: gcr.io/k8s-testimages/bazelbuild:v20200212-b304d89-2.0.0 # whatever image you use here must have bash 4.4+
         command:
         - boskos/push.sh
         env:
         - name: USE_BAZEL_VERSION
           value: real  # Ignore .bazelversion
-        - name: GOOGLE_APPLICATION_CREDENTIALS
-          value: /creds/service-account.json
-        volumeMounts:
-        - name: creds
-          mountPath: /creds
-      volumes:
-      - name: creds
-        secret:
-          secretName: pusher-service-account
   - name: post-test-infra-push-kettle
     cluster: test-infra-trusted
     annotations:
@@ -849,7 +833,7 @@ postsubmits:
       volumes:
       - name: service-account
         secret:
-          secretName: pusher-service-account
+          secretName: pusher-service-account # TODO(fejta): use pusher serviceAccountName
     annotations:
       testgrid-dashboards: sig-testing-prow
       testgrid-tab-name: cip-prow