From 38951dc1fb5d8ffa5db1ae9e6620b29376036f3d Mon Sep 17 00:00:00 2001
From: Erick Fejta
Date: Thu, 20 Feb 2020 10:25:06 -0800
Subject: [PATCH 01/13] Switch apisnoop to use workload identity
---
.../image-pushing/k8s-staging-apisnoop.yaml | 55 ++-----------------
1 file changed, 5 insertions(+), 50 deletions(-)
diff --git a/config/jobs/image-pushing/k8s-staging-apisnoop.yaml b/config/jobs/image-pushing/k8s-staging-apisnoop.yaml
index 5d7882df1c9c..c6164c099e41 100644
--- a/config/jobs/image-pushing/k8s-staging-apisnoop.yaml
+++ b/config/jobs/image-pushing/k8s-staging-apisnoop.yaml
@@ -11,6 +11,7 @@ postsubmits: branches: - ^master$ spec:
+ serviceAccountName: deployer # TODO(fejta): use pusher
containers: - image: gcr.io/k8s-testimages/image-builder:v20200213-0032cdb command:
@@ -21,16 +22,6 @@ postsubmits: - --scratch-bucket=gs://k8s-staging-apisnoop-gcb - --env-passthrough=PULL_BASE_REF - apps/webapp/ - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /creds/service-account.json - volumeMounts: - - name: creds - mountPath: /creds - volumes: - - name: creds - secret: - secretName: deployer-service-account - name: apisnoop-push-kubemacs-images cluster: test-infra-trusted annotations:
@@ -42,6 +33,7 @@ postsubmits: branches: - ^master$ spec:
+ serviceAccountName: deployer # TODO(fejta): use pusher
containers: - image: gcr.io/k8s-testimages/image-builder:v20200213-0032cdb command:
@@ -52,16 +44,6 @@ postsubmits: - --scratch-bucket=gs://k8s-staging-apisnoop-gcb - --env-passthrough=PULL_BASE_REF - apps/kubemacs/ - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /creds/service-account.json - volumeMounts: - - name: creds - mountPath: /creds - volumes: - - name: creds - secret: - secretName: deployer-service-account - name: apisnoop-push-auditlogger-images cluster: test-infra-trusted annotations:
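Review bot: The added `serviceAccountName: deployer # TODO(fejta): use pusher` line gives this job the shared `deployer` Kubernetes service account, and the identical line is added to every other job in this series (the -42/-73/-104/-135 hunks of this file and patches 03–13), so jobs that push to different staging projects all run under one identity; the TODO admits a narrower `pusher` account is the goal but carries no tracking reference, and whether `pusher` already exists is not visible here. I would make the intent and the follow-up greppable in each file, e.g. `serviceAccountName: deployer # TODO(fejta): use the per-project pusher account so a job can only write to its own staging registry (tracking: <ISSUE-PLACEHOLDER>)`. Whether the `deployer` account in the `test-infra-trusted` cluster is actually annotated for workload identity cannot be confirmed from the diff; if it is not, the builder would authenticate with whatever identity the node metadata server hands out, or fail, so that binding deserves a check before merge.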
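Review bot: Removing the `creds` volume stops mounting the `deployer-service-account` Secret, but nothing in this series deletes that Secret or disables the service-account key it holds, so the long-lived credential the switch is meant to retire stays in the cluster, and stays valid, after merge. The same removal appears in the other deletion hunks of this file and in patches 03–13, so this is a series-wide follow-up rather than a per-file one. I would record in the PR description that the Secret and its key are to be deleted and rotated once the last consumer is migrated, and confirm from a post-merge run that image-builder authenticated via the metadata server rather than a credentials file. Cannot tell from the diff whether any job outside this series still mounts the Secret.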
@@ -73,6 +55,7 @@ postsubmits: branches: - ^master$ spec:
+ serviceAccountName: deployer # TODO(fejta): use pusher
containers: - image: gcr.io/k8s-testimages/image-builder:v20200213-0032cdb command:
@@ -83,16 +66,6 @@ postsubmits: - --scratch-bucket=gs://k8s-staging-apisnoop-gcb - --env-passthrough=PULL_BASE_REF - apps/auditlogger/ - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /creds/service-account.json - volumeMounts: - - name: creds - mountPath: /creds - volumes: - - name: creds - secret: - secretName: deployer-service-account - name: apisnoop-push-postgres-images cluster: test-infra-trusted annotations:
@@ -104,6 +77,7 @@ postsubmits: branches: - ^master$ spec:
+ serviceAccountName: deployer # TODO(fejta): use pusher
containers: - image: gcr.io/k8s-testimages/image-builder:v20200213-0032cdb command:
@@ -114,16 +88,6 @@ postsubmits: - --scratch-bucket=gs://k8s-staging-apisnoop-gcb - --env-passthrough=PULL_BASE_REF - apps/postgres/ - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /creds/service-account.json - volumeMounts: - - name: creds - mountPath: /creds - volumes: - - name: creds - secret: - secretName: deployer-service-account - name: apisnoop-push-hasura-images cluster: test-infra-trusted annotations:
@@ -135,6 +99,7 @@ postsubmits: branches: - ^master$ spec:
+ serviceAccountName: deployer # TODO(fejta): use pusher
containers: - image: gcr.io/k8s-testimages/image-builder:v20200213-0032cdb command:
@@ -145,13 +110,3 @@ postsubmits: - --scratch-bucket=gs://k8s-staging-apisnoop-gcb - --env-passthrough=PULL_BASE_REF - apps/hasura/ - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /creds/service-account.json - volumeMounts: - - name: creds - mountPath: /creds - volumes: - - name: creds - secret: - secretName: deployer-service-account
From 5c9acba291ed5c03424c1410a43ba052bd2bfb07 Mon Sep 17 00:00:00 2001
From: Erick Fejta
Date: Thu, 20 Feb 2020 10:25:30 -0800
Subject: [PATCH 02/13] Update README.md to use workload-identity
---
config/jobs/image-pushing/README.md | 11 +----------
1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/config/jobs/image-pushing/README.md b/config/jobs/image-pushing/README.md
index 09604f7738b1..66d501302549 100644
--- a/config/jobs/image-pushing/README.md
+++ b/config/jobs/image-pushing/README.md
@@ -137,6 +137,7 @@ postsubmits: branches: - ^master$ spec:
+ serviceAccountName: deployer # TODO(fejta): use pusher
containers: - image: gcr.io/k8s-testimages/image-builder:v20190906-d5d7ce3 command:
@@ -149,16 +150,6 @@ postsubmits: - --scratch-bucket=gs://k8s-staging-cluster-api-gcb - --env-passthrough=PULL_BASE_REF - . - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /creds/service-account.json - volumeMounts: - - name: creds - mountPath: /creds - volumes: - - name: creds - secret: - secretName: deployer-service-account ``` [gcr instructions]: https://github.com/kubernetes/k8s.io/blob/master/k8s.gcr.io/README.md
From f941ee28031fb39278431e1e818a0477f86ae352 Mon Sep 17 00:00:00 2001
From: Erick Fejta
Date: Thu, 20 Feb 2020 10:25:40 -0800
Subject: [PATCH 03/13] Update network-proxy to use workload-identity
---
.../k8s-staging-apiserver-network-proxy.yaml | 11 +----------
1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/config/jobs/image-pushing/k8s-staging-apiserver-network-proxy.yaml b/config/jobs/image-pushing/k8s-staging-apiserver-network-proxy.yaml
index e23589546d7b..6f925ac47aee 100644
--- a/config/jobs/image-pushing/k8s-staging-apiserver-network-proxy.yaml
+++ b/config/jobs/image-pushing/k8s-staging-apiserver-network-proxy.yaml
@@ -10,6 +10,7 @@ postsubmits: branches: - ^master$ spec:
+ serviceAccountName: deployer # TODO(fejta): use pusher
containers: - image: gcr.io/k8s-testimages/image-builder:v20200213-0032cdb command:
@@ -20,13 +21,3 @@ postsubmits: - --scratch-bucket=gs://k8s-staging-kas-network-proxy-gcb - --env-passthrough=PULL_BASE_REF - . - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /creds/service-account.json - volumeMounts: - - name: creds - mountPath: /creds - volumes: - - name: creds - secret: - secretName: deployer-service-account
From cd32a5098388255cd650d443e8cf6f97d6073d68 Mon Sep 17 00:00:00 2001
From: Erick Fejta
Date: Thu, 20 Feb 2020 10:25:54 -0800
Subject: [PATCH 04/13] Update artifact promoter to use workload-identity
---
.../image-pushing/k8s-staging-artifact-promoter.yaml | 11 +----------
1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/config/jobs/image-pushing/k8s-staging-artifact-promoter.yaml b/config/jobs/image-pushing/k8s-staging-artifact-promoter.yaml
index a2412f7a2a5b..69d65ba79373 100644
--- a/config/jobs/image-pushing/k8s-staging-artifact-promoter.yaml
+++ b/config/jobs/image-pushing/k8s-staging-artifact-promoter.yaml
@@ -10,6 +10,7 @@ postsubmits: branches: - ^master$ spec:
+ serviceAccountName: deployer # TODO(fejta): use pusher
containers: - image: gcr.io/k8s-testimages/image-builder:v20200213-0032cdb command:
@@ -20,13 +21,3 @@ postsubmits: - --scratch-bucket=gs://k8s-staging-artifact-promoter-gcb - --env-passthrough=PULL_BASE_REF - . - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /creds/service-account.json - volumeMounts: - - name: creds - mountPath: /creds - volumes: - - name: creds - secret: - secretName: deployer-service-account
From 29c6ecf3018f39d11759408cf4104d3ff3f50e7b Mon Sep 17 00:00:00 2001
From: Erick Fejta
Date: Thu, 20 Feb 2020 10:26:07 -0800
Subject: [PATCH 05/13] update openstack to use workload identity
---
.../image-pushing/k8s-staging-capi-openstack.yaml | 11 +----------
1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/config/jobs/image-pushing/k8s-staging-capi-openstack.yaml b/config/jobs/image-pushing/k8s-staging-capi-openstack.yaml
index 8316f75bcf16..c599778b5ef5 100644
--- a/config/jobs/image-pushing/k8s-staging-capi-openstack.yaml
+++ b/config/jobs/image-pushing/k8s-staging-capi-openstack.yaml
@@ -10,6 +10,7 @@ postsubmits: branches: - ^master$ spec:
+ serviceAccountName: deployer # TODO(fejta): use pusher
containers: - image: gcr.io/k8s-testimages/image-builder:v20200213-0032cdb command:
@@ -20,13 +21,3 @@ postsubmits: - --scratch-bucket=gs://k8s-staging-capi-openstack-gcb - --env-passthrough=PULL_BASE_REF - . - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /creds/service-account.json - volumeMounts: - - name: creds - mountPath: /creds - volumes: - - name: creds - secret: - secretName: deployer-service-account
From 30d84ae4770c9ae25a68133d9042d0104a8e3aa7 Mon Sep 17 00:00:00 2001
From: Erick Fejta
Date: Thu, 20 Feb 2020 10:26:19 -0800
Subject: [PATCH 06/13] Update cluster api to use workload identity
---
.../k8s-staging-cluster-api.yaml | 55 ++-----------------
1 file changed, 5 insertions(+), 50 deletions(-)
diff --git a/config/jobs/image-pushing/k8s-staging-cluster-api.yaml b/config/jobs/image-pushing/k8s-staging-cluster-api.yaml
index 6ccda1077c0d..4dfe60999679 100644
--- a/config/jobs/image-pushing/k8s-staging-cluster-api.yaml
+++ b/config/jobs/image-pushing/k8s-staging-cluster-api.yaml
@@ -13,6 +13,7 @@ postsubmits: # this is a regex for semver, from https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string - ^v(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$ spec:
+ serviceAccountName: deployer # TODO(fejta): use pusher
containers: - image: gcr.io/k8s-testimages/image-builder:v20200213-0032cdb command:
@@ -23,16 +24,6 @@ postsubmits: - --scratch-bucket=gs://k8s-staging-cluster-api-gcb - --env-passthrough=PULL_BASE_REF - . - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /creds/service-account.json - volumeMounts: - - name: creds - mountPath: /creds - volumes: - - name: creds - secret: - secretName: deployer-service-account kubernetes-sigs/cluster-api-provider-aws: - name: post-cluster-api-provider-aws-push-images cluster: test-infra-trusted
@@ -46,6 +37,7 @@ postsubmits: # this is a regex for semver, from https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string - ^v(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$ spec:
+ serviceAccountName: deployer # TODO(fejta): use pusher
containers: - image: gcr.io/k8s-testimages/image-builder:v20200213-0032cdb command:
@@ -56,16 +48,6 @@ postsubmits: - --scratch-bucket=gs://k8s-staging-cluster-api-aws-gcb - --env-passthrough=PULL_BASE_REF - . - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /creds/service-account.json - volumeMounts: - - name: creds - mountPath: /creds - volumes: - - name: creds - secret: - secretName: deployer-service-account kubernetes-sigs/cluster-api-provider-azure: - name: post-cluster-api-provider-azure-push-images cluster: test-infra-trusted
@@ -76,6 +58,7 @@ postsubmits: branches: - ^master$ spec:
+ serviceAccountName: deployer # TODO(fejta): use pusher
containers: - image: gcr.io/k8s-testimages/image-builder:v20200213-0032cdb command:
@@ -85,16 +68,6 @@ postsubmits: - --scratch-bucket=gs://k8s-staging-cluster-api-azure-gcb - --env-passthrough=PULL_BASE_REF - . - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /creds/service-account.json - volumeMounts: - - name: creds - mountPath: /creds - volumes: - - name: creds - secret: - secretName: deployer-service-account kubernetes-sigs/cluster-api-provider-gcp: - name: post-cluster-api-provider-gcp-push-images cluster: test-infra-trusted
@@ -108,6 +81,7 @@ postsubmits: # this is a regex for semver, from https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string - ^v(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$ spec:
+ serviceAccountName: deployer # TODO(fejta): use pusher
containers: - image: gcr.io/k8s-testimages/image-builder:v20200213-0032cdb command:
@@ -118,16 +92,6 @@ postsubmits: - --scratch-bucket=gs://k8s-staging-cluster-api-gcp-gcb - --env-passthrough=PULL_BASE_REF - . - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /creds/service-account.json - volumeMounts: - - name: creds - mountPath: /creds - volumes: - - name: creds - secret: - secretName: deployer-service-account kubernetes-sigs/cluster-api-bootstrap-provider-kubeadm: - name: post-cluster-api-bootstrap-provider-push-images cluster: test-infra-trusted
@@ -140,6 +104,7 @@ postsubmits: # this is a regex for semver, from https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string - ^v(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$ spec:
+ serviceAccountName: deployer # TODO(fejta): use pusher
containers: - image: gcr.io/k8s-testimages/image-builder:v20200213-0032cdb command:
@@ -150,13 +115,3 @@ postsubmits: - --scratch-bucket=gs://k8s-staging-capi-kubeadm-gcb - --env-passthrough=PULL_BASE_REF - . - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /creds/service-account.json - volumeMounts: - - name: creds - mountPath: /creds - volumes: - - name: creds - secret: - secretName: deployer-service-account
From 142b6afd1594ba0811d635e8ab33ad726b86e39f Mon Sep 17 00:00:00 2001
From: Erick Fejta
Date: Thu, 20 Feb 2020 10:26:33 -0800
Subject: [PATCH 07/13] Update descheduler to use workload identity
---
.../jobs/image-pushing/k8s-staging-descheduler.yaml | 11 +----------
1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/config/jobs/image-pushing/k8s-staging-descheduler.yaml b/config/jobs/image-pushing/k8s-staging-descheduler.yaml
index 6a7d2baa98d9..0937fda518cc 100644
--- a/config/jobs/image-pushing/k8s-staging-descheduler.yaml
+++ b/config/jobs/image-pushing/k8s-staging-descheduler.yaml
@@ -14,6 +14,7 @@ postsubmits: # this is a regex for semver, from https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string - ^v(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$ spec:
+ serviceAccountName: deployer # TODO(fejta): use pusher
containers: - image: gcr.io/k8s-testimages/image-builder:v20200213-0032cdb command:
@@ -26,13 +27,3 @@ postsubmits: - --scratch-bucket=gs://k8s-staging-descheduler-gcb - --env-passthrough=PULL_BASE_REF - . - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /creds/service-account.json - volumeMounts: - - name: creds - mountPath: /creds - volumes: - - name: creds - secret: - secretName: deployer-service-account
From f5ad866e5d0639bb80cf49e96804daee2b98c1cc Mon Sep 17 00:00:00 2001
From: Erick Fejta
Date: Thu, 20 Feb 2020 10:26:45 -0800
Subject: [PATCH 08/13] Update e2e-test-images to use workload identity
---
.../jobs/image-pushing/k8s-staging-e2e-test-images.yaml | 9 +--------
1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/config/jobs/image-pushing/k8s-staging-e2e-test-images.yaml b/config/jobs/image-pushing/k8s-staging-e2e-test-images.yaml
index f28af8455e37..bd5a047ea094 100644
--- a/config/jobs/image-pushing/k8s-staging-e2e-test-images.yaml
+++ b/config/jobs/image-pushing/k8s-staging-e2e-test-images.yaml
@@ -19,6 +19,7 @@ postsubmits: branches: - ^master$ spec:
+ serviceAccountName: deployer # TODO(fejta)- use pusher
containers: - image: gcr.io/k8s-testimages/image-builder:v20200213-0032cdb command:
@@ -32,12 +33,7 @@ postsubmits: - --env-passthrough=PULL_BASE_REF - --build-dir=. - test/images - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /creds/service-account.json volumeMounts: - - name: creds - mountPath: /creds - name: windows-cert mountPath: /root/.docker-1809 - name: windows-cert
@@ -45,9 +41,6 @@ postsubmits: - name: windows-cert mountPath: /root/.docker-1909 volumes: - - name: creds - secret: - secretName: deployer-service-account - name: windows-cert secret: secretName: windows-img-promoter-cert
From 7917f041b204b19a0476232f63e1b33edcee9e9b Mon Sep 17 00:00:00 2001
From: Erick Fejta
Date: Thu, 20 Feb 2020 10:26:58 -0800
Subject: [PATCH 09/13] Update external-dns to use workload identity
---
.../jobs/image-pushing/k8s-staging-external-dns.yaml | 11 +----------
1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/config/jobs/image-pushing/k8s-staging-external-dns.yaml b/config/jobs/image-pushing/k8s-staging-external-dns.yaml
index 363504da83f0..45754600fcb5 100644
--- a/config/jobs/image-pushing/k8s-staging-external-dns.yaml
+++ b/config/jobs/image-pushing/k8s-staging-external-dns.yaml
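Review bot: The comment on the added line in the `@@ -19,6 +19,7 @@` hunk reads `# TODO(fejta)- use pusher`, while every other patch in the series writes `# TODO(fejta): use pusher`; the stray `-` will make a grep for `TODO(fejta):` skip this job when the account is eventually switched. Use `serviceAccountName: deployer # TODO(fejta): use pusher` here for consistency. Note also that after the `creds` volume goes away this job still mounts the `windows-cert` Secret (`windows-img-promoter-cert`) into several `.docker-*` paths, so unlike the other jobs in the series it remains partly credential-file based; a short line in the commit message saying that is intentional would save the next reader a check.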
@@ -11,6 +11,7 @@ postsubmits: - ^master$ - ^v[0-9].* spec:
+ serviceAccountName: deployer # TODO(fejta): use pusher
containers: - image: gcr.io/k8s-testimages/image-builder:v20200213-0032cdb command:
@@ -21,13 +22,3 @@ postsubmits: - --scratch-bucket=gs://k8s-staging-external-dns-gcb - --env-passthrough=PULL_BASE_REF - . - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /creds/service-account.json - volumeMounts: - - name: creds - mountPath: /creds - volumes: - - name: creds - secret: - secretName: deployer-service-account
From 6015d8277e8fd75fddcea09eeefcb1a68c613045 Mon Sep 17 00:00:00 2001
From: Erick Fejta
Date: Thu, 20 Feb 2020 10:27:14 -0800
Subject: [PATCH 10/13] Update kops to use workload identity
---
config/jobs/image-pushing/k8s-staging-kops.yaml | 11 +----------
1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/config/jobs/image-pushing/k8s-staging-kops.yaml b/config/jobs/image-pushing/k8s-staging-kops.yaml
index 8f61c32256a0..d331cafa576a 100644
--- a/config/jobs/image-pushing/k8s-staging-kops.yaml
+++ b/config/jobs/image-pushing/k8s-staging-kops.yaml
@@ -11,6 +11,7 @@ postsubmits: - ^master$ - ^release-.* spec:
+ serviceAccountName: deployer # TODO(fejta): use pusher
containers: - image: gcr.io/k8s-testimages/image-builder:v20200213-0032cdb command:
@@ -21,13 +22,3 @@ postsubmits: - --scratch-bucket=gs://k8s-staging-kops-gcb - --env-passthrough=PULL_BASE_REF - . - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /creds/service-account.json - volumeMounts: - - name: creds - mountPath: /creds - volumes: - - name: creds - secret: - secretName: deployer-service-account
From 55272d62c17bbeed61f92467f96b89da267c5b3d Mon Sep 17 00:00:00 2001
From: Erick Fejta
Date: Thu, 20 Feb 2020 10:27:25 -0800
Subject: [PATCH 11/13] Update azure to use workload identity
---
.../image-pushing/k8s-staging-provider-azure.yaml | 11 +----------
1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/config/jobs/image-pushing/k8s-staging-provider-azure.yaml b/config/jobs/image-pushing/k8s-staging-provider-azure.yaml
index 46dd48e70dda..d29e9c9c7ba7 100644
--- a/config/jobs/image-pushing/k8s-staging-provider-azure.yaml
+++ b/config/jobs/image-pushing/k8s-staging-provider-azure.yaml
@@ -19,6 +19,7 @@ postsubmits: # this is a regex for semver, from https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string - ^v(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$ spec:
+ serviceAccountName: deployer # TODO(fejta): use pusher
containers: - image: gcr.io/k8s-testimages/image-builder:v20200213-0032cdb command:
@@ -31,13 +32,3 @@ postsubmits: - --scratch-bucket=gs://k8s-staging-provider-azure-gcb - --env-passthrough=PULL_BASE_REF - . - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /creds/service-account.json - volumeMounts: - - name: creds - mountPath: /creds - volumes: - - name: creds - secret: - secretName: deployer-service-account
From e8ebcdf0f93076365e488e4ad96d8627c89b767f Mon Sep 17 00:00:00 2001
From: Erick Fejta
Date: Thu, 20 Feb 2020 10:27:38 -0800
Subject: [PATCH 12/13] Update release-test to use workload identity
---
.../k8s-staging-release-test.yaml | 50 ++-----------------
1 file changed, 5 insertions(+), 45 deletions(-)
diff --git a/config/jobs/image-pushing/k8s-staging-release-test.yaml b/config/jobs/image-pushing/k8s-staging-release-test.yaml
index 91d5360b5ba4..d6c12e7787a4 100644
--- a/config/jobs/image-pushing/k8s-staging-release-test.yaml
+++ b/config/jobs/image-pushing/k8s-staging-release-test.yaml
@@ -11,6 +11,7 @@ periodics: base_ref: master path_alias: "k8s.io/release" spec:
+ serviceAccountName: deployer # TODO(fejta): use pusher
containers: - image: gcr.io/k8s-testimages/image-builder:v20200213-0032cdb command:
@@ -22,17 +23,8 @@ periodics: - --no-source - gcb/build env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /creds/service-account.json - name: LOG_TO_STDOUT value: "y" - volumeMounts: - - name: creds - mountPath: /creds - volumes: - - name: creds - secret: - secretName: deployer-service-account rerun_auth_config: github_team_ids: - 2241179 # release-managers
@@ -54,6 +46,7 @@ periodics: base_ref: master path_alias: "k8s.io/release" spec:
+ serviceAccountName: deployer # TODO(fejta): use pusher
containers: - image: gcr.io/k8s-testimages/image-builder:v20200213-0032cdb command:
@@ -65,17 +58,8 @@ periodics: - --no-source - gcb/build env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /creds/service-account.json - name: LOG_TO_STDOUT value: "y" - volumeMounts: - - name: creds - mountPath: /creds - volumes: - - name: creds - secret: - secretName: deployer-service-account rerun_auth_config: github_team_ids: - 2241179 # release-managers
@@ -97,6 +81,7 @@ postsubmits: branches: - ^master$ spec:
+ serviceAccountName: deployer # TODO(fejta): use pusher
containers: - image: gcr.io/k8s-testimages/image-builder:v20200213-0032cdb command:
@@ -107,17 +92,8 @@ postsubmits: - --env-passthrough=PULL_BASE_REF - images/k8s-cloud-builder env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /creds/service-account.json - name: LOG_TO_STDOUT value: "y" - volumeMounts: - - name: creds - mountPath: /creds - volumes: - - name: creds - secret: - secretName: deployer-service-account rerun_auth_config: github_team_ids: - 2241179 # release-managers
@@ -131,6 +107,7 @@ postsubmits: branches: - ^master$ spec:
+ serviceAccountName: deployer # TODO(fejta): use pusher
containers: - image: gcr.io/k8s-testimages/image-builder:v20200213-0032cdb command:
@@ -141,17 +118,8 @@ postsubmits: - --env-passthrough=PULL_BASE_REF - images/releng-ci-bazel env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /creds/service-account.json - name: LOG_TO_STDOUT value: "y" - volumeMounts: - - name: creds - mountPath: /creds - volumes: - - name: creds - secret: - secretName: deployer-service-account rerun_auth_config: github_team_ids: - 2241179 # release-managers
@@ -164,6 +132,7 @@ postsubmits: branches: - ^master$ spec:
+ serviceAccountName: deployer # TODO(fejta): use pusher
containers: - image: gcr.io/k8s-testimages/image-builder:v20200213-0032cdb command:
@@ -175,17 +144,8 @@ postsubmits: - --gcb-config=./cloudbuild-kubepkg.yaml - . env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /creds/service-account.json - name: LOG_TO_STDOUT value: "y" - volumeMounts: - - name: creds - mountPath: /creds - volumes: - - name: creds - secret: - secretName: deployer-service-account rerun_auth_config: github_team_ids: - 2241179 # release-managers
From 7bccce24590e8de709e63688f29eedf3a9f8e5ad Mon Sep 17 00:00:00 2001
From: Erick Fejta
Date: Thu, 20 Feb 2020 10:27:54 -0800
Subject: [PATCH 13/13] Update service-apis to use workload identity
---
.../jobs/image-pushing/k8s-staging-service-apis.yaml | 11 +----------
1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/config/jobs/image-pushing/k8s-staging-service-apis.yaml b/config/jobs/image-pushing/k8s-staging-service-apis.yaml
index 387d1aa02a43..e8e0c1a7a991 100644
--- a/config/jobs/image-pushing/k8s-staging-service-apis.yaml
+++ b/config/jobs/image-pushing/k8s-staging-service-apis.yaml
@@ -10,6 +10,7 @@ postsubmits: branches: - ^master$ spec:
+ serviceAccountName: deployer # TODO(fejta): use pusher
containers: - image: gcr.io/k8s-testimages/image-builder:v20200213-0032cdb command:
@@ -20,13 +21,3 @@ postsubmits: - --scratch-bucket=gs://k8s-staging-service-apis - --env-passthrough=PULL_BASE_REF - . - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /creds/service-account.json - volumeMounts: - - name: creds - mountPath: /creds - volumes: - - name: creds - secret: - secretName: deployer-service-account