[SPIKE] DT-909: Can we switch to using workload identity to auth as SAs across TDR GHAs? #1838

Closed
49 commits
2ad8a33  Use workload identity  (snf2ye, Oct 16, 2024)
1edd29d  code review: move to job level  (snf2ye, Oct 17, 2024)
6b91784  try just the test runner sa  (snf2ye, Oct 17, 2024)
6975da7  wip  (snf2ye, Oct 17, 2024)
8fdf3fe  What happens if I auth as both test runner and k8 sa?  (snf2ye, Oct 17, 2024)
9f2ba72  <undo before merge> Comment out slack notification  (snf2ye, Oct 17, 2024)
4df0a69  Enable defining credentials in env variable for test runner  (snf2ye, Oct 17, 2024)
1f83507  spotlessApply  (snf2ye, Oct 17, 2024)
5654ae5  <undo before merge> Checkout local branch  (snf2ye, Oct 17, 2024)
1ef2f17  wip  (snf2ye, Oct 17, 2024)
4bddac4  wip  (snf2ye, Oct 17, 2024)
004cb70  wip  (snf2ye, Oct 17, 2024)
ddab782  wip  (snf2ye, Oct 17, 2024)
88c4ba2  try out unit tests  (snf2ye, Oct 18, 2024)
ae35ba6  try with scopes  (snf2ye, Oct 18, 2024)
af3354d  Enable the external account type  (snf2ye, Oct 18, 2024)
8a3bde8  Remove other calls that are specific to "ServiceAccountCredentials"  (snf2ye, Oct 18, 2024)
445f769  wip - add in connected and integration tests  (snf2ye, Oct 18, 2024)
dff1347  cherry pick action  (snf2ye, Oct 18, 2024)
1e0898a  update gcr  (snf2ye, Oct 18, 2024)
ba41a7b  update name of step  (snf2ye, Oct 18, 2024)
73df747  spotless  (snf2ye, Oct 18, 2024)
61cd834  update to other gcr  (snf2ye, Oct 18, 2024)
33a3871  wrong SA  (snf2ye, Oct 21, 2024)
61a60cd  try using ExternalAccountCredentials instead of GoogleCredentials  (snf2ye, Oct 21, 2024)
c03aa68  try impersonating service account rather than pulling creds from file  (snf2ye, Oct 22, 2024)
b767c76  make sure using RBS tools; remove auth as rbs sa  (snf2ye, Oct 22, 2024)
35efcfa  try with scoped  (snf2ye, Oct 22, 2024)
50d27d8  spotless  (snf2ye, Oct 22, 2024)
2356a8b  Now that TDR SA is added to the RBS proxy allow list, we can directly…  (snf2ye, Oct 23, 2024)
f0ac938  encountered error in connected tests appears to be a known issue with…  (snf2ye, Oct 23, 2024)
50041ea  just use credentials  (snf2ye, Oct 23, 2024)
026c930  Add logging  (snf2ye, Oct 24, 2024)
0db617f  set Google cloud project env variable  (snf2ye, Oct 24, 2024)
97707cb  test updating dev image update  (snf2ye, Nov 8, 2024)
d2aac4d  wip  (snf2ye, Nov 8, 2024)
2b018fb  need permission  (snf2ye, Nov 8, 2024)
d490880  wip  (snf2ye, Nov 8, 2024)
576025d  wip  (snf2ye, Nov 8, 2024)
48e5cd6  wip  (snf2ye, Nov 19, 2024)
05e7bb0  Merge branch 'develop' into sh/dcj-755-staging-testrunnersa  (snf2ye, Dec 13, 2024)
5b45212  Revert "Merge branch 'develop' into sh/dcj-755-staging-testrunnersa"  (snf2ye, Dec 13, 2024)
1da7fb6  Revert "wip"  (snf2ye, Dec 13, 2024)
2fe6af3  try adding scope for cloud-billing  (snf2ye, Dec 13, 2024)
133d169  scopes only gets set if token_format is set to "access_token"  (snf2ye, Dec 13, 2024)
f9c2158  Merge branch 'develop' into sh/dcj-755-staging-testrunnersa  (snf2ye, Dec 17, 2024)
cc8d08c  Reset datarepo-clienttests - didn't work to use a single service account  (snf2ye, Dec 17, 2024)
200768f  branch got out of sync with develop  (snf2ye, Dec 17, 2024)
4645fca  a few more things out of sync  (snf2ye, Dec 17, 2024)
20 changes: 13 additions & 7 deletions .github/workflows/cherry-pick-image.yaml
@@ -32,14 +32,20 @@ on:
jobs:
cherry-pick-image:
runs-on: ubuntu-latest
# Needed for integration with workload identity
permissions:
contents: 'read'
id-token: 'write'
steps:
- name: "Authenticate with GCR SA Credentials"
env:
GOOGLE_APPLICATION_CREDENTIALS: /tmp/gcr-sa.json
run: |
# write token
base64 --decode <<< ${{ secrets.GCR_SA_B64_CREDENTIALS }} > ${GOOGLE_APPLICATION_CREDENTIALS}
gcloud auth activate-service-account --key-file ${GOOGLE_APPLICATION_CREDENTIALS}
# Needed for integration with workload identity
- name: Checkout code
uses: actions/checkout@v4
- name: 'Auth as gcr-sa'
uses: 'google-github-actions/auth@v2'
with:
# Centralized in dsp-tools-k8s; ask in #dsp-devops-champions for help troubleshooting
workload_identity_provider: 'projects/1038484894585/locations/global/workloadIdentityPools/github-wi-pool/providers/github-wi-provider'
service_account: '[email protected]'
- name: "Perform cherry-pick"
run: |
SOURCE_IMAGE="${{ inputs.source_gcr_url }}:${{ inputs.gcr_tag }}"
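Review bot: the comment `# Needed for integration with workload identity` is repeated directly above `- name: Checkout code`, where it explains nothing; the `permissions:` block it belongs to already carries the same comment, so drop the second copy. Removing `gcloud auth activate-service-account --key-file ${GOOGLE_APPLICATION_CREDENTIALS}` also means no step explicitly activates a gcloud account any more; `google-github-actions/auth@v2` exports credential environment variables that gcloud honours on a runner where the SDK is installed, but confirm on a fresh runner that whatever `Perform cherry-pick` does with `SOURCE_IMAGE` still authenticates before relying on it. Replacing the base64-decoded key in `secrets.GCR_SA_B64_CREDENTIALS` with a federated, short-lived token is the right security move (no long-lived key in secrets or on the runner disk); consider pulling the long `workload_identity_provider` resource name, which is pasted verbatim into each workflow, into a repository or organization variable so a pool or provider change is a one-line edit.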
166 changes: 88 additions & 78 deletions .github/workflows/dev-image-update.yaml
@@ -24,45 +24,53 @@ jobs:
with:
ref: develop
token: ${{ secrets.BROADBOT_TOKEN }}
- name: "Bump the tag to a new version"
# - name: "Bump the tag to a new version"
# id: bumperstep
# uses: broadinstitute/datarepo-actions/actions/[email protected]
# with:
# actions_subcommand: 'bumper'
# sa_b64_credentials: ${{ secrets.SA_B64_CREDENTIALS }}
# version_file_path: build.gradle
# version_variable_name: version
# # Sets the author of the version bump commit to broadbot. This is used in our skip job logic.
# GITHUB_TOKEN: ${{ secrets.BROADBOT_TOKEN }}
- name: "Write api_image_tag to output"
id: bumperstep
uses: broadinstitute/datarepo-actions/actions/[email protected]
with:
actions_subcommand: 'bumper'
sa_b64_credentials: ${{ secrets.SA_B64_CREDENTIALS }}
version_file_path: build.gradle
version_variable_name: version
# Sets the author of the version bump commit to broadbot. This is used in our skip job logic.
GITHUB_TOKEN: ${{ secrets.BROADBOT_TOKEN }}
run: |
echo "api_image_tag=2.173.0" >> "$GITHUB_OUTPUT"

build_client_and_publish:
runs-on: ubuntu-latest
needs:
- bump_version
steps:
- name: Checkout tagged branch of jade-data-repo
uses: actions/checkout@v3
with:
ref: ${{ needs.bump_version.outputs.api_image_tag }}
- name: Set up JDK
uses: actions/setup-java@v3
with:
java-version: '17'
distribution: 'temurin'
cache: 'gradle'
- name: "Publish to Artifactory"
uses: gradle/gradle-build-action@v2
with:
arguments: ':datarepo-client:artifactoryPublish'
env:
ARTIFACTORY_USER: ${{ secrets.ARTIFACTORY_USER }}
ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
ENABLE_SUBPROJECT_TASKS: true
# build_client_and_publish:
# runs-on: ubuntu-latest
# needs:
# - bump_version
# steps:
# - name: Checkout tagged branch of jade-data-repo
# uses: actions/checkout@v3
# with:
# ref: ${{ needs.bump_version.outputs.api_image_tag }}
# - name: Set up JDK
# uses: actions/setup-java@v3
# with:
# java-version: '17'
# distribution: 'temurin'
# cache: 'gradle'
# - name: "Publish to Artifactory"
# uses: gradle/gradle-build-action@v2
# with:
# arguments: ':datarepo-client:artifactoryPublish'
# env:
# ARTIFACTORY_USER: ${{ secrets.ARTIFACTORY_USER }}
# ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
# ENABLE_SUBPROJECT_TASKS: true

build_container_and_publish:
runs-on: ubuntu-latest
needs:
- bump_version
# Needed for integration with workload identity
permissions:
contents: 'read'
id-token: 'write'
steps:
- name: Checkout tagged branch of jade-data-repo
uses: actions/checkout@v3
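Review bot: `echo "api_image_tag=2.173.0" >> "$GITHUB_OUTPUT"` hardcodes the version while the real bumper step and the whole `build_client_and_publish` job are commented out rather than migrated; this is spike scaffolding (the `<undo before merge>` commits say as much) and must be restored before merge, otherwise every run of this workflow would re-tag and redeploy 2.173.0. The bumper action still receives `sa_b64_credentials: ${{ secrets.SA_B64_CREDENTIALS }}`, so the long-lived key continues to be consumed by `broadinstitute/datarepo-actions/actions/[email protected]`; retiring that secret needs the composite action itself to accept the federated credentials that `auth@v2` produces, which is out of scope for this diff and worth noting in the spike write-up. Prefer deleting dead YAML over commenting it out, or leave those blocks untouched on the branch that is actually merged. The added `permissions:` block with `id-token: 'write'` on `build_container_and_publish` is correctly scoped at job level and keeps `contents: 'read'`, which is the least privilege the checkout needs.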
@@ -74,56 +82,58 @@ jobs:
distribution: 'temurin'
java-version: '17'
cache: 'gradle'
- name: 'Auth as TDR Service Account'
uses: 'google-github-actions/auth@v2'
with:
# Centralized in dsp-tools-k8s; ask in #dsp-devops-champions for help troubleshooting
workload_identity_provider: 'projects/1038484894585/locations/global/workloadIdentityPools/github-wi-pool/providers/github-wi-provider'
service_account: '[email protected]'
- name: 'Release Candidate Container Build: Create release candidate images'
run: |
# extract service account credentials
base64 --decode <<< ${{ secrets.SA_B64_CREDENTIALS }} > ${GOOGLE_APPLICATION_CREDENTIALS}
jq -r .private_key ${GOOGLE_APPLICATION_CREDENTIALS} > ${GOOGLE_SA_CERT}
chmod 644 ${GOOGLE_SA_CERT}
# Set tag to semver version
export GCR_TAG=${{ needs.bump_version.outputs.api_image_tag }}
# Build, tag and push the image
./gradlew jib

cherry_pick_image_to_production_gcr:
needs: [bump_version, build_container_and_publish]
uses: ./.github/workflows/cherry-pick-image.yaml
secrets: inherit
with:
gcr_tag: ${{ needs.bump_version.outputs.api_image_tag }}
source_gcr_url: 'gcr.io/broad-jade-dev/jade-data-repo'
target_gcr_url: 'gcr.io/datarepo-public-gcr/jade-data-repo'

report-to-sherlock:
name: Report App Version to DevOps
uses: broadinstitute/sherlock/.github/workflows/client-report-app-version.yaml@main
needs: [bump_version, cherry_pick_image_to_production_gcr]
with:
new-version: ${{ needs.bump_version.outputs.api_image_tag }}
chart-name: datarepo
permissions:
contents: read
id-token: write

set-app-version-in-dev:
uses: broadinstitute/sherlock/.github/workflows/client-set-environment-app-version.yaml@main
needs:
- bump_version
- report-to-sherlock
with:
new-version: ${{ needs.bump_version.outputs.api_image_tag }}
chart-name: datarepo
environment-name: dev
secrets:
sync-git-token: ${{ secrets.BROADBOT_TOKEN }}
permissions:
id-token: write

helm_tag_bumper:
needs:
- build_container_and_publish
# We block bumping the tag in datarepo-helm because that will cause a deployment to datarepo-dev
# too, and we don't want to be deploying to datarepo-dev twice simultaneously
- set-app-version-in-dev
uses: ./.github/workflows/helmtagbumper.yaml
secrets: inherit
# cherry_pick_image_to_production_gcr:
# needs: [bump_version, build_container_and_publish]
# uses: ./.github/workflows/cherry-pick-image.yaml
# secrets: inherit
# with:
# gcr_tag: ${{ needs.bump_version.outputs.api_image_tag }}
# source_gcr_url: 'gcr.io/broad-jade-dev/jade-data-repo'
# target_gcr_url: 'gcr.io/datarepo-public-gcr/jade-data-repo'
#
# report-to-sherlock:
# name: Report App Version to DevOps
# uses: broadinstitute/sherlock/.github/workflows/client-report-app-version.yaml@main
# needs: [bump_version, cherry_pick_image_to_production_gcr]
# with:
# new-version: ${{ needs.bump_version.outputs.api_image_tag }}
# chart-name: datarepo
# permissions:
# contents: read
# id-token: write
#
# set-app-version-in-dev:
# uses: broadinstitute/sherlock/.github/workflows/client-set-environment-app-version.yaml@main
# needs:
# - bump_version
# - report-to-sherlock
# with:
# new-version: ${{ needs.bump_version.outputs.api_image_tag }}
# chart-name: datarepo
# environment-name: dev
# secrets:
# sync-git-token: ${{ secrets.BROADBOT_TOKEN }}
# permissions:
# id-token: write
#
# helm_tag_bumper:
# needs:
# - build_container_and_publish
# # We block bumping the tag in datarepo-helm because that will cause a deployment to datarepo-dev
# # too, and we don't want to be deploying to datarepo-dev twice simultaneously
# - set-app-version-in-dev
# uses: ./.github/workflows/helmtagbumper.yaml
# secrets: inherit
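Review bot: the removed lines wrote the decoded key to `${GOOGLE_APPLICATION_CREDENTIALS}` and then extracted `.private_key` into `${GOOGLE_SA_CERT}`; after this change nothing populates `GOOGLE_SA_CERT`, so every consumer of that variable (in the `./gradlew jib` build and the Gradle configuration behind it) must be found and either removed or switched to the application default credentials that `google-github-actions/auth@v2` sets up, because an empty path will only fail at runtime. Getting the private key off the runner filesystem is the right direction: the federated token is short-lived and bound to this workflow's OIDC claims rather than a key that anyone with `SA_B64_CREDENTIALS` could reuse. The remainder of the hunk comments out `cherry_pick_image_to_production_gcr`, `report-to-sherlock`, `set-app-version-in-dev` and `helm_tag_bumper`; those jobs have to come back before merge, and when they do, `cherry_pick_image_to_production_gcr` needs a `permissions:` block with `id-token: write` on the caller job, as `report-to-sherlock` already has, since the reusable `cherry-pick-image.yaml` now requests `id-token: 'write'` and a called workflow cannot obtain a permission its caller does not grant; `secrets: inherit` alone will not provide it.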