Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DCJ-755: Use workload identity to auth as staging test runner SA for staging smoke tests #1838

Open
wants to merge 34 commits into
base: develop
Choose a base branch
from
Open

DCJ-755: Use workload identity to auth as staging test runner SA for staging smoke tests #1838

wants to merge 34 commits into from

Conversation

snf2ye
Copy link
Contributor

@snf2ye snf2ye commented Oct 16, 2024
edited
Loading

Jira ticket: https://broadworkbench.atlassian.net/browse/DCJ-755

Addresses

Yale manages the key for the test runner service account. This does not automatically sync with the terraform that manages the secrets for github actions.

Switching to workload identity fixes this problem: Yale can manage the key and key rotation and it will sync with workload identity.

Summary of changes

  • Following these instructions
  • Update staging smoke tests to use workload identity instead of github secret

Related Changes

Testing Strategy

  • Run action from branch once terraform change is applied

Cherry pick action

Successful test run: https://github.com/DataBiosphere/jade-data-repo/actions/runs/11441504960/job/31829699245

@snf2ye snf2ye requested a review from a team as a code owner October 16, 2024 20:22
fboulnois
fboulnois reviewed Oct 17, 2024
View reviewed changes
Copy link
Contributor

@fboulnois fboulnois left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor early suggestion:

.github/workflows/staging-smoke-tests.yaml Outdated
Comment on lines 9 to 11
permissions:
contents: 'read'
id-token: 'write'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can put these permissions at the job level:

jobs:
  test-runner-staging:
    runs-on: ubuntu-latest
    permissions:
      contents: 'read'
      id-token: 'write'

@snf2ye
code review: move to job level
76558fa
@snf2ye
try just the test runner sa
6f54626
@snf2ye
wip
75330dd
@snf2ye
What happens if I auth as both test runner and k8 sa?
e6c87fd
@snf2ye
<undo before merge> Comment out slack notification
eda9931
@snf2ye
Enable defining credentials in env variable for test runner
fb7863a
@snf2ye
spotlessApply
4a9545f
@snf2ye
<undo before merge> Checkout local branch
9244364
@snf2ye
wip
8d2a738
@snf2ye
wip
4e5fec7
@snf2ye
wip
287d1ad
@snf2ye
wip
cd23760
@snf2ye
try out unit tests
2a041e9
@snf2ye
try with scopes
ff640f7
@snf2ye
Enable the external account type
8f0ff39
@snf2ye
Remove other calls that are specific to "ServiceAccountCredentials"
e928436
@snf2ye
wip - add in connected and integration tests
cfbb4f9
@snf2ye
cherry pick action
0d97fb7
@snf2ye
update gcr
c982484
@snf2ye
update name of step
31230c4
@snf2ye
spotless
fd9519b
@snf2ye
update to other gcr
c946d1c
@snf2ye
wrong SA
7823074
@snf2ye
try using ExternalAccountCredentials instead of GoogleCredentials
4e15e49 
spotless
@snf2ye snf2ye force-pushed the sh/dcj-755-staging-testrunnersa branch from ead90ca to 4e15e49 Compare October 21, 2024 13:58
@sonarcloud SonarCloud
Copy link

sonarcloud bot commented Oct 24, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
27.8% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fboulnois fboulnois fboulnois left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@snf2ye @fboulnois