Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/build: move to Workload Identity #48263

Closed
heschi opened this issue Sep 8, 2021 · 6 comments
Closed

x/build: move to Workload Identity #48263

heschi opened this issue Sep 8, 2021 · 6 comments
Labels
Builders x/build issues (builders, bots, dashboards) FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.
Milestone

Comments

@heschi
Copy link
Contributor

heschi commented Sep 8, 2021

Our GCP project currently has coarse-grained permissions that apply to all our services. We should move to Workload Identity, and switch over to per-service service accounts.

@gopherbot gopherbot added the Builders x/build issues (builders, bots, dashboards) label Sep 8, 2021
@gopherbot gopherbot added this to the Unreleased milestone Sep 8, 2021
@heschi heschi self-assigned this Sep 8, 2021
@gopherbot
Copy link

Change https://golang.org/cl/348433 mentions this issue: cmd/gerritbot: move to Workload Identity

gopherbot pushed a commit to golang/build that referenced this issue Sep 8, 2021
Create a new service account, and move the deployment over to the prod
namespace.

Also fix AutoCert configuration so we can serve our happy little home
page.

Fixes golang/go#37377.
For golang/go#48263.

Change-Id: I9d0a5e49db53c0224379f448b49c9b679d59d23b
Reviewed-on: https://go-review.googlesource.com/c/build/+/348433
Trust: Heschi Kreinick <heschi@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
@gopherbot
Copy link

Change https://golang.org/cl/348434 mentions this issue: cmd/pubsubhelper: move to Workload Identity

@dmitshur dmitshur added the NeedsFix The path to resolution is known, but the work has not been done. label Sep 8, 2021
@dmitshur dmitshur added this to In Progress in Go Release Team Sep 8, 2021
@gopherbot
Copy link

Change https://golang.org/cl/349056 mentions this issue: cmd/gopherbot: move to Workload Identity

gopherbot pushed a commit to golang/build that referenced this issue Sep 10, 2021
Create a new service account, and move the deployment over to the prod
namespace.

Update build image to Go 1.17, and use a GCS bucket for autocert cache
storage rather than a PD.

For golang/go#48263.

Change-Id: I33db02695f08ebdf9ef8b958bfd0b81567931b73
Reviewed-on: https://go-review.googlesource.com/c/build/+/348434
Trust: Heschi Kreinick <heschi@google.com>
Run-TryBot: Heschi Kreinick <heschi@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
gopherbot pushed a commit to golang/build that referenced this issue Sep 10, 2021
Create a new service account, and move the deployment over to the prod
namespace. Also update the build image to Go 1.17.

For golang/go#48263.

Change-Id: I9c7776b294ee78c2745670f805ec70cab1ae4573
Reviewed-on: https://go-review.googlesource.com/c/build/+/349056
Trust: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Heschi Kreinick <heschi@google.com>
@gopherbot
Copy link

Change https://golang.org/cl/349570 mentions this issue: maintner/maintnerd: move to Workload Identity

gopherbot pushed a commit to golang/build that referenced this issue Sep 13, 2021
Create a new service account, and move the deployment over to the prod
namespace. Also update the build image to Go 1.17.

Since I've been moving to Uniform Bucket Access as I do these, also
remove the per-object ACL setting that now fails.

For golang/go#48263.

Change-Id: Ifab7041cdc905884a22bad67e35d2ac1cfabfdb0
Reviewed-on: https://go-review.googlesource.com/c/build/+/349570
Trust: Heschi Kreinick <heschi@google.com>
Run-TryBot: Heschi Kreinick <heschi@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
@gopherbot
Copy link

Change https://golang.org/cl/349950 mentions this issue: cmd/coordinator: move to Workload Identity

gopherbot pushed a commit to golang/build that referenced this issue Sep 14, 2021
Create a new service account, and move the deployment over to the prod
namespace.

The network metadata entry we look for isn't available under Workload
Identity
(https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#gke_mds)
so use the hostname instead, which works fine.

For golang/go#48263.

Change-Id: I91ef091de3e0a923b4a96c56a7f8e7c9e614be8f
Reviewed-on: https://go-review.googlesource.com/c/build/+/349950
Trust: Heschi Kreinick <heschi@google.com>
Run-TryBot: Heschi Kreinick <heschi@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
@heschi
Copy link
Contributor Author

heschi commented Sep 15, 2021

Done. There's a fair amount of cleanup that could be done but we're fully migrated.

@heschi heschi closed this as completed Sep 15, 2021
Go Release Team automation moved this from In Progress to Done Sep 15, 2021
@rsc rsc unassigned heschi Jun 23, 2022
@golang golang locked and limited conversation to collaborators Jun 23, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Builders x/build issues (builders, bots, dashboards) FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.
Projects
Archived in project
Development

No branches or pull requests

3 participants