x/build: move to Workload Identity #48263
Change https://golang.org/cl/348433 mentions this issue:

Create a new service account, and move the deployment over to the prod namespace. Also fix AutoCert configuration so we can serve our happy little home page.

Fixes golang/go#37377.
For golang/go#48263.

Change-Id: I9d0a5e49db53c0224379f448b49c9b679d59d23b
Reviewed-on: https://go-review.googlesource.com/c/build/+/348433
Trust: Heschi Kreinick <heschi@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Change https://golang.org/cl/348434 mentions this issue:

Change https://golang.org/cl/349056 mentions this issue:

Create a new service account, and move the deployment over to the prod namespace. Update build image to Go 1.17, and use a GCS bucket for autocert cache storage rather than a PD.

For golang/go#48263.

Change-Id: I33db02695f08ebdf9ef8b958bfd0b81567931b73
Reviewed-on: https://go-review.googlesource.com/c/build/+/348434
Trust: Heschi Kreinick <heschi@google.com>
Run-TryBot: Heschi Kreinick <heschi@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>

Create a new service account, and move the deployment over to the prod namespace. Also update the build image to Go 1.17.

For golang/go#48263.

Change-Id: I9c7776b294ee78c2745670f805ec70cab1ae4573
Reviewed-on: https://go-review.googlesource.com/c/build/+/349056
Trust: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Heschi Kreinick <heschi@google.com>
Change https://golang.org/cl/349570 mentions this issue:

Create a new service account, and move the deployment over to the prod namespace. Also update the build image to Go 1.17. Since I've been moving to Uniform Bucket Access as I do these, also remove the per-object ACL setting that now fails.

For golang/go#48263.

Change-Id: Ifab7041cdc905884a22bad67e35d2ac1cfabfdb0
Reviewed-on: https://go-review.googlesource.com/c/build/+/349570
Trust: Heschi Kreinick <heschi@google.com>
Run-TryBot: Heschi Kreinick <heschi@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Change https://golang.org/cl/349950 mentions this issue:

Create a new service account, and move the deployment over to the prod namespace. The network metadata entry we look for isn't available under Workload Identity (https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#gke_mds) so use the hostname instead, which works fine.

For golang/go#48263.

Change-Id: I91ef091de3e0a923b4a96c56a7f8e7c9e614be8f
Reviewed-on: https://go-review.googlesource.com/c/build/+/349950
Trust: Heschi Kreinick <heschi@google.com>
Run-TryBot: Heschi Kreinick <heschi@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
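
The commit message for CL 349950 notes that a metadata entry the service relied on is not served under Workload Identity. The sketch below is an added example, not code from x/build, and goes slightly beyond the commit by keeping the lookup and falling back to the hostname only when the entry is absent or the server is unreachable. All paths, values, and function names are hypothetical, and the local test server is a constructed stand-in for the metadata server.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"os"
	"time"
)

// fakeMetadata is a constructed stand-in server: listed paths only, else 404.
func fakeMetadata(entries map[string]string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if v, ok := entries[r.URL.Path]; ok {
			fmt.Fprint(w, v)
			return
		}
		http.NotFound(w, r)
	}))
}

// lookup fetches one entry; ok is false if it is missing or unreachable.
func lookup(base, path string) (val string, ok bool) {
	req, err := http.NewRequest(http.MethodGet, base+path, nil)
	if err != nil {
		return "", false
	}
	req.Header.Set("Metadata-Flavor", "Google") // required by the GCE/GKE metadata server
	resp, err := (&http.Client{Timeout: 2 * time.Second}).Do(req)
	if err != nil {
		return "", false
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err == nil && resp.StatusCode == http.StatusOK
}

// identify prefers the metadata entry, falls back to the hostname, and names the source used.
func identify(base, path string, hostname func() (string, error)) (string, string, error) {
	if v, ok := lookup(base, path); ok {
		return v, "metadata", nil
	}
	h, err := hostname()
	return h, "hostname", err
}

func main() {
	fmt.Println(identify(fakeMetadata(nil).URL, "/absent", os.Hostname)) // hypothetical path
}
```

Returning the source alongside the value lets the caller log which path was taken, which makes a silent change in metadata availability visible after a migration.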
Done. There's a fair amount of cleanup that could be done but we're fully migrated.
Our GCP project currently has coarse-grained permissions that apply to all our services. We should move to Workload Identity, and switch over to per-service service accounts.