Enable Goole WIF Support for Tecton-Caches #71
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| #!/usr/bin/env bash | ||
| set -x | ||
| #Step 0 - Define Common Variables | ||
|
|
||
| POOL_ID=openshift-pool | ||
| PROVIDER_ID=opeshift-wif | ||
| NAMESPACE=default | ||
| SERVICE_ACCOUNT=default | ||
| PROJECT_ID=pipelines-qe | ||
| PROJECT_NUMBER=272779626560 | ||
| MAPPED_SUBJECT=system:serviceaccount:$NAMESPACE:$SERVICE_ACCOUNT | ||
|
|
||
| #Step 1 - Enable IAM APIs on Google Cloud | ||
|
|
||
| # Step 2 - Define an attribute mapping and condition | ||
| MAPPINGS=google.subject=assertion.sub | ||
|
|
||
|
|
||
| #Step 3 - Create workload identity pool and provider | ||
| ISSUER=$(kubectl get --raw /.well-known/openid-configuration | jq -r .issuer) | ||
|
|
||
|
|
||
| # Download the cluster's JSON Web Key Set (JWKS): | ||
| kubectl get --raw /openid/v1/jwks > cluster-jwks.json | ||
|
|
||
|
|
||
| # Create a new workload identity pool: | ||
| gcloud iam workload-identity-pools create $POOL_ID \ | ||
| --location="global" \ | ||
| --description="DESCRIPTION" \ | ||
| --display-name="DISPLAY_NAME" | ||
|
|
||
|
|
||
| # Add the Kubernetes cluster as a workload identity pool provider and upload the cluster's JWKS: | ||
|
|
||
| gcloud iam workload-identity-pools providers create-oidc $PROVIDER_ID \ | ||
| --location="global" \ | ||
| --workload-identity-pool=$POOL_ID \ | ||
| --issuer-uri=$ISSUER \ | ||
| --attribute-mapping=$MAPPINGS \ | ||
| --jwk-json-path="cluster-jwks.json" | ||
|
|
||
|
|
||
| # Create Service Account or use default one | ||
|
|
||
| # kubectl create serviceaccount $KSA_NAME --namespace $NAMESPACE | ||
|
|
||
| # Grant IAM access to the Kubernetes ServiceAccount for a Google Cloud resource. | ||
| gcloud projects add-iam-policy-binding projects/$PROJECT_ID \ | ||
| --role=roles/owner \ | ||
| --member=principal://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/subject/$MAPPED_SUBJECT \ | ||
| --condition=None | ||
|
|
||
| gcloud iam workload-identity-pools create-cred-config \ | ||
| projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$PROVIDER_ID \ | ||
| --credential-source-file=/workspace/token/token \ | ||
| --credential-source-type=text \ | ||
| --output-file=credential-configuration.json | ||
|
|
||
|
|
||
|
|
||
| kubectl -n $NAMESPACE create secret generic gcs-cred --from-file=credential-configuration.json | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,9 +1,29 @@ | ||
| #!/usr/bin/env bash | ||
|
|
||
| # Create a Kind Cluster if dont have sone | ||
| #kind create cluster --name tekton-caches --config kind/kind-config.yaml | ||
|
|
||
|
|
||
| # Install Pipelines if not already installed. | ||
| #kubectl apply --filename https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml | ||
|
|
||
| #Enable Step Actions Feature | ||
| kubectl patch configmap -n tekton-pipelines --type merge -p '{"data":{"enable-step-actions": "true"}}' feature-flags | ||
|
|
||
| # Create Docker creds secret Specifc to OCI Images | ||
| #kubectl create secret generic regcred --from-file=config.json=${HOME}/.docker/config.json | ||
|
|
||
| # Create Secret for AWS S3 | ||
| #kubectl create secret generic aws-cred --from-file=${HOME}/.aws/config --from-file=${HOME}/.aws/credentials | ||
|
|
||
| #Deploy Step Actions | ||
| ko apply -BRf ./step-action | ||
|
|
||
| # Deploy Pipelines | ||
| kubectl apply -f ./pipeline | ||
|
|
||
| #Create PipelineRuns using this command | ||
| kubectl create -f ./pr | ||
|
|
||
|
|
||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| kind: Cluster | ||
| apiVersion: kind.x-k8s.io/v1alpha4 | ||
| nodes: | ||
| - role: control-plane | ||
| - role: worker | ||
| - role: worker | ||
| - role: worker |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,107 @@ | ||
| --- | ||
| apiVersion: tekton.dev/v1 | ||
| kind: Pipeline | ||
| metadata: | ||
| name: pipeline-wif | ||
| spec: | ||
| params: | ||
| - name: repo_url | ||
| type: string | ||
| - name: revision | ||
| type: string | ||
| - name: registry | ||
| type: string | ||
| - name: buildCommand | ||
| type: string | ||
| default: go build -v . | ||
| - name: cachePatterns | ||
| type: array | ||
| default: [ "**go.mod", "**go.sum" ] | ||
| - name: image | ||
| type: string | ||
| default: golang:latest | ||
| - name: force-cache-upload | ||
| type: string | ||
| default: "false" | ||
| workspaces: | ||
| - name: source | ||
| - name: cred | ||
| - name: token | ||
| tasks: | ||
| - displayName: Build go application | ||
| name: build-task | ||
| workspaces: | ||
| - name: source | ||
| - name: cred | ||
| - name: token | ||
| taskSpec: | ||
| params: | ||
| - name: buildCommand | ||
| default: $(params.buildCommand) | ||
| - name: cachePatterns | ||
| default: $(params.cachePatterns) | ||
| - name: image | ||
| default: $(params.image) | ||
| steps: | ||
| - name: create-repo | ||
| image: $(params.image) | ||
| script: | | ||
| mkdir -p $(workspaces.source.path)/repo | ||
| chmod 777 $(workspaces.source.path)/repo | ||
| - name: fetch-repo | ||
| ref: | ||
| resolver: http | ||
| params: | ||
| - name: url | ||
| value: https://raw.githubusercontent.com/tektoncd/catalog/main/stepaction/git-clone/0.1/git-clone.yaml | ||
| params: | ||
| - name: output-path | ||
| value: $(workspaces.source.path)/repo | ||
| - name: url | ||
| value: $(params.repo_url) | ||
| - name: revision | ||
| value: $(params.revision) | ||
| - name: cache-fetch | ||
| ref: | ||
| name: cache-fetch | ||
| params: | ||
| - name: patterns | ||
| value: $(params.cachePatterns) | ||
| - name: source | ||
| value: $(params.registry)/cache-go:{{hash}} | ||
| - name: cachePath | ||
| value: $(workspaces.source.path)/cache | ||
| - name: workingdir | ||
| value: $(workspaces.source.path)/repo | ||
| - name: googleCredentialsPath | ||
| value: $(workspaces.cred.path)/credential-configuration.json | ||
|
|
||
| - name: run-go-build | ||
| workingDir: $(workspaces.source.path)/repo | ||
| image: $(params.image) | ||
| env: | ||
| - name: GOCACHE | ||
| value: $(workspaces.source.path)/cache/gocache | ||
| - name: GOMODCACHE | ||
| value: $(workspaces.source.path)/cache/gomodcache | ||
| script: | | ||
| set -x | ||
| git config --global --add safe.directory $(workspaces.source.path)/repo | ||
| $(params.buildCommand) | ||
| echo "Cache size is $(du -sh $(workspaces.source.path)/cache)" | ||
| - name: cache-upload | ||
| ref: | ||
| name: cache-upload | ||
| params: | ||
| - name: patterns | ||
| value: $(params.cachePatterns) | ||
| - name: target | ||
| value: $(params.registry)/cache-go:{{hash}} | ||
| - name: cachePath | ||
| value: $(workspaces.source.path)/cache | ||
| - name: workingdir | ||
| value: $(workspaces.source.path)/repo | ||
| - name: googleCredentialsPath | ||
| value: $(workspaces.cred.path)/credential-configuration.json | ||
| - name: force-cache-upload | ||
| value: $(params.force-cache-upload) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| --- | ||
|
There was a problem hiding this comment. This file should ideally be in example folder. |
||
| apiVersion: tekton.dev/v1 | ||
| kind: PipelineRun | ||
| metadata: | ||
| generateName: pipelinerun-gcs- | ||
| spec: | ||
| pipelineRef: | ||
| name: pipeline-wif | ||
| params: | ||
| - name: repo_url | ||
| value: https://github.com/chmouel/go-helloworld | ||
| - name: revision | ||
| value: main | ||
| # This uses GCS bucket to upload Caches | ||
| - name: registry | ||
| value: gs://tekton-caches | ||
| - name: buildCommand | ||
| value: go build -v ./ | ||
| - name: image | ||
| value: golang:1.21 | ||
| workspaces: | ||
| - name: source | ||
| emptyDir: { } | ||
| - name: cred | ||
| secret: | ||
| secretName: gcs-cred | ||
| - name: token | ||
| projected: | ||
| sources: | ||
| - serviceAccountToken: | ||
| audience: https://iam.googleapis.com/projects/272779626560/locations/global/workloadIdentityPools/openshift-pool/providers/opeshift-wif | ||
|
There was a problem hiding this comment. Can you please put this in conventional format for k8s and OpenShift? There was a problem hiding this comment. Some of our customers will complain that WIF isn't properly supported if do this. We already have a mail on this for OpenShift Logging. There was a problem hiding this comment. They way it was setup audience is getting generated like this only. Will check if this can be simplified There was a problem hiding this comment. Yes, that and location where we project should also be similar. |
||
| expirationSeconds: 3600 | ||
| path: token | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should have this script in e2e section.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For now we dont have have e2e for GCS and AWS as that will require test accounts configuration in Github action. once that is done we can move it to e2e.