test: remove cross-project fleet workload identity tests (#1511)

The fleet team added a registration guardrail that forces all cluster
projects to be registered to at most one fleet. The cross-project
testcases register the CI clusters to both the same project and a
cross-project, cs-dev-hub. This commit removes the cross-project
testcases because they are covered in platform qualification tests.

Reference: b/364363769

Makefile.oss.prow

@@ -81,11 +81,3 @@ KCC_MANAGED_PROJECT ?= cs-dev-hub
 set-up-kcc-configs:
 	GCP_PROJECT=$(GCP_PROJECT) KCC_MANAGED_PROJECT=$(KCC_MANAGED_PROJECT) \
 	./scripts/set-up-kcc-configs.sh
-
-.PHONY: set-up-workload-identity-test
-FLEET_HOST_PROJECT ?= cs-dev-hub
-PROW_PROJECT ?= oss-prow-build-kpt-config-sync
-set-up-workload-identity-test:
-	GCP_PROJECT=$(GCP_PROJECT) FLEET_HOST_PROJECT=$(FLEET_HOST_PROJECT) \
-	PROW_PROJECT=$(PROW_PROJECT) \
-	./scripts/set-up-workload-identity-configs.sh

e2e/nomostest/testutils/fleet_membership.go

@@ -29,9 +29,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
-// TestCrossProjectFleetProjectID is the fleet host project.
-const TestCrossProjectFleetProjectID = "cs-dev-hub"
-
 // RegisterCluster registers a cluster in a fleet.
 func RegisterCluster(nt *nomostest.NT, fleetMembership, fleetProject, gkeURI string) error {
 	_, err := nt.Shell.ExecWithDebug("gcloud", "container", "fleet",

e2e/testcases/workload_identity_test.go

@@ -68,7 +68,6 @@ func TestWorkloadIdentity(t *testing.T) {
 	testCases := []struct {
 		name             string
 		fleetWITest      bool
-		crossProject     bool
 		rootSrcCfg       sourceConfig
 		nsSrcCfg         sourceConfig
 		sourceType       configsync.SourceType
@@ -81,39 +80,26 @@ func TestWorkloadIdentity(t *testing.T) {
 		newNSSrcCfg      sourceConfig
 	}{
 		{
-			name:         "Authenticate to Git repo on CSR with GKE WI",
-			fleetWITest:  false,
-			crossProject: false,
-			rootSrcCfg:   sourceConfig{pkg: "hydration/kustomize-components", dir: "kustomize-components", commitFn: nomostest.RemoteRootRepoSha1Fn},
-			nsSrcCfg:     sourceConfig{pkg: "hydration/namespace-repo", dir: "namespace-repo", commitFn: nomostest.RemoteNsRepoSha1Fn},
-			sourceType:   configsync.GitSource,
-			gsaEmail:     gitproviders.CSRReaderEmail(),
-			requireCSR:   true,
+			name:        "Authenticate to Git repo on CSR with GKE WI",
+			fleetWITest: false,
+			rootSrcCfg:  sourceConfig{pkg: "hydration/kustomize-components", dir: "kustomize-components", commitFn: nomostest.RemoteRootRepoSha1Fn},
+			nsSrcCfg:    sourceConfig{pkg: "hydration/namespace-repo", dir: "namespace-repo", commitFn: nomostest.RemoteNsRepoSha1Fn},
+			sourceType:  configsync.GitSource,
+			gsaEmail:    gitproviders.CSRReaderEmail(),
+			requireCSR:  true,
 		},
 		{
-			name:         "Authenticate to Git repo on CSR with Fleet WI in the same project",
-			fleetWITest:  true,
-			crossProject: false,
-			rootSrcCfg:   sourceConfig{pkg: "hydration/kustomize-components", dir: "kustomize-components", commitFn: nomostest.RemoteRootRepoSha1Fn},
-			nsSrcCfg:     sourceConfig{pkg: "hydration/namespace-repo", dir: "namespace-repo", commitFn: nomostest.RemoteNsRepoSha1Fn},
-			sourceType:   configsync.GitSource,
-			gsaEmail:     gitproviders.CSRReaderEmail(),
-			requireCSR:   true,
-		},
-		{
-			name:         "Authenticate to Git repo on CSR with Fleet WI across project",
-			fleetWITest:  true,
-			crossProject: true,
-			rootSrcCfg:   sourceConfig{pkg: "hydration/kustomize-components", dir: "kustomize-components", commitFn: nomostest.RemoteRootRepoSha1Fn},
-			nsSrcCfg:     sourceConfig{pkg: "hydration/namespace-repo", dir: "namespace-repo", commitFn: nomostest.RemoteNsRepoSha1Fn},
-			sourceType:   configsync.GitSource,
-			gsaEmail:     gitproviders.CSRReaderEmail(),
-			requireCSR:   true,
+			name:        "Authenticate to Git repo on CSR with Fleet WI in the same project",
+			fleetWITest: true,
+			rootSrcCfg:  sourceConfig{pkg: "hydration/kustomize-components", dir: "kustomize-components", commitFn: nomostest.RemoteRootRepoSha1Fn},
+			nsSrcCfg:    sourceConfig{pkg: "hydration/namespace-repo", dir: "namespace-repo", commitFn: nomostest.RemoteNsRepoSha1Fn},
+			sourceType:  configsync.GitSource,
+			gsaEmail:    gitproviders.CSRReaderEmail(),
+			requireCSR:  true,
 		},
 		{
 			name:             "Authenticate to OCI image on AR with GKE WI",
 			fleetWITest:      false,
-			crossProject:     false,
 			rootSrcCfg:       sourceConfig{pkg: "hydration/kustomize-components", dir: ".", version: "v1"},
 			nsSrcCfg:         sourceConfig{pkg: "hydration/namespace-repo", dir: ".", version: "v1"},
 			newRootSrcCfg:    sourceConfig{pkg: "hydration/kustomize-components", dir: "tenant-a", version: "v1"},
@@ -124,9 +110,8 @@ func TestWorkloadIdentity(t *testing.T) {
 			requireOCIGAR:    true,
 		},
 		{
-			name:         "Authenticate to OCI image on GCR with GKE WI",
-			fleetWITest:  false,
-			crossProject: false,
+			name:        "Authenticate to OCI image on GCR with GKE WI",
+			fleetWITest: false,
 			rootSrcCfg: sourceConfig{
 				repo:     privateGCRImage("kustomize-components"),
 				dir:      ".",
@@ -141,35 +126,6 @@ func TestWorkloadIdentity(t *testing.T) {
 		{
 			name:             "Authenticate to OCI image on AR with Fleet WI in the same project",
 			fleetWITest:      true,
-			crossProject:     false,
-			rootSrcCfg:       sourceConfig{pkg: "hydration/kustomize-components", dir: ".", version: "v1"},
-			nsSrcCfg:         sourceConfig{pkg: "hydration/namespace-repo", dir: ".", version: "v1"},
-			newRootSrcCfg:    sourceConfig{pkg: "hydration/kustomize-components", dir: "tenant-a", version: "v1"},
-			newNSSrcCfg:      sourceConfig{pkg: "hydration/namespace-repo", dir: "test-ns", version: "v1"},
-			sourceType:       configsync.OciSource,
-			gsaEmail:         gsaARReaderEmail(),
-			testKSAMigration: true,
-			requireOCIGAR:    true,
-		},
-		{
-			name:         "Authenticate to OCI image on GCR with Fleet WI in the same project",
-			fleetWITest:  true,
-			crossProject: false,
-			rootSrcCfg: sourceConfig{
-				repo:     privateGCRImage("kustomize-components"),
-				dir:      ".",
-				commitFn: imageDigestFuncByName(privateGCRImage("kustomize-components"))},
-			nsSrcCfg: sourceConfig{
-				repo:     privateGCRImage("namespace-repo"),
-				dir:      ".",
-				commitFn: imageDigestFuncByName(privateGCRImage("namespace-repo"))},
-			sourceType: configsync.OciSource,
-			gsaEmail:   gsaGCRReaderEmail(),
-		},
-		{
-			name:             "Authenticate to OCI image on AR with Fleet WI across project",
-			fleetWITest:      true,
-			crossProject:     true,
 			rootSrcCfg:       sourceConfig{pkg: "hydration/kustomize-components", dir: ".", version: "v1"},
 			nsSrcCfg:         sourceConfig{pkg: "hydration/namespace-repo", dir: ".", version: "v1"},
 			newRootSrcCfg:    sourceConfig{pkg: "hydration/kustomize-components", dir: "tenant-a", version: "v1"},
@@ -180,9 +136,8 @@ func TestWorkloadIdentity(t *testing.T) {
 			requireOCIGAR:    true,
 		},
 		{
-			name:         "Authenticate to OCI image on GCR with Fleet WI across project",
-			fleetWITest:  true,
-			crossProject: true,
+			name:        "Authenticate to OCI image on GCR with Fleet WI in the same project",
+			fleetWITest: true,
 			rootSrcCfg: sourceConfig{
 				repo:     privateGCRImage("kustomize-components"),
 				dir:      ".",
@@ -195,34 +150,8 @@ func TestWorkloadIdentity(t *testing.T) {
 			gsaEmail:   gsaGCRReaderEmail(),
 		},
 		{
-			name:         "Authenticate to Helm chart on AR with GKE WI",
-			fleetWITest:  false,
-			crossProject: false,
-			rootSrcCfg: sourceConfig{
-				chart:   privateCoreDNSHelmChart,
-				version: privateCoreDNSHelmChartVersion,
-			},
-			nsSrcCfg: sourceConfig{
-				chart:   privateNSHelmChart,
-				version: "0.1.0",
-			},
-			newRootSrcCfg: sourceConfig{
-				chart:   privateSimpleHelmChart,
-				version: privateSimpleHelmChartVersion,
-			},
-			newNSSrcCfg: sourceConfig{
-				chart:   "simple-ns-chart",
-				version: "1.0.0",
-			},
-			sourceType:       configsync.HelmSource,
-			gsaEmail:         gsaARReaderEmail(),
-			testKSAMigration: true,
-			requireHelmGAR:   true,
-		},
-		{
-			name:         "Authenticate to Helm chart on AR with Fleet WI in the same project",
-			fleetWITest:  true,
-			crossProject: false,
+			name:        "Authenticate to Helm chart on AR with GKE WI",
+			fleetWITest: false,
 			rootSrcCfg: sourceConfig{
 				chart:   privateCoreDNSHelmChart,
 				version: privateCoreDNSHelmChartVersion,
@@ -245,9 +174,8 @@ func TestWorkloadIdentity(t *testing.T) {
 			requireHelmGAR:   true,
 		},
 		{
-			name:         "Authenticate to Helm chart on AR with Fleet WI across project",
-			fleetWITest:  true,
-			crossProject: true,
+			name:        "Authenticate to Helm chart on AR with Fleet WI in the same project",
+			fleetWITest: true,
 			rootSrcCfg: sourceConfig{
 				chart:   privateCoreDNSHelmChart,
 				version: privateCoreDNSHelmChartVersion,
@@ -314,21 +242,16 @@ func TestWorkloadIdentity(t *testing.T) {
 			}
 
 			testutils.ClearMembershipInfo(nt, fleetMembership, *e2e.GCPProject, gkeURI)
-			testutils.ClearMembershipInfo(nt, fleetMembership, testutils.TestCrossProjectFleetProjectID, gkeURI)
 
 			rootSync := k8sobjects.RootSyncObjectV1Beta1(rootSyncID.Name)
 			repoSync := k8sobjects.RepoSyncObjectV1Beta1(repoSyncID.Namespace, repoSyncID.Name)
 			nt.T.Cleanup(func() {
 				testutils.ClearMembershipInfo(nt, fleetMembership, *e2e.GCPProject, gkeURI)
-				testutils.ClearMembershipInfo(nt, fleetMembership, testutils.TestCrossProjectFleetProjectID, gkeURI)
 			})
 
 			// Register the cluster for fleet workload identity test
 			if tc.fleetWITest {
 				fleetProject := *e2e.GCPProject
-				if tc.crossProject {
-					fleetProject = testutils.TestCrossProjectFleetProjectID
-				}
 				nt.T.Logf("Register the cluster to a fleet in project %q", fleetProject)
 				if err = testutils.RegisterCluster(nt, fleetMembership, fleetProject, gkeURI); err != nil {
 					nt.T.Fatalf("Failed to register the cluster to project %q: %v", fleetProject, err)

e2e/testinfra/README.md

@@ -5,7 +5,6 @@ Most GCP resources are managed by [Terraform](./terraform/README.md), but the
 following resources need to be configured separately:
 - Test OCI images on Google Container Registry
 - KCC configurations
-- Workload identity configurations.
 
 ## Required environment variables
 
@@ -21,8 +20,6 @@ Below is a list of environment variables required by the setup scripts:
 prow jobs. The default value is `oss-prow-build-kpt-config-sync`.
 - **KCC_MANAGED_PROJECT**: the project that is created with the config-connector
 addon enabled for KCC test. The default value is `cs-dev-hub`.
-- **FLEET_HOST_PROJECT**: the project that hosts the fleet clusters. The default
-value is `cs-dev-hub`.
 
 ## Usage
 
@@ -34,8 +31,3 @@ value is `cs-dev-hub`.
     ```bash
     GCP_PROJECT=your-gcp-project-name GCP_CLUSTER=your-cluster-name GCP_ZONE=your-cluster-zone make set-up-kcc-configs
     ```
-
-1. Configure workload identity, for example,
-    ```bash
-    GCP_PROJECT=your-gcp-project-name PROW_PROJECT=your-prow-project-name make set-up-workload-identity-test
-    ```

e2e/testinfra/terraform/prow/service_accounts.tf

@@ -37,51 +37,3 @@ resource "google_service_account_iam_member" "admin-account-iam" {
   role               = "roles/iam.serviceAccountKeyAdmin"
   member             = "serviceAccount:e2e-test-runner@oss-prow-build-kpt-config-sync.iam.gserviceaccount.com"
 }
-
-# Grant source reader permissions to the RootSync's KSA with cross-project Fleet workload identity.
-resource "google_project_iam_member" "root-reconciler-fwi-sa-iam-ubermint" {
-  for_each = toset([
-    "roles/source.reader",
-    "roles/artifactregistry.reader",
-    "roles/storage.objectViewer",
-  ])
-  role    = each.value
-  member  = "serviceAccount:cs-dev-hub.svc.id.goog[config-management-system/root-reconciler]"
-  project = data.google_project.project.id
-}
-
-# Grant source reader permissions to the RepoSync's KSA with cross-project Fleet workload identity.
-resource "google_project_iam_member" "ns-reconciler-fwi-sa-iam-ubermint" {
-  for_each = toset([
-    "roles/source.reader",
-    "roles/artifactregistry.reader",
-    "roles/storage.objectViewer",
-  ])
-  role    = each.value
-  member  = "serviceAccount:cs-dev-hub.svc.id.goog[config-management-system/ns-reconciler-test-ns]"
-  project = data.google_project.project.id
-}
-
-# Create IAM binding between the RootSync's KSA and the reader GSAs for cross-project Fleet workload identity.
-resource "google_service_account_iam_member" "root-reconciler-fwi-sa-iam-impersonation" {
-  for_each = toset([
-    "${data.google_project.project.id}/serviceAccounts/e2e-test-csr-reader@${data.google_project.project.project_id}.iam.gserviceaccount.com",
-    "${data.google_project.project.id}/serviceAccounts/e2e-test-ar-reader@${data.google_project.project.project_id}.iam.gserviceaccount.com",
-    "${data.google_project.project.id}/serviceAccounts/e2e-test-gcr-reader@${data.google_project.project.project_id}.iam.gserviceaccount.com",
-  ])
-  service_account_id = each.value
-  role               = "roles/iam.workloadIdentityUser"
-  member             = "serviceAccount:cs-dev-hub.svc.id.goog[config-management-system/root-reconciler]"
-}
-
-# Create IAM binding between the RepoSync's KSA and the reader GSAs for cross-project Fleet workload identity.
-resource "google_service_account_iam_member" "ns-reconciler-fwi-sa-iam-impersonation" {
-  for_each = toset([
-    "${data.google_project.project.id}/serviceAccounts/e2e-test-csr-reader@${data.google_project.project.project_id}.iam.gserviceaccount.com",
-    "${data.google_project.project.id}/serviceAccounts/e2e-test-ar-reader@${data.google_project.project.project_id}.iam.gserviceaccount.com",
-    "${data.google_project.project.id}/serviceAccounts/e2e-test-gcr-reader@${data.google_project.project.project_id}.iam.gserviceaccount.com",
-  ])
-  service_account_id = each.value
-  role               = "roles/iam.workloadIdentityUser"
-  member             = "serviceAccount:cs-dev-hub.svc.id.goog[config-management-system/ns-reconciler-test-ns]"
-}