adding gcp workload management

Signed-off-by: Vivek Reddy <vivekrsplunk@github.com>
splunk · Oct 11, 2024 · 3b7d327 · 3b7d327
1 parent 46b4c6a
commit 3b7d327
Showing 1 changed file with 30 additions and 27 deletions.
diff --git a/.github/workflows/int-test-gcp-workflow.yml b/.github/workflows/int-test-gcp-workflow.yml
@@ -7,13 +7,17 @@ on:
       - main
       - google-object-storage-support
 
+permissions:
+  id-token: write     # Required for OIDC
+  contents: read
+
 jobs:
   build-operator-image:
     runs-on: ubuntu-latest
     env:
       SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }}
       SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator
-      ARTIFACT_REGISTRY: ${{ secrets.GCP_ARTIFACT_REGISTRY }}  # Updated for Artifact Registry
+      ARTIFACT_REGISTRY: ${{ secrets.GCP_ARTIFACT_REGISTRY }}
     steps:
       - name: Checkout Code
         uses: actions/checkout@v2
@@ -45,25 +49,22 @@ jobs:
           chmod +x operator-sdk_${OS}_${ARCH}
           sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk
 
-      - name: Authenticate to GCP
+      - name: Authenticate to GCP with Workload Identity Federation
         uses: google-github-actions/auth@v1
         with:
-          credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
+          token_format: "access_token"
+          workload_identity_provider: "projects/${{ secrets.GCP_PROJECT_NUMBER }}/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider"
+          service_account: "github-actions-sa@${{ secrets.GCP_PROJECT_ID }}.iam.gserviceaccount.com"
 
-      #- name: Configure Docker for Artifact Registry
-      #  run: |
-      #    echo ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }} | docker login -u _json_key --password-stdin https://${{ secrets.GCP_ARTIFACT_REGISTRY }}
-      - name: Login to GCR
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ secrets.GCP_ARTIFACT_REGISTRY }}
-          username: _json_key
-          password: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
+      - name: Configure Docker to Use GCP Credentials
+        run: |
+          gcloud auth configure-docker us-west2-docker.pkg.dev --quiet
 
       - name: Build Splunk Operator Image
         run: |
           make docker-buildx IMG=${{ secrets.GCP_ARTIFACT_REGISTRY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA
 
+      # Uncomment and adjust if you need to push images
       #- name: Push Splunk Operator Image to Artifact Registry
       #  run: |
       #    echo "Uploading Image to Artifact Registry :: ${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA"
@@ -94,10 +95,12 @@ jobs:
         with:
           path: .env
 
-      - name: Authenticate to GCP
+      - name: Authenticate to GCP with Workload Identity Federation
         uses: google-github-actions/auth@v1
         with:
-          credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
+          token_format: "access_token"
+          workload_identity_provider: "projects/${{ secrets.GCP_PROJECT_NUMBER }}/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider"
+          service_account: "github-actions-sa@${{ secrets.GCP_PROJECT_ID }}.iam.gserviceaccount.com"
 
       - name: Set GCP Project
         run: |
@@ -120,7 +123,7 @@ jobs:
 
       - name: Allow Pulling from Artifact Registry
         run: |
-          gcloud auth configure-docker ${{ secrets.GCP_ARTIFACT_REGISTRY }}
+          gcloud auth configure-docker ${{ secrets.GCP_ARTIFACT_REGISTRY }} --quiet
 
   int-tests-appframeworkgcp:
     runs-on: ubuntu-latest
@@ -173,11 +176,12 @@ jobs:
         run: |
           echo "SPLUNK_ENTERPRISE_IMAGE=${{ steps.dotenv.outputs.SPLUNK_ENTERPRISE_RELEASE_IMAGE }}" >> $GITHUB_ENV
 
-      - name: Authenticate to GCP
+      - name: Authenticate to GCP with Workload Identity Federation
         uses: google-github-actions/auth@v1
         with:
-          credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
-
+          token_format: "access_token"
+          workload_identity_provider: "projects/${{ secrets.GCP_PROJECT_NUMBER }}/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider"
+          service_account: "github-actions-sa@${{ secrets.GCP_PROJECT_ID }}.iam.gserviceaccount.com"
       - name: Set GCP Project
         run: |
           gcloud config set project ${{ env.GCP_PROJECT_ID }}
@@ -196,7 +200,7 @@ jobs:
         uses: actions/setup-go@v2
         with:
           go-version: ${{ steps.dotenv.outputs.GO_VERSION }}
-
+      
       - name: Install Go Lint
         run: |
           go version
@@ -209,12 +213,9 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2.5.0
 
-      - name: Login to GCR
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ secrets.GCP_ARTIFACT_REGISTRY }}
-          username: _json_key
-          password: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
+      - name: Configure Docker to Use GCP Credentials
+        run: |
+          gcloud auth configure-docker us-west2-docker.pkg.dev --quiet
 
       - name: Pull Splunk Enterprise Image 
         run: docker pull ${{ env.SPLUNK_ENTERPRISE_IMAGE }}
@@ -284,10 +285,12 @@ jobs:
       CLUSTER_NAME: gke-integration-test-cluster-${{ github.run_id }}
     if: always()  # Ensures this job runs regardless of previous job outcomes
     steps:
-      - name: Authenticate to GCP
+      - name: Authenticate to GCP with Workload Identity Federation
         uses: google-github-actions/auth@v1
         with:
-          credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
+          token_format: "access_token"
+          workload_identity_provider: "projects/${{ secrets.GCP_PROJECT_NUMBER }}/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider"
+          service_account: "github-actions-sa@${{ secrets.GCP_PROJECT_ID }}.iam.gserviceaccount.com"
 
       - name: Delete GKE Cluster
         run: |