debuggery

.github/workflows/deploy.yml

@@ -49,14 +49,15 @@ jobs:
       - name: Google Cloud auth
         uses: google-github-actions/auth@v0
         with:
-          service_account: ${{ secrets.GOOGLE_SERVICE_ACCOUNT }}
-          workload_identity_provider: ${{ secrets.GOOGLE_WORKLOAD_ID_PROVIDER }}
+          # Auth with the *keskne* project because that's where the cluster is hosted
+          service_account: ${{ secrets.KESKNE_GOOGLE_SERVICE_ACCOUNT }}
+          workload_identity_provider: ${{ secrets.KESKNE_GOOGLE_WORKLOAD_ID_PROVIDER }}
 
       - name: Set up Cloud SDK
         uses: google-github-actions/[email protected]
 
       - name: Save kubeconfig
-        run: gcloud container clusters get-credentials --project keskne ${{ vars.CLUSTER_NAME }} --location ${{ vars.CLUSTER_LOCATION }}
+        run: gcloud container clusters get-credentials ${{ vars.KESKNE_CLUSTER_NAME }} --location ${{ vars.KESKNE_CLUSTER_LOCATION }}
 
       - name: Helm deploy
         # The two TLS secrets have to be put in files because they're multi-line

deploy/terraform/core/github.tf

@@ -2,26 +2,22 @@
 
 locals {
   # Use a mapping so we don't have to repeat a ton of boilerplate
-  variables = {
-    CLUSTER_NAME     = var.kubernetes_cluster_name
-    CLUSTER_LOCATION = var.kubernetes_cluster_location
-  }
   secrets = {
     GOOGLE_WORKLOAD_ID_PROVIDER = module.oidc.provider_name
     GOOGLE_SERVICE_ACCOUNT      = google_service_account.service_account.email
   }
 }
 
-resource "github_actions_variable" "variables" {
-  for_each      = local.variables
-  repository    = var.github_repository
-  variable_name = each.key
-  value         = each.value
-}
-
 resource "github_actions_secret" "secrets" {
   for_each        = local.secrets
   repository      = var.github_repository
   secret_name     = each.key
   plaintext_value = each.value
 }
+
+# Create a service account for the keskne project, to access GKE
+module "keskne" {
+  source             = "./keskne"
+  github_repository  = "beta-spray"
+  service_account_id = "beta-spray-github-ci-sa"
+}

deploy/terraform/core/keskne/README.md

@@ -0,0 +1,38 @@
+# Keskne GitHub CI Terraform Module
+
+A module to help access the Keskne GKE cluster from GitHub CI. This creates the following resources:
+
+- Service account
+- Workload ID provider that allows GitHub to act as the service account (see [gh-oidc module](https://registry.terraform.io/modules/terraform-google-modules/github-actions-runners/google/latest/submodules/gh-oidc))
+- Repository-wide GitHub variables containing the cluster name/location (for the `gcloud` command)
+- Repository-wide GitHub secrets containing the service account/workload provider ID
+
+## Usage
+
+This requires that you already have the Google Terraform provider configured (with access to Keskne), as well as the GitHub Terraform provider authenticated to the repository's owner.
+
+Add this to your Terraform, replacing the obvious parts:
+
+```
+module "keskne" {
+  source             = "./keskne" # TODO update
+  github_repository  = "my-repository"
+  service_account_id = "my-repository-github-ci-sa"
+}
+```
+
+Then add this to your deployment CI:
+
+```yaml
+- name: Google Cloud auth
+  uses: google-github-actions/auth@v0
+  with:
+    service_account: ${{ secrets.KESKNE_GOOGLE_SERVICE_ACCOUNT }}
+    workload_identity_provider: ${{ secrets.KESKNE_GOOGLE_WORKLOAD_ID_PROVIDER }}
+- name: Set up Cloud SDK
+  uses: google-github-actions/[email protected]
+- name: Save kubeconfig
+  run: gcloud container clusters get-credentials ${{ vars.KESKNE_CLUSTER_NAME }} --location ${{ vars.KESKNE_CLUSTER_LOCATION }}
+```
+
+The names of these GitHub variables are configurable in the module variables.

deploy/terraform/core/keskne/main.tf

@@ -0,0 +1,48 @@
+# Create a new service account to access GKE creds
+resource "google_service_account" "service_account" {
+  # Make sure to override project from the parent provider
+  project      = var.gcp_project_id
+  account_id   = var.service_account_id
+  display_name = "${var.github_repository} GitHub CI Service Account"
+  description  = "Service account for ${var.github_repository} to access GKE creds from GitHub CI"
+}
+
+module "oidc" {
+  source      = "terraform-google-modules/github-actions-runners/google//modules/gh-oidc"
+  project_id  = var.gcp_project_id
+  pool_id     = "github-pool"
+  provider_id = "github-provider"
+  sa_mapping = {
+    (google_service_account.service_account.account_id) = {
+      sa_name   = google_service_account.service_account.name
+      attribute = "attribute.repository/${var.github_repository}"
+    }
+  }
+}
+
+# Create variables/secrets in Github to access the SA and cluster
+
+locals {
+  variables = {
+    (var.github_cluster_name_variable)     = var.kubernetes_cluster_name
+    (var.github_cluster_location_variable) = var.kubernetes_cluster_location
+  }
+  secrets = {
+    (var.github_service_account_secret)      = module.oidc.provider_name
+    (var.github_workload_id_provider_secret) = google_service_account.service_account.email
+  }
+}
+
+resource "github_actions_variable" "variables" {
+  for_each      = local.variables
+  repository    = var.github_repository
+  variable_name = each.key
+  value         = each.value
+}
+
+resource "github_actions_secret" "secrets" {
+  for_each        = local.secrets
+  repository      = var.github_repository
+  secret_name     = each.key
+  plaintext_value = each.value
+}

deploy/terraform/core/keskne/outputs.tf

@@ -0,0 +1,9 @@
+output "service_account_id" {
+  description = "ID of the created service account"
+  value       = google_service_account.service_account.account_id
+}
+
+output "service_account_email" {
+  description = "Email of the created service account"
+  value       = google_service_account.service_account.email
+}

deploy/terraform/core/keskne/variables.tf

@@ -0,0 +1,51 @@
+variable "gcp_project_id" {
+  description = "ID of the Keskne GCP project"
+  type        = string
+  default     = "keskne-347510"
+}
+
+variable "kubernetes_cluster_name" {
+  description = "Name of the Kubernetes cluster (within GCP) that we'll deploy to"
+  type        = string
+  default     = "keskne-gke"
+}
+
+variable "kubernetes_cluster_location" {
+  description = "Location (region or zone ) of the Kubernetes cluster (within GCP) that we'll deploy to"
+  type        = string
+  default     = "us-east1-c"
+}
+
+variable "github_cluster_name_variable" {
+  description = "Name of the variable to create in GitHub that will hold the Keskne cluster name"
+  type        = string
+  default     = "KESKNE_CLUSTER_NAME"
+}
+
+variable "github_cluster_location_variable" {
+  description = "Name of the variable to create in GitHub that will hold the Keskne cluster location"
+  type        = string
+  default     = "KESKNE_CLUSTER_LOCATION"
+}
+
+variable "github_service_account_secret" {
+  description = "Name of the secret to create in GitHub that will hold the service account email"
+  type        = string
+  default     = "KESKNE_GOOGLE_SERVICE_ACCOUNT"
+}
+
+variable "github_workload_id_provider_secret" {
+  description = "Name of the secret to create in GitHub that will hold the workload ID provider"
+  type        = string
+  default     = "KESKNE_GOOGLE_WORKLOAD_ID_PROVIDER"
+}
+
+variable "github_repository" {
+  description = "ID of the *consuming* GitHub repository, e.g. LucasPickering/keskne"
+  type        = string
+}
+
+variable "service_account_id" {
+  description = "ID of the service account to create in the Keskne project"
+  type        = string
+}

deploy/terraform/core/variables.tf

@@ -30,18 +30,6 @@ variable "gcp_region" {
   type        = string
 }
 
-variable "kubernetes_cluster_name" {
-  description = "Name of the Kubernetes cluster (within GCP) that we'll deploy to"
-  type        = string
-  default     = "keskne-gke"
-}
-
-variable "kubernetes_cluster_location" {
-  description = "Location (region or zone ) of the Kubernetes cluster (within GCP) that we'll deploy to"
-  type        = string
-  default     = "us-east1-c"
-}
-
 variable "static_assets_bucket" {
   description = "Name of storage bucket to store static assets"
   default     = "beta-spray-static"