From 97aea98e7771d916a234707b03ef6b8df9427e3f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Wei=C3=9Fe?=
 <66256922+daniel-weisse@users.noreply.github.com>
Date: Mon, 27 Nov 2023 13:04:41 +0100
Subject: [PATCH] ci: update GCP service accounts for CI (#2629)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Update CI to use different GCP project for e2e tests
* Update GCP image project service accounts
* Update default GCP bucket name for image builds

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
---
 .github/actions/e2e_test/action.yml      |  3 ---
 .github/workflows/build-os-image.yml     |  2 +-
 .github/workflows/e2e-test-daily.yml     |  9 ++++-----
 .github/workflows/e2e-test-release.yml   |  9 ++++-----
 .github/workflows/e2e-test-tf-module.yml |  5 +++--
 .github/workflows/e2e-test-weekly.yml    |  9 ++++-----
 .github/workflows/e2e-test.yml           |  9 ++++-----
 .github/workflows/e2e-upgrade.yml        | 13 ++++++-------
 .github/workflows/versionsapi.yml        |  2 +-
 dev-docs/workflows/github-actions.md     | 22 +++++-----------------
 image/upload/internal/cmd/gcp.go         |  2 +-
 11 files changed, 33 insertions(+), 52 deletions(-)

diff --git a/.github/actions/e2e_test/action.yml b/.github/actions/e2e_test/action.yml
index a157b2b925..cd47d1f1cf 100644
--- a/.github/actions/e2e_test/action.yml
+++ b/.github/actions/e2e_test/action.yml
@@ -37,9 +37,6 @@ inputs:
   gcpClusterCreateServiceAccount:
     description: "Service account with permissions to create a Constellation cluster on GCP."
     required: true
-  gcpInClusterServiceAccountKey:
-    description: "Service account to use inside the created Constellation cluster on GCP."
-    required: true
   awsOpenSearchDomain:
     description: "AWS OpenSearch Endpoint Domain to upload the benchmark results."
   awsOpenSearchUsers:
diff --git a/.github/workflows/build-os-image.yml b/.github/workflows/build-os-image.yml
index 753ca1ba6e..38804419db 100644
--- a/.github/workflows/build-os-image.yml
+++ b/.github/workflows/build-os-image.yml
@@ -273,7 +273,7 @@ jobs:
         if: matrix.csp == 'gcp'
         uses: ./.github/actions/login_gcp
         with:
-          service_account: "constellation-cos-builder@constellation-331613.iam.gserviceaccount.com"
+          service_account: "image-uploader@constellation-images.iam.gserviceaccount.com"
 
       - name: Upload AWS image
         if: matrix.csp == 'aws'
diff --git a/.github/workflows/e2e-test-daily.yml b/.github/workflows/e2e-test-daily.yml
index 47ad5a605b..0d68d78260 100644
--- a/.github/workflows/e2e-test-daily.yml
+++ b/.github/workflows/e2e-test-daily.yml
@@ -74,10 +74,9 @@ jobs:
           isDebugImage: ${{ matrix.refStream == 'ref/main/stream/debug/?' }}
           cliVersion: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || '' }}
           refStream: ${{ matrix.refStream }}
-          gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
-          gcpClusterCreateServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
-          gcpIAMCreateServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
-          gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
+          gcpProject: constellation-e2e # ${{ secrets.GCP_E2E_PROJECT }}
+          gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
+          gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
           kubernetesVersion: ${{ matrix.kubernetesVersion }}
           test: ${{ matrix.test }}
           buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
@@ -109,7 +108,7 @@ jobs:
         with:
           cloudProvider: ${{ matrix.provider }}
           azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
-          gcpServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
+          gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
 
       - name: Notify about failure
         if: |
diff --git a/.github/workflows/e2e-test-release.yml b/.github/workflows/e2e-test-release.yml
index 2a9989d211..39b308b00a 100644
--- a/.github/workflows/e2e-test-release.yml
+++ b/.github/workflows/e2e-test-release.yml
@@ -226,10 +226,9 @@ jobs:
           awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
           awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
           awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
-          gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
-          gcpClusterCreateServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
-          gcpIAMCreateServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
-          gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
+          gcpProject: constellation-e2e # ${{ secrets.GCP_E2E_PROJECT }}
+          gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
+          gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
           test: ${{ matrix.test }}
           buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
           azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
@@ -258,7 +257,7 @@ jobs:
         with:
           cloudProvider: ${{ matrix.provider }}
           azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
-          gcpServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
+          gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
 
   e2e-upgrade:
     strategy:
diff --git a/.github/workflows/e2e-test-tf-module.yml b/.github/workflows/e2e-test-tf-module.yml
index 0ea8f91b7c..c55a9dbf71 100644
--- a/.github/workflows/e2e-test-tf-module.yml
+++ b/.github/workflows/e2e-test-tf-module.yml
@@ -159,7 +159,8 @@ jobs:
         run: |
           cat > terraform.tfvars <<EOF
           name = "${{ steps.create-prefix.outputs.prefix }}"
-          project = "${{ secrets.GCP_E2E_PROJECT }}"
+          # project = "${{ secrets.GCP_E2E_PROJECT }}"
+          project = "constellation-e2e"
           service_account_id = "${{ steps.create-prefix.outputs.prefix }}-sa"
           image = "${{ steps.find-latest-image.outputs.image }}"
           zone = "${{ inputs.regionZone || 'europe-west3-b' }}"
@@ -245,7 +246,7 @@ jobs:
         if: inputs.cloudProvider == 'gcp'
         uses: ./.github/actions/login_gcp
         with:
-          service_account: "constellation-e2e-tf@constellation-331613.iam.gserviceaccount.com"
+          service_account: "terraform-e2e@constellation-e2e.iam.gserviceaccount.com"
 
       - name: Apply Terraform Cluster
         id: apply_terraform
diff --git a/.github/workflows/e2e-test-weekly.yml b/.github/workflows/e2e-test-weekly.yml
index 9fda7d3db2..9cdbb29ef9 100644
--- a/.github/workflows/e2e-test-weekly.yml
+++ b/.github/workflows/e2e-test-weekly.yml
@@ -243,10 +243,9 @@ jobs:
           awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
           awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
           awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
-          gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
-          gcpClusterCreateServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
-          gcpIAMCreateServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
-          gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
+          gcpProject: constellation-e2e # ${{ secrets.GCP_E2E_PROJECT }}
+          gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
+          gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
           test: ${{ matrix.test }}
           buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
           azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
@@ -277,7 +276,7 @@ jobs:
         with:
           cloudProvider: ${{ matrix.provider }}
           azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
-          gcpServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
+          gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
 
       - name: Notify about failure
         if: |
diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml
index 1d0b41f733..6e1a2cecc1 100644
--- a/.github/workflows/e2e-test.yml
+++ b/.github/workflows/e2e-test.yml
@@ -215,10 +215,9 @@ jobs:
           cloudProvider: ${{ inputs.cloudProvider }}
           machineType: ${{ inputs.machineType }}
           regionZone: ${{ inputs.regionZone }}
-          gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
-          gcpClusterCreateServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
-          gcpIAMCreateServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
-          gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
+          gcpProject: constellation-e2e # ${{ secrets.GCP_E2E_PROJECT }}
+          gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
+          gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
           test: ${{ inputs.test }}
           kubernetesVersion: ${{ inputs.kubernetesVersion }}
           awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
@@ -256,4 +255,4 @@ jobs:
         with:
           cloudProvider: ${{ inputs.cloudProvider }}
           azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
-          gcpServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
+          gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
diff --git a/.github/workflows/e2e-upgrade.yml b/.github/workflows/e2e-upgrade.yml
index 79256fea55..44a1c64d56 100644
--- a/.github/workflows/e2e-upgrade.yml
+++ b/.github/workflows/e2e-upgrade.yml
@@ -170,10 +170,9 @@ jobs:
           isDebugImage: "false"
           cliVersion: ${{ inputs.fromVersion }}
           regionZone: ${{ inputs.regionZone }}
-          gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
-          gcpClusterCreateServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
-          gcpIAMCreateServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
-          gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
+          gcpProject: constellation-e2e # ${{ secrets.GCP_E2E_PROJECT }}
+          gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
+          gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
           test: "upgrade"
           buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
           azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
@@ -196,7 +195,7 @@ jobs:
         if: inputs.cloudProvider == 'gcp'
         uses: ./.github/actions/login_gcp
         with:
-          service_account: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
+          service_account: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
 
       - name: Login to AWS (IAM role)
         if: inputs.cloudProvider == 'aws'
@@ -226,7 +225,7 @@ jobs:
         if: always() && inputs.cloudProvider == 'gcp'
         uses: ./.github/actions/login_gcp
         with:
-          service_account: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
+          service_account: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
 
       - name: Login to AWS (Cluster role)
         if: always() && inputs.cloudProvider == 'aws'
@@ -300,7 +299,7 @@ jobs:
         with:
           cloudProvider: ${{ inputs.cloudProvider }}
           azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
-          gcpServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
+          gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
 
       - name: Notify about failure
         if: |
diff --git a/.github/workflows/versionsapi.yml b/.github/workflows/versionsapi.yml
index 2e1712f4e7..f4bc421177 100644
--- a/.github/workflows/versionsapi.yml
+++ b/.github/workflows/versionsapi.yml
@@ -178,7 +178,7 @@ jobs:
         if: steps.check-rights.outputs.auth == 'true'
         uses: ./.github/actions/login_gcp
         with:
-          service_account: "constellation-cos-builder@constellation-331613.iam.gserviceaccount.com"
+          service_account: "image-deleter@constellation-images.iam.gserviceaccount.com"
 
       - name: Execute versionsapi CLI
         id: run
diff --git a/dev-docs/workflows/github-actions.md b/dev-docs/workflows/github-actions.md
index 40accbdfd5..ef97ed3326 100644
--- a/dev-docs/workflows/github-actions.md
+++ b/dev-docs/workflows/github-actions.md
@@ -30,11 +30,11 @@ When using `--mode` be aware that `--e2e-focus` and `e2e-skip` will be overwritt
 
 ## Local Development
 
-Using [***act***](https://github.com/nektos/act) you can run GitHub actions locally.
+Using [`act`](https://github.com/nektos/act) you can run GitHub actions locally.
 
 **These instructions are for internal use.**
 In case you want to use the E2E actions externally, you need to adjust other configuration parameters.
-Check the assignments made in the [/.github/actions/e2e_test/action.yml](E2E action) and adjust any hard-coded values.
+Check the assignments made in the [E2E action](/.github/actions/e2e_test/action.yml) and adjust any hard-coded values.
 
 ### Specific Jobs
 
@@ -59,7 +59,7 @@ Create a new JSON file to describe the event ([relevant issue](https://github.co
 }
 ```
 
-Then run *act* with the event as input:
+Then run `act` with the event as input:
 
 ```bash
 act -j e2e-test-manual --eventpath event.json
@@ -67,20 +67,8 @@ act -j e2e-test-manual --eventpath event.json
 
 ### Authorizing GCP
 
-For creating Kubernetes clusters in GCP a local copy of the service account secret is required.
-
-1. [Create a new service account key](https://console.cloud.google.com/iam-admin/serviceaccounts/details/112741463528383500960/keys?authuser=0&project=constellation-331613&supportedpurview=project)
-2. Create a compact (one line) JSON representation of the file `jq -c`
-3. Store in a GitHub Action Secret called `GCP_SERVICE_ACCOUNT` or create a local secret file for *act* to consume:
-
-```bash
-$ cat secrets.env
-GCP_SERVICE_ACCOUNT={"type":"service_account", ... }
-
-$ act --secret-file secrets.env
-```
-
-In addition, you need to create a Service Account which Constellation itself is supposed to use. Refer to [First steps](https://docs.edgeless.systems/constellation/getting-started/first-steps#create-a-cluster) in the documentation on how to create it. What you need here specifically is the `gcpServiceAccountKey`, which needs to be stored in a secret called `GCP_CLUSTER_SERVICE_ACCOUNT`.
+For GCP, OIDC is used to authenticate the CI runner.
+This means the workflow cannot be run locally, as the runner created by `act` is not authenticated.
 
 ### Authorizing Azure
 
diff --git a/image/upload/internal/cmd/gcp.go b/image/upload/internal/cmd/gcp.go
index a4dc139f8e..2cf1bc7e87 100644
--- a/image/upload/internal/cmd/gcp.go
+++ b/image/upload/internal/cmd/gcp.go
@@ -30,7 +30,7 @@ func newGCPCommand() *cobra.Command {
 
 	cmd.Flags().String("gcp-project", "constellation-images", "GCP project to use")
 	cmd.Flags().String("gcp-location", "europe-west3", "GCP location to use")
-	cmd.Flags().String("gcp-bucket", "constellation-images", "GCP bucket to use")
+	cmd.Flags().String("gcp-bucket", "constellation-os-images", "GCP bucket to use")
 	return cmd
 }