

fix Workload Identity Federation OIDC
kinfinity committed Mar 5, 2024
1 parent bc407b9 commit c374e89
Showing 4 changed files with 24 additions and 8 deletions.
9 changes: 7 additions & 2 deletions .github/workflows/buildandpush-app.yaml
Expand Up @@ -38,6 +38,12 @@ jobs:

images:
name: ImageBuild
permissions:
contents: read
issues: read
checks: write
pull-requests: write
id-token: 'write'
needs: build_apps
runs-on: ubuntu-latest
environment: Dev
Expand All @@ -49,9 +55,8 @@ jobs:
- name: Authenticate with Google Cloud
uses: 'google-github-actions/auth@v2'
with:
project_id: ${{ secrets.PROJECT_ID }}
workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITYPROVIDER }}
credentials_json: ${{ secrets.GCP_CREDENTIALS }}
service_account: ${{ secrets.SERVICE_ACCOUNT }}

- name: Build and Push Image
run: |
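Review bot: The `permissions` block added to the `images` job grants `checks: write` and `pull-requests: write`, which no step visible in this section (the GCP auth step and the image build/push) needs; Workload Identity Federation only requires the OIDC token, so the least-privilege form is `contents: read` plus `id-token: write` and nothing else. The identical block is repeated in infra-release.yaml and k8s-apps-release.yaml and should be trimmed there too. `id-token: 'write'` is also the only quoted value in the block; write it as `id-token: write` to match the sibling keys. If the service-account key that `credentials_json` read from `secrets.GCP_CREDENTIALS` is no longer referenced by any workflow, delete both the repository secret and the key in GCP so the retired credential cannot be reused. The rest of the job's steps continue outside the hunk.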
13 changes: 9 additions & 4 deletions .github/workflows/infra-release.yaml
Expand Up @@ -8,6 +8,12 @@ on:

jobs:
terraform-release:
permissions:
contents: read
issues: read
checks: write
pull-requests: write
id-token: 'write'
name: "Terraform Release"
runs-on: ubuntu-latest
environment: Dev
Expand Down Expand Up @@ -41,18 +47,17 @@ jobs:
- name: Authenticate with Google Cloud
uses: 'google-github-actions/auth@v2'
with:
project_id: ${{ secrets.PROJECT_ID }}
workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITYPROVIDER }}
credentials_json: ${{ secrets.GCP_CREDENTIALS }}
service_account: ${{ secrets.SERVICE_ACCOUNT }}

- name: Terraform Plan
if: ${{ github.event_name == 'pull_request' }}
run: |
chmod +x ci/scripts/*.sh
python ci/scripts/execute-terraform.py --config ci/configs/pipeline-config.json --command plan --env dev
python3 ci/scripts/execute-terraform.py --config ci/configs/pipeline-config.json --command plan --env dev
- name: Terraform Apply
if: ${{ github.event_name != 'pull_request' }}
run: |
chmod +x ci/scripts/*.sh
python ci/scripts/execute-terraform.py --config ci/configs/pipeline-config.json --command apply --env dev
python3 ci/scripts/execute-terraform.py --config ci/configs/pipeline-config.json --command apply --env dev
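Review bot: With `credentials_json` removed, the OIDC token is the only credential, and both `Terraform Plan` (which runs on `pull_request`) and `Terraform Apply` impersonate the same `secrets.SERVICE_ACCOUNT`, so a plan triggered by a pull request runs with apply-capable permissions. Because the job declares `environment: Dev`, the token's `sub` claim will be of the form `repo:<owner>/<repo>:environment:Dev`; the Workload Identity provider's attribute condition (outside this change) should be pinned to at least that repository and environment rather than accepting any token from the GitHub issuer, and environment protection rules on Dev (required reviewers, deployment branch policy) would gate `pull_request` runs before the token is minted. The `python` → `python3` change in both run steps is fine as far as this hunk shows; the remaining steps of the job are outside it.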
9 changes: 7 additions & 2 deletions .github/workflows/k8s-apps-release.yaml
Expand Up @@ -12,6 +12,12 @@ env:
jobs:
deploy:
name: DeployApps
permissions:
contents: read
issues: read
checks: write
pull-requests: write
id-token: 'write'
runs-on: ubuntu-latest
environment: Dev
steps:
Expand All @@ -22,9 +28,8 @@ jobs:
- name: Authenticate with Google Cloud
uses: 'google-github-actions/auth@v2'
with:
project_id: ${{ secrets.PROJECT_ID }}
workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITYPROVIDER }}
credentials_json: ${{ secrets.GCP_CREDENTIALS }}
service_account: ${{ secrets.SERVICE_ACCOUNT }}

- name: Configure kubectl
uses: google-github-actions/setup-gcloud@v0
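Review bot: The step immediately after the changed auth step, `Configure kubectl`, still uses `google-github-actions/setup-gcloud@v0` while authentication moved to `auth@v2`; v0 is an old major, so please confirm on a real run that gcloud picks up the federated credential and bump to the current major (`setup-gcloud@v2`) if it does not. Both `uses:` references are floating major tags; pinning them to a full commit SHA, with the tag kept in a trailing comment, is the usual supply-chain hardening for actions that are handed cloud credentials. The `permissions` block here is the same over-broad set noted on buildandpush-app.yaml. The deploy job's steps continue outside the hunk.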
1 change: 1 addition & 0 deletions ci/scripts/cmd-terraform-generic.sh
Expand Up @@ -17,6 +17,7 @@ ENV_NAME=$3
WORKSPACE=$4

# Get absolute path of terraform environment
ls
ENV_DIR="$(cd "${TERRAFORM_DIRECTORY}/environments/${ENV_NAME}/"; pwd -P)"
pushd ${ENV_DIR} > /dev/null

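Review bot: The added `ls` above the `ENV_DIR` assignment looks like leftover debugging: it dumps whatever the current working directory holds into the job log, has no effect on the script, and is unrelated to the OIDC fix, so it should be removed. While in this spot, the path resolution on the next line silently falls back to the current directory when the `cd` fails, because `pwd -P` still runs in the subshell; `ENV_DIR="$(cd "${TERRAFORM_DIRECTORY}/environments/${ENV_NAME}/" && pwd -P)" || exit 1` makes a bad environment name fail the step instead of running terraform in the wrong directory. The script continues outside the hunk.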

0 comments on commit c374e89
