Make Workload Identity optional (#27189)

* Make Workload Identity optional

* Update tools/run_tests/xds_k8s_test_driver/framework/test_app/server_app.py

Co-authored-by: Sergii Tkachenko <hi@sergii.org>

* Update tools/run_tests/xds_k8s_test_driver/framework/xds_k8s_flags.py

Co-authored-by: Sergii Tkachenko <hi@sergii.org>

* Flip the bool flag naming

* Correct the flag help description

Co-authored-by: Sergii Tkachenko <hi@sergii.org>

tools/internal_ci/linux/grpc_xds_url_map.sh

@@ -18,8 +18,8 @@ set -ex -o igncr || set -ex
 # Constants
 readonly GITHUB_REPOSITORY_NAME="grpc"
 # GKE Cluster
-readonly GKE_CLUSTER_NAME="interop-test-psm-sec-v2-us-central1-a"
-readonly GKE_CLUSTER_ZONE="us-central1-a"
+readonly GKE_CLUSTER_NAME="interop-test-psm-basic"
+readonly GKE_CLUSTER_ZONE="us-central1-c"
 ## xDS test client Docker images
 readonly CLIENT_IMAGE_NAME="gcr.io/grpc-testing/xds-interop/cpp-client"
 readonly FORCE_IMAGE_BUILD="${FORCE_IMAGE_BUILD:-0}"

tools/internal_ci/linux/grpc_xds_url_map_python.sh

@@ -18,8 +18,8 @@ set -eo pipefail
 # Constants
 readonly GITHUB_REPOSITORY_NAME="grpc"
 # GKE Cluster
-readonly GKE_CLUSTER_NAME="interop-test-psm-sec-v2-us-central1-a"
-readonly GKE_CLUSTER_ZONE="us-central1-a"
+readonly GKE_CLUSTER_NAME="interop-test-psm-basic"
+readonly GKE_CLUSTER_ZONE="us-central1-c"
 ## xDS test client Docker images
 readonly CLIENT_IMAGE_NAME="gcr.io/grpc-testing/xds-interop/python-client"
 readonly FORCE_IMAGE_BUILD="${FORCE_IMAGE_BUILD:-0}"

tools/run_tests/xds_k8s_test_driver/config/url-map.cfg

@@ -6,3 +6,7 @@
 # 2. All UrlMap tests today are testing client-side logic.
 # grpc-java master: 438f8d9e7880b2f6ae2b376a35a9f5f32b4dbeaa TODO: use v1.40.0
 --server_image=gcr.io/grpc-testing/xds-interop/java-server:438f8d9e7880b2f6ae2b376a35a9f5f32b4dbeaa
+# Disables the GCP Workload Identity feature to simplify permission control
+--gcp_service_account=None
+--private_api_key_secret_name=None
+--noenable_workload_identity

tools/run_tests/xds_k8s_test_driver/framework/test_app/client_app.py

@@ -244,7 +244,8 @@ class KubernetesClientRunner(base_runner.KubernetesBaseRunner):
                  service_account_template='service-account.yaml',
                  reuse_namespace=False,
                  namespace_template=None,
-                 debug_use_port_forwarding=False):
+                 debug_use_port_forwarding=False,
+                 enable_workload_identity=True):
         super().__init__(k8s_namespace, namespace_template, reuse_namespace)
 
         # Settings
@@ -257,10 +258,15 @@ class KubernetesClientRunner(base_runner.KubernetesBaseRunner):
         self.network = network
         self.deployment_template = deployment_template
         self.debug_use_port_forwarding = debug_use_port_forwarding
+        self.enable_workload_identity = enable_workload_identity
         # Service account settings:
         # Kubernetes service account
-        self.service_account_name = service_account_name or deployment_name
-        self.service_account_template = service_account_template
+        if self.enable_workload_identity:
+            self.service_account_name = service_account_name or deployment_name
+            self.service_account_template = service_account_template
+        else:
+            self.service_account_name = None
+            self.service_account_template = None
         # GCP.
         self.gcp_project = gcp_project
         self.gcp_ui_url = gcp_api_manager.gcp_ui_url
@@ -296,19 +302,20 @@ class KubernetesClientRunner(base_runner.KubernetesBaseRunner):
 
         super().run()
 
-        # Allow Kubernetes service account to use the GCP service account
-        # identity.
-        self._grant_workload_identity_user(
-            gcp_iam=self.gcp_iam,
-            gcp_service_account=self.gcp_service_account,
-            service_account_name=self.service_account_name)
+        if self.enable_workload_identity:
+            # Allow Kubernetes service account to use the GCP service account
+            # identity.
+            self._grant_workload_identity_user(
+                gcp_iam=self.gcp_iam,
+                gcp_service_account=self.gcp_service_account,
+                service_account_name=self.service_account_name)
 
-        # Create service account
-        self.service_account = self._create_service_account(
-            self.service_account_template,
-            service_account_name=self.service_account_name,
-            namespace_name=self.k8s_namespace.name,
-            gcp_service_account=self.gcp_service_account)
+            # Create service account
+            self.service_account = self._create_service_account(
+                self.service_account_template,
+                service_account_name=self.service_account_name,
+                namespace_name=self.k8s_namespace.name,
+                gcp_service_account=self.gcp_service_account)
 
         # Always create a new deployment
         self.deployment = self._create_deployment(
@@ -356,7 +363,7 @@ class KubernetesClientRunner(base_runner.KubernetesBaseRunner):
         if self.deployment or force:
             self._delete_deployment(self.deployment_name)
             self.deployment = None
-        if self.service_account or force:
+        if self.enable_workload_identity and (self.service_account or force):
             self._revoke_workload_identity_user(
                 gcp_iam=self.gcp_iam,
                 gcp_service_account=self.gcp_service_account,

tools/run_tests/xds_k8s_test_driver/framework/test_app/server_app.py

@@ -181,7 +181,8 @@ class KubernetesServerRunner(base_runner.KubernetesBaseRunner):
                  reuse_service=False,
                  reuse_namespace=False,
                  namespace_template=None,
-                 debug_use_port_forwarding=False):
+                 debug_use_port_forwarding=False,
+                 enable_workload_identity=False):
         super().__init__(k8s_namespace, namespace_template, reuse_namespace)
 
         # Settings
@@ -200,10 +201,16 @@ class KubernetesServerRunner(base_runner.KubernetesBaseRunner):
         self.service_template = service_template
         self.reuse_service = reuse_service
         self.debug_use_port_forwarding = debug_use_port_forwarding
+        self.enable_workload_identity = enable_workload_identity
         # Service account settings:
         # Kubernetes service account
-        self.service_account_name = service_account_name or deployment_name
-        self.service_account_template = service_account_template
+        if self.enable_workload_identity:
+            self.service_account_name = service_account_name or deployment_name
+            self.service_account_template = service_account_template
+        else:
+            self.service_account_name = None
+            self.service_account_template = None
+
         # GCP.
         self.gcp_project = gcp_project
         self.gcp_ui_url = gcp_api_manager.gcp_ui_url
@@ -271,19 +278,20 @@ class KubernetesServerRunner(base_runner.KubernetesBaseRunner):
                 test_port=test_port)
         self._wait_service_neg(self.service_name, test_port)
 
-        # Allow Kubernetes service account to use the GCP service account
-        # identity.
-        self._grant_workload_identity_user(
-            gcp_iam=self.gcp_iam,
-            gcp_service_account=self.gcp_service_account,
-            service_account_name=self.service_account_name)
+        if self.enable_workload_identity:
+            # Allow Kubernetes service account to use the GCP service account
+            # identity.
+            self._grant_workload_identity_user(
+                gcp_iam=self.gcp_iam,
+                gcp_service_account=self.gcp_service_account,
+                service_account_name=self.service_account_name)
 
-        # Create service account
-        self.service_account = self._create_service_account(
-            self.service_account_template,
-            service_account_name=self.service_account_name,
-            namespace_name=self.k8s_namespace.name,
-            gcp_service_account=self.gcp_service_account)
+            # Create service account
+            self.service_account = self._create_service_account(
+                self.service_account_template,
+                service_account_name=self.service_account_name,
+                namespace_name=self.k8s_namespace.name,
+                gcp_service_account=self.gcp_service_account)
 
         # Always create a new deployment
         self.deployment = self._create_deployment(
@@ -351,7 +359,7 @@ class KubernetesServerRunner(base_runner.KubernetesBaseRunner):
         if (self.service and not self.reuse_service) or force:
             self._delete_service(self.service_name)
             self.service = None
-        if self.service_account or force:
+        if self.enable_workload_identity and (self.service_account or force):
             self._revoke_workload_identity_user(
                 gcp_iam=self.gcp_iam,
                 gcp_service_account=self.gcp_service_account,

tools/run_tests/xds_k8s_test_driver/framework/xds_k8s_flags.py

@@ -41,9 +41,12 @@ DEBUG_USE_PORT_FORWARDING = flags.DEFINE_bool(
     "debug_use_port_forwarding",
     default=False,
     help="Development only: use kubectl port-forward to connect to test app")
+ENABLE_WORKLOAD_IDENTITY = flags.DEFINE_bool(
+    "enable_workload_identity",
+    default=True,
+    help="Enable the WorkloadIdentity feature")
 
 flags.mark_flags_as_required([
-    "gcp_service_account",
     "kube_context",
     "td_bootstrap_image",
     "server_image",

tools/run_tests/xds_k8s_test_driver/framework/xds_k8s_testcase.py

@@ -114,6 +114,7 @@ class XdsKubernetesTestCase(absltest.TestCase, metaclass=abc.ABCMeta):
         cls.force_cleanup = _FORCE_CLEANUP.value
         cls.debug_use_port_forwarding = \
             xds_k8s_flags.DEBUG_USE_PORT_FORWARDING.value
+        cls.enable_workload_identity = xds_k8s_flags.enable_workload_identity.value
         cls.check_local_certs = _CHECK_LOCAL_CERTS.value
 
         # Resource managers
@@ -346,7 +347,8 @@ class RegularXdsKubernetesTestCase(XdsKubernetesTestCase):
             gcp_service_account=self.gcp_service_account,
             xds_server_uri=self.xds_server_uri,
             network=self.network,
-            debug_use_port_forwarding=self.debug_use_port_forwarding)
+            debug_use_port_forwarding=self.debug_use_port_forwarding,
+            enable_workload_identity=self.enable_workload_identity)
 
     def initKubernetesClientRunner(self) -> KubernetesClientRunner:
         return KubernetesClientRunner(
@@ -361,6 +363,7 @@ class RegularXdsKubernetesTestCase(XdsKubernetesTestCase):
             xds_server_uri=self.xds_server_uri,
             network=self.network,
             debug_use_port_forwarding=self.debug_use_port_forwarding,
+            enable_workload_identity=self.enable_workload_identity,
             stats_port=self.client_port,
             reuse_namespace=self.server_namespace == self.client_namespace)
 

tools/run_tests/xds_k8s_test_driver/framework/xds_url_map_test_resources.py

@@ -173,7 +173,8 @@ class GcpResourceManager(metaclass=_MetaSingletonAndAbslFlags):
             gcp_service_account=self.gcp_service_account,
             td_bootstrap_image=self.td_bootstrap_image,
             xds_server_uri=self.xds_server_uri,
-            network=self.network)
+            network=self.network,
+            enable_workload_identity=self.enable_workload_identity)
         self.test_server_alternative_runner = server_app.KubernetesServerRunner(
             self.k8s_namespace,
             deployment_name=self.server_name + '-alternative',
@@ -184,6 +185,7 @@ class GcpResourceManager(metaclass=_MetaSingletonAndAbslFlags):
             td_bootstrap_image=self.td_bootstrap_image,
             xds_server_uri=self.xds_server_uri,
             network=self.network,
+            enable_workload_identity=self.enable_workload_identity,
             reuse_namespace=True)
         self.test_server_affinity_runner = server_app.KubernetesServerRunner(
             self.k8s_namespace,
@@ -195,6 +197,7 @@ class GcpResourceManager(metaclass=_MetaSingletonAndAbslFlags):
             td_bootstrap_image=self.td_bootstrap_image,
             xds_server_uri=self.xds_server_uri,
             network=self.network,
+            enable_workload_identity=self.enable_workload_identity,
             reuse_namespace=True)
         logging.info('Strategy of GCP resources management: %s', self.strategy)
 
@@ -221,6 +224,7 @@ class GcpResourceManager(metaclass=_MetaSingletonAndAbslFlags):
             xds_server_uri=self.xds_server_uri,
             network=self.network,
             debug_use_port_forwarding=self.debug_use_port_forwarding,
+            enable_workload_identity=self.enable_workload_identity,
             stats_port=self.client_port)
 
     def _pre_cleanup(self):

tools/run_tests/xds_k8s_test_driver/kubernetes-manifests/client.deployment.yaml

@@ -18,7 +18,9 @@ spec:
         app: ${deployment_name}
         owner: xds-k8s-interop-test
     spec:
+      % if service_account_name:
       serviceAccountName: ${service_account_name}
+      % endif
       containers:
       - name: ${deployment_name}
         image: ${image_name}

tools/run_tests/xds_k8s_test_driver/kubernetes-manifests/server.deployment.yaml

@@ -18,7 +18,9 @@ spec:
         app: ${deployment_name}
         owner: xds-k8s-interop-test
     spec:
+      % if service_account_name:
       serviceAccountName: ${service_account_name}
+      % endif
       containers:
       - name: ${deployment_name}
         image: ${image_name}