diff --git a/tools/internal_ci/linux/grpc_xds_url_map.sh b/tools/internal_ci/linux/grpc_xds_url_map.sh
index 6f7e9db4971..ea173c4d5dc 100755
--- a/tools/internal_ci/linux/grpc_xds_url_map.sh
+++ b/tools/internal_ci/linux/grpc_xds_url_map.sh
@@ -18,8 +18,8 @@ set -ex -o igncr || set -ex
 # Constants
 readonly GITHUB_REPOSITORY_NAME="grpc"
 # GKE Cluster
-readonly GKE_CLUSTER_NAME="interop-test-psm-sec-v2-us-central1-a"
-readonly GKE_CLUSTER_ZONE="us-central1-a"
+readonly GKE_CLUSTER_NAME="interop-test-psm-basic"
+readonly GKE_CLUSTER_ZONE="us-central1-c"
 ## xDS test client Docker images
 readonly CLIENT_IMAGE_NAME="gcr.io/grpc-testing/xds-interop/cpp-client"
 readonly FORCE_IMAGE_BUILD="${FORCE_IMAGE_BUILD:-0}"
diff --git a/tools/internal_ci/linux/grpc_xds_url_map_python.sh b/tools/internal_ci/linux/grpc_xds_url_map_python.sh
index 59152f80985..234ddd535c1 100755
--- a/tools/internal_ci/linux/grpc_xds_url_map_python.sh
+++ b/tools/internal_ci/linux/grpc_xds_url_map_python.sh
@@ -18,8 +18,8 @@ set -eo pipefail
 # Constants
 readonly GITHUB_REPOSITORY_NAME="grpc"
 # GKE Cluster
-readonly GKE_CLUSTER_NAME="interop-test-psm-sec-v2-us-central1-a"
-readonly GKE_CLUSTER_ZONE="us-central1-a"
+readonly GKE_CLUSTER_NAME="interop-test-psm-basic"
+readonly GKE_CLUSTER_ZONE="us-central1-c"
 ## xDS test client Docker images
 readonly CLIENT_IMAGE_NAME="gcr.io/grpc-testing/xds-interop/python-client"
 readonly FORCE_IMAGE_BUILD="${FORCE_IMAGE_BUILD:-0}"
diff --git a/tools/run_tests/xds_k8s_test_driver/config/url-map.cfg b/tools/run_tests/xds_k8s_test_driver/config/url-map.cfg
index 688b1c38222..5a31dae3ee8 100644
--- a/tools/run_tests/xds_k8s_test_driver/config/url-map.cfg
+++ b/tools/run_tests/xds_k8s_test_driver/config/url-map.cfg
@@ -6,3 +6,7 @@ # 2. All UrlMap tests today are testing client-side logic. # grpc-java master: 438f8d9e7880b2f6ae2b376a35a9f5f32b4dbeaa TODO: use v1.40.0 --server_image=gcr.io/grpc-testing/xds-interop/java-server:438f8d9e7880b2f6ae2b376a35a9f5f32b4dbeaa +# Disables the GCP Workload Identity feature to simplify permission control +--gcp_service_account=None +--private_api_key_secret_name=None +--noenable_workload_identity diff --git a/tools/run_tests/xds_k8s_test_driver/framework/test_app/client_app.py b/tools/run_tests/xds_k8s_test_driver/framework/test_app/client_app.py index 9a30dca7bdf..9645db93fd9 100644 --- a/tools/run_tests/xds_k8s_test_driver/framework/test_app/client_app.py +++ b/tools/run_tests/xds_k8s_test_driver/framework/test_app/client_app.py @@ -244,7 +244,8 @@ class KubernetesClientRunner(base_runner.KubernetesBaseRunner): service_account_template='service-account.yaml', reuse_namespace=False, namespace_template=None, - debug_use_port_forwarding=False): + debug_use_port_forwarding=False, + enable_workload_identity=True): super().__init__(k8s_namespace, namespace_template, reuse_namespace) # Settings @@ -257,10 +258,15 @@ class KubernetesClientRunner(base_runner.KubernetesBaseRunner): self.network = network self.deployment_template = deployment_template self.debug_use_port_forwarding = debug_use_port_forwarding + self.enable_workload_identity = enable_workload_identity # Service account settings: # Kubernetes service account - self.service_account_name = service_account_name or deployment_name - self.service_account_template = service_account_template + if self.enable_workload_identity: + self.service_account_name = service_account_name or deployment_name + self.service_account_template = service_account_template + else: + self.service_account_name = None + self.service_account_template = None # GCP. self.gcp_project = gcp_project self.gcp_ui_url = gcp_api_manager.gcp_ui_url 
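Review bot: `--gcp_service_account=None` on the second added line assigns the literal text 'None' to a string flag rather than leaving it unset, and `--private_api_key_secret_name=None` does the same. Since the xds_k8s_flags.py hunk in this commit drops `gcp_service_account` from the required list, omitting both lines expresses "no value" without a sentinel string that downstream code would have to recognise; if the driver does treat the text 'None' specially, the comment line above should say so. The comment could also state the consequence of the switch, e.g. `# Disables Workload Identity: no GCP service-account binding is created and the test pods run as the namespace default Kubernetes service account`.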
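Review bot: The new `enable_workload_identity` parameter defaults to `True` here but to `False` in the matching `KubernetesServerRunner.__init__` hunk in server_app.py, so a caller that omits the kwarg gets a GCP identity binding for the client and none for the server, while the absl flag added in xds_k8s_flags.py defaults to `True`. Every call site in this commit passes the value explicitly, so either align the two defaults (`enable_workload_identity=True):` in server_app.py) or make the parameter keyword-only without a default so the divergence cannot go unnoticed. If the constructor has a docstring (outside this hunk), the new parameter belongs in it.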
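Review bot: In the new `else` branch a caller-supplied `service_account_name` and `service_account_template` are discarded without any signal, and the server `__init__` hunk in server_app.py does the same; combined with the template change in client.deployment.yaml the pod is then scheduled under the namespace default Kubernetes service account. A short comment on the `else` would make that explicit for the next reader, e.g. `# Without Workload Identity no dedicated KSA is created; any caller-supplied name is ignored and the pod runs as the namespace default KSA.`. The enclosing `__init__` begins and ends outside this hunk.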
@@ -296,19 +302,20 @@ class KubernetesClientRunner(base_runner.KubernetesBaseRunner): super().run() - # Allow Kubernetes service account to use the GCP service account - # identity. - self._grant_workload_identity_user( - gcp_iam=self.gcp_iam, - gcp_service_account=self.gcp_service_account, - service_account_name=self.service_account_name) + if self.enable_workload_identity: + # Allow Kubernetes service account to use the GCP service account + # identity. + self._grant_workload_identity_user( + gcp_iam=self.gcp_iam, + gcp_service_account=self.gcp_service_account, + service_account_name=self.service_account_name) - # Create service account - self.service_account = self._create_service_account( - self.service_account_template, - service_account_name=self.service_account_name, - namespace_name=self.k8s_namespace.name, - gcp_service_account=self.gcp_service_account) + # Create service account + self.service_account = self._create_service_account( + self.service_account_template, + service_account_name=self.service_account_name, + namespace_name=self.k8s_namespace.name, + gcp_service_account=self.gcp_service_account) # Always create a new deployment self.deployment = self._create_deployment( @@ -356,7 +363,7 @@ class KubernetesClientRunner(base_runner.KubernetesBaseRunner): if self.deployment or force: self._delete_deployment(self.deployment_name) self.deployment = None - if self.service_account or force: + if self.enable_workload_identity and (self.service_account or force): self._revoke_workload_identity_user( gcp_iam=self.gcp_iam, gcp_service_account=self.gcp_service_account, diff --git a/tools/run_tests/xds_k8s_test_driver/framework/test_app/server_app.py b/tools/run_tests/xds_k8s_test_driver/framework/test_app/server_app.py index 7fec8f1b696..234a9d0dcc0 100644 --- a/tools/run_tests/xds_k8s_test_driver/framework/test_app/server_app.py +++ b/tools/run_tests/xds_k8s_test_driver/framework/test_app/server_app.py 
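Review bot: When `enable_workload_identity` is false, `run()` now skips both the IAM grant and `_create_service_account`, so `self.service_account` is never assigned in this method; that is only safe if `__init__` (outside this hunk) initialises it, which the diff does not show, and an explicit `else: self.service_account = None` would remove the dependency. A comment on the new `if` explaining the off path would also help, e.g. `# Without Workload Identity no KSA/GSA binding is made; the pod runs as the namespace default service account.`. The same applies to the `run()` hunk in server_app.py. `run()` begins and ends outside this hunk.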
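Review bot: The new guard `if self.enable_workload_identity and (self.service_account or force):` means `force=True` no longer revokes the workload-identity binding (nor runs whatever follows it in that block, outside the hunk) when the feature is off, so a binding left by an earlier run of the same namespace with the feature on is not cleaned up; the server cleanup hunk in server_app.py adds the same guard. If force cleanup is meant to remove leftovers regardless of this run's configuration, keep `force` outside the feature check, e.g. `if (self.enable_workload_identity and self.service_account) or force:`, provided `gcp_service_account` is actually available on the forced path (it may be unset when the feature is off). The enclosing cleanup method continues outside the hunk.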
@@ -181,7 +181,8 @@ class KubernetesServerRunner(base_runner.KubernetesBaseRunner): reuse_service=False, reuse_namespace=False, namespace_template=None, - debug_use_port_forwarding=False): + debug_use_port_forwarding=False, + enable_workload_identity=False): super().__init__(k8s_namespace, namespace_template, reuse_namespace) # Settings @@ -200,10 +201,16 @@ class KubernetesServerRunner(base_runner.KubernetesBaseRunner): self.service_template = service_template self.reuse_service = reuse_service self.debug_use_port_forwarding = debug_use_port_forwarding + self.enable_workload_identity = enable_workload_identity # Service account settings: # Kubernetes service account - self.service_account_name = service_account_name or deployment_name - self.service_account_template = service_account_template + if self.enable_workload_identity: + self.service_account_name = service_account_name or deployment_name + self.service_account_template = service_account_template + else: + self.service_account_name = None + self.service_account_template = None + # GCP. self.gcp_project = gcp_project self.gcp_ui_url = gcp_api_manager.gcp_ui_url 
@@ -271,19 +278,20 @@ class KubernetesServerRunner(base_runner.KubernetesBaseRunner): test_port=test_port) self._wait_service_neg(self.service_name, test_port) - # Allow Kubernetes service account to use the GCP service account - # identity. - self._grant_workload_identity_user( - gcp_iam=self.gcp_iam, - gcp_service_account=self.gcp_service_account, - service_account_name=self.service_account_name) + if self.enable_workload_identity: + # Allow Kubernetes service account to use the GCP service account + # identity. + self._grant_workload_identity_user( + gcp_iam=self.gcp_iam, + gcp_service_account=self.gcp_service_account, + service_account_name=self.service_account_name) - # Create service account - self.service_account = self._create_service_account( - self.service_account_template, - service_account_name=self.service_account_name, - namespace_name=self.k8s_namespace.name, - gcp_service_account=self.gcp_service_account) + # Create service account + self.service_account = self._create_service_account( + self.service_account_template, + service_account_name=self.service_account_name, + namespace_name=self.k8s_namespace.name, + gcp_service_account=self.gcp_service_account) # Always create a new deployment self.deployment = self._create_deployment( @@ -351,7 +359,7 @@ class KubernetesServerRunner(base_runner.KubernetesBaseRunner): if (self.service and not self.reuse_service) or force: self._delete_service(self.service_name) self.service = None - if self.service_account or force: + if self.enable_workload_identity and (self.service_account or force): self._revoke_workload_identity_user( gcp_iam=self.gcp_iam, gcp_service_account=self.gcp_service_account, diff --git a/tools/run_tests/xds_k8s_test_driver/framework/xds_k8s_flags.py b/tools/run_tests/xds_k8s_test_driver/framework/xds_k8s_flags.py index 801c83a4a8c..e259de8bf1d 100644 --- a/tools/run_tests/xds_k8s_test_driver/framework/xds_k8s_flags.py +++ b/tools/run_tests/xds_k8s_test_driver/framework/xds_k8s_flags.py 
@@ -41,9 +41,12 @@ DEBUG_USE_PORT_FORWARDING = flags.DEFINE_bool( "debug_use_port_forwarding", default=False, help="Development only: use kubectl port-forward to connect to test app") +ENABLE_WORKLOAD_IDENTITY = flags.DEFINE_bool( + "enable_workload_identity", + default=True, + help="Enable the WorkloadIdentity feature") flags.mark_flags_as_required([ - "gcp_service_account", "kube_context", "td_bootstrap_image", "server_image", diff --git a/tools/run_tests/xds_k8s_test_driver/framework/xds_k8s_testcase.py b/tools/run_tests/xds_k8s_test_driver/framework/xds_k8s_testcase.py index 336c82bf4f0..2242ab71dac 100644 --- a/tools/run_tests/xds_k8s_test_driver/framework/xds_k8s_testcase.py +++ b/tools/run_tests/xds_k8s_test_driver/framework/xds_k8s_testcase.py @@ -114,6 +114,7 @@ class XdsKubernetesTestCase(absltest.TestCase, metaclass=abc.ABCMeta): cls.force_cleanup = _FORCE_CLEANUP.value cls.debug_use_port_forwarding = \ xds_k8s_flags.DEBUG_USE_PORT_FORWARDING.value + cls.enable_workload_identity = xds_k8s_flags.enable_workload_identity.value cls.check_local_certs = _CHECK_LOCAL_CERTS.value # Resource managers @@ -346,7 +347,8 @@ class RegularXdsKubernetesTestCase(XdsKubernetesTestCase): gcp_service_account=self.gcp_service_account, xds_server_uri=self.xds_server_uri, network=self.network, - debug_use_port_forwarding=self.debug_use_port_forwarding) + debug_use_port_forwarding=self.debug_use_port_forwarding, + enable_workload_identity=self.enable_workload_identity) def initKubernetesClientRunner(self) -> KubernetesClientRunner: return KubernetesClientRunner( @@ -361,6 +363,7 @@ class RegularXdsKubernetesTestCase(XdsKubernetesTestCase): xds_server_uri=self.xds_server_uri, network=self.network, debug_use_port_forwarding=self.debug_use_port_forwarding, + enable_workload_identity=self.enable_workload_identity, stats_port=self.client_port, reuse_namespace=self.server_namespace == self.client_namespace) 
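Review bot: Dropping `"gcp_service_account"` from `mark_flags_as_required` removes the only check that a GCP service account is supplied, and nothing replaces it for the case that remains the default (`enable_workload_identity=True`), where the runners call `_grant_workload_identity_user` with `gcp_service_account` unset and fail mid-deployment instead of at flag parsing. A multi-flag validator makes the dependency explicit. The help string could also state the effect, e.g. `help="Create a dedicated Kubernetes service account and bind it to --gcp_service_account via Workload Identity"`.
```python
# … unchanged: ENABLE_WORKLOAD_IDENTITY definition and mark_flags_as_required([...]) …

flags.register_multi_flags_validator(
    ["enable_workload_identity", "gcp_service_account"],
    lambda values: (not values["enable_workload_identity"] or
                    bool(values["gcp_service_account"])),
    message="--gcp_service_account is required when --enable_workload_identity is true")
```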
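Review bot: `xds_k8s_flags.enable_workload_identity.value` refers to a lowercase module attribute, but the holder added in xds_k8s_flags.py in this same commit is `ENABLE_WORKLOAD_IDENTITY`; as written the added line raises AttributeError when the class is set up, unless the module defines the lowercase name elsewhere, which the diff does not show. The line is also longer than the neighbouring `debug_use_port_forwarding` assignment, which wraps with a backslash. Suggest `cls.enable_workload_identity = \` followed by `xds_k8s_flags.ENABLE_WORKLOAD_IDENTITY.value`. The enclosing classmethod continues outside the hunk.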
diff --git a/tools/run_tests/xds_k8s_test_driver/framework/xds_url_map_test_resources.py b/tools/run_tests/xds_k8s_test_driver/framework/xds_url_map_test_resources.py index 518e353c887..e3240c78893 100644 --- a/tools/run_tests/xds_k8s_test_driver/framework/xds_url_map_test_resources.py +++ b/tools/run_tests/xds_k8s_test_driver/framework/xds_url_map_test_resources.py @@ -173,7 +173,8 @@ class GcpResourceManager(metaclass=_MetaSingletonAndAbslFlags): gcp_service_account=self.gcp_service_account, td_bootstrap_image=self.td_bootstrap_image, xds_server_uri=self.xds_server_uri, - network=self.network) + network=self.network, + enable_workload_identity=self.enable_workload_identity) self.test_server_alternative_runner = server_app.KubernetesServerRunner( self.k8s_namespace, deployment_name=self.server_name + '-alternative', @@ -184,6 +185,7 @@ class GcpResourceManager(metaclass=_MetaSingletonAndAbslFlags): td_bootstrap_image=self.td_bootstrap_image, xds_server_uri=self.xds_server_uri, network=self.network, + enable_workload_identity=self.enable_workload_identity, reuse_namespace=True) self.test_server_affinity_runner = server_app.KubernetesServerRunner( self.k8s_namespace, @@ -195,6 +197,7 @@ class GcpResourceManager(metaclass=_MetaSingletonAndAbslFlags): td_bootstrap_image=self.td_bootstrap_image, xds_server_uri=self.xds_server_uri, network=self.network, + enable_workload_identity=self.enable_workload_identity, reuse_namespace=True) logging.info('Strategy of GCP resources management: %s', self.strategy) @@ -221,6 +224,7 @@ class GcpResourceManager(metaclass=_MetaSingletonAndAbslFlags): xds_server_uri=self.xds_server_uri, network=self.network, debug_use_port_forwarding=self.debug_use_port_forwarding, + enable_workload_identity=self.enable_workload_identity, stats_port=self.client_port) def _pre_cleanup(self): 
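Review bot: `self.enable_workload_identity` is read in all four hunks of this file, but the commit adds no attribute of that name to `GcpResourceManager`; the `_MetaSingletonAndAbslFlags` metaclass may populate it from the new absl flag, as it presumably does for `self.debug_use_port_forwarding`, but if attributes are mapped from an explicit list (outside these hunks) that list needs the new flag too. Worth confirming with a run where the flag is set to its non-default value. `__init__` begins and ends outside the hunks.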
diff --git a/tools/run_tests/xds_k8s_test_driver/kubernetes-manifests/client.deployment.yaml b/tools/run_tests/xds_k8s_test_driver/kubernetes-manifests/client.deployment.yaml
index 109086c4510..31ef54fe6ea 100644
--- a/tools/run_tests/xds_k8s_test_driver/kubernetes-manifests/client.deployment.yaml
+++ b/tools/run_tests/xds_k8s_test_driver/kubernetes-manifests/client.deployment.yaml
@@ -18,7 +18,9 @@ spec:
 app: ${deployment_name}
 owner: xds-k8s-interop-test
 spec:
+ % if service_account_name:
 serviceAccountName: ${service_account_name}
+ % endif
 containers:
 - name: ${deployment_name}
 image: ${image_name}
diff --git a/tools/run_tests/xds_k8s_test_driver/kubernetes-manifests/server.deployment.yaml b/tools/run_tests/xds_k8s_test_driver/kubernetes-manifests/server.deployment.yaml
index dbf2fa5d7af..04f0cd645ed 100644
--- a/tools/run_tests/xds_k8s_test_driver/kubernetes-manifests/server.deployment.yaml
+++ b/tools/run_tests/xds_k8s_test_driver/kubernetes-manifests/server.deployment.yaml
@@ -18,7 +18,9 @@ spec:
 app: ${deployment_name}
 owner: xds-k8s-interop-test
 spec:
+ % if service_account_name:
 serviceAccountName: ${service_account_name}
+ % endif
 containers:
 - name: ${deployment_name}
 image: ${image_name}
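Review bot: When `service_account_name` is empty the rendered Deployment carries no `serviceAccountName`, so the pod runs under the namespace's default Kubernetes service account with its token auto-mounted; the server.deployment.yaml hunk has the same fallback. A template comment makes that explicit for whoever reads the manifest, e.g. `## Without Workload Identity the pod uses the namespace default service account`. If the test apps never talk to the Kubernetes API, `automountServiceAccountToken: false` under `spec` would narrow what the pod carries on that path, though that is a behavioural change beyond this commit.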