Make Workload Identity optional (#27189)

* Make Workload Identity optional * Update tools/run_tests/xds_k8s_test_driver/framework/test_app/server_app.py Co-authored-by: Sergii Tkachenko <hi@sergii.org> * Update tools/run_tests/xds_k8s_test_driver/framework/xds_k8s_flags.py Co-authored-by: Sergii Tkachenko <hi@sergii.org> * Flip the bool flag naming * Correct the flag help description Co-authored-by: Sergii Tkachenko <hi@sergii.org>
3 years ago · 3dab256776
parent b016729c90
commit 3dab256776
10 changed files with 72 additions and 39 deletions
--- a/tools/internal_ci/linux/grpc_xds_url_map.sh
+++ b/tools/internal_ci/linux/grpc_xds_url_map.sh
@ -18,8 +18,8 @@ set -ex -o igncr || set -ex
 # Constants
 readonly GITHUB_REPOSITORY_NAME="grpc"
 # GKE Cluster
-readonly GKE_CLUSTER_NAME="interop-test-psm-sec-v2-us-central1-a"
-readonly GKE_CLUSTER_ZONE="us-central1-a"
+readonly GKE_CLUSTER_NAME="interop-test-psm-basic"
+readonly GKE_CLUSTER_ZONE="us-central1-c"
 ## xDS test client Docker images
 readonly CLIENT_IMAGE_NAME="gcr.io/grpc-testing/xds-interop/cpp-client"
 readonly FORCE_IMAGE_BUILD="${FORCE_IMAGE_BUILD:-0}"
--- a/tools/internal_ci/linux/grpc_xds_url_map_python.sh
+++ b/tools/internal_ci/linux/grpc_xds_url_map_python.sh
@ -18,8 +18,8 @@ set -eo pipefail
 # Constants
 readonly GITHUB_REPOSITORY_NAME="grpc"
 # GKE Cluster
-readonly GKE_CLUSTER_NAME="interop-test-psm-sec-v2-us-central1-a"
-readonly GKE_CLUSTER_ZONE="us-central1-a"
+readonly GKE_CLUSTER_NAME="interop-test-psm-basic"
+readonly GKE_CLUSTER_ZONE="us-central1-c"
 ## xDS test client Docker images
 readonly CLIENT_IMAGE_NAME="gcr.io/grpc-testing/xds-interop/python-client"
 readonly FORCE_IMAGE_BUILD="${FORCE_IMAGE_BUILD:-0}"
--- a/tools/run_tests/xds_k8s_test_driver/config/url-map.cfg
+++ b/tools/run_tests/xds_k8s_test_driver/config/url-map.cfg
@ -6,3 +6,7 @@
 # 2. All UrlMap tests today are testing client-side logic.
 # grpc-java master: 438f8d9e7880b2f6ae2b376a35a9f5f32b4dbeaa TODO: use v1.40.0
 --server_image=gcr.io/grpc-testing/xds-interop/java-server:438f8d9e7880b2f6ae2b376a35a9f5f32b4dbeaa
+# Disables the GCP Workload Identity feature to simplify permission control
+--gcp_service_account=None
+--private_api_key_secret_name=None
+--noenable_workload_identity
--- a/tools/run_tests/xds_k8s_test_driver/framework/test_app/client_app.py
+++ b/tools/run_tests/xds_k8s_test_driver/framework/test_app/client_app.py
@ -244,7 +244,8 @@ class KubernetesClientRunner(base_runner.KubernetesBaseRunner):
                 service_account_template='service-account.yaml',
                 reuse_namespace=False,
                 namespace_template=None,
-                 debug_use_port_forwarding=False):
+                 debug_use_port_forwarding=False,
+                 enable_workload_identity=True):
        super().__init__(k8s_namespace, namespace_template, reuse_namespace)

        # Settings
@ -257,10 +258,15 @@ class KubernetesClientRunner(base_runner.KubernetesBaseRunner):
        self.network = network
        self.deployment_template = deployment_template
        self.debug_use_port_forwarding = debug_use_port_forwarding
+        self.enable_workload_identity = enable_workload_identity
        # Service account settings:
        # Kubernetes service account
+        if self.enable_workload_identity:
            self.service_account_name = service_account_name or deployment_name
            self.service_account_template = service_account_template
+        else:
+            self.service_account_name = None
+            self.service_account_template = None
        # GCP.
        self.gcp_project = gcp_project
        self.gcp_ui_url = gcp_api_manager.gcp_ui_url
@ -296,6 +302,7 @@ class KubernetesClientRunner(base_runner.KubernetesBaseRunner):

        super().run()

+        if self.enable_workload_identity:
            # Allow Kubernetes service account to use the GCP service account
            # identity.
            self._grant_workload_identity_user(
@ -356,7 +363,7 @@ class KubernetesClientRunner(base_runner.KubernetesBaseRunner):
        if self.deployment or force:
            self._delete_deployment(self.deployment_name)
            self.deployment = None
-        if self.service_account or force:
+        if self.enable_workload_identity and (self.service_account or force):
            self._revoke_workload_identity_user(
                gcp_iam=self.gcp_iam,
                gcp_service_account=self.gcp_service_account,
--- a/tools/run_tests/xds_k8s_test_driver/framework/test_app/server_app.py
+++ b/tools/run_tests/xds_k8s_test_driver/framework/test_app/server_app.py
@ -181,7 +181,8 @@ class KubernetesServerRunner(base_runner.KubernetesBaseRunner):
                 reuse_service=False,
                 reuse_namespace=False,
                 namespace_template=None,
-                 debug_use_port_forwarding=False):
+                 debug_use_port_forwarding=False,
+                 enable_workload_identity=False):
        super().__init__(k8s_namespace, namespace_template, reuse_namespace)

        # Settings
@ -200,10 +201,16 @@ class KubernetesServerRunner(base_runner.KubernetesBaseRunner):
        self.service_template = service_template
        self.reuse_service = reuse_service
        self.debug_use_port_forwarding = debug_use_port_forwarding
+        self.enable_workload_identity = enable_workload_identity
        # Service account settings:
        # Kubernetes service account
+        if self.enable_workload_identity:
            self.service_account_name = service_account_name or deployment_name
            self.service_account_template = service_account_template
+        else:
+            self.service_account_name = None
+            self.service_account_template = None
+
        # GCP.
        self.gcp_project = gcp_project
        self.gcp_ui_url = gcp_api_manager.gcp_ui_url
@ -271,6 +278,7 @@ class KubernetesServerRunner(base_runner.KubernetesBaseRunner):
                test_port=test_port)
        self._wait_service_neg(self.service_name, test_port)

+        if self.enable_workload_identity:
            # Allow Kubernetes service account to use the GCP service account
            # identity.
            self._grant_workload_identity_user(
@ -351,7 +359,7 @@ class KubernetesServerRunner(base_runner.KubernetesBaseRunner):
        if (self.service and not self.reuse_service) or force:
            self._delete_service(self.service_name)
            self.service = None
-        if self.service_account or force:
+        if self.enable_workload_identity and (self.service_account or force):
            self._revoke_workload_identity_user(
                gcp_iam=self.gcp_iam,
                gcp_service_account=self.gcp_service_account,
--- a/tools/run_tests/xds_k8s_test_driver/framework/xds_k8s_flags.py
+++ b/tools/run_tests/xds_k8s_test_driver/framework/xds_k8s_flags.py
@ -41,9 +41,12 @@ DEBUG_USE_PORT_FORWARDING = flags.DEFINE_bool(
    "debug_use_port_forwarding",
    default=False,
    help="Development only: use kubectl port-forward to connect to test app")
+ENABLE_WORKLOAD_IDENTITY = flags.DEFINE_bool(
+    "enable_workload_identity",
+    default=True,
+    help="Enable the WorkloadIdentity feature")

 flags.mark_flags_as_required([
-    "gcp_service_account",
    "kube_context",
    "td_bootstrap_image",
    "server_image",
--- a/tools/run_tests/xds_k8s_test_driver/framework/xds_k8s_testcase.py
+++ b/tools/run_tests/xds_k8s_test_driver/framework/xds_k8s_testcase.py
@ -114,6 +114,7 @@ class XdsKubernetesTestCase(absltest.TestCase, metaclass=abc.ABCMeta):
        cls.force_cleanup = _FORCE_CLEANUP.value
        cls.debug_use_port_forwarding = \
            xds_k8s_flags.DEBUG_USE_PORT_FORWARDING.value
+        cls.enable_workload_identity = xds_k8s_flags.enable_workload_identity.value
        cls.check_local_certs = _CHECK_LOCAL_CERTS.value

        # Resource managers
@ -346,7 +347,8 @@ class RegularXdsKubernetesTestCase(XdsKubernetesTestCase):
            gcp_service_account=self.gcp_service_account,
            xds_server_uri=self.xds_server_uri,
            network=self.network,
-            debug_use_port_forwarding=self.debug_use_port_forwarding)
+            debug_use_port_forwarding=self.debug_use_port_forwarding,
+            enable_workload_identity=self.enable_workload_identity)

    def initKubernetesClientRunner(self) -> KubernetesClientRunner:
        return KubernetesClientRunner(
@ -361,6 +363,7 @@ class RegularXdsKubernetesTestCase(XdsKubernetesTestCase):
            xds_server_uri=self.xds_server_uri,
            network=self.network,
            debug_use_port_forwarding=self.debug_use_port_forwarding,
+            enable_workload_identity=self.enable_workload_identity,
            stats_port=self.client_port,
            reuse_namespace=self.server_namespace == self.client_namespace)

--- a/tools/run_tests/xds_k8s_test_driver/framework/xds_url_map_test_resources.py
+++ b/tools/run_tests/xds_k8s_test_driver/framework/xds_url_map_test_resources.py
@ -173,7 +173,8 @@ class GcpResourceManager(metaclass=_MetaSingletonAndAbslFlags):
            gcp_service_account=self.gcp_service_account,
            td_bootstrap_image=self.td_bootstrap_image,
            xds_server_uri=self.xds_server_uri,
-            network=self.network)
+            network=self.network,
+            enable_workload_identity=self.enable_workload_identity)
        self.test_server_alternative_runner = server_app.KubernetesServerRunner(
            self.k8s_namespace,
            deployment_name=self.server_name + '-alternative',
@ -184,6 +185,7 @@ class GcpResourceManager(metaclass=_MetaSingletonAndAbslFlags):
            td_bootstrap_image=self.td_bootstrap_image,
            xds_server_uri=self.xds_server_uri,
            network=self.network,
+            enable_workload_identity=self.enable_workload_identity,
            reuse_namespace=True)
        self.test_server_affinity_runner = server_app.KubernetesServerRunner(
            self.k8s_namespace,
@ -195,6 +197,7 @@ class GcpResourceManager(metaclass=_MetaSingletonAndAbslFlags):
            td_bootstrap_image=self.td_bootstrap_image,
            xds_server_uri=self.xds_server_uri,
            network=self.network,
+            enable_workload_identity=self.enable_workload_identity,
            reuse_namespace=True)
        logging.info('Strategy of GCP resources management: %s', self.strategy)

@ -221,6 +224,7 @@ class GcpResourceManager(metaclass=_MetaSingletonAndAbslFlags):
            xds_server_uri=self.xds_server_uri,
            network=self.network,
            debug_use_port_forwarding=self.debug_use_port_forwarding,
+            enable_workload_identity=self.enable_workload_identity,
            stats_port=self.client_port)

    def _pre_cleanup(self):
--- a/tools/run_tests/xds_k8s_test_driver/kubernetes-manifests/client.deployment.yaml
+++ b/tools/run_tests/xds_k8s_test_driver/kubernetes-manifests/client.deployment.yaml
@ -18,7 +18,9 @@ spec:
        app: ${deployment_name}
        owner: xds-k8s-interop-test
    spec:
+      % if service_account_name:
      serviceAccountName: ${service_account_name}
+      % endif
      containers:
      - name: ${deployment_name}
        image: ${image_name}
--- a/tools/run_tests/xds_k8s_test_driver/kubernetes-manifests/server.deployment.yaml
+++ b/tools/run_tests/xds_k8s_test_driver/kubernetes-manifests/server.deployment.yaml
@ -18,7 +18,9 @@ spec:
        app: ${deployment_name}
        owner: xds-k8s-interop-test
    spec:
+      % if service_account_name:
      serviceAccountName: ${service_account_name}
+      % endif
      containers:
      - name: ${deployment_name}
        image: ${image_name}