
CI/CD in GitHub #165

Closed
phette23 opened this issue Nov 26, 2024 · 2 comments
Labels
devops priority: high work on these first

Comments

@phette23
Member

No description provided.

@phette23 phette23 added the priority: high work on these first label Jan 31, 2025
phette23 added a commit that referenced this issue Feb 10, 2025
phette23 added a commit that referenced this issue Feb 10, 2025
phette23 added a commit that referenced this issue Feb 11, 2025
@phette23
Member Author

phette23 commented Feb 11, 2025

To set up permissions we need to follow the Workload Identity Federation through a Service Account steps: create an SA, create a Workload Identity Pool, create a provider in the WIP, allow the SA to use the provider, grant the SA the needed role(s) on Artifact Registry.

gcloud commands

```fish
# fish shell, staging project example
set PROJECT_ID cca-web-staging
set SA libraries-wagtail-gh-actions
set SERVICE_ACCOUNT_EMAIL $SA@$PROJECT_ID.iam.gserviceaccount.com

# create a Service Account (SA)
gcloud iam service-accounts create $SA --project="$PROJECT_ID"

# create a workload identity pool
gcloud iam workload-identity-pools create github \
    --project="$PROJECT_ID" \
    --location=global \
    --display-name="GitHub Actions Pool"

# create workload identity pool provider
# the attribute condition rejects tokens from any repo not owned by the "cca" org
gcloud iam workload-identity-pools providers create-oidc libraries-wagtail \
    --project="$PROJECT_ID" \
    --location="global" \
    --workload-identity-pool="github" \
    --display-name="My GitHub repo Provider" \
    --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner" \
    --attribute-condition="assertion.repository_owner == 'cca'" \
    --issuer-uri="https://token.actions.githubusercontent.com"

# full resource name of the POOL (projects/NUMBER/locations/global/workloadIdentityPools/github);
# this is what the principalSet:// member below is built from
set WORKLOAD_IDENTITY_POOL_ID (gcloud iam workload-identity-pools describe github \
    --project="$PROJECT_ID" \
    --location="global" \
    --format="value(name)")

# full resource name of the PROVIDER (…/workloadIdentityPools/github/providers/libraries-wagtail);
# this is the WORKLOAD_IDENTITY_PROVIDER in the workflow
set WORKLOAD_IDENTITY_PROVIDER (gcloud iam workload-identity-pools providers describe libraries-wagtail \
    --project="$PROJECT_ID" \
    --location="global" \
    --workload-identity-pool="github" \
    --format="value(name)")
echo "workload_identity_provider: $WORKLOAD_IDENTITY_PROVIDER"

# Allow authentications from the Workload Identity Pool to our SA,
# restricted to tokens whose repository attribute is cca/libraries_wagtail
gcloud iam service-accounts add-iam-policy-binding "$SERVICE_ACCOUNT_EMAIL" \
    --project="$PROJECT_ID" \
    --role="roles/iam.workloadIdentityUser" \
    --member="principalSet://iam.googleapis.com/$WORKLOAD_IDENTITY_POOL_ID/attribute.repository/cca/libraries_wagtail"

# give SA permission to write to Artifact Registry
# note: repo name and location filled in
gcloud artifacts repositories add-iam-policy-binding cca-docker-web \
    --project="$PROJECT_ID" \
    --location=us-west1 \
    --role="roles/artifactregistry.writer" \
    --member="serviceAccount:$SERVICE_ACCOUNT_EMAIL"

# Grant GKE-specific roles: container.clusterViewer allows reading cluster
# information, container.developer permits deploying workloads to the cluster.
# Also artifactregistry.reader is indeed needed to pull images but writer
# above should cover that.
gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_EMAIL" \
    --role="roles/container.clusterViewer"

gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_EMAIL" \
    --role="roles/container.developer"
```
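The workflow side of the setup above, as an added example that is not part of the issue or the project's own repository: it requests a GitHub OIDC token (`id-token: write`), exchanges it for short-lived Google Cloud credentials through the `libraries-wagtail` provider in the `github` pool, and pushes an image to the `cca-docker-web` Artifact Registry repo in `us-west1`. The file name, the `IMAGE` name, and the use of a repository variable named `WORKLOAD_IDENTITY_PROVIDER` to hold the provider's full resource name are assumptions; the service account email and registry values come from the commands in the comment. No long-lived JSON key is stored anywhere: the only thing the repo holds is the non-secret provider resource name, and the `principalSet` binding means a token from any other repository is refused at the exchange step.

```yaml
# .github/workflows/build-push.yml (assumed file name)
name: Build and push image to Artifact Registry

on:
  push:
    branches: [main]

# id-token: write lets the job mint a GitHub OIDC token; without it the
# auth step fails before any credential exchange happens.
permissions:
  contents: read
  id-token: write

env:
  PROJECT_ID: cca-web-staging
  REGION: us-west1
  AR_REPO: cca-docker-web
  IMAGE: libraries-wagtail   # assumed image name, not stated in the issue

jobs:
  build-push:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Exchange the OIDC token for a short-lived credential for the SA.
      # vars.WORKLOAD_IDENTITY_PROVIDER is an assumed repository variable holding
      # the provider's full resource name, e.g.
      # projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/github/providers/libraries-wagtail
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }}
          service_account: libraries-wagtail-gh-actions@cca-web-staging.iam.gserviceaccount.com

      - uses: google-github-actions/setup-gcloud@v2

      # Register gcloud as the Docker credential helper for the AR host only.
      - run: gcloud auth configure-docker ${{ env.REGION }}-docker.pkg.dev --quiet

      # Tag with the commit SHA so every pushed image is traceable to source.
      - run: |
          TAG="${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.AR_REPO }}/${{ env.IMAGE }}:${{ github.sha }}"
          docker build -t "$TAG" .
          docker push "$TAG"
```

If the push is rejected with a permission error on the exchange step, the first things to check are that the `attribute.repository` in the SA binding matches `owner/repo` exactly (it is case-sensitive) and that the workflow's `permissions` block includes `id-token: write`.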

@phette23
Member Author

Once done we can delete the old AR repo.

phette23 added a commit that referenced this issue Feb 20, 2025