
fix: use different google service account

The current one already exists. Also remove GCP_GSA_NAME as
it doesn't seem to be used any more.

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Moritz Johner hace 8 meses
padre
commit
2e49e74027

+ 15 - 17
.github/actions/e2e-managed/action.yml

@@ -81,14 +81,13 @@ runs:
         role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }}
         aws-region: ${{ env.AWS_REGION }}
 
-    - name: Setup TF Gcloud Provider
-      shell: bash
+    - uses: 'google-github-actions/auth@fc2174804b84f912b1f6d334e9463f484f1c552d' # v3
       if: env.CLOUD_PROVIDER == 'gcp'
-      env:
-        GCP_SM_SA_GKE_JSON: ${{ env.GCP_SM_SA_GKE_JSON }}
-      run: |-
-        mkdir -p terraform/gcp/secrets
-        echo ${GCP_SM_SA_GKE_JSON} > terraform/gcp/secrets/gcloud-service-account-key.json
+      with:
+        project_id: ${{ env.GCP_FED_PROJECT_ID }}
+        service_account: ${{ env.GCP_FED_SERVICE_ACCOUNT_EMAIL }}
+        workload_identity_provider: ${{ env.GCP_FED_WORKLOAD_IDENTITY_PROVIDER }}
+        create_credentials_file: true
 
     - name: 'Az CLI login'
       uses: azure/login@v1
@@ -107,20 +106,20 @@ runs:
       run: |-
         PROVIDER=${{env.CLOUD_PROVIDER}}
         make tf.apply.${PROVIDER}
+        make tf.gha.output.${PROVIDER}
 
     - name: Setup gcloud CLI
       if: env.CLOUD_PROVIDER == 'gcp'
-      uses: google-github-actions/setup-gcloud@v0
+      uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3
       with:
-        service_account_key: ${{ env.GCP_SM_SA_GKE_JSON }}
-        project_id: ${{ env.GCP_PROJECT_ID }}
         install_components: 'gke-gcloud-auth-plugin'
 
-    - name: Get the GKE credentials
-      shell: bash
-      if: env.CLOUD_PROVIDER == 'gcp'
-      run: |-
-        gcloud container clusters get-credentials "$GCP_GKE_CLUSTER" --zone "$GCP_GKE_ZONE" --project "$GCP_PROJECT_ID"
+    - id: 'get-credentials'
+      uses: 'google-github-actions/get-gke-credentials@v3'
+      with:
+        cluster_name: '${{ env.GCP_GKE_CLUSTER }}'
+        location: 'europe-west1'
+        project_id: '${{ env.GCP_FED_PROJECT_ID }}'
 
     - name: Get the AWS credentials
       shell: bash
@@ -145,11 +144,10 @@ runs:
     - name: Run managed e2e Tests
       shell: bash
       env:
-        GCP_SM_SA_JSON: ${{ env.GCP_SM_SA_JSON }}
+        GCP_SERVICE_ACCOUNT_KEY: ${{ env.GCP_SERVICE_ACCOUNT_KEY }}
       run: |
         export PATH=$PATH:$(go env GOPATH)/bin
         PROVIDER=${{env.CLOUD_PROVIDER}}
-        go install github.com/onsi/ginkgo/v2/ginkgo@v2.1.6
         make test.e2e.managed GINKGO_LABELS="${PROVIDER} && managed" TEST_SUITES="provider"
 
     - name: Destroy TF
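Review bot: The new `get-credentials` step hard-codes `location: 'europe-west1'` while every other location in this commit is taken from the `GCP_FED_REGION` secret (the Terraform cluster is created at `var.GCP_FED_REGION`), so the two can silently diverge and `get-gke-credentials` would then look up a cluster that does not exist; use `location: '${{ env.GCP_FED_REGION }}'` like the `project_id` line below it. In the same hunk `google-github-actions/get-gke-credentials@v3` is a floating tag, whereas the `auth` and `setup-gcloud` steps in this file are pinned to a full commit SHA with a `# v3` comment — pin it the same way so the three Google steps share one supply-chain posture. The added `make tf.gha.output.${PROVIDER}` appends Terraform outputs to `$GITHUB_OUTPUT`, but nothing in the visible hunks reads `steps.<id>.outputs.*`, and the `Run managed e2e Tests` step still takes `GCP_SERVICE_ACCOUNT_KEY` from the workflow env (a repository secret); if the key is meant to come from Terraform, the apply step needs an `id` and the consumer should reference its output. The apply step's header sits above this hunk, so it may already carry one.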

+ 1 - 1
.github/workflows/ci.yml

@@ -98,7 +98,7 @@ jobs:
           egress-policy: audit
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
+      - uses: hashicorp/setup-terraform@v3
       - name: Setup Go
         uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         id: setup-go
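Review bot: `hashicorp/setup-terraform@v3` is added as a floating major tag between two steps (`actions/checkout`, `actions/setup-go`) that this file pins to a full commit SHA with a version comment, so the new step is the only one whose code can change underneath the workflow. Pin it the same way, e.g. `uses: hashicorp/setup-terraform@<commit-sha> # v3`, and give it a `name:` like its neighbours so the job log is readable.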

+ 10 - 7
.github/workflows/e2e-managed.yml

@@ -15,17 +15,19 @@ env:
   # a step 'if env.GHCR_USERNAME' != ""', so we copy these to succinctly test whether
   # credentials have been provided before trying to run steps that need them.
   GHCR_USERNAME: ${{ github.actor }}
-  GCP_SM_SA_JSON: ${{ secrets.GCP_SM_SA_JSON}}
-  GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID}}
+  GCP_SERVICE_ACCOUNT_KEY: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY}}
   USE_GKE_GCLOUD_AUTH_PLUGIN: true
-  TF_VAR_GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID}}
   GCP_SM_SA_GKE_JSON: ${{ secrets.GCP_SM_SA_GKE_JSON}}
-  GCP_GKE_CLUSTER: test-cluster
-  GCP_GKE_ZONE: ${{ secrets.GCP_GKE_ZONE}}
-  GCP_GSA_NAME: ${{ secrets.GCP_GSA_NAME}} # Google Service Account
+  GCP_GKE_CLUSTER: e2e
+  TF_VAR_GCP_GKE_CLUSTER: e2e
+  GCP_FED_REGION: ${{ secrets.GCP_FED_REGION}}
+  TF_VAR_GCP_FED_REGION: ${{ secrets.GCP_FED_REGION }}
   GCP_KSA_NAME: ${{ secrets.GCP_KSA_NAME}} # Kubernetes Service Account
-  TF_VAR_GCP_GSA_NAME: ${{ secrets.GCP_GSA_NAME}} # Google Service Account for tf
   TF_VAR_GCP_KSA_NAME: ${{ secrets.GCP_KSA_NAME}} # Kubernetes Service Account for tf
+  GCP_FED_PROJECT_ID: ${{ secrets.GCP_FED_PROJECT_ID }}
+  TF_VAR_GCP_FED_PROJECT_ID: ${{ secrets.GCP_FED_PROJECT_ID }}
+  GCP_FED_SERVICE_ACCOUNT_EMAIL: ${{ secrets.GCP_FED_SERVICE_ACCOUNT_EMAIL }}
+  GCP_FED_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_FED_WORKLOAD_IDENTITY_PROVIDER }}
 
   AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN}}
   AWS_SA_NAME: ${{ secrets.AWS_SA_NAME }}
@@ -62,6 +64,7 @@ jobs:
       id-token: write #for oidc auth with aws/gcp/azure
       checks: write   #publish the commit status
       contents: read  #for checkout
+      packages: write #for publishing packages 
     steps:
     - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
       with:
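Review bot: `GCP_SM_SA_GKE_JSON` is kept in the `env:` block although the only consumers shown in this commit — the step that wrote it to `terraform/gcp/secrets/gcloud-service-account-key.json` and the `service_account_key:` input of `setup-gcloud` — are both removed in `.github/actions/e2e-managed/action.yml`; given that the commit message already removes `GCP_GSA_NAME` as unused, this secret looks like the same kind of leftover and should go unless something outside the diff still reads it. The new `packages: write #for publishing packages ` line carries trailing whitespace and broadens the job's token beyond what the title describes; if it is required, drop the trailing space and say in the comment which step pushes the package.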

+ 3 - 3
.github/workflows/e2e.yml

@@ -19,11 +19,11 @@ env:
   # credentials have been provided before trying to run steps that need them.
   TARGET_SHA: ${{ github.event.client_payload.slash_command.args.named.sha }}
   GHCR_USERNAME: ${{ github.actor }}
-  GCP_SM_SA_JSON: ${{ secrets.GCP_SM_SA_JSON}}
-  GCP_GKE_ZONE: ${{ secrets.GCP_GKE_ZONE}}
+  GCP_SERVICE_ACCOUNT_KEY: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY}}
+  GCP_FED_REGION: ${{ secrets.GCP_FED_REGION}}
   GCP_GSA_NAME: ${{ secrets.GCP_GSA_NAME}} # Google Service Account
   GCP_KSA_NAME: ${{ secrets.GCP_KSA_NAME}} # Kubernetes Service Account
-  GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID}}
+  GCP_FED_PROJECT_ID: ${{ secrets.GCP_FED_PROJECT_ID}}
 
   AWS_REGION: "eu-central-1"
   AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}
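Review bot: `GCP_GSA_NAME: ${{ secrets.GCP_GSA_NAME}} # Google Service Account` survives in this workflow even though the commit message states the variable is removed as unused, `e2e/run.sh` in the same commit stops forwarding it, and the Terraform stacks no longer declare a `GCP_GSA_NAME` variable; drop the line here too so the two e2e workflows agree. The same hunk renames `GCP_SM_SA_JSON` to `GCP_SERVICE_ACCOUNT_KEY`, which matches `e2e/run.sh` and `provider.go`, so that part is consistent.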

+ 8 - 0
Makefile

@@ -347,6 +347,14 @@ tf.destroy.%:
 	terraform init && \
 	terraform destroy -auto-approve
 
+# The TF workspaces can output values which are fed into GitHub Actions
+# They are consumed by the e2e tests.
+# for instance, GCP creates a service account private key which is
+# passed into the e2e tests as an environment variable.
+tf.gha.output.%:
+	@cd $(TF_DIR)/$*/infrastructure && \
+	terraform output -json | jq -r 'to_entries[] | "\(.key)=\(.value.value)"' >> $$GITHUB_OUTPUT
+
 tf.fmt:
 	@cd $(TF_DIR) && \
 	terraform fmt -recursive
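Review bot: The `jq -r 'to_entries[] | "\(.key)=\(.value.value)"' >> $$GITHUB_OUTPUT` line writes every output in the single-line `key=value` form, which GitHub Actions only accepts when the value contains no newline; the comment above says the intended payload is a service-account private key, and any output with an embedded newline would corrupt the file and be truncated or rejected. Emit the multi-line form instead, e.g. `"\(.key)<<TF_OUTPUT_EOF\n\(.value.value | tostring)\nTF_OUTPUT_EOF"`, which is safe for both one-line and multi-line values. Values that Terraform marks `sensitive` are not masked by Actions when written this way, so consider emitting `::add-mask::` for entries with `.value.sensitive == true` before appending them. Quoting `"$$GITHUB_OUTPUT"` would also make the redirect fail loudly when the variable is unset outside CI.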

+ 3 - 4
e2e/run.sh

@@ -47,11 +47,10 @@ kubectl run --rm \
   --labels="app=eso-e2e,azure.workload.identity/use=true" \
   --env="ACK_GINKGO_DEPRECATIONS=2.9.5" \
   --env="GINKGO_LABELS=${GINKGO_LABELS:-.*}" \
-  --env="GCP_SM_SA_JSON=${GCP_SM_SA_JSON:-}" \
-  --env="GCP_PROJECT_ID=${GCP_PROJECT_ID:-}" \
-  --env="GCP_GSA_NAME=${GCP_GSA_NAME:-}" \
+  --env="GCP_SERVICE_ACCOUNT_KEY=${GCP_SERVICE_ACCOUNT_KEY:-}" \
+  --env="GCP_FED_PROJECT_ID=${GCP_FED_PROJECT_ID:-}" \
   --env="GCP_KSA_NAME=${GCP_KSA_NAME:-}" \
-  --env="GCP_GKE_ZONE=${GCP_GKE_ZONE:-}" \
+  --env="GCP_FED_REGION=${GCP_FED_REGION:-}" \
   --env="GCP_GKE_CLUSTER=${GCP_GKE_CLUSTER:-}" \
   --env="AWS_REGION=${AWS_REGION:-}" \
   --env="AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID:-}" \

+ 3 - 3
e2e/suites/provider/cases/gcp/provider.go

@@ -83,11 +83,11 @@ func NewGCPProvider(f *framework.Framework, credentials, projectID string,
 }
 
 func NewFromEnv(f *framework.Framework, controllerClass string) *GcpProvider {
-	projectID := os.Getenv("GCP_PROJECT_ID")
-	credentials := os.Getenv("GCP_SM_SA_JSON")
+	projectID := os.Getenv("GCP_FED_PROJECT_ID")
+	credentials := os.Getenv("GCP_SERVICE_ACCOUNT_KEY")
 	serviceAccountName := os.Getenv("GCP_KSA_NAME")
 	serviceAccountNamespace := "default"
-	clusterLocation := os.Getenv("GCP_GKE_ZONE")
+	clusterLocation := os.Getenv("GCP_FED_REGION")
 	clusterName := os.Getenv("GCP_GKE_CLUSTER")
 	return NewGCPProvider(f, credentials, projectID, clusterLocation, clusterName, serviceAccountName, serviceAccountNamespace, controllerClass)
 }

+ 13 - 7
terraform/gcp/infrastructure/main.tf

@@ -1,20 +1,26 @@
 locals {
   credentials_path = "secrets/gcloud-service-account-key.json"
-  region           = "europe-west1"
 }
 
 module "network" {
   source     = "./modules/network"
-  region     = local.region
-  project_id = var.GCP_PROJECT_ID
+  region     = var.GCP_FED_REGION
+  project_id = var.GCP_FED_PROJECT_ID
 }
 
 module "cluster" {
   source       = "./modules/gke"
-  project_id   = var.GCP_PROJECT_ID
-  region       = local.region
+  project_id   = var.GCP_FED_PROJECT_ID
+  region       = var.GCP_FED_REGION
+  cluster_name = var.GCP_GKE_CLUSTER
   network      = module.network.network_name
   subnetwork   = module.network.subnetwork_name
-  GCP_GSA_NAME = var.GCP_GSA_NAME
-  GCP_KSA_NAME = var.GCP_KSA_NAME
+
+  workload_identity_users = [
+    # eso provider which is set up by e2e tests to 
+    # assert eso functionality.
+    var.GCP_KSA_NAME,
+    # e2e test runner which orchestrates the tests
+    "external-secrets-e2e",
+  ]
 }
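Review bot: The `credentials_path = "secrets/gcloud-service-account-key.json"` local on the first line of this hunk is kept, yet this commit removes every `credentials = file(...)` reference in `provider.tf` and the workflow step that used to write that file; if no other module reads `local.credentials_path` it is now dead and points at a path that no longer exists, so delete it (or add a comment naming its remaining consumer). The comment `# eso provider which is set up by e2e tests to ` inside `workload_identity_users` has trailing whitespace that `terraform fmt` will flag.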

+ 10 - 14
terraform/gcp/infrastructure/modules/gke/main.tf

@@ -1,6 +1,6 @@
 resource "google_service_account" "default" {
   project    = var.project_id
-  account_id = var.GCP_GSA_NAME
+  account_id = "e2e-managed-secretmanager"
 }
 
 resource "google_project_iam_member" "secretadmin" {
@@ -16,24 +16,20 @@ resource "google_project_iam_member" "service_account_token_creator" {
 }
 
 resource "google_service_account_iam_member" "pod_identity" {
+  for_each           = toset(var.workload_identity_users)
   role               = "roles/iam.workloadIdentityUser"
-  member             = "serviceAccount:${var.project_id}.svc.id.goog[default/${var.GCP_KSA_NAME}]"
-  service_account_id = google_service_account.default.name
-}
-
-resource "google_service_account_iam_member" "pod_identity_e2e" {
-  role               = "roles/iam.workloadIdentityUser"
-  member             = "serviceAccount:${var.project_id}.svc.id.goog[default/external-secrets-e2e]"
+  member             = "serviceAccount:${var.project_id}.svc.id.goog[default/${each.value}]"
   service_account_id = google_service_account.default.name
 }
 
 resource "google_container_cluster" "primary" {
-  project            = var.project_id
-  name               = "e2e"
-  initial_node_count = 1
-  network            = var.network
-  subnetwork         = var.subnetwork
-  location           = var.region
+  project             = var.project_id
+  name                = var.cluster_name
+  initial_node_count  = 1
+  network             = var.network
+  subnetwork          = var.subnetwork
+  location            = var.region
+  deletion_protection = false
 
   ip_allocation_policy {}
   workload_identity_config {
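Review bot: `account_id = "e2e-managed-secretmanager"` is hard-coded in this module and the same string is re-typed as a literal in the `iam.gke.io/gcp-service-account` annotation in `terraform/gcp/kubernetes/main.tf`, so a rename in one place silently breaks workload identity in the other; expose the email from this module, `output "service_account_email" { value = google_service_account.default.email }`, and have the kubernetes stack consume it (via a variable or `terraform_remote_state` now that both stacks share the `eso-e2e-tfstate` bucket). Adding `for_each` to `google_service_account_iam_member.pod_identity` changes its resource address from `pod_identity` to `pod_identity["<name>"]`, so an existing state would plan a destroy/create of the binding rather than an in-place change; that is harmless if the new backend prefix starts from empty state, but a `moved` block would make the intent explicit. `deletion_protection = false` is reasonable for an ephemeral e2e cluster and deserves a one-line comment saying so.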

+ 4 - 4
terraform/gcp/infrastructure/modules/gke/variable.tf

@@ -10,9 +10,9 @@ variable "network" {
 variable "subnetwork" {
   type = string
 }
-variable "GCP_GSA_NAME" {
-  type = string
+variable "workload_identity_users" {
+  type = list(string)
 }
-variable "GCP_KSA_NAME" {
+variable "cluster_name" {
   type = string
-}
+}

+ 10 - 16
terraform/gcp/infrastructure/provider.tf

@@ -1,35 +1,29 @@
 terraform {
   backend "gcs" {
-    bucket      = "eso-infra-state"
-    prefix      = "eso-infra-state/state"
-    # TODO above bucket/prefix configuration is valid for the old account
-    # the new account w/ identity federation should use the below bucket.
-    #bucket      = "eso-e2e-tfstate"
-    credentials = "../secrets/gcloud-service-account-key.json"
+    bucket = "eso-e2e-tfstate"
+    prefix = "gcp-infrastructure"
   }
 
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "~> 3.5"
+      version = "~> 7.5"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = "~> 3.5"
+      version = "~> 7.5"
     }
   }
 }
 
 provider "google" {
-  project     = "external-secrets-operator"
-  region      = "europe-west1"
-  zone        = "europe-west1-b"
-  credentials = file("../secrets/gcloud-service-account-key.json")
+  project = "external-secrets-operator"
+  region  = "europe-west1"
+  zone    = "europe-west1-b"
 }
 
 provider "google-beta" {
-  project     = "external-secrets-operator"
-  region      = "europe-west1"
-  zone        = "europe-west1-b"
-  credentials = file("../secrets/gcloud-service-account-key.json")
+  project = "external-secrets-operator"
+  region  = "europe-west1"
+  zone    = "europe-west1-b"
 }
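Review bot: The backend moves from `eso-infra-state` / `eso-infra-state/state` to `eso-e2e-tfstate` / `gcp-infrastructure` in the same hunk that drops the backend `credentials`, which means the next `terraform init` starts from empty state unless `-migrate-state` is run against the old bucket; the commit message does not say whether the old environment is abandoned, so note that here (a short comment on the `backend "gcs"` block is enough). `version = "~> 7.5"` replaces `~> 3.5` for both the `google` and `google-beta` providers, a four-major jump with breaking resource-argument changes, yet no `.terraform.lock.hcl` update is visible in this commit — confirm the lock file is regenerated and committed alongside this change.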

+ 6 - 3
terraform/gcp/infrastructure/variable.tf

@@ -1,9 +1,12 @@
-variable "GCP_PROJECT_ID" {
+variable "GCP_FED_PROJECT_ID" {
   type = string
 }
-variable "GCP_GSA_NAME" {
+variable "GCP_KSA_NAME" {
   type = string
 }
-variable "GCP_KSA_NAME" {
+variable "GCP_GKE_CLUSTER" {
+  type = string
+}
+variable "GCP_FED_REGION" {
   type = string
 }

+ 1 - 1
terraform/gcp/kubernetes/main.tf

@@ -2,7 +2,7 @@ resource "kubernetes_service_account" "test" {
   metadata {
     name = var.GCP_KSA_NAME
     annotations = {
-      "iam.gke.io/gcp-service-account" : "${var.GCP_GSA_NAME}@${var.GCP_PROJECT_ID}.iam.gserviceaccount.com"
+      "iam.gke.io/gcp-service-account" : "e2e-managed-secretmanager@${var.GCP_FED_PROJECT_ID}.iam.gserviceaccount.com"
     }
   }
 }

+ 12 - 12
terraform/gcp/kubernetes/provider.tf

@@ -1,28 +1,28 @@
 terraform {
+  backend "gcs" {
+    bucket = "eso-e2e-tfstate"
+    prefix = "gcp-kubernetes"
+  }
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "~> 3.5"
+      version = "~> 7.5"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = "~> 3.5"
+      version = "~> 7.5"
     }
   }
 }
 
 provider "google" {
-  project     = "external-secrets-operator"
-  region      = "europe-west1"
-  zone        = "europe-west1-b"
-  credentials = file("../secrets/gcloud-service-account-key.json")
+  project = "external-secrets-operator"
+  region  = "europe-west1"
 }
 
 provider "google-beta" {
-  project     = "external-secrets-operator"
-  region      = "europe-west1"
-  zone        = "europe-west1-b"
-  credentials = file("../secrets/gcloud-service-account-key.json")
+  project = "external-secrets-operator"
+  region  = "europe-west1"
 }
 
 
@@ -36,7 +36,7 @@ provider "kubernetes" {
 
 
 data "google_container_cluster" "this" {
-  project  = var.GCP_PROJECT_ID
-  location = "europe-west1-b" # must match ../infrastructure
+  project  = var.GCP_FED_PROJECT_ID
+  location = "europe-west1" # must match ../infrastructure
   name     = "e2e"
 }
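Review bot: `data "google_container_cluster" "this"` still hard-codes `location = "europe-west1"` and `name = "e2e"` under a `# must match ../infrastructure` comment, but after this commit the infrastructure stack derives both from `var.GCP_FED_REGION` and `var.GCP_GKE_CLUSTER`, with the region coming from a repository secret, so the comment can no longer be verified by reading the code. The workflow already exports `TF_VAR_GCP_FED_REGION` and `TF_VAR_GCP_GKE_CLUSTER`, so declare the two variables in `variables.tf` and use `location = var.GCP_FED_REGION` and `name = var.GCP_GKE_CLUSTER` here, or read them from the `gcp-infrastructure` prefix via `terraform_remote_state` now that both stacks share the `eso-e2e-tfstate` bucket.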

+ 1 - 4
terraform/gcp/kubernetes/variables.tf

@@ -1,7 +1,4 @@
-variable "GCP_PROJECT_ID" {
-  type = string
-}
-variable "GCP_GSA_NAME" {
+variable "GCP_FED_PROJECT_ID" {
   type = string
 }
 variable "GCP_KSA_NAME" {