Replace GCP_ADC_FILE with a service account key

.gitpod.yml

@@ -1,4 +1,4 @@
-image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:mads-dont-include-previewctl-in-image.12
+image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:mads-remove-adc.9
 workspaceLocation: gitpod/gitpod-ws.code-workspace
 checkoutLocation: gitpod
 ports:
@@ -34,12 +34,11 @@ ports:
   - port: 8022
     onOpen: ignore
 tasks:
+  # This task takes care of configuring your workspace so it can manage and interact
+  # with preview environments.
   - name: Preview environment configuration
-    init: |
-      leeway run dev/preview/previewctl:install
-    command: |
-      previewctl get-credentials
-      previewctl install-context --watch
+    init: leeway run dev/preview/previewctl:install
+    command: leeway run dev/preview:configure-workspace
   - name: Installer dependencies
     init: |
       (cd install/installer && make deps)

.werft/aks-installer-tests.yaml

@@ -65,7 +65,7 @@ pod:
       secretName: self-hosted-github-oauth
   containers:
   - name: nightly-test
-    image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:mads-dont-include-previewctl-in-image.12
+    image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:mads-remove-adc.9
     workingDir: /workspace
     imagePullPolicy: Always
     volumeMounts:

.werft/build.yaml

@@ -70,7 +70,7 @@ pod:
     - name: MYSQL_TCP_PORT
       value: 23306
   - name: build
-    image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:mads-dont-include-previewctl-in-image.12
+    image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:mads-remove-adc.9
     workingDir: /workspace
     imagePullPolicy: IfNotPresent
     resources:

.werft/cleanup-installer-tests.yaml

@@ -25,7 +25,7 @@ pod:
       secretName: aks-credentials
   containers:
   - name: nightly-test
-    image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:mads-dont-include-previewctl-in-image.12
+    image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:mads-remove-adc.9
     workingDir: /workspace
     imagePullPolicy: Always
     volumeMounts:

.werft/debug.yaml

@@ -54,7 +54,7 @@ pod:
     - name: MYSQL_TCP_PORT
       value: 23306
   - name: build
-    image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:mads-dont-include-previewctl-in-image.12
+    image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:mads-remove-adc.9
     workingDir: /workspace
     imagePullPolicy: IfNotPresent
     volumeMounts:

.werft/eks-installer-tests.yaml

@@ -65,7 +65,7 @@ pod:
       secretName: self-hosted-github-oauth
   containers:
   - name: nightly-test
-    image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:mads-dont-include-previewctl-in-image.12
+    image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:mads-remove-adc.9
     workingDir: /workspace
     imagePullPolicy: Always
     volumeMounts:

.werft/gke-installer-tests.yaml

@@ -65,7 +65,7 @@ pod:
         secretName: self-hosted-github-oauth
   containers:
     - name: nightly-test
-      image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:mads-dont-include-previewctl-in-image.12
+      image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:mads-remove-adc.9
       workingDir: /workspace
       imagePullPolicy: Always
       volumeMounts:

.werft/ide-integration-tests-startup.yaml

@@ -17,7 +17,7 @@ pod:
         secretName: github-token-gitpod-bot
   containers:
     - name: gcloud
-      image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:mads-dont-include-previewctl-in-image.12
+      image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:mads-remove-adc.9
       workingDir: /workspace
       imagePullPolicy: IfNotPresent
       env:

.werft/k3s-installer-tests.yaml

@@ -65,7 +65,7 @@ pod:
       secretName: self-hosted-github-oauth
   containers:
   - name: nightly-test
-    image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:mads-dont-include-previewctl-in-image.12
+    image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:mads-remove-adc.9
     workingDir: /workspace
     imagePullPolicy: Always
     volumeMounts:

.werft/platform-delete-preview-environment.yaml

@@ -25,7 +25,7 @@ pod:
         secretName: harvester-vm-ssh-keys
   containers:
     - name: build
-      image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:mads-dont-include-previewctl-in-image.12
+      image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:mads-remove-adc.9
       workingDir: /workspace
       imagePullPolicy: IfNotPresent
       volumeMounts:

.werft/platform-delete-preview-environments-cron.yaml

@@ -29,7 +29,7 @@ pod:
         secretName: github-token-gitpod-bot
   containers:
     - name: build
-      image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:mads-dont-include-previewctl-in-image.12
+      image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:mads-remove-adc.9
       workingDir: /workspace
       imagePullPolicy: IfNotPresent
       volumeMounts:

.werft/platform-trigger-artificial-job.yaml

@@ -24,7 +24,7 @@ pod:
         secretName: github-token-gitpod-bot
   containers:
     - name: build
-      image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:mads-dont-include-previewctl-in-image.12
+      image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:mads-remove-adc.9
       workingDir: /workspace
       imagePullPolicy: IfNotPresent
       volumeMounts:

.werft/platform-trigger-werft-cleanup.yaml

@@ -22,7 +22,7 @@ pod:
         secretName: gcp-sa-gitpod-dev-deployer
   containers:
     - name: build
-      image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:mads-dont-include-previewctl-in-image.12
+      image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:mads-remove-adc.9
       workingDir: /workspace
       imagePullPolicy: IfNotPresent
       volumeMounts:

.werft/workspace-run-integration-tests.yaml

@@ -22,7 +22,7 @@ pod:
         secretName: github-token-gitpod-bot
   containers:
     - name: gcloud
-      image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:mads-dont-include-previewctl-in-image.12
+      image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:mads-remove-adc.9
       workingDir: /workspace
       imagePullPolicy: IfNotPresent
       env:

dev/image/BUILD.yaml

@@ -8,7 +8,6 @@ packages:
       - imageRepoBase
     srcs:
       - gcloud-default-config
-      - kubeconfig.yaml
     config:
       dockerfile: Dockerfile
       image:

dev/image/Dockerfile

@@ -163,18 +163,11 @@ RUN sudo install-packages \
 
 RUN sudo python3 -m pip uninstall crcmod; sudo python3 -m pip install --no-cache-dir -U crcmod
 
-### gitpod-core specific gcloud/kubectl config
+### gitpod-core specific gcloud config
 # Copy GCloud default config that points to gitpod-dev
 ARG GCLOUD_CONFIG_DIR=/home/gitpod/.config/gcloud
 COPY --chown=gitpod gcloud-default-config $GCLOUD_CONFIG_DIR/configurations/config_default
 
-# Set kubeconfig file for dev cluster, using GCloud Application Default Credentials (ADC) as auth provider
-ARG KUBE_CONFIG_PATH=/home/gitpod/.kube/config
-COPY --chown=gitpod kubeconfig.yaml $KUBE_CONFIG_PATH
-
-# Set Application Default Credentials (ADC) based on user-provided env var
-RUN echo ". /workspace/gitpod/scripts/setup-google-adc.sh" >> ~/.bashrc
-
 ENV DB_HOST=localhost
 
 ENV LEEWAY_WORKSPACE_ROOT=/workspace/gitpod
@@ -263,3 +256,7 @@ COPY dev-kubecdl--app/kubecdl dev-gpctl--app/gpctl /usr/bin/
 RUN bash -c "echo . \<\(gpctl completion bash\) >> ~/.bashrc"
 
 ENV PATH=$PATH:/workspace/bin
+
+# Setting the environment variable here so that it will be accessible to all tasks and
+# terminal sessions in Gitpod workspaces.
+ENV PREVIEW_ENV_DEV_SA_KEY_PATH=/home/gitpod/.config/gcloud/preview-environment-dev-sa.json

dev/preview/BUILD.yaml

@@ -11,18 +11,20 @@ packages:
         - [ "sh", "-c", "cat components--all-docker/versions.yaml > /tmp/versions.yaml" ]
 
 scripts:
+
+  - name: configure-workspace
+    description: Configures the workspace so that it has access to development resources (dev, harvester) as well as your preview environment.
+    script: ./workflow/preview/configure-workspace.sh
+
   - name: build
     description: Build all packages needed to deploy Gitpod to preview environments
     script: ./workflow/preview/build.sh
 
-  - name: get-credentials
-    description: Provisions a new preview environment
-    script: |
-      KUBECONFIG=$HOME/.kube/config previewctl get-credentials
-
   - name: create-preview
     description: Provisions a new preview environment
     script: |
+      export GOOGLE_APPLICATION_CREDENTIALS="${GOOGLE_APPLICATION_CREDENTIALS:-$PREVIEW_ENV_DEV_SA_KEY_PATH}"
+      export GOOGLE_BACKEND_CREDENTIALS="${GOOGLE_BACKEND_CREDENTIALS:-$PREVIEW_ENV_DEV_SA_KEY_PATH}"
       export TF_VAR_cert_issuer="${TF_VAR_cert_issuer:-zerossl-issuer-gitpod-core-dev}"
       export TF_VAR_dev_kube_path="${TF_VAR_dev_kube_path:-/home/gitpod/.kube/config}"
       export TF_VAR_dev_kube_context="${TF_VAR_dev_kube_context:-dev}"
@@ -38,6 +40,8 @@ scripts:
     description: Delete an existing preview environment
     script: |
       export DESTROY=true
+      export GOOGLE_APPLICATION_CREDENTIALS="${GOOGLE_APPLICATION_CREDENTIALS:-$PREVIEW_ENV_DEV_SA_KEY_PATH}"
+      export GOOGLE_BACKEND_CREDENTIALS="${GOOGLE_BACKEND_CREDENTIALS:-$PREVIEW_ENV_DEV_SA_KEY_PATH}"
       export TF_VAR_kubeconfig_path="${TF_VAR_kubeconfig_path:-$HOME/.kube/config}"
       export TF_VAR_preview_name="${TF_VAR_preview_name:-$(previewctl get-name)}"
       ./workflow/preview/deploy-harvester.sh

dev/preview/workflow/preview/build.sh

@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+# shellcheck disable=1091
 
 set -euo pipefail
 

dev/preview/workflow/preview/configure-workspace.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+# shellcheck disable=1090
+
+set -euo pipefail
+
+SCRIPT_PATH=$(realpath "$(dirname "$0")")
+
+source "$(realpath "${SCRIPT_PATH}/../lib/common.sh")"
+
+if [[ -z "${PREVIEW_ENV_DEV_SA_KEY:-}" ]]; then
+    log_warn "PREVIEW_ENV_DEV_SA_KEY is not set. Skipping workspace setup."
+    exit 0
+fi
+
+echo "${PREVIEW_ENV_DEV_SA_KEY}" > "${PREVIEW_ENV_DEV_SA_KEY_PATH}"
+gcloud auth activate-service-account --key-file "${PREVIEW_ENV_DEV_SA_KEY_PATH}"
+
+log_info "Configuring access to kubernetes clusters"
+previewctl get-credentials --gcp-service-account "${PREVIEW_ENV_DEV_SA_KEY_PATH}"
+
+log_info "Starting watch-loop to configure access to your preview environment"
+previewctl install-context --gcp-service-account "${PREVIEW_ENV_DEV_SA_KEY_PATH}" --watch

dev/preview/workflow/preview/deploy-gitpod.sh

@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+# shellcheck disable=1091
 
 set -euo pipefail
 

dev/preview/workflow/preview/deploy-harvester.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-
+# shellcheck disable=1091
 # shellcheck disable=SC2034
 
 set -euo pipefail

dev/preview/workflow/preview/deploy-monitoring-satellite.sh

@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+# shellcheck disable=1091
 
 set -euo pipefail
 

dev/preview/workflow/preview/preview.sh

@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
 # shellcheck disable=1091
+# shellcheck disable=1090
 
 set -euo pipefail
 
@@ -27,8 +28,7 @@ fi
 
 ensure_gcloud_auth
 
-leeway run dev/preview:get-credentials
 leeway run dev/preview:create-preview
 leeway run dev/preview:build
-previewctl install-context --retry 30
+previewctl install-context --gcp-service-account "${PREVIEW_ENV_DEV_SA_KEY_PATH}" --retry 30
 leeway run dev/preview:deploy-gitpod