Replace GCP_ADC_FILE with a service account key #14893
Conversation
roboquat
added
release-note-none
do-not-merge/work-in-progress
size/M
size/L
and removed
size/M
labels
mads-hartmann
force-pushed
the
mads/remove-adc
branch
3 times, most recently
from
c908f5c to
db1c98b
Compare
mads-hartmann
force-pushed
the
mads/remove-adc
branch
from
db1c98b to
e4af046
Compare
| - name: build | ||
| description: Build all packages needed to deploy Gitpod to preview environments | ||
| script: ./workflow/preview/build.sh | ||
|
|
||
| - name: get-credentials |
There was a problem hiding this comment.
This was only used one place which I got rid of in this PR so I'm removing the script.
|
Converted back to draft as it turns out prebuilds are repo-global so we shouldn't write the service key to disk as part of the "before" step. We're currently writing it to |
mads-hartmann
force-pushed
the
mads/remove-adc
branch
4 times, most recently
from
7904879 to
72fdc35
Compare
| @@ -27,8 +28,7 @@ fi | |||
|
|
|||
| ensure_gcloud_auth | |||
|
|
|||
| leeway run dev/preview:get-credentials | |||
There was a problem hiding this comment.
This is now part of the workspace configuration instead
mads-hartmann
force-pushed
the
mads/remove-adc
branch
from
72fdc35 to
a5c4ff1
Compare
|
|
github-actions
bot
added
team: SID
team: IDE
team: workspace
roboquat
added
the
deployed: workspace
Description
The PR removes the use of the Gitpod User Environment Variable GCP_ADC_FILE in favour of a much more tightly scoped service account key which is controlled as a Gitpod Project Environment Variable PREVIEW_ENV_DEV_SA_KEY.
PREVIEW_ENV_DEV_SA_KEY is configured centrally which means that it's much easier for us to rotate. The service account has a limited set of roles assigned and only has access to the gitpod-core-dev GCP project which means that the blast radius is much smaller if it is ever leaked. For more information about this see our internal RFC Removing GCP_ADC_FILE.
By using a Project Environment variable we get the benefit that it will be accessible during prebuild execution. This means that when we build➡️ Writing the service account key to disk means it would be part of the prebuild - and while it was inpreviewctlit will be able to use the remote leeway cache rather than build it every time. Unfortunately there's a bug in Leeway that means we don't populate the cache at the moment, so we don't see this improvement yet: gitpod-io/leeway#137/home/gitpod/.configwhich isn't part of prebuilds today (only files in/workspaceare) that might change in the future, so to be safe we no longer use the key during prebuilds.Using this service account also eliminate the current manual step of
gcloud auth login --no-launch-browserwhich was needed to get access to the leeway caches - this means thatleeway run dev:prevewwill no longer require that you sign in to GCP.Related Issue(s)
Part of https://github.com/gitpod-io/security/issues/79
Fixes #13714
How to test
Test that
dev:previewstill worksTest that the Werft job still works
Release Notes
Documentation
N/A
Werft options:
If enabled this will build
install/previewValid options are
all,workspace,webapp,ide,jetbrains,vscode,ssh