Use non-default GCP SA in CI testing. (openconfig#2647)

nokia · Jul 17, 2024 · e0859fc · e0859fc
1 parent f6070f1
commit e0859fc
Show file tree

Hide file tree

Showing 5 changed files with 8 additions and 2 deletions.
diff --git a/cloudbuild/virtual.yaml b/cloudbuild/virtual.yaml
@@ -6,7 +6,7 @@ steps:
       - USERNAME=user
       - SSH_ARGS=--internal-ip --ssh-key-expire-after=1d
       - INSTANCE_NAME=fp-presubmit-${BUILD_ID}
-      - INSTANCE_ARGS=--network cloudbuild-workers --image-project gep-kne --image-family kne --machine-type ${_MACHINE_TYPE} ${_MACHINE_ARGS} --boot-disk-size 200GB --scopes=default,compute-rw
+      - INSTANCE_ARGS=--network cloudbuild-workers --image-project gep-kne --image-family kne --machine-type ${_MACHINE_TYPE} ${_MACHINE_ARGS} --boot-disk-size 200GB --service-account=fp-kne@disco-idea-817.iam.gserviceaccount.com --scopes=default,compute-rw
       - ZONE=us-west1-a
       - REMOTE_WORKSPACE=/tmp/featureprofiles
       - COMMAND=sudo su -c "echo 'user ALL=(ALL) NOPASSWD:ALL' | sudo EDITOR='tee -a' visudo"; sudo -iu user /tmp/featureprofiles/cloudbuild/virtual.sh "${_DUT_PLATFORM}" "${_DUT_TESTS}"

diff --git a/tools/ci-trigger/README.md b/tools/ci-trigger/README.md
@@ -84,7 +84,7 @@ docker push us-west1-docker.pkg.dev/disco-idea-817/featureprofiles-ci/featurepro
 To deploy the container into the project:
 
 ```
-gcloud run deploy featureprofiles-ci-trigger --cpu 2000m --memory 2Gi --region us-west1 --image us-west1-docker.pkg.dev/disco-idea-817/featureprofiles-ci/featureprofiles-ci-trigger:latest
+gcloud run deploy featureprofiles-ci-trigger --cpu 2000m --memory 2Gi --region us-west1 --image us-west1-docker.pkg.dev/disco-idea-817/featureprofiles-ci/featureprofiles-ci-trigger:latest --service-account [SERVICE_ACCOUNT]
 ```
 
 Allow for background CPU and a minimum instance count for pubsub pull to continue processing.

diff --git a/tools/ci-trigger/cloudbuild.go b/tools/ci-trigger/cloudbuild.go
@@ -72,6 +72,7 @@ func (c *cloudBuild) submitBuild(objPath string) (string, string, error) {
 			Object: objPath,
 		},
 	}
+	build.ServiceAccount = gcpCloudBuildServiceAccount
 
 	resp, err := c.buildClient.Projects.Locations.Builds.Create("projects/"+gcpProjectID+"/locations/us-west1", build).Do()
 	if err != nil {

diff --git a/tools/ci-trigger/cloudbuild.yaml b/tools/ci-trigger/cloudbuild.yaml
@@ -11,3 +11,5 @@ steps:
     args: ['run', 'deploy', 'featureprofiles-ci-trigger', '--image', 'us-west1-docker.pkg.dev/$PROJECT_ID/featureprofiles-ci/featureprofiles-ci-trigger:$COMMIT_SHA', '--region', 'us-west1']
 images:
   - us-west1-docker.pkg.dev/$PROJECT_ID/featureprofiles-ci/featureprofiles-ci-trigger
+options:
+  logging: CLOUD_LOGGING_ONLY
diff --git a/tools/ci-trigger/config.go b/tools/ci-trigger/config.go
@@ -51,6 +51,9 @@ const (
 
 	// gcpPhysicalTestTopic is the name of the pubsub topic in gcpProjectID for launching physical tests.
 	gcpPhysicalTestTopic = "featureprofiles-physical-tests"
+
+	// gcpCloudBuildServiceAccount is the service account used by all Cloud Build jobs launched for KNE tests.
+	gcpCloudBuildServiceAccount = "fp-kne-cloudbuild@disco-idea-817.iam.gserviceaccount.com"
 )
 
 // authorizedTeams is the list of GitHub organization teams authorized to launch Cloud Build jobs.