maintner/maintnerd: move to Workload Identity

Create a new service account, and move the deployment over to the prod
namespace. Also update the build image to Go 1.17.

Since I've been moving to Uniform Bucket Access as I do these, also
remove the per-object ACL setting that now fails.

For golang/go#48263.

Change-Id: Ifab7041cdc905884a22bad67e35d2ac1cfabfdb0
Reviewed-on: https://go-review.googlesource.com/c/build/+/349570
Trust: Heschi Kreinick <heschi@google.com>
Run-TryBot: Heschi Kreinick <heschi@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
diff --git a/maintner/maintnerd/Dockerfile b/maintner/maintnerd/Dockerfile
index e90b41b..5110a64 100644
--- a/maintner/maintnerd/Dockerfile
+++ b/maintner/maintnerd/Dockerfile
@@ -2,11 +2,8 @@
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 
-FROM golang:1.16 AS build
-LABEL maintainer "golang-dev@googlegroups.com"
-
-ENV GO111MODULE=on
-ENV GOPROXY=https://proxy.golang.org
+FROM golang:1.17 AS build
+LABEL maintainer="golang-dev@googlegroups.com"
 
 RUN mkdir /gocache
 ENV GOCACHE /gocache
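Review bot: Dropping `ENV GOPROXY=https://proxy.golang.org` changes module resolution rather than just tidying up: the old value had no `,direct` fallback, so a module absent from the proxy failed the build, whereas Go 1.17's default of `https://proxy.golang.org,direct` will fall back to fetching directly from the origin VCS (go.sum / GOSUMDB still verify checksums either way). If the intent is to keep builds pinned to the proxy, keep the line as `ENV GOPROXY=https://proxy.golang.org`; otherwise a one-line comment stating that the default fallback is deliberate would stop the next reviewer from re-adding it. Removing `GO111MODULE=on` is a no-op on Go 1.17 and fine. The `ENV GOCACHE /gocache` line that follows still uses the legacy space-separated form this hunk moves `LABEL` away from; `ENV GOCACHE=/gocache` would match the new style (the second Dockerfile hunk is only the LABEL change and needs nothing further).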
@@ -31,7 +28,7 @@
 
 
 FROM debian:buster
-LABEL maintainer "golang-dev@googlegroups.com"
+LABEL maintainer="golang-dev@googlegroups.com"
 
 # For interacting with the Go source & subrepos
 RUN apt-get update && apt-get install -y \
diff --git a/maintner/maintnerd/Makefile b/maintner/maintnerd/Makefile
index e572d44..0ebd677 100644
--- a/maintner/maintnerd/Makefile
+++ b/maintner/maintnerd/Makefile
@@ -27,7 +27,7 @@
 
 deploy-prod: push-prod
 	go install golang.org/x/build/cmd/xb
-	xb --prod kubectl set image deployment/maintnerd-deployment maintnerd=$(IMAGE_PROD):$(VERSION)
+	xb --prod kubectl --namespace prod set image deployment/maintnerd-deployment maintnerd=$(IMAGE_PROD):$(VERSION)
 deploy-staging: push-staging
 	go install golang.org/x/build/cmd/xb
 	xb --staging kubectl set image deployment/maintnerd-deployment maintnerd=$(IMAGE_STAGING):$(VERSION)
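Review bot: The namespace is hard-coded as a literal in the deploy-prod recipe while deploy-staging two lines below stays namespace-less, and the same literal `prod` is added separately to deployment-prod.yaml and service.yaml in this change, so three places now have to agree. A variable near the top of the Makefile, `PROD_NAMESPACE := prod`, used as `xb --prod kubectl --namespace $(PROD_NAMESPACE) set image deployment/maintnerd-deployment maintnerd=$(IMAGE_PROD):$(VERSION)`, would at least keep the Makefile side in one spot and make the asymmetry with staging explicit. If deploy-prod and deploy-staging are not already declared in `.PHONY` (any such declaration is outside this hunk), they should be, since neither produces a file.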
diff --git a/maintner/maintnerd/deployment-prod.yaml b/maintner/maintnerd/deployment-prod.yaml
index 26bafee..4e4ac53 100644
--- a/maintner/maintnerd/deployment-prod.yaml
+++ b/maintner/maintnerd/deployment-prod.yaml
@@ -1,6 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
+  namespace: prod
   name: maintnerd-deployment
 spec:
   replicas: 1 # MUST BE 1 FOR NOW
@@ -15,6 +16,9 @@
         container.seccomp.security.alpha.kubernetes.io/maintnerd: docker/default
         container.apparmor.security.beta.kubernetes.io/maintnerd: runtime/default
     spec:
+      serviceAccountName: maintnerd
+      nodeSelector:
+        cloud.google.com/gke-nodepool: workload-identity-pool
       volumes:
       - name: pv-maintner-cache
         gcePersistentDisk:
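Review bot: The pod now runs as the `maintnerd` Kubernetes service account, but nothing in this change creates that ServiceAccount or carries the `iam.gke.io/gcp-service-account` annotation that binds it to the GCP service account the description mentions; if that object is managed outside this repository, a comment next to `serviceAccountName: maintnerd` naming where it lives would make the deployment self-explanatory. With a dedicated KSA in place, consider also setting `automountServiceAccountToken: false` on the pod spec unless the container needs the Kubernetes API; GKE Workload Identity identifies the pod by its KSA rather than the mounted token, so this should be compatible, but confirm against the GKE documentation before relying on it. The first hunk of this file only adds `namespace: prod` and needs nothing further.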
diff --git a/maintner/maintnerd/gcslog/gcslog.go b/maintner/maintnerd/gcslog/gcslog.go
index a6f8076..b465059 100644
--- a/maintner/maintnerd/gcslog/gcslog.go
+++ b/maintner/maintnerd/gcslog/gcslog.go
@@ -446,7 +446,6 @@
 	err := try(4, time.Second, func() error {
 		w := gl.bucket.Object(objName).NewWriter(ctx)
 		w.ContentType = "application/octet-stream"
-		w.ACL = append(w.ACL, storage.ACLRule{Entity: storage.AllUsers, Role: storage.RoleReader})
 		if _, err := w.Write(buf); err != nil {
 			return err
 		}
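Review bot: With the `w.ACL` line gone, whether a mutation-log object is readable by anyone is now decided entirely by the bucket's IAM policy rather than by this code, and nothing at the write site records that expectation. A short comment above `w.ContentType`, such as `// Object readability is governed by the bucket's IAM policy (uniform bucket-level access); no per-object ACL is set.`, would tell the next reader that the absence of an ACL is intentional and where the permission now lives. The enclosing function starts and ends outside this hunk.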
diff --git a/maintner/maintnerd/service.yaml b/maintner/maintnerd/service.yaml
index fb528b4..91ff7ee 100644
--- a/maintner/maintnerd/service.yaml
+++ b/maintner/maintnerd/service.yaml
@@ -1,6 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
+  namespace: prod
   name: maintnerd
 spec:
   ports: