all: use Workload Identity for gitmirror, move to "prod" namespace
Rather than using a service account key, enable Workload Identity for
gitmirror. This involved moving into a non-default namespace, so the
coordinator's monitoring logic needs updating too.
Change-Id: I196fae0825f806248571aae6fb125d8c0917934d
Reviewed-on: https://go-review.googlesource.com/c/build/+/347410
Trust: Heschi Kreinick <heschi@google.com>
Run-TryBot: Heschi Kreinick <heschi@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Alexander Rakoczy <alex@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
diff --git a/kubernetes/client.go b/kubernetes/client.go
index d6a6185..d52e4c6 100644
--- a/kubernetes/client.go
+++ b/kubernetes/client.go
@@ -39,7 +39,10 @@
// The provided host is an url (scheme://hostname[:port]) of a
// Kubernetes master without any path.
// The provided client is an authorized http.Client used to perform requests to the Kubernetes API master.
-func NewClient(baseURL string, client *http.Client) (*Client, error) {
+func NewClient(baseURL, namespace string, client *http.Client) (*Client, error) {
+ if namespace == "" {
+ return nil, fmt.Errorf("must specify Kubernetes namespace")
+ }
validURL, err := url.Parse(baseURL)
if err != nil {
return nil, fmt.Errorf("failed to parse URL %q: %v", baseURL, err)
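Review bot: The doc comment above NewClient still describes only the host and the http.Client; the new namespace parameter and the non-empty check at lines 22-24 are undocumented. Add a sentence to that comment, e.g. `// The provided namespace is the Kubernetes namespace the client operates in; it must be non-empty.`. Since the value is stored on the Client and presumably ends up in request paths elsewhere in this file, it may also be worth rejecting values that are not valid DNS-1123 labels (or path-escaping them) so a misconfigured namespace cannot change the request path — worth confirming against how the field is used. The body of NewClient continues in the next hunk.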
@@ -47,7 +50,7 @@
return &Client{
endpointURL: strings.TrimSuffix(validURL.String(), "/") + "/api/v1",
httpClient: client,
- namespace: "default",
+ namespace: namespace,
}, nil
}
diff --git a/kubernetes/client_test.go b/kubernetes/client_test.go
index debf7f5..3deabdc 100644
--- a/kubernetes/client_test.go
+++ b/kubernetes/client_test.go
@@ -74,7 +74,7 @@
s := httptest.NewServer(&hs)
defer s.Close()
- c, err := kubernetes.NewClient(s.URL, http.DefaultClient)
+ c, err := kubernetes.NewClient(s.URL, "default", http.DefaultClient)
if err != nil {
t.Fatalf("NewClient: %v", err)
}
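Review bot: The new non-empty namespace check in kubernetes.NewClient is not exercised by any test; this hunk only updates the existing call to pass "default". Consider adding, next to it, `if _, err := kubernetes.NewClient(s.URL, "", http.DefaultClient); err == nil { t.Fatal("NewClient with empty namespace: expected error") }`. The enclosing test function starts before this hunk.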
diff --git a/kubernetes/gke/gke.go b/kubernetes/gke/gke.go
index 0811b53..a7ab1ac 100644
--- a/kubernetes/gke/gke.go
+++ b/kubernetes/gke/gke.go
@@ -35,6 +35,7 @@
Project string
TokenSource oauth2.TokenSource
Zone string
+ Namespace string
}
type clientOptFunc func(*clientOpt)
@@ -69,9 +70,16 @@
})
}
+// OptNamespace sets the Kubernetes namespace to look in.
+func OptNamespace(namespace string) ClientOpt {
+ return clientOptFunc(func(o *clientOpt) {
+ o.Namespace = namespace
+ })
+}
+
// NewClient returns an Kubernetes client to a GKE cluster.
func NewClient(ctx context.Context, clusterName string, opts ...ClientOpt) (*kubernetes.Client, error) {
- var opt clientOpt
+ opt := clientOpt{Namespace: "default"}
for _, o := range opts {
o.modify(&opt)
}
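Review bot: gke.NewClient now silently falls back to the "default" namespace when OptNamespace is not supplied (line 72), which is the very namespace this commit is moving gitmirror out of; a caller that forgets the option will quietly look in the wrong namespace instead of failing. If the fallback is intentional, document it on the option, e.g. `// OptNamespace sets the Kubernetes namespace to look in. If not set, "default" is used.`; otherwise consider leaving the field empty and returning an error from NewClient when opt.Namespace is empty, matching the check kubernetes.NewClient already performs. The remainder of NewClient's body lies outside this hunk.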
@@ -166,7 +174,7 @@
},
}
- kubeClient, err := kubernetes.NewClient("https://"+cluster.Endpoint, kubeHTTPClient)
+ kubeClient, err := kubernetes.NewClient("https://"+cluster.Endpoint, opt.Namespace, kubeHTTPClient)
if err != nil {
return nil, fmt.Errorf("kubernetes HTTP client could not be created: %v", err)
}