cmd/coordinator: move to Workload Identity

Create a new service account, and move the deployment over to the prod
namespace.

The network metadata entry we look for isn't available under Workload
Identity
(https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#gke_mds)
so use the hostname instead, which works fine.

For golang/go#48263.

Change-Id: I91ef091de3e0a923b4a96c56a7f8e7c9e614be8f
Reviewed-on: https://go-review.googlesource.com/c/build/+/349950
Trust: Heschi Kreinick <heschi@google.com>
Run-TryBot: Heschi Kreinick <heschi@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
diff --git a/cmd/coordinator/Makefile b/cmd/coordinator/Makefile
index 64370f3..7ad1239 100644
--- a/cmd/coordinator/Makefile
+++ b/cmd/coordinator/Makefile
@@ -47,7 +47,7 @@
 
 deploy-prod: push-prod
 	go install golang.org/x/build/cmd/xb
-	xb --prod kubectl set image deployment/coordinator-deployment coordinator=$(IMAGE_PROD):$(VERSION)
+	xb --prod kubectl --namespace prod set image deployment/coordinator-deployment coordinator=$(IMAGE_PROD):$(VERSION)
 deploy-staging: push-staging
 	go install golang.org/x/build/cmd/xb
 	xb --staging kubectl set image deployment/coordinator-deployment coordinator=$(IMAGE_STAGING):$(VERSION)
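Review bot: The `deploy-prod` target now pins `--namespace prod` while `deploy-staging` on the next lines still relies on the kube context's current namespace, so the two targets are no longer parallel and a reader cannot tell from the Makefile whether that asymmetry is intended. If staging is meant to stay in its default namespace, a one-line comment above `deploy-prod` would make the contract explicit, e.g. `# prod objects live in the prod namespace; keep in sync with deployment-prod.yaml and service-prod.yaml`. A mismatch here is fail-closed: `kubectl set image` against a namespace without the deployment reports not-found rather than updating something else, so the cost is a failed deploy, not a misdirected one.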
diff --git a/cmd/coordinator/coordinator.go b/cmd/coordinator/coordinator.go
index d817dd5..dfb2863 100644
--- a/cmd/coordinator/coordinator.go
+++ b/cmd/coordinator/coordinator.go
@@ -3163,7 +3163,7 @@
 	// TODO: migrate to a GKE internal load balancer with an internal static IP
 	// once we migrate symbolic-datum-552 off a Legacy VPC network to the modern
 	// scheme that supports internal static IPs.
-	return "http://" + pool.NewGCEConfiguration().GKENodeIP() + ":30157"
+	return "http://" + pool.NewGCEConfiguration().GKENodeHostname() + ":30157"
 }
 
 // affectedPkgs returns the name of every package affected by this commit.
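Review bot: The URL built on the `+` line now embeds a hostname instead of an address, which changes who can use it: the old internal IP was reachable by anything on the VPC, whereas a name returned by the metadata server's `instance/hostname` entry (on GCE that is normally the instance's internal FQDN) is only usable by clients that can resolve it through the VPC's internal DNS — presumably true for the buildlets this is handed to, but worth confirming. The existing TODO above still frames the migration in terms of a static IP, so a short comment on the return line would keep the two in step, e.g. `// The node hostname is an internal DNS name; callers must be able to resolve it from inside the VPC.` The enclosing function's signature and the rest of its body are outside this hunk.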
diff --git a/cmd/coordinator/deployment-prod.yaml b/cmd/coordinator/deployment-prod.yaml
index 1f9a682..fc95681 100644
--- a/cmd/coordinator/deployment-prod.yaml
+++ b/cmd/coordinator/deployment-prod.yaml
@@ -1,6 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
+  namespace: prod
   name: coordinator-deployment
 spec:
   selector:
@@ -14,6 +15,9 @@
         container.seccomp.security.alpha.kubernetes.io/coordinator: docker/default
         container.apparmor.security.beta.kubernetes.io/coordinator: runtime/default
     spec:
+      serviceAccountName: coordinator
+      nodeSelector:
+        cloud.google.com/gke-nodepool: workload-identity-pool
       containers:
       - name: coordinator
         image: gcr.io/symbolic-datum-552/coordinator:latest
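Review bot: The pod is bound to `serviceAccountName: coordinator`, but the ServiceAccount object itself, and the `iam.gke.io/gcp-service-account` annotation that Workload Identity needs on it to map the KSA to a Google service account, are not part of this change; the commit message says the account was created, so it presumably lives out of band, which leaves the pod's effective GCP identity (and therefore its IAM permissions) invisible from the manifests. A `kind: ServiceAccount` manifest in `namespace: prod` alongside this file, or at least a comment on the `serviceAccountName` line naming where the KSA is defined and which GSA it maps to (e.g. `# KSA defined out of band; annotated with iam.gke.io/gcp-service-account=<GSA-email-placeholder>`), would make the least-privilege boundary reviewable. The `nodeSelector` additionally pins scheduling to `workload-identity-pool`; if that pool does not exist or has no capacity the pod simply stays Pending, which is a silent failure mode worth a comment too.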
diff --git a/cmd/coordinator/module-proxy-service.yaml b/cmd/coordinator/module-proxy-service.yaml
index 42a4e91..08c39c4 100644
--- a/cmd/coordinator/module-proxy-service.yaml
+++ b/cmd/coordinator/module-proxy-service.yaml
@@ -1,6 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
+  namespace: prod
   name: proxygolang-proxy
   annotations:
     cloud.google.com/load-balancer-type: "Internal"
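Review bot: Moving this Service into `namespace: prod` is effectively a delete-and-recreate from Kubernetes' point of view, and for an `Internal` load balancer that means a new internal IP is allocated unless a `loadBalancerIP` is pinned further down in the file (outside this hunk), so anything that was configured against the old address — firewall rules, buildlet or proxy configuration — would break; the same applies to the `coordinator` Service in service-prod.yaml below. The in-cluster DNS name also changes, from `proxygolang-proxy.default.svc` to `proxygolang-proxy.prod.svc`, so any client using the short name from another namespace needs updating. Note that a Service's selector only matches pods in its own namespace, so this move is required to keep selecting the coordinator pods once the Deployment is in `prod`; a comment stating that dependency, e.g. `# must be in the same namespace as coordinator-deployment (selectors are namespace-scoped)`, would make the ordering constraint explicit.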
diff --git a/cmd/coordinator/service-prod.yaml b/cmd/coordinator/service-prod.yaml
index 010a6ef..335f9bc 100644
--- a/cmd/coordinator/service-prod.yaml
+++ b/cmd/coordinator/service-prod.yaml
@@ -1,6 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
+  namespace: prod
   name: coordinator
 spec:
   ports:
diff --git a/internal/coordinator/pool/gce.go b/internal/coordinator/pool/gce.go
index ae77085..e4e3357 100644
--- a/internal/coordinator/pool/gce.go
+++ b/internal/coordinator/pool/gce.go
@@ -81,7 +81,7 @@
 	storageClient   *storage.Client
 	inStaging       bool                   // are we running in the staging project? (named -dev)
 	errorsClient    *errorreporting.Client // Stackdriver errors client
-	gkeNodeIP       string
+	gkeNodeHostname string
 
 	// values created due to seperating the buildlet pools into a seperate package
 	gceMode             string
@@ -126,9 +126,9 @@
 			return fmt.Errorf("failed to get current GCE zone: %v", err)
 		}
 
-		gkeNodeIP, err = metadata.Get("instance/network-interfaces/0/ip")
+		gkeNodeHostname, err = metadata.Get("instance/hostname")
 		if err != nil {
-			return fmt.Errorf("failed to get current instance IP: %v", err)
+			return fmt.Errorf("failed to get current instance hostname: %v", err)
 		}
 
 		// Convert the zone from "projects/1234/zones/us-central1-a" to "us-central1-a".
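Review bot: The switch from `instance/network-interfaces/0/ip` to `instance/hostname` is only explained in the commit message, so the next maintainer who notices the code "could" use the IP has no in-file reason not to revert it; a why-comment on the `gkeNodeHostname, err = ...` line would carry that context, e.g. `// The GKE metadata server used under Workload Identity does not serve the network-interfaces entries, so use the hostname instead.` The value is taken from the metadata server without further validation, which is fine for a trusted local source, but the lookup runs inside a conditional block whose opening is outside this hunk; if that branch is skipped the package variable stays empty and the URL built from it in cmd/coordinator becomes `http://:30157`, which is worth either a comment or a guard at the consumer.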
@@ -251,9 +251,9 @@
 	return gerritClient
 }
 
-// GKENodeIP retrieves the GKE node IP.
-func (c *GCEConfiguration) GKENodeIP() string {
-	return gkeNodeIP
+// GKENodeHostname retrieves the GKE node hostname.
+func (c *GCEConfiguration) GKENodeHostname() string {
+	return gkeNodeHostname
 }
 
 // DSClient retrieves the datastore client.
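Review bot: The new doc comment on `GKENodeHostname` says what it returns but not where the value comes from or when it is unset, and the method ignores its receiver and returns package-level state, which is not obvious from the signature. Suggest `// GKENodeHostname returns the node hostname read from the GCE metadata server during initialization; it is empty if that lookup did not run.` (the "did not run" part is inferred from the conditional initialization in the previous hunk and should be confirmed). The receiver being unused is pre-existing style shared with `GKENodeIP`, so no change is proposed there.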