feat: add WIF docs, add warning for credentials input (#141)

* add wif test * add wif docs * cancel old builds * bold deprecation * remove debug branch * add diff concurrency groups * fmt * Update README.md Co-authored-by: Seth Vargo <seth@sethvargo.com> * address comments * missing space * fix newline Co-authored-by: Seth Vargo <seth@sethvargo.com>
google-github-actions · Nov 15, 2021 · da3398a · da3398a
1 parent 27caa7b
commit da3398a
Show file tree

Hide file tree

Showing 4 changed files with 91 additions and 14 deletions.
diff --git a/.github/workflows/get-gke-credentials-it.yml b/.github/workflows/get-gke-credentials-it.yml
@@ -6,6 +6,10 @@ on:
     - 'main'
   pull_request:
 
+concurrency:
+  group: '${{ github.head_ref || github.ref }}-it'
+  cancel-in-progress: true
+
 jobs:
   gcloud:
     if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name && github.actor != 'dependabot[bot]' }}
@@ -111,3 +115,36 @@ jobs:
             echo "Expected no pods. Got ${pods}"
             exit 1
         fi
+
+  wif:
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+    if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name && github.actor != 'dependabot[bot]' }}
+    name: with wif
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - uses: google-github-actions/auth@main
+      with:
+        workload_identity_provider: ${{ secrets.WIF_PROVIDER_NAME }}
+        service_account: ${{ secrets.GET_GKE_CRED_SA_EMAIL }}
+    - id: build
+      name: Build dist
+      run: |-
+        npm install
+        npm run build
+    - id: get-kubeconfig
+      uses: ./
+      with:
+        project_id: ${{ secrets.GET_GKE_CRED_PROJECT }}
+        cluster_name: ${{ secrets.GET_GKE_CRED_CLUSTER_NAME }}
+        location: ${{ secrets.GET_GKE_CRED_CLUSTER_LOCATION }}
+    - name: test-kubectl # Use kubectl with the generated kubeconfig to auth and list pods. There should be no pods in the default ns.
+      run: |
+        pods=$(kubectl get pods -o=jsonpath='{$.items[*]}')
+        if [ -n "$pods" ]
+        then
+            echo "Expected no pods. Got ${pods}"
+            exit 1
+        fi
diff --git a/.github/workflows/get-gke-credentials-unit.yml b/.github/workflows/get-gke-credentials-unit.yml
@@ -2,6 +2,10 @@ name: get-gke-credentials Unit
 
 on: [push, pull_request]
 
+concurrency:
+  group: '${{ github.head_ref || github.ref }}-unit'
+  cancel-in-progress: true
+
 jobs:
   run:
     name: test

diff --git a/README.md b/README.md
@@ -31,12 +31,17 @@ This action requires:
 
 ```yaml
 steps:
+- id: auth
+  uses: google-github-actions/auth@v0.4.0
+  with:
+    workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
+    service_account: 'my-service-account@my-project.iam.gserviceaccount.com'
+
 - id: get-credentials
-  uses: google-github-actions/get-gke-credentials@main
+  uses: google-github-actions/get-gke-credentials@v0.3.0
   with:
     cluster_name: my-cluster
     location: us-central1-a
-    credentials: ${{ secrets.gcp_credentials }}
 
 # The KUBECONFIG env var is automatically exported and picked up by kubectl.
 - id: get-pods
@@ -49,18 +54,18 @@ steps:
 
 - `location`: (Required) Location (Region/Zone) for the cluster.
 
-- `credentials`: (Optional) Service account key to use for authentication. This should be
-  the JSON formatted private key which can be exported from the Cloud Console. The
-  value can be raw or base64-encoded. Required if not using a the
-  `setup-gcloud` action with exported credentials.
-
 - `project_id`: (Optional) Project ID where the cluster is deployed. If provided, this
   will override the project configured by gcloud.
 
 - `use_auth_provider`: (Optional) Flag to use GCP auth plugin in kubectl instead of a short lived token. Defaults to false.
 
 - `use_internal_ip`: (Optional) Flag to use the internal IP address of the cluster endpoint with private clusters. Defaults to false.
 
+- `credentials`: (**Deprecated**) This input is deprecated. See [auth section](https://github.com/google-github-actions/get-gke-credentials#via-google-github-actionsauth) for more details.
+  Service account key to use for authentication. This should be
+  the JSON formatted private key which can be exported from the Cloud Console. The
+  value can be raw or base64-encoded.
+
 ## Outputs
 
 - Exports env var `KUBECONFIG` which is set to the generated `kubeconfig` file path.
@@ -74,16 +79,38 @@ with **at least** the following roles:
   - Get and list access to GKE Clusters.
 `
 
-### Via Credentials
+### Via google-github-actions/auth
+
+Use [google-github-actions/auth](https://github.com/google-github-actions/auth) to authenticate the action. You can use [Workload Identity Federation][wif] or traditional [Service Account Key JSON][sa] authentication.
+by specifying the `credentials` input. This Action supports both the recommended [Workload Identity Federation][wif] based authentication and the traditional [Service Account Key JSON][sa] based auth.
+
+See [usage](https://github.com/google-github-actions/auth#usage) for more details.
+
+#### Authenticating via Workload Identity Federation
 
-You can provide [Google Cloud Service Account JSON][sa] directly to the action
-by specifying the `credentials` input. First, create a [GitHub
-Secret][gh-secret] that contains the JSON content, then import it into the
-action:
+```yaml
+- id: auth
+  uses: google-github-actions/auth@v0.4.0
+  with:
+    workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
+    service_account: 'my-service-account@my-project.iam.gserviceaccount.com'
+- id: get-credentials
+  uses: google-github-actions/get-gke-credentials@v0.3.0
+  with:
+    cluster_name: my-cluster
+    location: us-central1-a
+    credentials: ${{ secrets.gcp_credentials }}
+```
+
+#### Authenticating via Service Account Key JSON
 
 ```yaml
+- id: auth
+  uses: google-github-actions/auth@v0.4.0
+  with:
+    credentials_json: ${{ secrets.gcp_credentials }}
 - id: get-credentials
-  uses: google-github-actions/get-gke-credentials@main
+  uses: google-github-actions/get-gke-credentials@v0.3.0
   with:
     cluster_name: my-cluster
     location: us-central1-a
@@ -99,7 +126,7 @@ only works using a custom runner hosted on GCP.**
 
 ```yaml
 - id: get-credentials
-  uses: google-github-actions/get-gke-credentials@main
+  uses: google-github-actions/get-gke-credentials@v0.3.0
   with:
     cluster_name: my-cluster
     location: us-central1-a
@@ -114,6 +141,7 @@ Credentials.
 [token]: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens
 [sm]: https://cloud.google.com/secret-manager
 [sa]: https://cloud.google.com/iam/docs/creating-managing-service-accounts
+[wif]: https://cloud.google.com/iam/docs/workload-identity-federation
 [gh-runners]: https://help.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners
 [gh-secret]: https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets
 [setup-gcloud]: ../setup-gcloud
diff --git a/src/main.ts b/src/main.ts
@@ -28,6 +28,14 @@ async function run(): Promise<void> {
     const authProvider = core.getInput('use_auth_provider');
     const useInternalIp = core.getInput('use_internal_ip');
 
+    // Add warning if using credentials
+    if (credentials) {
+      core.warning(
+        '"credentials" input has been deprecated. ' +
+          'Please switch to using google-github-actions/auth which supports both Workload Identity Federation and JSON Key authentication. ' +
+          'For more details, see https://github.com/google-github-actions/get-gke-credentials#authorization',
+      );
+    }
     // Create Container Cluster client
     const client = new ClusterClient(location, { projectId, credentials });