From 0c26b7f1b8848cd9901d43408e6a7d4ca98a8641 Mon Sep 17 00:00:00 2001
From: Erick Fejta
Date: Thu, 9 Jan 2020 14:46:46 -0800
Subject: [PATCH 1/2] Remove all presets. These make jobs harder to understand. I will also shortly replace them with workload identity.
---
 prow/config.yaml | 32 +------------------
 .../GoogleCloudPlatform/esp-v2/esp-v2.yaml | 19 ++++++++---
 .../gcp-oss-test-infra-config.yaml | 13 +++++++-
 3 files changed, 27 insertions(+), 37 deletions(-)
diff --git a/prow/config.yaml b/prow/config.yaml
index 3a556e0607..30b4629034 100644
--- a/prow/config.yaml
+++ b/prow/config.yaml
@@ -52,7 +52,7 @@ plank:
 gcs_configuration:
 bucket: "oss-prow"
 path_strategy: "explicit"
- gcs_credentials_secret: "service-account"
+ gcs_credentials_secret: "service-account" # TODO(fejta): remove https://github.com/GoogleCloudPlatform/oss-test-infra/issues/202
 sinker:
 resync_period: 1m
@@ -87,33 +87,3 @@ deck:
 rerun_auth_config:
 github_orgs:
 - GoogleCloudPlatform
-
-presets:
-- labels:
- preset-service-account: "true"
- env:
- - name: GOOGLE_APPLICATION_CREDENTIALS
- value: /etc/service-account/service-account.json
- - name: E2E_GOOGLE_APPLICATION_CREDENTIALS
- value: /etc/service-account/service-account.json
- volumes:
- - name: service
- secret:
- secretName: service-account
- volumeMounts:
- - name: service
- mountPath: /etc/service-account
- readOnly: true
-- labels:
- preset-prow-deployer-service-account: "true"
- env:
- - name: GOOGLE_APPLICATION_CREDENTIALS
- value: /creds/service-account.json
- volumeMounts:
- - name: creds
- mountPath: /creds
- readOnly: true
- volumes:
- - name: creds
- secret:
- secretName: prow-deployer-service-account
diff --git a/prow/prowjobs/GoogleCloudPlatform/esp-v2/esp-v2.yaml b/prow/prowjobs/GoogleCloudPlatform/esp-v2/esp-v2.yaml
index b87509e524..610d4a6792 100644
--- a/prow/prowjobs/GoogleCloudPlatform/esp-v2/esp-v2.yaml
+++ b/prow/prowjobs/GoogleCloudPlatform/esp-v2/esp-v2.yaml
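Review bot: The `gcs_credentials_secret: "service-account"` kept in the first hunk names the same `service-account` Secret that the esp-v2 presubmits in this patch now mount directly and expose through `GOOGLE_APPLICATION_CREDENTIALS`, so the key that the pod utilities use to upload results into the `oss-prow` bucket is also readable by test code running on pull-request branches. The TODO already tracks dropping the key for workload identity; until then, a separate secret or GSA for the job containers would keep presubmit code from being able to write to the results bucket, and the comment could say so: `# TODO(fejta): remove https://github.com/GoogleCloudPlatform/oss-test-infra/issues/202 (same key is mounted into esp-v2 presubmits)`. The `plank:` block begins before this hunk.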
@@ -51,10 +51,6 @@ presubmits:
 - name: ESPv2-gke-e2e-tight-http-bookstore-managed
 always_run: true
 decorate: true
- labels:
- preset-k8s-ssh: "true"
- preset-service-account: "true"
- preset-dind-enabled: "true"
 spec:
 containers:
 - args:
@@ -81,6 +77,19 @@ presubmits:
 - runner.sh
 - /workspace/scenarios/kubernetes_e2e.py
 image: gcr.io/k8s-testimages/kubekins-e2e:v20190509-e418529-master
+ env:
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: /etc/service-account/service-account.json
+ - name: E2E_GOOGLE_APPLICATION_CREDENTIALS
+ value: /etc/service-account/service-account.json
+ volumeMounts:
+ - name: service
+ mountPath: /etc/service-account
+ readOnly: true
+ volumes:
+ - name: service # TODO(fejta): remove https://github.com/GoogleCloudPlatform/oss-test-infra/issues/202
+ secret:
+ secretName: service-account
 - name: ESPv2-cloud-run-e2e-cloud-run-http-bookstore
 always_run: true
 decorate: true
@@ -119,4 +128,4 @@ periodics:
 volumes:
 - name: cloudesf-testing-github-prow-service-account
 secret:
- secretName: cloudesf-testing-github-prow-service-account
\ No newline at end of file
+ secretName: cloudesf-testing-github-prow-service-account
diff --git a/prow/prowjobs/GoogleCloudPlatform/oss-test-infra/gcp-oss-test-infra-config.yaml b/prow/prowjobs/GoogleCloudPlatform/oss-test-infra/gcp-oss-test-infra-config.yaml
index fd424db954..55ec75690c 100644
--- a/prow/prowjobs/GoogleCloudPlatform/oss-test-infra/gcp-oss-test-infra-config.yaml
+++ b/prow/prowjobs/GoogleCloudPlatform/oss-test-infra/gcp-oss-test-infra-config.yaml
@@ -73,6 +73,17 @@ postsubmits:
 - prow
 - deploy
 - deploy-build
+ env:
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: /creds/service-account.json
+ volumeMounts:
+ - name: creds
+ mountPath: /creds
+ readOnly: true
+ volumes:
+ - name: creds
+ secret:
+ secretName: prow-deployer-service-account
 - name: post-oss-test-infra-upload-testgrid-config
 cluster: test-infra-trusted
 run_if_changed: '^(prow/prowjobs/.*\.yaml)|(testgrid/config\.yaml)$'
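Review bot: The presubmit drops `preset-k8s-ssh: "true"` and `preset-dind-enabled: "true"` together with `preset-service-account: "true"`, but only the service-account preset is re-inlined in the next hunk (`@@ -81,6 +77,19 @@`); nothing replaces the ssh or dind labels. The presets deleted from prow/config.yaml in this same patch define only `preset-service-account` and `preset-prow-deployer-service-account`, so the other two appear to have been undefined here and their removal a no-op, but that should be confirmed against any other preset source before merge, because `kubernetes_e2e.py` may expect SSH keys or docker-in-docker to be provisioned. The job definition begins before this hunk.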
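Review bot: The inlined `secretName: prow-deployer-service-account` volume in the gcp-oss-test-infra-config.yaml hunk carries no removal marker, while the other two key mounts this patch inlines (the esp-v2 `- name: service` volume and the testgrid `secretName`) both get `# TODO(fejta): remove https://github.com/GoogleCloudPlatform/oss-test-infra/issues/202`. Adding the same comment on `secretName: prow-deployer-service-account` keeps the deployer key — which can apply prow's own deployment — from being overlooked when the tracking issue is worked. The deploy job's definition starts before this hunk.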
@@ -123,7 +134,7 @@ postsubmits:
 volumes:
 - name: testgrid-service-account
 secret:
- secretName: testgrid-service-account
+ secretName: testgrid-service-account # TODO(fejta): remove https://github.com/GoogleCloudPlatform/oss-test-infra/issues/202
 periodics:
 - cron: "05 15-23 * * 1-5" # Run at 7:05-15:05 PST (15:05 UTC) Mon-Fri
From 6c81b831ababe9da313a02039a1906a74a15de02 Mon Sep 17 00:00:00 2001
From: Erick Fejta
Date: Thu, 9 Jan 2020 17:58:18 -0800
Subject: [PATCH 2/2] Push testgrid images using workload-identity
---
 .../oss-test-infra/gcp-oss-test-infra-config.yaml | 11 +---------
 .../GoogleCloudPlatform_testgrid_serviceaccounts.yaml | 7 +++++++
 2 files changed, 8 insertions(+), 10 deletions(-)
 create mode 100644 prow/serviceaccounts/GoogleCloudPlatform_testgrid_serviceaccounts.yaml
diff --git a/prow/prowjobs/GoogleCloudPlatform/oss-test-infra/gcp-oss-test-infra-config.yaml b/prow/prowjobs/GoogleCloudPlatform/oss-test-infra/gcp-oss-test-infra-config.yaml
index 55ec75690c..6ff3e2cd29 100644
--- a/prow/prowjobs/GoogleCloudPlatform/oss-test-infra/gcp-oss-test-infra-config.yaml
+++ b/prow/prowjobs/GoogleCloudPlatform/oss-test-infra/gcp-oss-test-infra-config.yaml
@@ -121,20 +121,11 @@ postsubmits:
 testgrid-dashboards: googleoss-test-infra
 testgrid-alert-email: slchase@google.com
 spec:
+ serviceAccountName: testgrid-pusher
 containers:
 - image: gcr.io/k8s-testimages/bazelbuild:v20190916-ec59af8-0.29.1
- env:
- - name: GOOGLE_APPLICATION_CREDENTIALS
- value: /creds/service-account.json
 command:
 - ./images/push.sh
- volumeMounts:
- - name: testgrid-service-account
- mountPath: /creds
- volumes:
- - name: testgrid-service-account
- secret:
- secretName: testgrid-service-account # TODO(fejta): remove https://github.com/GoogleCloudPlatform/oss-test-infra/issues/202
 periodics:
 - cron: "05 15-23 * * 1-5" # Run at 7:05-15:05 PST (15:05 UTC) Mon-Fri
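Review bot: `serviceAccountName: testgrid-pusher` only resolves if this job's pod is created in the `test-pods` namespace, where the new ServiceAccount in prow/serviceaccounts/GoogleCloudPlatform_testgrid_serviceaccounts.yaml lives; the job carries no namespace of its own, so this presumably relies on prow's configured pod namespace — a comment on the new line would make the dependency visible, e.g. `serviceAccountName: testgrid-pusher  # KSA from prow/serviceaccounts/…, maps to image-updater@k8s-testgrid via workload identity`. The GCP-side grant that lets that KSA impersonate the GSA is not part of this patch, so the push will fail with a permission error until it exists, and the ServiceAccount must be applied before the postsubmit next runs. The enclosing postsubmit job begins outside the hunk.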
diff --git a/prow/serviceaccounts/GoogleCloudPlatform_testgrid_serviceaccounts.yaml b/prow/serviceaccounts/GoogleCloudPlatform_testgrid_serviceaccounts.yaml
new file mode 100644
index 0000000000..0da4f0fe39
--- /dev/null
+++ b/prow/serviceaccounts/GoogleCloudPlatform_testgrid_serviceaccounts.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations:
+ iam.gke.io/gcp-service-account: image-updater@k8s-testgrid.iam.gserviceaccount.com
+ name: testgrid-pusher
+ namespace: test-pods
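Review bot: Any pod in `test-pods` that sets `serviceAccountName: testgrid-pusher` acquires whatever IAM `image-updater@k8s-testgrid.iam.gserviceaccount.com` holds, and nothing in this file or in the job config limits which ProwJobs may reference it; review of prowjob config changes is the only gate, and presumably other jobs run in the same namespace. A header comment naming the intended consumer, e.g. `# Workload-identity KSA for the testgrid image push postsubmit in prowjobs/GoogleCloudPlatform/oss-test-infra/gcp-oss-test-infra-config.yaml; do not reuse.`, makes unexpected reuse stand out in review. The file also lacks the `---` document start used elsewhere in this repo's YAML.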