Refactor preview environment and image build methods (#19652)

* [dev-image] upgrade terraform and gcloud

* update leeway version and use new cache bucket

* update image tag

* use oidc

* fix bob

* Add code web extension as package

* gcr token refresh

* fluentbit use service account

* Add xterm web ide as package

* add ide configmap patch

* fix ide first page 502

* remove secret manager

* fix monitoring

* fix integration and delete preview

* cleanup

* use previewctl:install

* change folder

* cleanup

* change leeway cache bucket for main branch

* cleanup

* fix

* hot-deploy

Author: iQQBot

.github/actions/delete-preview/Dockerfile

@@ -1,4 +1,4 @@
-FROM eu.gcr.io/gitpod-core-dev/dev/dev-environment:aledbf-go-122-gha.23879
+FROM eu.gcr.io/gitpod-core-dev/dev/dev-environment:pd-test-new-preview-gha.24525
 
 COPY entrypoint.sh /entrypoint.sh
 ENTRYPOINT ["/entrypoint.sh"]

.github/actions/delete-preview/entrypoint.sh

@@ -3,19 +3,14 @@
 set -euo pipefail
 
 export HOME=/home/gitpod
-export PREVIEW_ENV_DEV_SA_KEY_PATH="$HOME/.config/gcloud/preview-environment-dev-sa.json"
 # shellcheck disable=SC2155
 export LEEWAY_WORKSPACE_ROOT="$(pwd)"
 export PATH="$PATH:$HOME/bin"
 
 mkdir $HOME/bin
 
-echo "${INPUT_SA_KEY}" > "${PREVIEW_ENV_DEV_SA_KEY_PATH}"
-gcloud auth activate-service-account --key-file "${PREVIEW_ENV_DEV_SA_KEY_PATH}"
-
-leeway run dev/preview/previewctl:download
-
-previewctl get-credentials --gcp-service-account "${PREVIEW_ENV_DEV_SA_KEY_PATH}"
+gcloud auth login --cred-file="$GOOGLE_APPLICATION_CREDENTIALS" --activate --quiet
+leeway run dev/preview/previewctl:install
 
 export TF_INPUT=0
 export TF_IN_AUTOMATION=true

.github/actions/delete-preview/metadata.yml

@@ -1,15 +1,9 @@
 name: "Delete preview environment"
 description: "Deletes a preview environment"
 inputs:
-    sa_key:
-        description: "The service account key to use when authenticating with GCP"
-        required: true
     name:
         description: "The name of the preview environment"
         required: true
-    previewctl_hash:
-        description: "The Leeway hash of the dev/preview/previewctl:docker package to be used when downloading previewclt"
-        required: false
 runs:
     using: "docker"
     image: "Dockerfile"

.github/actions/deploy-gitpod/Dockerfile

@@ -1,4 +1,4 @@
-FROM eu.gcr.io/gitpod-core-dev/dev/dev-environment:aledbf-go-122-gha.23879
+FROM eu.gcr.io/gitpod-core-dev/dev/dev-environment:pd-test-new-preview-gha.24525
 
 COPY entrypoint.sh /entrypoint.sh
 ENTRYPOINT ["/entrypoint.sh"]

.github/actions/deploy-gitpod/entrypoint.sh

@@ -7,24 +7,20 @@ export PREVIEW_ENV_DEV_SA_KEY_PATH="$HOME/.config/gcloud/preview-environment-dev
 # shellcheck disable=SC2155
 export LEEWAY_WORKSPACE_ROOT="$(pwd)"
 export VERSION="${INPUT_VERSION}"
+export IMAGE_REPO_BASE="${INPUT_IMAGE_REPO_BASE}"
 export PATH="$PATH:$HOME/bin"
 
 mkdir $HOME/bin
 
 echo "Downloading installer for ${VERSION}"
-oci-tool fetch file -o $HOME/bin/installer --platform=linux-amd64 "eu.gcr.io/gitpod-core-dev/build/installer:${VERSION}" app/installer
+oci-tool fetch file -o $HOME/bin/installer --platform=linux-amd64 "${IMAGE_REPO_BASE}/installer:${VERSION}" app/installer
 chmod +x $HOME/bin/installer
 
 echo "Download versions.yaml"
-oci-tool fetch file -o /tmp/versions.yaml --platform=linux-amd64 "eu.gcr.io/gitpod-core-dev/build/versions:${VERSION}" versions.yaml
+oci-tool fetch file -o /tmp/versions.yaml --platform=linux-amd64 "${IMAGE_REPO_BASE}/versions:${VERSION}" versions.yaml
 
-echo "${INPUT_SA_KEY}" > "${PREVIEW_ENV_DEV_SA_KEY_PATH}"
-gcloud auth activate-service-account --key-file "${PREVIEW_ENV_DEV_SA_KEY_PATH}"
-
-leeway run dev/preview/previewctl:download
-
-echo "Setting up access to core-dev and harvester"
-previewctl get-credentials --gcp-service-account "${PREVIEW_ENV_DEV_SA_KEY_PATH}"
+gcloud auth login --cred-file="$GOOGLE_APPLICATION_CREDENTIALS" --activate --quiet
+leeway run dev/preview/previewctl:install
 
 PREVIEW_NAME="$(previewctl get-name --branch "${INPUT_NAME}")"
 export PREVIEW_NAME
@@ -36,7 +32,7 @@ for var in WITH_DEDICATED_EMU ANALYTICS WORKSPACE_FEATURE_FLAGS; do
   fi
 done
 
-previewctl install-context --branch "${PREVIEW_NAME}" --log-level debug --timeout 10m --gcp-service-account "${PREVIEW_ENV_DEV_SA_KEY_PATH}"
+previewctl install-context --branch "${PREVIEW_NAME}" --log-level debug --timeout 10m
 leeway run dev/preview:deploy-gitpod
 previewctl report --branch "${PREVIEW_NAME}" >> "${GITHUB_STEP_SUMMARY}"
 

.github/actions/deploy-gitpod/metadata.yml

@@ -1,18 +1,12 @@
 name: "Deploy Gitpod"
 description: "Deploys Gitpod to an existing preview environment"
 inputs:
-    sa_key:
-        description: "The service account key to use when authenticating with GCP"
-        required: true
     name:
         description: "The name of the preview environment to deploy Gitpod to"
         required: false
     version:
         description: "The version of Gitpod to install"
         required: true
-    previewctl_hash:
-        description: "The Leeway hash of the dev/preview/previewctl:docker package to be used when downloading previewclt"
-        required: false
     with_dedicated_emu:
         description: "Dedicated Config"
         required: false

.github/actions/deploy-monitoring-satellite/Dockerfile

@@ -1,4 +1,4 @@
-FROM eu.gcr.io/gitpod-core-dev/dev/dev-environment:aledbf-go-122-gha.23879
+FROM eu.gcr.io/gitpod-core-dev/dev/dev-environment:pd-test-new-preview-gha.24525
 
 COPY entrypoint.sh /entrypoint.sh
 ENTRYPOINT ["/entrypoint.sh"]

.github/actions/deploy-monitoring-satellite/entrypoint.sh

@@ -3,23 +3,17 @@
 set -euo pipefail
 
 export HOME=/home/gitpod
-export PREVIEW_ENV_DEV_SA_KEY_PATH="$HOME/.config/gcloud/preview-environment-dev-sa.json"
 # shellcheck disable=SC2155
 export LEEWAY_WORKSPACE_ROOT="$(pwd)"
 export PATH="$PATH:$HOME/bin"
 
 mkdir $HOME/bin
 
-echo "${INPUT_SA_KEY}" > "${PREVIEW_ENV_DEV_SA_KEY_PATH}"
-gcloud auth activate-service-account --key-file "${PREVIEW_ENV_DEV_SA_KEY_PATH}"
-
-leeway run dev/preview/previewctl:download
-
-echo "previewctl get-credentials"
-previewctl get-credentials --gcp-service-account "${PREVIEW_ENV_DEV_SA_KEY_PATH}"
+gcloud auth login --cred-file="$GOOGLE_APPLICATION_CREDENTIALS" --activate --quiet
+leeway run dev/preview/previewctl:install
 
 echo "previewctl install-context"
-previewctl install-context --log-level debug --timeout 10m --gcp-service-account "${PREVIEW_ENV_DEV_SA_KEY_PATH}"
+previewctl install-context --log-level debug --timeout 10m
 
 echo "leeway run dev/preview:deploy-monitoring-satellite"
 leeway run dev/preview:deploy-monitoring-satellite

.github/actions/deploy-monitoring-satellite/metadata.yml

@@ -1,12 +1,5 @@
 name: "Deploy monitoring satellite"
 description: "Deploys monitoring satellite to an existing preview environment"
-inputs:
-    sa_key:
-        description: "The service account key to use when authenticating with GCP"
-        required: true
-    previewctl_hash:
-        description: "The Leeway hash of the dev/preview/previewctl:docker package to be used when downloading previewclt"
-        required: false
 runs:
     using: "docker"
     image: "Dockerfile"

.github/actions/integration-tests/action.yml

@@ -11,9 +11,6 @@ inputs:
   preview_name:
     description: "Name of the preview environment to run the tests against"
     required: true
-  sa_key:
-    description: "The service account key to use when authenticating with GCP"
-    required: true
   github_token:
     description: "The GitHub token to use when authenticating with GitHub"
     required: true
@@ -30,50 +27,64 @@ inputs:
   test_build_ref:
     description: "The build ref of the test run. Used in the IDE integration tests."
     required: false
-
+  integration_test_username:
+    description: "The username for integration test"
+    required: true
+  integration_test_usertoken:
+    description: "The username for integration test"
+    required: true
+  identity_provider:
+    description: "GCP workload identity provider"
+    required: true
+  service_account:
+    description: "GCP service account"
+    required: true
+  leeway_segment_key:
+    description: "leeway analytics key"
+    required: true
 runs:
   using: "composite"
   steps:
+    - uses: actions/checkout@v4
+    - id: env-vars
+      name: configure env variables
+      shell: bash
+      run: |
+        {
+            echo "LEEWAY_SEGMENT_KEY=${{ inputs.leeway_segment_key }}"
+            echo "LEEWAY_WORKSPACE_ROOT=$GITHUB_WORKSPACE"
+            echo "HOME=/home/gitpod"
+        }  >> "$GITHUB_ENV"
     - id: auth
-      uses: google-github-actions/auth@v1
+      name: Authenticate to Google Cloud
+      uses: google-github-actions/auth@v2
       with:
-        token_format: access_token
-        credentials_json: "${{ inputs.sa_key }}"
-    - name: Get Secrets from GCP
-      id: "secrets"
-      uses: "google-github-actions/get-secretmanager-secrets@v1"
+        workload_identity_provider: "${{ inputs.identity_provider }}"
+        service_account: "${{ inputs.service_account }}"
+    - name: 'Set up Cloud SDK'
+      uses: 'google-github-actions/setup-gcloud@v2'
       with:
-        secrets: |-
-          WORKSPACE_INTEGRATION_TEST_USERNAME:gitpod-core-dev/workspace-integration-test-username
-          WORKSPACE_INTEGRATION_TEST_USER_TOKEN:gitpod-core-dev/workspace-integration-test-user-token
+        skip_install: true
+    - id: docker
+      name: configure docker
+      shell: bash
+      run: |
+        gcloud auth configure-docker eu.gcr.io --quiet
     - name: Setup
       shell: bash
       env:
-        PREVIEW_ENV_DEV_SA_KEY: ${{ inputs.sa_key }}
         PREVIEW_NAME: ${{ inputs.preview_name }}
       run: |
-        export LEEWAY_WORKSPACE_ROOT="$(pwd)"
-        export HOME="/home/gitpod"
-        export PREVIEW_ENV_DEV_SA_KEY_PATH="/home/gitpod/.config/gcloud/preview-environment-dev-sa.json"
-
-        echo "${PREVIEW_ENV_DEV_SA_KEY}" > "${PREVIEW_ENV_DEV_SA_KEY_PATH}"
-        gcloud auth activate-service-account --key-file "${PREVIEW_ENV_DEV_SA_KEY_PATH}"
-
         leeway run dev/preview/previewctl:install
-
-        echo "Setting up access to core-dev and harvester"
-        previewctl get-credentials --gcp-service-account "${PREVIEW_ENV_DEV_SA_KEY_PATH}"
-
-        previewctl install-context --branch "${PREVIEW_NAME}" --log-level debug --timeout 1m --gcp-service-account "${PREVIEW_ENV_DEV_SA_KEY_PATH}"
+        previewctl install-context --branch "${PREVIEW_NAME}" --log-level debug --timeout 10m
 
     - name: Integration Test
       id: integration-test
       shell: bash
       env:
         ROBOQUAT_TOKEN: ${{ inputs.github_token }}
-        INTEGRATION_TEST_USERNAME: ${{ steps.secrets.outputs.WORKSPACE_INTEGRATION_TEST_USERNAME }}
-        INTEGRATION_TEST_USER_TOKEN: ${{ steps.secrets.outputs.WORKSPACE_INTEGRATION_TEST_USER_TOKEN }}
-        PREVIEW_ENV_DEV_SA_KEY: ${{ inputs.sa_key }}
+        INTEGRATION_TEST_USERNAME: ${{ inputs.integration_test_username }}
+        INTEGRATION_TEST_USER_TOKEN: ${{ inputs.integration_test_usertoken }}
         PREVIEW_NAME: ${{ inputs.preview_name }}
         TEST_USE_LATEST_VERSION: ${{ inputs.latest_ide_version }}
         TEST_BUILD_ID: ${{ inputs.test_build_id }}

.github/actions/preview-create/Dockerfile

@@ -1,4 +1,4 @@
-FROM eu.gcr.io/gitpod-core-dev/dev/dev-environment:aledbf-go-122-gha.23879
+FROM eu.gcr.io/gitpod-core-dev/dev/dev-environment:pd-test-new-preview-gha.24525
 
 COPY entrypoint.sh /entrypoint.sh
 ENTRYPOINT ["/entrypoint.sh"]

.github/actions/preview-create/entrypoint.sh

@@ -3,31 +3,17 @@
 set -euo pipefail
 
 export HOME=/home/gitpod
-export PREVIEW_ENV_DEV_SA_KEY_PATH="$HOME/.config/gcloud/preview-environment-dev-sa.json"
 # shellcheck disable=SC2155
 export LEEWAY_WORKSPACE_ROOT="$(pwd)"
 export PATH="$PATH:$HOME/bin"
 
 mkdir $HOME/bin
 
-echo "${INPUT_SA_KEY}" >"${PREVIEW_ENV_DEV_SA_KEY_PATH}"
-gcloud auth activate-service-account --key-file "${PREVIEW_ENV_DEV_SA_KEY_PATH}"
-
-leeway run dev/preview/previewctl:download
-previewctl get-credentials --gcp-service-account "${PREVIEW_ENV_DEV_SA_KEY_PATH}"
-
-replace="module.preview_gce[0].google_compute_instance.default"
-if [[ "${INPUT_INFRASTRUCTURE_PROVIDER}" = "harvester " ]]; then
-  replace="module.preview_harvester[0].harvester_virtualmachine.harvester"
-fi
-
-if [[ "${INPUT_RECREATE_VM:-x}" == "true" ]]; then
-  export TF_CLI_ARGS_plan="-replace=${replace}"
-fi
+gcloud auth login --cred-file="$GOOGLE_APPLICATION_CREDENTIALS" --activate --quiet
+leeway run dev/preview/previewctl:install
 
 TF_VAR_preview_name="$(previewctl get-name --branch "${INPUT_NAME}")"
 export TF_VAR_preview_name
-export TF_VAR_infra_provider="${INPUT_INFRASTRUCTURE_PROVIDER}"
 export TF_VAR_with_large_vm="${INPUT_LARGE_VM}"
 export TF_VAR_gce_use_spot="${INPUT_PREEMPTIBLE}"
 export TF_INPUT=0

.github/actions/preview-create/metadata.yml

@@ -15,12 +15,6 @@ inputs:
         description: "Whether to use preemptible VMs for the env"
         required: true
         default: true
-    sa_key:
-        description: "The service account key to use when authenticating with GCP"
-        required: true
-    previewctl_hash:
-        description: "The Leeway hash of the dev/preview/previewctl:docker package to be used when downloading previewclt"
-        required: false
     recreate_vm:
         description: "Whether to recreate the VM"
         required: false

.github/actions/setup-environment/action.yml

@@ -1,7 +1,10 @@
 name: Setup environment
-
+description: "Setup environment"
 inputs:
-  sa_key:
+  identity_provider:
+    description: "GCP workload identity provider"
+    required: true
+  service_account:
     description: "GCP service account"
     required: true
   leeway_segment_key:
@@ -14,33 +17,21 @@ runs:
     - uses: actions/checkout@v4
     - id: auth
       name: Authenticate to Google Cloud
-      uses: google-github-actions/auth@v1
+      uses: google-github-actions/auth@v2
       with:
-        credentials_json: "${{ inputs.sa_key }}"
-    - id: gcloud-auth
-      name: gcloud auth activate-service-account
-      shell: bash
-      run: |
-        gcloud auth activate-service-account --key-file ${{ steps.auth.outputs.credentials_file_path }}
+        workload_identity_provider: "${{ inputs.identity_provider }}"
+        service_account: "${{ inputs.service_account }}"
+    - name: 'Set up Cloud SDK'
+      uses: 'google-github-actions/setup-gcloud@v2'
+      with:
+        skip_install: true
     - id: env-vars
       name: configure env variables
       shell: bash
       run: |
-        SA_KEY_FILE=$(mktemp)
-        echo '${{ inputs.sa_key }}' > "$SA_KEY_FILE"
-
-        trap 'rm -f ${SA_KEY_FILE}' EXIT
-
         gcloud auth configure-docker eu.gcr.io --quiet
 
-        PREVIEW_ENV_DEV_SA_KEY_PATH="$GITHUB_WORKSPACE/.config/gcloud/preview-environment-dev-sa.json"
-
         {
             echo "LEEWAY_SEGMENT_KEY=${{ inputs.leeway_segment_key }}"
             echo "LEEWAY_WORKSPACE_ROOT=$GITHUB_WORKSPACE"
-            echo "PREVIEW_ENV_DEV_SA_KEY_PATH=${PREVIEW_ENV_DEV_SA_KEY_PATH}"
         }  >> "$GITHUB_ENV"
-
-        # Authenticate with GCP so we can use the Leeway cache
-        mkdir -p "$(dirname "$PREVIEW_ENV_DEV_SA_KEY_PATH")"
-        echo '${{ inputs.sa_key }}' > "${PREVIEW_ENV_DEV_SA_KEY_PATH}"