use dedicated serviceAccounts for deploy jobs

Signed-off-by: Denis Baryshev <[email protected]>
sushmitsarmah · Jan 26, 2022 · bc00dc7 · bc00dc7
1 parent 381e434
commit bc00dc7
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 16 deletions.
diff --git a/.github/workflows/deploy-zksync.yml b/.github/workflows/deploy-zksync.yml
@@ -122,7 +122,7 @@ jobs:
       -
         id: kubeConf
         run: |
-          kube_token=$(cat /var/run/secrets/tokens/github-actions-deployer)
+          kube_token=$(cat /var/run/secrets/tokens/gha-deployer-${{ needs.setup.outputs.runner }})
           echo "::add-mask::$kube_token"
           echo "::set-output name=token::$kube_token"
       -

diff --git a/.github/workflows/loadtest.yml b/.github/workflows/loadtest.yml
@@ -13,6 +13,7 @@ concurrency: deploy-${{ github.event.inputs.environment }}
 env:
   ZKSYNC_ENV: loadtest
   HF_ARGS: -e loadtest
+  DEPLOY_SA_NAME: gha-deployer-stage
 
 jobs:
   update:
@@ -39,10 +40,10 @@ jobs:
     needs: [update]
     container:
       image: dysnix/kubectl:v1.20-gcloud
-
+      volumes:
+        - /var/run/secrets/tokens:/var/run/secrets/tokens
     env:
       DEPLOY_APPS: -l name=sqlproxy
-
     outputs:
       image_tag: ${{ steps.set.outputs.shortRev }}
 
@@ -65,7 +66,7 @@ jobs:
       -
         id: kubeConf
         run: |
-          kube_token=$(cat /var/run/secrets/tokens/github-actions-deployer)
+          kube_token=$(cat /var/run/secrets/tokens/${DEPLOY_SA_NAME})
           echo "::add-mask::$kube_token"
           echo "::set-output name=token::$kube_token"
       -
@@ -165,7 +166,7 @@ jobs:
       -
         id: kubeConf
         run: |
-          kube_token=$(cat /var/run/secrets/tokens/github-actions-deployer)
+          kube_token=$(cat /var/run/secrets/tokens/${DEPLOY_SA_NAME})
           echo "::add-mask::$kube_token"
           echo "::set-output name=token::$kube_token"
       -
@@ -233,7 +234,7 @@ jobs:
       -
         id: kubeConf
         run: |
-          kube_token=$(cat /var/run/secrets/tokens/github-actions-deployer)
+          kube_token=$(cat /var/run/secrets/tokens/${DEPLOY_SA_NAME})
           echo "::add-mask::$kube_token"
           echo "::set-output name=token::$kube_token"
       -

diff --git a/.github/workflows/update-config.yml b/.github/workflows/update-config.yml
@@ -17,7 +17,7 @@ defaults:
 concurrency: update-config-${{ github.event.inputs.environment }}
 
 jobs:
-  pre:
+  setup:
     runs-on: [k8s, stage]
     steps:
       - uses: actions/checkout@v2
@@ -50,19 +50,19 @@ jobs:
 
   updateConfig:
     name: Update Config
-    needs: [pre]
-    runs-on: [k8s, deployer, "${{ needs.pre.outputs.runner }}"]
+    needs: [setup]
+    runs-on: [k8s, deployer, "${{ needs.setup.outputs.runner }}"]
     container:
       image: dysnix/kubectl:v1.20-gcloud
       volumes:
         - /var/run/secrets/tokens:/var/run/secrets/tokens
     env:
-      ENVFILE: ./compiled_envs/${{ needs.pre.outputs.environment }}.env
+      ENVFILE: ./compiled_envs/${{ needs.setup.outputs.environment }}.env
     steps:
       -
         id: kubeConf
         run: |
-          kube_token=$(cat /var/run/secrets/tokens/github-actions-deployer)
+          kube_token=$(cat /var/run/secrets/tokens/gha-deployer-${{ needs.setup.outputs.runner }})
           echo "::add-mask::$kube_token"
           echo "::set-output name=token::$kube_token"
       -
@@ -78,15 +78,15 @@ jobs:
         with:
           repository: matter-labs/configs
           path: configs
-          ref: ${{ needs.pre.outputs.configRef }}
+          ref: ${{ needs.setup.outputs.configRef }}
           token: ${{ secrets.GH_TOKEN }}
       -
         name: Update Server Config
         working-directory: configs
         run: |
           sudo apk --no-cache add yarn
           ./bin/config
-          ./bin/config compile ${{ needs.pre.outputs.environment }}
-          kubectl delete configmap -n ${{ needs.pre.outputs.namespace }} server-env-custom || /bin/true
-          kubectl create configmap -n ${{ needs.pre.outputs.namespace }} server-env-custom --from-env-file=${{ env.ENVFILE }}
-          # kubectl delete pod -n ${{ needs.pre.outputs.namespace }} -l app.kubernetes.io/instance=server
+          ./bin/config compile ${{ needs.setup.outputs.environment }}
+          kubectl delete configmap -n ${{ needs.setup.outputs.namespace }} server-env-custom || /bin/true
+          kubectl create configmap -n ${{ needs.setup.outputs.namespace }} server-env-custom --from-env-file=${{ env.ENVFILE }}
+          # kubectl delete pod -n ${{ needs.setup.outputs.namespace }} -l app.kubernetes.io/instance=server