Additional role to service account used by CAPG e2e tests

[richardcase]

The e2e tests in CAPG have been updated to cover GKE provisioning. As a result, the service account that is retrieved from boskos needs an additional role assigning to it.

The Boskos resource details:

Type: gce-project
Owner: cluster-api-provider-gcp

Note: the resource is a key for a GCP service account.

The GCP service account that is related to this resource needs the following role adding to it:

iam.serviceAccountTokenCreator

This is blocking the e2e tests running.

[richardcase]

//cc @cpanato @salasberryfin

[cpanato]

/assign

[cpanato]

cc @ameukam can you help here? or who we can talk with

[ameukam]

I have very limited bandwidth currently. Sorry. 😞
Talk to one of the @kubernetes/sig-k8s-infra-leads

[salasberryfin]

@dims @BenTheElder can you help with this?

[dims]

/assign @ameukam @upodroid

[BenTheElder]

If we're adding roles: we need to make sure boskos cleans up the associated resources we'll be creating that we may not have been before.

[richardcase]

If we're adding roles: we need to make sure boskos cleans up the associated resources we'll be creating that we may not have been before.

Thats a good point. We'll be creating GKE clusters in the e2e. Looking at the janitor these are not included:

https://github.com/kubernetes-sigs/boskos/blob/9f79a9e4406a8d9fcc97b8ea93890dea44702981/cmd/janitor/gcp_janitor.py#L272

I can create a PR for this.

[richardcase]

@cpanato @BenTheElder - just to confirm the existing GCP janitor cleans up stale GKE clusters:

[2025-01-15 09:49:15.829076] checking endpoint https://container.googleapis.com/
[2025-01-15 09:49:15.829160] running ['gcloud', 'container', '-q', 'clusters', 'list', '--project=k8s-infra-sandbox-capg', '--filter=name !~ ^default', '--format=json(name,createTime,region,zone)']
[2025-01-15 09:49:25.556005] cluster info: {'createTime': '2025-01-15T07:35:27+00:00', 'name': 'richard-test-autopilot', 'zone': 'us-central1'}
[2025-01-15 09:49:36.631275] Found stale gke cluster 'richard-test-autopilot' in 'https://container.googleapis.com/', created time = '2025-01-15T07:35:27'
[2025-01-15 09:50:09.076330] start a new thread, total 1
[2025-01-15 09:50:11.751438] [DRYRUN] Call ['gcloud', 'container', '-q', 'clusters', 'delete', 'richard-test-autopilot', '--project=k8s-infra-sandbox-capg', '--zone=us-central1']
[2025-01-15 09:50:13.642609] cluster info: {'createTime': '2025-01-15T07:33:43+00:00', 'name': 'richard-test-regional', 'zone': 'us-central1'}
[2025-01-15 09:50:23.363040] Found stale gke cluster 'richard-test-regional' in 'https://container.googleapis.com/', created time = '2025-01-15T07:33:43'
[2025-01-15 09:50:30.017251] start a new thread, total 2
[2025-01-15 09:50:32.418504] [DRYRUN] Call ['gcloud', 'container', '-q', 'clusters', 'delete', 'richard-test-regional', '--project=k8s-infra-sandbox-capg', '--zone=us-central1']
[2025-01-15 09:50:37.966746] cluster info: {'createTime': '2025-01-15T07:34:39+00:00', 'name': 'richard-test-zonal', 'zone': 'us-central1-c'}
[2025-01-15 09:50:42.694235] Found stale gke cluster 'richard-test-zonal' in 'https://container.googleapis.com/', created time = '2025-01-15T07:34:39'
[2025-01-15 09:50:51.363193] start a new thread, total 3
[2025-01-15 09:50:52.837425] [DRYRUN] Call ['gcloud', 'container', '-q', 'clusters', 'delete', 'richard-test-zonal', '--project=k8s-infra-sandbox-capg', '--zone=us-central1-c']