automations for basic preview tasks

WIP: IDP not working, yet

Author: geropl

.devcontainer/devcontainer.json

@@ -12,7 +12,8 @@
     ],
     "remoteEnv": {
         "GIT_EDITOR": "code --wait",
-        "KUBE_EDITOR": "code --wait"
+        "KUBE_EDITOR": "code --wait",
+        "PREVIEW_ENV_DEV_SA_KEY_PATH": "/home/gitpod/.config/gcloud/preview-environment-dev-sa.json"
     },
     "features": {
         "ghcr.io/devcontainers/features/docker-in-docker:2": {

.gitpod/automations.yaml

@@ -0,0 +1,39 @@
+tasks:
+  setup-workspace:
+    name: setup workspace
+    triggeredBy:
+    - postEnvironmentStart
+    command: |
+      export PREVIEW_ENV_DEV_SA_KEY_PATH="/home/gitpod/.config/gcloud/preview-environment-dev-sa.json"
+      leeway run dev/preview:configure-workspace
+      leeway run dev/preview/previewctl:install
+  preview-create:
+    name: create preview
+    dependsOn:
+    - setup-workspace
+    triggeredBy:
+    - manual
+    command: |
+      export PREVIEW_ENV_DEV_SA_KEY_PATH="/home/gitpod/.config/gcloud/preview-environment-dev-sa.json"
+      previewctl create
+  preview-delete:
+    name: delete preview
+    dependsOn:
+    - setup-workspace
+    triggeredBy:
+    - manual
+    command: |
+      export PREVIEW_ENV_DEV_SA_KEY_PATH="/home/gitpod/.config/gcloud/preview-environment-dev-sa.json"
+      previewctl delete
+services:
+  preview-update-kubectx:
+    name: update kubectx
+    # trigger:
+    # - onStart
+    # dependsOn:
+    # - setup-workspace
+    # TODO(gpl): would be great if we could depend on a task - or use "gitpod auto task start setup-workspace --wait"
+    commands:
+      start: |
+        leeway run dev/preview/previewctl:install
+        previewctl install-context --watch

dev/preview/workflow/preview/configure-workspace.sh

@@ -19,13 +19,23 @@ if [ -z "${PREVIEW_ENV_DEV_SA_KEY_PATH:-}" ]; then
 fi
 
 if [ -f "/usr/local/gitpod/config/initial-spec.json" ]; then
+  # gcloud iam workload-identity-pools create-cred-config \
+  #   projects/184212049955/locations/global/workloadIdentityPools/app-gitpod/providers/app-gitpod-provider \
+  #   --service-account=preview-environmnet-dev@gitpod-dev-preview.iam.gserviceaccount.com \
+  #   --service-account-token-lifetime-seconds=1h \
+  #   --output-file="${PREVIEW_ENV_DEV_SA_KEY_PATH}" \
+  #   --executable-command='gitpod-new idp token --audience="//iam.googleapis.com/projects/184212049955/locations/global/workloadIdentityPools/app-gitpod/providers/app-gitpod-provider"  --gcloud' \
+  #   --executable-timeout-millis=5000
+
   gcloud iam workload-identity-pools create-cred-config \
-    projects/184212049955/locations/global/workloadIdentityPools/gitpod-next/providers/gitpod-next-provider \
+    projects/184212049955/locations/global/workloadIdentityPools/app-gitpod/providers/app-gitpod-provider \
     --service-account=preview-environmnet-dev@gitpod-dev-preview.iam.gserviceaccount.com \
-    --service-account-token-lifetime-seconds=1h \
-    --output-file="${PREVIEW_ENV_DEV_SA_KEY_PATH}" \
-    --executable-command='node /workspace/gitpod/dev/next-oidc/oidc.js' \
-    --executable-timeout-millis=5000
+    --subject-token-type="urn:ietf:params:oauth:token-type:jwt" \
+    --credential-source-type="json" \
+    --executable-command='gitpod-new idp token --audience="//iam.googleapis.com/projects/184212049955/locations/global/workloadIdentityPools/app-gitpod/providers/app-gitpod-provider"  --gcloud' \
+    --executable-timeout-millis=5000 \
+    --executable-output-file="/tmp/gcloud-oidc.json" \
+    --output-file="${PREVIEW_ENV_DEV_SA_KEY_PATH}"
 elif [[ -n "${PREVIEW_ENV_DEV_CRED:-}" ]]; then
   echo "${PREVIEW_ENV_DEV_CRED}" >"${PREVIEW_ENV_DEV_SA_KEY_PATH}"
 fi