Streamline VM bootstrap.

[fasaxc]

Description

• Use instance's service account.
• Get docker login secret from Google secret manager.
• Avoid needing an extra scp/ssh command.

Related issues/PRs

Todos

• Tests
• Documentation
• Release note

Release Note

TBD

Reminder for the reviewer

Make sure that this PR has the correct labels and milestone set.

Every PR needs one docs-* label.

• docs-pr-required: This change requires a change to the documentation that has not been completed yet.
• docs-completed: This change has all necessary documentation completed.
• docs-not-required: This change has no user-facing impact and requires no docs.

Every PR needs one release-note-* label.

• release-note-required: This PR has user-facing changes. Most PRs should have this label.
• release-note-not-required: This PR has no user-facing changes.

Other optional labels:

• cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only.
• needs-operator-pr: This PR is related to install and requires a corresponding change to the operator.

[Copilot]

Pull request overview

This PR streamlines the VM bootstrap process for Calico's CI test infrastructure by consolidating operations into the VM startup script, eliminating the need for post-creation SSH/SCP commands.

• Moves Docker Hub authentication and test artifact loading from configure-test-vm into the VM's startup script
• Replaces credential file copying with Google Cloud service account authentication
• Retrieves Docker Hub password from Google Secret Manager instead of environment variables

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File	Description
.semaphore/vms/vm-bootstrap.sh	Adds Docker Hub login using Secret Manager and GCS artifact download/extraction at VM startup
.semaphore/vms/create-test-vms	Adds variable substitution for the bootstrap script template and configures VMs with service account
.semaphore/vms/configure-test-vm	Removes post-creation SSH commands for Docker login and artifact transfer, now handled by startup script

[Copilot]

Missing pipe operator in the sed chain. Line 46 should end with a pipe | to connect to the next sed command on line 47. Without it, the output from line 46's sed will be discarded and only line 47's sed will write to the output file.

Suggested change

	sed "s|__CALICO_DIR_NAME__|${CALICO_DIR_NAME}|g"
	sed "s|__CALICO_DIR_NAME__|${CALICO_DIR_NAME}|g" |

[Copilot]

[nitpick] Hardcoded project ID. The project ID unique-caldron-775 is hardcoded in both the secret access (line 85) and the service account (line 61 in create-test-vms). Consider using a variable like ${GCP_PROJECT} (already used in configure-test-vm line 22) for consistency and easier configuration management.

Suggested change

	DOCKERHUB_PASSWORD=$(gcloud secrets versions access latest --project=unique-caldron-775 --secret=ci-dockerhub-password)
	DOCKERHUB_PASSWORD=$(gcloud secrets versions access latest --project="${GCP_PROJECT}" --secret=ci-dockerhub-password)

[Copilot]

[nitpick] Hardcoded service account and project ID. The value [email protected] contains a hardcoded project ID. Consider parameterizing this using a variable like ${GCP_PROJECT} for consistency with configure-test-vm (line 22).

Suggested change

	--service-account=ci-test-vm@unique-caldron-775.iam.gserviceaccount.com \
	--service-account=ci-test-vm@${GCP_PROJECT}.iam.gserviceaccount.com \