cmd/gopherbot: move to Workload Identity

Create a new service account, and move the deployment over to the prod
namespace. Also update the build image to Go 1.17.

For golang/go#48263.

Change-Id: I9c7776b294ee78c2745670f805ec70cab1ae4573
Reviewed-on: https://go-review.googlesource.com/c/build/+/349056
Trust: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Heschi Kreinick <heschi@google.com>

cmd/gopherbot/Dockerfile

@@ -2,13 +2,9 @@
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 
-FROM golang:1.12 AS build
+FROM golang:1.17 AS build
 LABEL maintainer "golang-dev@googlegroups.com"
 
-
-ENV GO111MODULE=on
-ENV GOPROXY=https://proxy.golang.org
-
 RUN mkdir /gocache
 ENV GOCACHE /gocache
 

cmd/gopherbot/Makefile

@@ -23,7 +23,7 @@ push-staging: docker-image
 
 deploy-prod: push-prod
 	go install golang.org/x/build/cmd/xb
-	xb --prod kubectl set image deployment/gopherbot-deployment gopherbot=$(IMAGE_PROD):$(VERSION)
+	xb --prod kubectl --namespace prod set image deployment/gopherbot-deployment gopherbot=$(IMAGE_PROD):$(VERSION)
 deploy-staging: push-staging
 	go install golang.org/x/build/cmd/xb
 	xb --staging kubectl set image deployment/gopherbot-deployment gopherbot=$(IMAGE_STAGING):$(VERSION)

cmd/gopherbot/deployment-prod.yaml

@@ -1,6 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
+  namespace: prod
   name: gopherbot-deployment
 spec:
   replicas: 1 # more than 1 might cause duplicate GitHub comments
@@ -15,6 +16,9 @@ spec:
         container.seccomp.security.alpha.kubernetes.io/gopherbot: docker/default
         container.apparmor.security.beta.kubernetes.io/gopherbot: runtime/default
     spec:
+      serviceAccountName: gopherbot
+      nodeSelector:
+        cloud.google.com/gke-nodepool: workload-identity-pool
       volumes:
       - name: cache-volume
         emptyDir: {}