This repository has been archived by the owner on Dec 15, 2022. It is now read-only.

Implement WorkloadIdentity/InjectedIdentity Support #51

Merged

Conversation

davidcollom
Contributor

@davidcollom davidcollom commented Mar 16, 2022

Description of your changes

Fixes #11 - the GCP/Google Terraform provider supports WorkloadIdentity natively; therefore, when we receive a `source: InjectedIdentity` config, we leave it for the provider, assuming this is being handled by the Terraform provider.

I have:

  • Read and followed Crossplane's contribution process.
  • Run make reviewable test to ensure this PR is ready for review.

How has this code been tested

I have built and deployed this provider in a GKE Cluster and provisioned a GKE Cluster using WorkloadIdentity following this guide: https://github.com/crossplane/provider-gcp/blob/master/docs/AUTHENTICATION.md

```yaml
apiVersion: gcp.jet.crossplane.io/v1alpha1
kind: ProviderConfig
metadata:
  name: default
spec:
  credentials:
    source: InjectedIdentity
  projectID: [...REDACTED...]
---
apiVersion: pkg.crossplane.io/v1alpha1
kind: ControllerConfig
metadata:
  name: gcp-custom
spec:
  args:
  - --debug
  image: davidcollom/provider-jet-gcp-controller-amd64:latest
  imagePullPolicy: Always
  serviceAccountName: terraformer
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: gcp
spec:
  controllerConfigRef:
    name: gcp-custom
  package: davidcollom/provider-jet-gcp-amd64:latest
  packagePullPolicy: Always
---
apiVersion: container.gcp.jet.crossplane.io/v1alpha2
kind: Cluster
metadata:
  name: crossplane-test-1
spec:
  deletionPolicy: Delete
  forProvider:
    initialNodeCount: 1
    location: europe-west2
    network: default-vpc
    nodeLocations:
    - europe-west2-a
    - europe-west2-b
    - europe-west2-c
    nodePool:
    - initialNodeCount: 1
      management:
      - autoRepair: true
        autoUpgrade: true
      maxPodsPerNode: 110
      name: default-pool
      nodeConfig:
      - diskSizeGb: 100
        diskType: pd-standard
        imageType: COS_CONTAINERD
        machineType: e2-medium
        metadata:
          disable-legacy-endpoints: "true"
        oauthScopes:
        - https://www.googleapis.com/auth/devstorage.read_only
        - https://www.googleapis.com/auth/logging.write
        - https://www.googleapis.com/auth/monitoring
        - https://www.googleapis.com/auth/service.management.readonly
        - https://www.googleapis.com/auth/servicecontrol
        - https://www.googleapis.com/auth/trace.append
        serviceAccount: default
        shieldedInstanceConfig:
        - enableIntegrityMonitoring: true
      nodeCount: 1
      nodeLocations:
      - europe-west2-a
      - europe-west2-b
      - europe-west2-c
      upgradeSettings:
      - maxSurge: 1
        maxUnavailable: 0
      version: 1.21.6-gke.1503
    nodeVersion: 1.21.6-gke.1503
    project: [...REDACTED...]
    releaseChannel:
    - channel: REGULAR
    removeDefaultNodePool: false
    subnetwork: projects/[...REDACTED...]/regions/europe-west2/subnetworks/default-vpc
  providerConfigRef:
    name: default
  writeConnectionSecretToRef:
    name: cluster-test-dev
    namespace: default
```

With help from @mol-george, who raised this with me and helped pair on it.
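To make the behaviour described in the PR concrete, here is an added illustration of the credential-source switch (example code written for this page, not the PR's own `internal/clients/gcp.go`; the function and field names are assumptions). It shows the two standard Crossplane sources: for `Secret` a service account key is validated and passed to the Terraform provider as its `credentials` attribute, while for `InjectedIdentity` no `credentials` attribute is set at all, so the google Terraform provider falls through to Application Default Credentials, which on GKE resolve to the pod's Workload Identity. It also refuses an `InjectedIdentity` config that unexpectedly carries a key, so a misconfiguration fails loudly instead of silently using the wrong identity.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Credential sources as Crossplane spells them in
// ProviderConfig.spec.credentials.source.
const (
	SourceInjectedIdentity = "InjectedIdentity"
	SourceSecret           = "Secret"
)

// terraformProviderConfig builds the attribute map that would be handed to the
// google Terraform provider (hypothetical helper for this example).
// For InjectedIdentity no "credentials" attribute is set, so the provider
// falls through to Application Default Credentials, which on GKE resolve to
// the pod's Workload Identity via the metadata server.
func terraformProviderConfig(source, projectID string, keyJSON []byte) (map[string]string, error) {
	if projectID == "" {
		return nil, errors.New("projectID is required")
	}
	cfg := map[string]string{"project": projectID}
	switch source {
	case SourceInjectedIdentity:
		// A key alongside InjectedIdentity is a misconfiguration: fail early
		// rather than guess which identity the caller meant.
		if len(keyJSON) != 0 {
			return nil, errors.New("InjectedIdentity must not be combined with a service account key")
		}
		return cfg, nil
	case SourceSecret:
		if err := validateServiceAccountKey(keyJSON); err != nil {
			return nil, fmt.Errorf("secret credentials: %w", err)
		}
		cfg["credentials"] = string(keyJSON)
		return cfg, nil
	default:
		return nil, fmt.Errorf("unsupported credentials source %q", source)
	}
}

// validateServiceAccountKey checks the minimal shape of a GCP service account
// key before it is passed on, so a mis-mounted secret fails with a clear error.
func validateServiceAccountKey(keyJSON []byte) error {
	var key struct {
		Type        string `json:"type"`
		ClientEmail string `json:"client_email"`
		PrivateKey  string `json:"private_key"`
	}
	if err := json.Unmarshal(keyJSON, &key); err != nil {
		return fmt.Errorf("key is not valid JSON: %w", err)
	}
	if key.Type != "service_account" {
		return fmt.Errorf("unexpected key type %q", key.Type)
	}
	if key.ClientEmail == "" || key.PrivateKey == "" {
		return errors.New("key is missing client_email or private_key")
	}
	return nil
}

func main() {
	// Constructed sample key for the demo; not a real credential.
	sample := []byte(`{"type":"service_account","client_email":"sa@example.iam.gserviceaccount.com","private_key":"-----BEGIN PRIVATE KEY-----\nFAKE\n-----END PRIVATE KEY-----\n"}`)
	cases := []struct {
		source string
		key    []byte
	}{
		{SourceInjectedIdentity, nil},
		{SourceSecret, sample},
		{SourceInjectedIdentity, sample}, // misconfiguration, expected to error
	}
	for _, c := range cases {
		cfg, err := terraformProviderConfig(c.source, "my-project", c.key)
		_, hasCreds := cfg["credentials"]
		fmt.Printf("%-16s credentials set=%-5v err=%v\n", c.source, hasCreds, err)
	}
}
```

The important property for an operator is the absence of the `credentials` attribute in the `InjectedIdentity` case: the controller pod's Kubernetes service account (here `terraformer`) must be bound to the intended Google service account for ADC to resolve, and nothing in the ProviderConfig should be able to override that binding with a key.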

@davidcollom davidcollom force-pushed the support-workload-identity branch from dc21fd6 to 708a846 on March 16, 2022 14:40
Collaborator

@ulucinar ulucinar left a comment


Thank you @davidcollom for adding support for workload identities in provider-jet-gcp. I've also verified that both injected identities and the service account credential-based provider configs are working in my cluster. I think we are good to merge this once you rebase the PR.

Review threads (outdated, resolved) on: Makefile, internal/clients/gcp.go
Signed-off-by: David Collom <david.collom@jetstack.io>
Signed-off-by: David Collom <david@collom.co.uk>
@ulucinar
Collaborator

Hi @davidcollom,
When you commit via the Github UI, we will be missing your sign-off. You may consider doing a:

git commit -s --amend

Thank you!

Co-authored-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
Signed-off-by: David Collom <david@collom.co.uk>
@davidcollom davidcollom force-pushed the support-workload-identity branch from 21766be to bdff9d0 on March 18, 2022 19:37
@davidcollom
Contributor Author

@ulucinar Thanks for the review/testing and comments. All sorted/resolved 👍

Collaborator

@ulucinar ulucinar left a comment


Thank you @davidcollom!

@ulucinar ulucinar merged commit 6855ea8 into crossplane-contrib:main Mar 18, 2022
@davidcollom davidcollom deleted the support-workload-identity branch March 19, 2022 07:56
Successfully merging this pull request may close these issues.

InjectedIdentity provider config source is not working