
[rbac-manager] Support workload identity #330

Open: wants to merge 1 commit into master
Conversation

jace-ys (Contributor) commented Dec 8, 2023

Hey folks 👋🏻

Hope you don't mind this contribution, but we'd like to see theatre support workload identity in the rbac-manager instead of using service account keys. I've made the change such that if workload identity is not configured, the rbac-manager will fall back to using service account keys.

This is how we're currently using it with workload identity in our GKE cluster (after removing GOOGLE_APPLICATION_CREDENTIALS):

# Config Connector CRDs
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  name: theatre-workload-identity-user
  annotations:
    cnrm.cloud.google.com/project-id: duffel-prod
spec:
  bindings:
  - members:
    - serviceAccount:duffel-prod.svc.id.goog[theatre-system/theatre-rbac-manager]
    role: roles/iam.workloadIdentityUser
  - members:
    - serviceAccount:theatre@duffel-prod.iam.gserviceaccount.com
    # Required so that the theatre service account can impersonate itself
    role: roles/iam.serviceAccountTokenCreator
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    external: projects/duffel-prod/serviceAccounts/theatre@duffel-prod.iam.gserviceaccount.com

kubectl annotate serviceaccount theatre-rbac-manager \
    --namespace theatre-system \
    iam.gke.io/gcp-service-account=theatre@duffel-prod.iam.gserviceaccount.com

Same change on our fork: duffelhq#3
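An added sanity check for the wiring shown above (example code, not part of this PR or the theatre project): the IAMPolicy from the description is transcribed as a dict alongside the KSA annotation, and the check reports any binding that is missing, broader than the single rbac-manager KSA, or pointed at a different GSA. The constants mirror the PR's values; check_workload_identity and its finding strings are assumptions.

```python
PROJECT = "duffel-prod"
NAMESPACE = "theatre-system"
KSA = "theatre-rbac-manager"
GSA = "theatre@duffel-prod.iam.gserviceaccount.com"
WI_USER = "roles/iam.workloadIdentityUser"
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"

# Constructed: the IAMPolicy manifest from the PR description as a dict.
POLICY = {
    "kind": "IAMPolicy",
    "spec": {
        "bindings": [
            {"members": [f"serviceAccount:{PROJECT}.svc.id.goog[{NAMESPACE}/{KSA}]"],
             "role": WI_USER},
            # The GSA must be able to mint tokens for itself (self-impersonation).
            {"members": [f"serviceAccount:{GSA}"], "role": TOKEN_CREATOR},
        ],
        "resourceRef": {"kind": "IAMServiceAccount",
                        "external": f"projects/{PROJECT}/serviceAccounts/{GSA}"},
    },
}
# Constructed: what the `kubectl annotate` call above leaves on the KSA.
KSA_ANNOTATIONS = {"iam.gke.io/gcp-service-account": GSA}


def check_workload_identity(policy, ksa_annotations, project, namespace, ksa, gsa):
    """Hypothetical helper: return findings; an empty list means the wiring matches the PR's."""
    findings = []
    spec = policy.get("spec", {})
    if spec.get("resourceRef", {}).get("external") != f"projects/{project}/serviceAccounts/{gsa}":
        findings.append("resourceRef does not point at the expected GSA")
    if ksa_annotations.get("iam.gke.io/gcp-service-account") != gsa:
        findings.append("KSA annotation does not name the expected GSA")
    # Group members by role so each role is compared against its one allowed principal.
    by_role = {}
    for binding in spec.get("bindings", []):
        by_role.setdefault(binding.get("role", ""), set()).update(binding.get("members", []))
    expected_wi = f"serviceAccount:{project}.svc.id.goog[{namespace}/{ksa}]"
    wi_members = by_role.get(WI_USER, set())
    if expected_wi not in wi_members:
        findings.append("workloadIdentityUser is not granted to the rbac-manager KSA")
    for member in sorted(wi_members - {expected_wi}):
        findings.append(f"workloadIdentityUser granted to unexpected member {member}")
    for member in sorted(by_role.get(TOKEN_CREATOR, set()) - {f"serviceAccount:{gsa}"}):
        findings.append(f"serviceAccountTokenCreator granted to unexpected member {member}")
    for role in sorted(set(by_role) - {WI_USER, TOKEN_CREATOR}):
        findings.append(f"unexpected role {role} bound on the GSA")
    return findings
```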

@jace-ys jace-ys marked this pull request as draft December 8, 2023 16:23
@jace-ys jace-ys marked this pull request as ready for review December 8, 2023 17:56
jace-ys (Contributor Author) commented Dec 8, 2023

@vinayvinay I think you're the one left in GC that I know..

Any idea who would be best suited to review this? 😁

@jace-ys jace-ys force-pushed the jace/rbac-manager-workload-identity branch from b4d17a9 to 44d5970 Compare August 19, 2024 20:25
@@ -68,7 +68,7 @@ manifests: generate
install-tools:
go install github.com/onsi/ginkgo/ginkgo@v1.16.5
go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.10.0
go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
go install sigs.k8s.io/controller-runtime/tools/setup-envtest@release-0.17
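Review bot: the setup-envtest install now tracks @release-0.17, which is a branch name rather than a tagged release, so CI still follows a moving head while the ginkgo and controller-gen installs above it are pinned to exact versions (v1.16.5, v0.10.0); pin setup-envtest to a specific version or commit for a reproducible toolchain. This Makefile change is also unrelated to workload identity, so consider landing it separately or at least calling it out in the commit message.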
jace-ys (Contributor Author) commented:

Shamelessly stolen from #335 to get my CI tests passing.. 😬

jace-ys (Contributor Author) commented Aug 20, 2024

@mbfisher @bogvak @0x0013 Sorry for the direct tag but wanted to get this merged and saw that you folks have been recently active on this repo!

mbfisher commented:

> @mbfisher @bogvak @0x0013 Sorry for the direct tag but wanted to get this merged and saw that you folks have been recently active on this repo!

I'm a contributor so can't help, I'm afraid. Core Infra own this, so I'd raise a SPOC ticket with them to get a review.

jace-ys (Contributor Author) commented Aug 20, 2024

> I'm a contributor so can't help I'm afraid, Core Infra own this so I'd raise a SPOC ticket with them to get a review

Thanks for letting me know! Unfortunately I'm no longer at GC so don't think I'd be able to do that 😅
