Test secretless authentication on GKE #562
Force-pushed d1974ec to a38ddd3
Signed-off-by: Richard Wall <richard.wall@venafi.com>
Force-pushed a38ddd3 to f767ff6
I've run the script with the US https://ven-tlspk.venafi.cloud/ using the following settings:

```bash
export VEN_API_KEY=$(lpass show -p ven-tlspk.venafi.cloud)
export \
  VEN_OWNING_TEAM=$(curl --fail-with-body -sS https://api.venafi.cloud/v1/teams -H "tppl-api-key: $VEN_API_KEY" | jq '.teams[0].id' -r) \
  OCI_BASE=ttl.sh/maelvls \
  VEN_API_KEY_PULL=$(lpass show -p glow-in-the-dark.venafi.cloud) \
  VEN_API_HOST=api.venafi.cloud \
  VEN_ZONE='tlspk-bench\Default' \
  CLOUDSDK_CORE_PROJECT=jetstack-mael-valais \
  CLOUDSDK_COMPUTE_ZONE=europe-west1-b \
  CLUSTER_NAME=test-secretless
```

Unfortunately, it stopped with some 400:

I admit I wasn't able to debug the issue... I trust that you have tested the script. Thanks for testing with an EU tenant too!
@maelvls Thanks for reviewing. The script does indeed work for me, but I know there are some rough edges. Since you've approved it now, I'll make it better in follow-up PRs.
This modified script will create a GKE cluster and set up venafi-enhanced-issuer, approver-policy-enterprise, and venafi-kubernetes-agent to authenticate to Venafi Control Plane using a Kubernetes ServiceAccount token.
Here are the corresponding events from the Venafi Control Plane event log:
Ref: VC-35374