docs: add multicluster configuration note (#1883)

terraform-google-modules · May 22, 2024 · d87cbee · d87cbee
1 parent 12cf40f
commit d87cbee
Showing 1 changed file with 45 additions and 0 deletions.
diff --git a/modules/workload-identity/README.md b/modules/workload-identity/README.md
@@ -94,6 +94,51 @@ module "my-app-workload-identity" {
 If annotation is disabled (via `annotate_k8s_sa = false`), the existing Kubernetes service account must
 already bear the `"iam.gke.io/gcp-service-account"` annotation.
 
+## Using with multiple clusters
+
+This module accommodates configurations involving multiple clusters within the kubernetes provider.
+
+To begin, initialize the kubernetes provider for each cluster with a unique alias, as demonstrated below:
+
+Initialize your `kubernetes` provider with an alias like the following:
+
+```hcl
+provider "kubernetes" {
+  alias                  = "alias-for-your-cluster"
+  host                   = "https://your-cluster-host-url.com"
+  token                  = "your-cluster-token"
+  cluster_ca_certificate = base64decode("Your-Cluster-Certificate")
+}
+```
+
+Ensure each cluster configuration has a distinct alias. Repeat this step for every cluster you intend to manage.
+
+In your module configuration, include the providers attribute to assign the appropriate provider alias:
+
+```hcl
+module "workload_identity_for_cluster" {
+  source  = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
+
+  providers = {
+    kubernetes = kubernetes.alias-for-your-cluster
+  }
+
+  name        = "service-account-name"
+  namespace   = "desired-namespace"
+  // Other module configurations
+}
+```
+
+This approach is required when managing multiple clusters. Omitting this step can lead to errors like the one shown below:
+
+```shell
+Error: Get "http://localhost/api/v1/namespaces/default/serviceaccounts/your-service-account": dial tcp [::1]:80: connect: connection refused
+│
+│   with module.your_workload_identity.kubernetes_service_account.main[0],
+│   on .terraform/modules/your_workload_identity/modules/workload-identity/main.tf line 50, in resource "kubernetes_service_account" "main":
+│   50: resource "kubernetes_service_account" "main" {
+```
+
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Inputs