We need to be able to connect to a GKE cluster using the Workload Identity Federation method.
Could you add, at the K8S.Master and the K8S.Namespace level, all fields needed to connect with this method:
- Audience (as password) (GKE_AUDIENCE)
- Identity Pool (GKE_POOL)
- Provider (GKE_PROVIDER)
- Service Account(GKE_SERVICE_ACCOUNT)
- Project Name (GKE_NAME)
Could you also update the K8S plugin to retrieve the GKE token using the Workload Identity Federation method with these new fields (take them from the Namespace level if they're set, and from the Master level if not).
As a sample, we implemented an XL-Rule to retrieve the token with the following steps (variables are listed like <<$VARIABLE_NAME$>> in the following sample):
exec : kubectl create token <<$K8S_SERVICE_ACOUNT$>> --audience <<$GKE_AUDIENCE$>> > write into temporary_token_file
Create temporary file credential_file
{
"universe_domain": "googleapis.com",
"type": "external_account",
"audience": "//iam.googleapis.com/projects/<<$Google_Project_Id?>>/locations/global/workloadIdentityPools/<<?GKE_POOL?>>/providers/<<?GKE_PROVIDER?>>",
"subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
"token_url": "https://sts.googleapis.com/v1/token",
"credential_source": {
"file": "{temporary}token_file"
},
"service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/<<?GKE_SERVICE_ACCOUNT?>>@<<?GKE_PROJECT_NAME?>>.iam.gserviceaccount.com:generateAccessToken"
}
exec : gcloud auth login --cred-file={temporary}credential_file
exec : gcloud auth print-access-token to get GKE Access Token used by K8S.Namespace during a deployment.
by: Integration c. | 7 days ago | Deployments
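The credential-file step above, written as a POSIX shell function rather than an XL-Rule; this is an added example, not the requester's rule or the plugin's code. It assumes the Master and Namespace settings arrive as environment variables with the hypothetical prefixes MASTER_ and NS_, applies the "Namespace first, Master as fallback" rule from the request, refuses to render a file if any setting is missing, and only prints the JSON so the caller can write it under a restrictive umask.

```shell
# pick_setting NAME: print NS_NAME if set and non-empty, else MASTER_NAME.
# Prefix names are assumptions for this example, not plugin properties.
pick_setting() {
  eval "ns=\${NS_$1:-}; master=\${MASTER_$1:-}"
  if [ -n "$ns" ]; then printf '%s' "$ns"; else printf '%s' "$master"; fi
}

# render_credential_config TOKEN_FILE: print the external_account config
# that points the STS exchange at the kubectl-issued token in TOKEN_FILE.
render_credential_config() {
  token_file=$1
  project_id=$(pick_setting GCP_PROJECT_ID)      # numeric project id for the pool
  pool=$(pick_setting GKE_POOL)
  provider=$(pick_setting GKE_PROVIDER)
  sa=$(pick_setting GKE_SERVICE_ACCOUNT)
  project=$(pick_setting GKE_NAME)               # project name of the service account
  # Fail closed: a missing value would produce a config that fails late at STS.
  for v in project_id pool provider sa project; do
    eval "val=\${$v}"
    [ -n "$val" ] || { echo "missing setting: $v" >&2; return 1; }
  done
  cat <<EOF
{
  "universe_domain": "googleapis.com",
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/${project_id}/locations/global/workloadIdentityPools/${pool}/providers/${provider}",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": { "file": "${token_file}" },
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${sa}@${project}.iam.gserviceaccount.com:generateAccessToken"
}
EOF
}

# Intended use (needs kubectl and gcloud, so not executed here):
#   umask 077; work=$(mktemp -d)
#   kubectl create token "$K8S_SERVICE_ACCOUNT" --audience "$(pick_setting GKE_AUDIENCE)" > "$work/token"
#   render_credential_config "$work/token" > "$work/cred.json"
#   gcloud auth login --cred-file="$work/cred.json" && gcloud auth print-access-token
#   rm -rf "$work"
```

The token file and credential file are both sensitive: keep them in a private temp directory and delete them once print-access-token has returned.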

Comments
Thank you for the idea. We'll investigate further and reach out if we have any questions. We're aiming to include this change in the 26.3 release.