Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[rbac-manager] Support workload identity #330

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[rbac-manager] Support workload identity #330

wants to merge 1 commit into from
+68 −28

Conversation

jace-ys
Copy link
Contributor

@jace-ys jace-ys commented Dec 8, 2023
edited
Loading

Hey folks 👋🏻

Hope you don't mind this contribution but we'd like to see theatre support workload identity in the rbac-manager instead of using service account keys. I've made the change such that if workload identity is not configured, the rbac-manager will fallback to using service account keys.

This is how we're currently using it with workload identity in our GKE cluster (after removing GOOGLE_APPLICATION_CREDENTIALS):

Same change on our fork: duffelhq#3

# Config Connector CRDs
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  name: theatre-workload-identity-user
  annotations:
    cnrm.cloud.google.com/project-id: duffel-prod
spec:
  bindings:
  - members:
    - serviceAccount:duffel-prod.svc.id.goog[theatre-system/theatre-rbac-manager]
    role: roles/iam.workloadIdentityUser
  - members:
    - serviceAccount:[email protected]
    # Required so that the theatre service account can impersonate itself
    role: roles/iam.serviceAccountTokenCreator
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    external: projects/duffel-prod/serviceAccounts/[email protected]
 kubectl annotate serviceaccount theatre-rbac-manager \
    --namespace theatre-system \
    iam.gke.io/[email protected]

@jace-ys jace-ys marked this pull request as draft December 8, 2023 16:23
@jace-ys jace-ys marked this pull request as ready for review December 8, 2023 17:56
@jace-ys
Copy link
Contributor Author

jace-ys commented Dec 8, 2023

@vinayvinay I think you're the one left in GC that I know..

Any idea who would be best suited to review this? 😁

@jace-ys jace-ys mentioned this pull request Dec 11, 2023
Merged
@jace-ys jace-ys force-pushed the jace/rbac-manager-workload-identity branch 2 times, most recently from 8ad47a2 to b4d17a9 Compare August 19, 2024 20:20
@jace-ys jace-ys force-pushed the jace/rbac-manager-workload-identity branch from b4d17a9 to 44d5970 Compare August 19, 2024 20:25
jace-ys
jace-ys commented Aug 19, 2024
View reviewed changes
Makefile
@@ -68,7 +68,7 @@ manifests: generate
install-tools:
go install github.com/onsi/ginkgo/[email protected]
go install sigs.k8s.io/controller-tools/cmd/[email protected]
go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
go install sigs.k8s.io/controller-runtime/tools/setup-envtest@release-0.17
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shamelessly stolen from #335 to get my CI tests passing.. 😬

@jace-ys
Copy link
Contributor Author

jace-ys commented Aug 20, 2024

@mbfisher @bogvak @0x0013 Sorry for the direct tag but wanted to get this merged and saw that you folks have been recently active on this repo!

@mbfisher
Copy link

@mbfisher @bogvak @0x0013 Sorry for the direct tag but wanted to get this merged and saw that you folks have been recently active on this repo!

I'm a contributor so can't help I'm afraid, Core Infra own this so I'd raise a SPOC ticket with them to get a review

@jace-ys
Copy link
Contributor Author

jace-ys commented Aug 20, 2024
edited
Loading

I'm a contributor so can't help I'm afraid, Core Infra own this so I'd raise a SPOC ticket with them to get a review

Thanks for letting me know! Unfortunately I'm no longer at GC so don't think I'd be able to do that 😅

@benwh
Copy link
Contributor

benwh commented Sep 9, 2024

Bumping - it'd be great to get this in!

👋 @ttamimi @VSpike @ijames-gc

0x0013
0x0013 reviewed Nov 25, 2024
View reviewed changes
Copy link

@0x0013 0x0013 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jace-ys Thanks, this looks like a valuable addition.

I'm no expert in GCP authentication flow, so I would like to ask some clarifications before I can review, mostly for my own understanding. I've left these in code comments. Apologies if the answers to these are obvious.

cmd/rbac-manager/main.go
Subject: subject,
}

ts, err := impersonate.CredentialsTokenSource(ctx, config, option.WithCredentials(creds))
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it necessary for the account to impersonate itself, instead of using the TokenSource already returned by FindDefaultCredentials?

cmd/rbac-manager/main.go
return nil, err
}

return directoryv1.NewService(ctx, option.WithTokenSource(ts))
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if the option when using a supplied json credentials (old behavior) could also use the TokenSource from Credentials returned by FindDefaultCredentials?

If so, likely the code could be simplified a little, instead of needing to call NewService with different option for each credential type.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@0x0013 0x0013 0x0013 left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@jace-ys @mbfisher @benwh @0x0013