docs: add multicluster configuration note #1883

45 changes: 45 additions & 0 deletions modules/workload-identity/README.md
@@ -94,6 +94,51 @@ module "my-app-workload-identity" {
If annotation is disabled (via `annotate_k8s_sa = false`), the existing Kubernetes service account must
already bear the `"iam.gke.io/gcp-service-account"` annotation.

## Using with multiple clusters

This module accommodates configurations involving multiple clusters within the kubernetes provider.

To begin, initialize the kubernetes provider for each cluster with a unique alias, as demonstrated below:

Initialize your `kubernetes` provider with an alias like the following:

```hcl
provider "kubernetes" {
alias = "alias-for-your-cluster"
host = "https://your-cluster-host-url.com"
token = "your-cluster-token"
cluster_ca_certificate = base64decode("Your-Cluster-Certificate")
}
```

Ensure each cluster configuration has a distinct alias. Repeat this step for every cluster you intend to manage.

In your module configuration, include the providers attribute to assign the appropriate provider alias:

```hcl
module "workload_identity_for_cluster" {
source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"

providers = {
kubernetes = kubernetes.alias-for-your-cluster
}

name = "service-account-name"
namespace = "desired-namespace"
// Other module configurations
}
```

This approach is required when managing multiple clusters. Omitting this step can lead to errors like the one shown below:

```shell
Error: Get "http://localhost/api/v1/namespaces/default/serviceaccounts/your-service-account": dial tcp [::1]:80: connect: connection refused
│ with module.your_workload_identity.kubernetes_service_account.main[0],
│ on .terraform/modules/your_workload_identity/modules/workload-identity/main.tf line 50, in resource "kubernetes_service_account" "main":
│ 50: resource "kubernetes_service_account" "main" {
```

<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Inputs

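Review bot: the two sentences introducing the provider block say the same thing (`To begin, initialize the kubernetes provider for each cluster with a unique alias, as demonstrated below:` followed by `Initialize your `kubernetes` provider with an alias like the following:`); keep one of them, and write `kubernetes` in backticks consistently, including in the opening sentence of the section. The provider example also places credentials directly in the configuration (`token = "your-cluster-token"` and an inline certificate); since readers copy these blocks verbatim, a short sentence pointing them at a data source or a variable marked sensitive for `token` and `cluster_ca_certificate` would avoid encouraging secrets in committed `.tf` files. The error block is the most useful part of the section, because the `http://localhost/api/v1/...` URL is exactly the symptom of a provider that received no configuration, and that is what readers will search for; only the first line of the block lacks the `│` prefix the other three lines carry, so either add it or drop it from all four for a clean paste.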