Skip to content

Toolbox: Support GKE Workload Identity Federation for gsutil

Stan Hu requested to merge sh-support-gke-workload-gsutil into master

What does this MR do?

Prevously gsutil would require backup credentials be specified in a Kubernetes secret, but this requires configuring a secret. This does not allow a service account tied to the node or the cluster from being used.

GOOGLE_APPLICATION_CREDENTIALS is configured by the Chart to specify the location of the backup credentials. If this file does not exist, we tell gsutil to obtain a token via the default service account by a config parameter in .boto. This enables backups to work with GKE Workload Identity Federation.

Related issues

Relates to #3434

Author checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion.

Required

  • Merge Request Title and Description are up to date, accurate, and descriptive
  • MR targeting the appropriate branch
  • MR has a green pipeline on GitLab.com
  • When ready for review, follow the instructions in the "Reviewer Roulette" section of the Danger Bot MR comment, as per the Distribution experimental MR workflow

For merge requests from forks, consider the following options for Danger to work properly:

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes
  • Documentation created/updated
  • Tests added/updated
  • Integration tests added to GitLab QA
  • Equivalent MR/issue for omnibus-gitlab opened
  • Equivalent MR/issue for Gitlab Operator project opened (see Operator documentation on impact of Charts changes)
  • Validate potential values for new configuration settings. Formats such as integer 10, duration 10s, URI scheme://user:passwd@host:port may require quotation or other special handling when rendered in a template and written to a configuration file.
Edited by Stan Hu

Merge request reports