Support GKE workload identity
Summary
The GitLab charts support GKE workload identity: https://docs.gitlab.com/charts/advanced/external-object-storage/gke-workload-identity.html.
The Operator uses pre-defined service accounts which are bound to the workloads: https://docs.gitlab.com/operator/security_context_constraints.html.
Once we support binding arbitrary service accounts (#1089 (closed)), we can test and document how to set up GKE workload identity with the Operator.
Acceptance Criteria
- GKE workload identity tested
- GKE workload identity & service account setup documented
Activity
- 🤖 GitLab Bot 🤖 added devopssystems sectioncore platform labels
- Clemens Beck marked this issue as blocked by #1089 (closed)
- Clemens Beck mentioned in commit 16a28f42
- Clemens Beck mentioned in merge request !957 (merged)
- Clemens Beck marked this issue as related to gitlab-org/charts/gitlab#3434 (closed)
- Nailia Iskhakova mentioned in epic gitlab-org/quality/quality-engineering#95 (closed)
- Grant Young marked this issue as blocking gitlab-org/gitlab-environment-toolkit#109 (closed)
- Grant Young mentioned in issue gitlab-org/gitlab-environment-toolkit#109 (closed)
- Peter Lu changed milestone to %Next 1-3 releases
Bumping priority to P1 as it is blocking Add GitLab Operator support with GET (gitlab-org/gitlab-environment-toolkit#109 - closed), and it is still preferred to support Operator with GET in Q3.
Hi @clemensbeck - Is this issue completed?
- Author Maintainer
@plu8 With !983 (merged) merged this issue is now unblocked but not completed.
Users can now create and use a new K8s ServiceAccount that is only used by the Toolbox. This allows the GCP ServiceAccount to be linked with Toolbox workloads only (rather than all workloads) using the iam.gke.io/gcp-service-account annotation.
gitlab-org/gitlab-environment-toolkit#109 (closed) could already be unlocked, but we should use this issue for documentation purposes as the Operator setup is different from the chart setup.
- Clemens Beck mentioned in commit 3276ff4f
mentioned in commit 3276ff4f
- Clemens Beck mentioned in merge request !983 (merged)
mentioned in merge request !983 (merged)
- Clemens Beck mentioned in commit a5b6b1f9
mentioned in commit a5b6b1f9
- Clemens Beck mentioned in commit 733adeea
mentioned in commit 733adeea
- Clemens Beck mentioned in commit 5d70aff0
mentioned in commit 5d70aff0
- Developer (thread resolved by Nailia Iskhakova)
@clemensbeck could you please assist with the clarification about using workload identity after the latest changes? Per gitlab-org/gitlab-environment-toolkit#109 (comment 2163227127) I updated `values` for the GitLab CR to include `serviceAccount.name`, and installation fails. I'm assuming I'm setting this up wrong, but I'm not sure where the issue is.
```yaml
chart:
  values:
    gitlab:
      ...
      sidekiq:
        ..
        nodeSelector:
          workload: sidekiq
        ...
        serviceAccount:
          annotations:
            iam.gke.io/gcp-service-account: gl-gke-sidekiq@gitlab-qa-distribution-35632a.iam.gserviceaccount.com
          name: operator-cnh-gke-sidekiq
      toolbox:
        backups:
          objectStorage:
            backend: gcs
        serviceAccount:
          annotations:
            iam.gke.io/gcp-service-account: gl-gke-toolbox@gitlab-qa-distribution-35632a.iam.gserviceaccount.com
          name: operator-cnh-gke-toolbox
      webservice:
        ...
        nodeSelector:
          workload: webservice
        ...
        serviceAccount:
          annotations:
            iam.gke.io/gcp-service-account: gl-gke-webservice@gitlab-qa-distribution-35632a.iam.gserviceaccount.com
          name: operator-cnh-gke-webservice
    ...
    registry:
      metrics:
        enabled: true
        serviceMonitor:
          enabled: true
      serviceAccount:
        annotations:
          iam.gke.io/gcp-service-account: gl-gke-registry@gitlab-qa-distribution-35632a.iam.gserviceaccount.com
        name: operator-cnh-gke-registry
      storage:
        key: config
        secret: gitlab-container-registry-object-storage-key
  version: 8.6.0
```
Pod listing:

```
default gitlab-kas-75958b7588-jx2t9 ● 1/1 Running 0 1 31 1 n/a 33 n/a 10.0.3.10
default gitlab-kas-75958b7588-sf66r ● 1/1 Running 0 1 27 1 n/a 29 n/a 10.0.3.9
default gitlab-migrations-eb7f4be-b9c-1-f7rfn ● 0/1 Completed 0 0 0 0 n/a 0 n/a 10.0.3.7
default gitlab-nginx-ingress-controller-rxwsg ● 1/1 Running 0 3 112 3 n/a 112 n/a 10.0.0.12
default gitlab-shared-secrets-b2f1613-ps8bj ● 0/1 Completed 0 0 0 0 n/a n/a n/a 10.0.3.4
```

Operator log:

```
{"level":"info","ts":"2024-11-25T12:53:56Z","logger":"controllers.GitLab","msg":"GitLab is initializing","gitlab":{"name":"gitlab","namespace":"default"},"operation":"install","current version":"8.6.0","desired version":"8.6.0"}
{"level":"info","ts":"2024-11-25T12:53:57Z","logger":"controllers.GitLab","msg":"ensuring migrations Job has finished","gitlab":{"name":"gitlab","namespace":"default"}}
{"level":"info","ts":"2024-11-25T12:53:57Z","logger":"controllers.GitLab","msg":"ensuring Webservice and Sidekiq are reconciled if enabled","gitlab":{"name":"gitlab","namespace":"default"}}
{"level":"info","ts":"2024-11-25T12:53:57Z","logger":"controllers.GitLab","msg":"Webservice and/or Sidekiq not yet Running","gitlab":{"name":"gitlab","namespace":"default"}}
```
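The per-workload ServiceAccount binding described in the maintainer's reply above, and the `values` block posted in this thread, can be sanity-checked before the CR is applied. The following is an added example (not Operator or chart code): it walks `spec.chart.values` for `serviceAccount` blocks, validates the `iam.gke.io/gcp-service-account` annotation and the dedicated `name`, and derives the Workload Identity member each GSA must trust via `roles/iam.workloadIdentityUser`. The sample values and project ID are constructed placeholders, and it assumes the cluster's Workload Identity pool lives in the same GCP project as the GSA.

```python
import re

ANNOTATION = "iam.gke.io/gcp-service-account"
# GSA email: <account-id>@<project-id>.iam.gserviceaccount.com (group 1 = project id)
GSA_RE = re.compile(r"^[a-z][a-z0-9-]{5,29}@([a-z][a-z0-9-]{4,28}[a-z0-9])\.iam\.gserviceaccount\.com$")
DNS_LABEL_RE = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")  # valid KSA name

# Constructed sample shaped like spec.chart.values in the CR posted above (placeholder names).
SAMPLE_VALUES = {
    "gitlab": {
        "toolbox": {"serviceAccount": {
            "annotations": {ANNOTATION: "gl-gke-toolbox@example-project.iam.gserviceaccount.com"},
            "name": "operator-cnh-gke-toolbox"}},
        # annotation without a dedicated name: the binding is not scoped to this workload
        "sidekiq": {"serviceAccount": {
            "annotations": {ANNOTATION: "gl-gke-sidekiq@example-project.iam.gserviceaccount.com"}}},
    },
    "registry": {"serviceAccount": {
        "annotations": {ANNOTATION: "not-an-email"}, "name": "operator-cnh-gke-registry"}},
}

def find_service_accounts(values, path=()):
    """Yield (component path, serviceAccount block) for every component in the values."""
    for key, val in values.items():
        if not isinstance(val, dict):
            continue
        if key == "serviceAccount":
            yield ".".join(path), val
        else:
            yield from find_service_accounts(val, path + (key,))

def check_workload_identity(values, namespace):
    """Return (findings, members): problems found, and per component the Workload
    Identity member the GSA must trust with roles/iam.workloadIdentityUser."""
    findings, members = [], {}
    for comp, sa in find_service_accounts(values):
        gsa = sa.get("annotations", {}).get(ANNOTATION)
        if gsa is None:
            continue  # component does not use Workload Identity
        match = GSA_RE.match(gsa)
        name = sa.get("name")
        if not match:
            findings.append(f"{comp}: {gsa!r} is not a GCP service account email")
        elif not name:
            findings.append(f"{comp}: annotation set but no dedicated serviceAccount.name")
        elif not DNS_LABEL_RE.match(name):
            findings.append(f"{comp}: {name!r} is not a valid ServiceAccount name")
        else:  # assumes the Workload Identity pool is in the GSA's project
            members[comp] = f"serviceAccount:{match.group(1)}.svc.id.goog[{namespace}/{name}]"
    return findings, members
```

The returned member strings are what the GSA's IAM policy must contain for the annotation to work; any finding means the KSA/GSA link will not be scoped the way the reply above describes.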
mentioned in epic gitlab-com/gl-infra/software-delivery/framework&2