Add support for GKE Workload Identity

Grant Young requested to merge gy-gke-workload-identity-2024 into main

What does this MR do?

This MR adds support for GKE Workload Identity, which was recently added as an option to the application.

The MR also streamlines and makes several improvements to Geo as part of the permissions changes:

  • Made some adjustments for Geo Container Registry replication to work more smoothly
    • Primary Registry URL is now required on secondary sites to ensure continued replication through upgrades
    • If not given, replication is disabled as a failsafe
    • container_registry_token has been renamed to geo_container_registry_notification_secret to be clearer
    • Updated and streamlined docs to reflect the above
  • Only the specifically required GitLab secrets are now copied between sites instead of all
  • Geo docs have been updated with clearer info in various places
  • Added note that gitlab_geo playbook should be part of upgrade process.
  • Added note that CNH sites will not work until the full Geo setup has been completed.
  • Removed the previous config to grant access to primary site buckets on GCP as this was added in error.

Updated version of the previous MR after a product limitation was found.

Related issues

Closes #712

Author's checklist

When ready for review, the author applies the workflow::ready for review label and mentions @gl-quality/get-maintainers:

  • Merge request:
    • Corresponding Issue raised and reviewed by the GET maintainers team.
    • Merge Request Title and Description are up-to-date, accurate, and descriptive
    • MR targeting the appropriate branch
    • MR has a green pipeline
    • MR has no new security alerts in the widget from the Secret Detection and IaC Scan (SAST) jobs.
  • Code:
    • Check the area changed works as expected. Consider testing it in different environment sizes (1k, 3k, 10k, etc.).
    • Documentation created/updated in the same MR.
    • If this MR adds an optional configuration, check that all permutations continue to work.
    • For Terraform changes: set up a previous version environment, then run a terraform plan with your new changes and ensure nothing will be destroyed. If anything will be destroyed and this can't be avoided, please add a comment to the current MR.
  • Create any follow-up issue(s) to support the new feature across other supported cloud providers or advanced configurations. Create 1 issue for each provider/configuration. Contact the Quality Enablement team if unsure.
Edited by Grant Young