Skip to content

Latest commit

 

History

History
180 lines (129 loc) · 4.46 KB

README.md

File metadata and controls

180 lines (129 loc) · 4.46 KB
Raw

Terraform for GKE Workload Identity

Overview

  • Create a GKE cluster and node group
  • Create an IAM service account, Kubernetes service account, and role binding between service accounts
  • Workload Identity per Kubernetes namespace

Installation

Update Terraform variables

src/tf/autopilot-cluster/vars/dev.tfvars

project_id = "<project-id>"
region     = "us-central1"
stage      = "dev"
backend_bucket = ""

If you want to use the backend with GCS bucket, set the backend_bucket variable:

project_id = "<project-id>"
region     = "us-central1"
stage      = "dev"
backend_bucket = "terraform-state"

Create a GKE cluster

  • Create Terraform workspaces
cd src/tf/autopilot-cluster/

terraform workspace new dev
terraform workspace new stg
terraform workspace select dev
terraform workspace list
  • Run Terraform
terraform init

terraform plan -var-file=vars/dev.tfvars

terraform apply

Create Service Account & Workload Identity

  • Create Terraform workspaces
cd ../../src/tf/workload-identity/

terraform workspace new dev
terraform workspace new stg
terraform workspace select dev
terraform workspace list
  • Run Terraform
terraform init

terraform plan -var-file=vars/dev.tfvars

terraform apply

Confirm Resources

kubectl get namespaces
bucket-api-ns     Active   9m58s
default           Active   31h
kube-node-lease   Active   31h
kube-public       Active   31h
kube-system       Active   31h
pubsub-api-ns     Active   9m58s
gcloud iam service-accounts list | grep api
GCP SA bound to K8S SA your-project-id[bucket-api-sa]    [email protected]    False
GCP SA bound to K8S SA your-project-id[pubsub-api-sa]    [email protected]    False
kubectl get serviceaccount -n bucket-api-ns
kubectl get serviceaccount -n pubsub-api-ns
NAME            SECRETS   AGE
bucket-api-sa   0         18m
default         0         38m
NAME            SECRETS   AGE
default         0         38m
pubsub-api-sa   0         18m
kubectl get all -n bucket-api-ns

kubectl get all -n pubsub-api-ns

Manifest Deployment

IMPORTANT: Both the IAM service account and Kubernetes service account have the SAME name when you create it by using terraform-google-modules/kubernetes-engine/google//modules/workload-identity module. Thus we will replace Kubernetes service account from bucket-api-ksa to bucket-api-sa.

cd bucket-api

sed -e "s|<project-id>|${PROJECT_ID}|g" bucket-api-template.yaml | sed -e "s|bucket-api-ksa|bucket-api-sa|g" > bucket-api.yaml
cat bucket-api.yaml
kubectl apply -f bucket-api.yaml
cd ../pubsub-api

sed -e "s|<project-id>|${PROJECT_ID}|g" pubsub-api-template.yaml | sed -e "s|pubsub-api-ksa|pubsub-api-sa|g" > pubsub-api.yaml
cat pubsub-api.yaml
kubectl apply -f pubsub-api.yaml

Check the status of service

kubectl describe service -n bucket-api-ns

kubectl describe service -n pubsub-api-ns

Troubleshooting

│ Error: projects/<your-project-id>/locations/us-central1-a/clusters/sample-cluster-dev not found
│ 
│   with data.google_container_cluster.this,
│   on main.tf line 11, in data "google_container_cluster" "this":
│   11: data "google_container_cluster" "this" {

Check your region variable in workload-identity/vars/dev.tfvars

Cleanup

cd src/tf/workload-identity 
terraform destroy

cd ../autopilot-cluster
terraform destroy

References