
Commit 837e769

authored
Add instructions for workload identity-enabled GKE clusters (GoogleCloudPlatform#423)
* Add workload identity instructions
* Adds links from README
* cleanup
1 parent 41a2599 commit 837e769

13 files changed

+65
-2
lines changed

.gitignore

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,4 +10,5 @@ pkg/
1010
.skaffold-*.yaml
1111
.kubernetes-manifests-*/
1212
.project
13-
.eclipse.buildship.core.prefs
13+
.eclipse.buildship.core.prefs
14+
release/wi-kubernetes-manifests.yaml

README.md

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -169,7 +169,8 @@ We offer the following installation methods:
169169
### Option 2: Running on Google Kubernetes Engine (GKE)
170170
171171
> 💡 Recommended if you're using Google Cloud Platform and want to try it on
172-
> a realistic cluster.
172+
> a realistic cluster. **Note**: If your cluster has Workload Identity enabled,
173+
> [see these instructions](/docs/workload-identity.md)
173174
174175
1. Create a Google Kubernetes Engine cluster and make sure `kubectl` is pointing
175176
to the cluster.
@@ -306,6 +307,10 @@ by deploying the [release manifest](./release) directly to an existing cluster.
306307
curl -v "http://$INGRESS_HOST"
307308
```
308309

310+
### Option 5: Deploying on a Workload Identity-enabled GKE cluster
311+
312+
See [this doc](/docs/workload-identity.md).
313+
309314
### Cleanup
310315

311316
If you've deployed the application with `skaffold run` command, you can run
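Review bot: "Option 5" reads as a standalone installation method, but the linked doc is a variant of Option 4 (it rewrites `release/kubernetes-manifests.yaml` into a Workload Identity version and applies that), so the heading under-describes it; either name it for what it is (e.g. "Option 4 on a Workload Identity-enabled cluster") or give the one-line summary next to the link, such as "same as Option 4, but the pods run as a Workload Identity-bound service account". Readers skimming the options list otherwise cannot tell whether this is an alternative to Options 1-4 or a prerequisite for some of them.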

docs/workload-identity.md

Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,40 @@
1+
# Setup for Workload Identity clusters
2+
3+
If you have enabled [Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) on your GKE cluster ([a requirement for Anthos Service Mesh](https://cloud.google.com/service-mesh/docs/gke-anthos-cli-new-cluster#requirements)), follow these instructions to ensure that OnlineBoutique pods can communicate with GCP APIs.
4+
5+
*Note* - These instructions have only been validated in GKE on GCP clusters. [Workload Identity is not yet supported](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#creating_a_relationship_between_ksas_and_gsas) in Anthos GKE on Prem.
6+
7+
8+
9+
1. **Set up Workload Identity** on your GKE cluster [using the instructions here](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#enable_on_new_cluster). These instructions create the Kubernetes Service Account (KSA) and Google Service Account (GSA) that the OnlineBoutique pods will use to authenticate to GCP. Take note of what Kubernetes `namespace` you use during setup.
10+
11+
2. **Add IAM Roles** to your GSA. These roles allow workload identity-enabled OnlineBoutique pods to send traces and metrics to GCP.
12+
13+
```bash
14+
PROJECT_ID=<your-gcp-project-id>
15+
GSA_NAME=<your-gsa>
16+
17+
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
18+
--member "serviceAccount:${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
19+
--role roles/cloudtrace.agent
20+
21+
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
22+
--member "serviceAccount:${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
23+
--role roles/monitoring.metricWriter
24+
```
25+
26+
3. **Generate OnlineBoutique manifests** using your KSA as the Pod service account. In `kubernetes-manifests/`, replace `serviceAccountName: default` with the name of your KSA. (**Note** - sample below is Bash.)
27+
28+
```bash
29+
30+
KSA_NAME=<your-ksa>
31+
sed "s/serviceAccountName: default/serviceAccountName: ${KSA_NAME}/g" release/kubernetes-manifests.yaml > release/wi-kubernetes-manifests.yaml
32+
done
33+
```
34+
35+
4. **Deploy OnlineBoutique** to your GKE cluster using the install instructions above, except make sure that instead of the default namespace, you're deploying the manifests into your KSA namespace:
36+
37+
```bash
38+
NAMESPACE=<your-ksa-namespace>
39+
kubectl apply -n ${NAMESPACE} -f release/wi-kubernetes-manifests.yaml
40+
```
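Review bot: the step 3 `bash` block fails as written: the stray `done` on the line after the `sed` command closes a loop that no longer exists (`done` without a matching `for`/`while` is a shell syntax error), so delete it. The prose of the same step also points at the wrong place: it says to edit `kubernetes-manifests/`, whereas the command reads `release/kubernetes-manifests.yaml` and writes `release/wi-kubernetes-manifests.yaml` (the path added to .gitignore in this commit); say explicitly that the release manifest is the input so nobody edits the per-service YAML by hand. Step 1 delegates KSA and GSA creation entirely to the linked guide, yet the whole setup hinges on two things that guide must produce: the KSA carrying the `iam.gke.io/gcp-service-account` annotation naming the GSA, and the GSA granting `roles/iam.workloadIdentityUser` to `serviceAccount:${PROJECT_ID}.svc.id.goog[${NAMESPACE}/${KSA_NAME}]`; a verification step after step 4 (for example `kubectl -n ${NAMESPACE} describe sa ${KSA_NAME}` to confirm the annotation, or `gcloud auth list` from inside a pod) would catch a mis-bound identity before users chase missing traces. Finally, because every service manifest is rewritten to the same KSA, all OnlineBoutique pods share one GSA with both `roles/cloudtrace.agent` and `roles/monitoring.metricWriter`; that is fine for a demo, but worth stating so the pattern is not copied for services that never export telemetry.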

kubernetes-manifests/adservice.yaml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,7 @@ spec:
2525
labels:
2626
app: adservice
2727
spec:
28+
serviceAccountName: default
2829
terminationGracePeriodSeconds: 5
2930
containers:
3031
- name: server
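Review bot: `serviceAccountName: default` is behaviourally a no-op (pods already run as the namespace's `default` service account) and exists only as a `sed` anchor for docs/workload-identity.md; a one-line comment above it saying so would stop a later cleanup from removing it and silently breaking the doc's substitution. While touching the pod spec, consider `automountServiceAccountToken: false` here and in the other service manifests: none of these services call the Kubernetes API, and the GKE Workload Identity flow identifies the pod via the metadata server rather than the mounted KSA token, so dropping the mount removes a credential from every container. Verify first that nothing injected alongside the app (the Istio sidecar referenced by the frontend/loadgenerator annotations) depends on that default mount.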

kubernetes-manifests/cartservice.yaml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,7 @@ spec:
2525
labels:
2626
app: cartservice
2727
spec:
28+
serviceAccountName: default
2829
terminationGracePeriodSeconds: 5
2930
containers:
3031
- name: server

kubernetes-manifests/checkoutservice.yaml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,7 @@ spec:
2525
labels:
2626
app: checkoutservice
2727
spec:
28+
serviceAccountName: default
2829
containers:
2930
- name: server
3031
image: checkoutservice

kubernetes-manifests/currencyservice.yaml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,7 @@ spec:
2525
labels:
2626
app: currencyservice
2727
spec:
28+
serviceAccountName: default
2829
terminationGracePeriodSeconds: 5
2930
containers:
3031
- name: server

kubernetes-manifests/emailservice.yaml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,7 @@ spec:
2525
labels:
2626
app: emailservice
2727
spec:
28+
serviceAccountName: default
2829
terminationGracePeriodSeconds: 5
2930
containers:
3031
- name: server

kubernetes-manifests/frontend.yaml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -27,6 +27,7 @@ spec:
2727
annotations:
2828
sidecar.istio.io/rewriteAppHTTPProbers: "true"
2929
spec:
30+
serviceAccountName: default
3031
containers:
3132
- name: server
3233
image: frontend

kubernetes-manifests/loadgenerator.yaml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -27,6 +27,7 @@ spec:
2727
annotations:
2828
sidecar.istio.io/rewriteAppHTTPProbers: "true"
2929
spec:
30+
serviceAccountName: default
3031
terminationGracePeriodSeconds: 5
3132
restartPolicy: Always
3233
containers:
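Review bot: giving loadgenerator the same `serviceAccountName` as the services means that, after the doc's `sed` rewrite, the load generator also runs as the GSA holding `roles/cloudtrace.agent` and `roles/monitoring.metricWriter`. If loadgenerator only drives traffic at the frontend and does not export traces or metrics itself, leave it on a KSA with no GSA binding (or exclude it from the substitution) so the one workload that needs no GCP API access does not carry GCP credentials; if it does export telemetry, a sentence in the doc saying so would justify the shared identity.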
