Add instructions for workload identity-enabled GKE clusters (GoogleCloudPlatform#423)

* Add workload identity instructions

* Adds links from README

* cleanup

Author: askmeegs

.gitignore

@@ -10,4 +10,5 @@ pkg/
 .skaffold-*.yaml
 .kubernetes-manifests-*/
 .project
-.eclipse.buildship.core.prefs
+.eclipse.buildship.core.prefs
+release/wi-kubernetes-manifests.yaml

README.md

@@ -169,7 +169,8 @@ We offer the following installation methods:
 ### Option 2: Running on Google Kubernetes Engine (GKE)
 
 > 💡 Recommended if you're using Google Cloud Platform and want to try it on
-> a realistic cluster.
+> a realistic cluster. **Note**: If your cluster has Workload Identity enabled, 
+> [see these instructions](/docs/workload-identity.md)
 
 1.  Create a Google Kubernetes Engine cluster and make sure `kubectl` is pointing
     to the cluster.
@@ -306,6 +307,10 @@ by deploying the [release manifest](./release) directly to an existing cluster.
    curl -v "http://$INGRESS_HOST"
    ```
 
+### Option 5: Deploying on a Workload Identity-enabled GKE cluster 
+
+See [this doc](/docs/workload-identity.md). 
+
 ### Cleanup
 
 If you've deployed the application with `skaffold run` command, you can run

docs/workload-identity.md

@@ -0,0 +1,40 @@
+# Setup for Workload Identity clusters 
+
+If you have enabled [Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) on your GKE cluster ([a requirement for Anthos Service Mesh](https://cloud.google.com/service-mesh/docs/gke-anthos-cli-new-cluster#requirements)), follow these instructions to ensure that OnlineBoutique pods can communicate with GCP APIs.
+
+*Note* - These instructions have only been validated in GKE on GCP clusters. [Workload Identity is not yet supported](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#creating_a_relationship_between_ksas_and_gsas) in Anthos GKE on Prem. 
+
+
+
+1. **Set up Workload Identity** on your GKE cluster [using the instructions here](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#enable_on_new_cluster). These instructions create the Kubernetes Service Account (KSA) and Google Service Account (GSA) that the OnlineBoutique pods will use to authenticate to GCP. Take note of what Kubernetes `namespace` you use during setup.
+
+2. **Add IAM Roles** to your GSA. These roles allow workload identity-enabled OnlineBoutique pods to send traces and metrics to GCP. 
+
+```bash
+PROJECT_ID=<your-gcp-project-id>
+GSA_NAME=<your-gsa>
+
+gcloud projects add-iam-policy-binding ${PROJECT_ID} \
+  --member "serviceAccount:${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
+  --role roles/cloudtrace.agent
+
+gcloud projects add-iam-policy-binding ${PROJECT_ID} \
+  --member "serviceAccount:${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
+  --role roles/monitoring.metricWriter
+```
+
+3. **Generate OnlineBoutique manifests** using your KSA as the Pod service account. In `kubernetes-manifests/`, replace `serviceAccountName: default` with the name of your KSA. (**Note** - sample below is Bash.)
+
+```bash
+
+KSA_NAME=<your-ksa>
+sed "s/serviceAccountName: default/serviceAccountName: ${KSA_NAME}/g" release/kubernetes-manifests.yaml > release/wi-kubernetes-manifests.yaml
+done
+```
+
+4. **Deploy OnlineBoutique** to your GKE cluster using the install instructions above, except make sure that instead of the default namespace, you're deploying the manifests into your KSA namespace: 
+
+```bash
+NAMESPACE=<your-ksa-namespace>
+kubectl apply -n ${NAMESPACE} -f release/wi-kubernetes-manifests.yaml
+```

kubernetes-manifests/adservice.yaml

@@ -25,6 +25,7 @@ spec:
       labels:
         app: adservice
     spec:
+      serviceAccountName: default
       terminationGracePeriodSeconds: 5
       containers:
       - name: server

kubernetes-manifests/cartservice.yaml

@@ -25,6 +25,7 @@ spec:
       labels:
         app: cartservice
     spec:
+      serviceAccountName: default
       terminationGracePeriodSeconds: 5
       containers:
       - name: server

kubernetes-manifests/checkoutservice.yaml

@@ -25,6 +25,7 @@ spec:
       labels:
         app: checkoutservice
     spec:
+      serviceAccountName: default
       containers:
         - name: server
           image: checkoutservice

kubernetes-manifests/currencyservice.yaml

@@ -25,6 +25,7 @@ spec:
       labels:
         app: currencyservice
     spec:
+      serviceAccountName: default
       terminationGracePeriodSeconds: 5
       containers:
       - name: server

kubernetes-manifests/emailservice.yaml

@@ -25,6 +25,7 @@ spec:
       labels:
         app: emailservice
     spec:
+      serviceAccountName: default
       terminationGracePeriodSeconds: 5
       containers:
       - name: server

kubernetes-manifests/frontend.yaml

@@ -27,6 +27,7 @@ spec:
       annotations:
         sidecar.istio.io/rewriteAppHTTPProbers: "true"
     spec:
+      serviceAccountName: default
       containers:
         - name: server
           image: frontend

kubernetes-manifests/loadgenerator.yaml

@@ -27,6 +27,7 @@ spec:
       annotations:
         sidecar.istio.io/rewriteAppHTTPProbers: "true"
     spec:
+      serviceAccountName: default
       terminationGracePeriodSeconds: 5
       restartPolicy: Always
       containers: