Add instructions for workload identity-enabled GKE clusters (GoogleCloudPlatform#423)

askmeegs · web-flow · commit 837e7690c79e · 2020-11-09T09:35:59.000-05:00
* Add workload identity instructions

* Adds links from README

* cleanup
diff --git a/.gitignore b/.gitignore
@@ -10,4 +10,5 @@ pkg/
 .skaffold-*.yaml
 .kubernetes-manifests-*/
 .project
-.eclipse.buildship.core.prefs
+.eclipse.buildship.core.prefs
+release/wi-kubernetes-manifests.yaml
diff --git a/README.md b/README.md
@@ -169,7 +169,8 @@ We offer the following installation methods:
 ### Option 2: Running on Google Kubernetes Engine (GKE)
 
 > 💡 Recommended if you're using Google Cloud Platform and want to try it on
-> a realistic cluster.
+> a realistic cluster. **Note**: If your cluster has Workload Identity enabled, 
+> [see these instructions](/docs/workload-identity.md)
 
 1.  Create a Google Kubernetes Engine cluster and make sure `kubectl` is pointing
     to the cluster.
@@ -306,6 +307,10 @@ by deploying the [release manifest](./release) directly to an existing cluster.
    curl -v "http://$INGRESS_HOST"
    ```
 
+### Option 5: Deploying on a Workload Identity-enabled GKE cluster 
+
+See [this doc](/docs/workload-identity.md). 
+
 ### Cleanup
 
 If you've deployed the application with `skaffold run` command, you can run
diff --git a/docs/workload-identity.md b/docs/workload-identity.md
@@ -0,0 +1,40 @@
+# Setup for Workload Identity clusters 
+
+If you have enabled [Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) on your GKE cluster ([a requirement for Anthos Service Mesh](https://cloud.google.com/service-mesh/docs/gke-anthos-cli-new-cluster#requirements)), follow these instructions to ensure that OnlineBoutique pods can communicate with GCP APIs.
+
+*Note* - These instructions have only been validated in GKE on GCP clusters. [Workload Identity is not yet supported](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#creating_a_relationship_between_ksas_and_gsas) in Anthos GKE on Prem. 
+
+
+
+1. **Set up Workload Identity** on your GKE cluster [using the instructions here](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#enable_on_new_cluster). These instructions create the Kubernetes Service Account (KSA) and Google Service Account (GSA) that the OnlineBoutique pods will use to authenticate to GCP. Take note of what Kubernetes `namespace` you use during setup.
+
+2. **Add IAM Roles** to your GSA. These roles allow workload identity-enabled OnlineBoutique pods to send traces and metrics to GCP. 
+
+```bash
+PROJECT_ID=<your-gcp-project-id>
+GSA_NAME=<your-gsa>
+
+gcloud projects add-iam-policy-binding ${PROJECT_ID} \
+  --member "serviceAccount:${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
+  --role roles/cloudtrace.agent
+
+gcloud projects add-iam-policy-binding ${PROJECT_ID} \
+  --member "serviceAccount:${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
+  --role roles/monitoring.metricWriter
+```
+
+3. **Generate OnlineBoutique manifests** using your KSA as the Pod service account. In `kubernetes-manifests/`, replace `serviceAccountName: default` with the name of your KSA. (**Note** - sample below is Bash.)
+
+```bash
+
+KSA_NAME=<your-ksa>
+sed "s/serviceAccountName: default/serviceAccountName: ${KSA_NAME}/g" release/kubernetes-manifests.yaml > release/wi-kubernetes-manifests.yaml
+done
+```
+
+4. **Deploy OnlineBoutique** to your GKE cluster using the install instructions above, except make sure that instead of the default namespace, you're deploying the manifests into your KSA namespace: 
+
+```bash
+NAMESPACE=<your-ksa-namespace>
+kubectl apply -n ${NAMESPACE} -f release/wi-kubernetes-manifests.yaml
+```
diff --git a/kubernetes-manifests/adservice.yaml b/kubernetes-manifests/adservice.yaml
@@ -25,6 +25,7 @@ spec:
       labels:
         app: adservice
     spec:
+      serviceAccountName: default
       terminationGracePeriodSeconds: 5
       containers:
       - name: server
diff --git a/kubernetes-manifests/cartservice.yaml b/kubernetes-manifests/cartservice.yaml
@@ -25,6 +25,7 @@ spec:
       labels:
         app: cartservice
     spec:
+      serviceAccountName: default
       terminationGracePeriodSeconds: 5
       containers:
       - name: server
diff --git a/kubernetes-manifests/checkoutservice.yaml b/kubernetes-manifests/checkoutservice.yaml
@@ -25,6 +25,7 @@ spec:
       labels:
         app: checkoutservice
     spec:
+      serviceAccountName: default
       containers:
         - name: server
           image: checkoutservice
diff --git a/kubernetes-manifests/currencyservice.yaml b/kubernetes-manifests/currencyservice.yaml
@@ -25,6 +25,7 @@ spec:
       labels:
         app: currencyservice
     spec:
+      serviceAccountName: default
       terminationGracePeriodSeconds: 5
       containers:
       - name: server
diff --git a/kubernetes-manifests/emailservice.yaml b/kubernetes-manifests/emailservice.yaml
@@ -25,6 +25,7 @@ spec:
       labels:
         app: emailservice
     spec:
+      serviceAccountName: default
       terminationGracePeriodSeconds: 5
       containers:
       - name: server
diff --git a/kubernetes-manifests/frontend.yaml b/kubernetes-manifests/frontend.yaml
@@ -27,6 +27,7 @@ spec:
       annotations:
         sidecar.istio.io/rewriteAppHTTPProbers: "true"
     spec:
+      serviceAccountName: default
       containers:
         - name: server
           image: frontend
diff --git a/kubernetes-manifests/loadgenerator.yaml b/kubernetes-manifests/loadgenerator.yaml
@@ -27,6 +27,7 @@ spec:
       annotations:
         sidecar.istio.io/rewriteAppHTTPProbers: "true"
     spec:
+      serviceAccountName: default
       terminationGracePeriodSeconds: 5
       restartPolicy: Always
       containers:
diff --git a/kubernetes-manifests/paymentservice.yaml b/kubernetes-manifests/paymentservice.yaml
@@ -25,6 +25,7 @@ spec:
       labels:
         app: paymentservice
     spec:
+      serviceAccountName: default
       terminationGracePeriodSeconds: 5
       containers:
       - name: server
diff --git a/kubernetes-manifests/productcatalogservice.yaml b/kubernetes-manifests/productcatalogservice.yaml
@@ -25,6 +25,7 @@ spec:
       labels:
         app: productcatalogservice
     spec:
+      serviceAccountName: default
       terminationGracePeriodSeconds: 5
       containers:
       - name: server
diff --git a/release/kubernetes-manifests.yaml b/release/kubernetes-manifests.yaml
@@ -29,6 +29,7 @@ spec:
       labels:
         app: emailservice
     spec:
+      serviceAccountName: default
       terminationGracePeriodSeconds: 5
       containers:
       - name: server
@@ -152,6 +153,7 @@ spec:
       labels:
         app: recommendationservice
     spec:
+      serviceAccountName: default
       terminationGracePeriodSeconds: 5
       containers:
       - name: server
@@ -306,6 +308,7 @@ spec:
       labels:
         app: paymentservice
     spec:
+      serviceAccountName: default
       terminationGracePeriodSeconds: 5
       containers:
       - name: server
@@ -355,6 +358,7 @@ spec:
       labels:
         app: productcatalogservice
     spec:
+      serviceAccountName: default
       terminationGracePeriodSeconds: 5
       containers:
       - name: server
@@ -412,6 +416,7 @@ spec:
       labels:
         app: cartservice
     spec:
+      serviceAccountName: default
       terminationGracePeriodSeconds: 5
       containers:
       - name: server
@@ -471,6 +476,7 @@ spec:
       annotations:
         sidecar.istio.io/rewriteAppHTTPProbers: "true"
     spec:
+      serviceAccountName: default
       terminationGracePeriodSeconds: 5
       restartPolicy: Always
       containers:
@@ -502,6 +508,7 @@ spec:
       labels:
         app: currencyservice
     spec:
+      serviceAccountName: default
       terminationGracePeriodSeconds: 5
       containers:
       - name: server
@@ -668,6 +675,7 @@ spec:
       labels:
         app: adservice
     spec:
+      serviceAccountName: default
       terminationGracePeriodSeconds: 5
       containers:
       - name: server
