
Workload Identity function

Open · johnbelamaric opened this issue 3 years ago · 1 comment

We now have an operator for annotating a KSA for Workload Identity (#3456). This is helpful when the KSA lives in the Porch cluster. But it's not helpful for KSAs that are in the workload clusters that do not have Porch running.

Some examples:

  • I want to use WI to authenticate ConfigSync to a CSR.
  • Customers can use WI to authenticate to Cloud SQL (https://cloud.google.com/sql/docs/mysql/connect-kubernetes-engine#workload-identity)
  • Almost any other non-CC use case for Workload Identity

I think we just need a function to do this. At least, that is true in the case of a 1:1 relationship between the deployment repository and the workload cluster. Or maybe more accurately, it is true if the project-id of all clusters reading from a given deployment repository is the same. See https://github.com/GoogleContainerTools/kpt/pull/3456#issuecomment-1219532855 for a little more context.

johnbelamaric, Aug 30 '22 23:08
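A sketch of the KSA-side function this issue asks for, added here as an illustration and not kpt project code. The KRM function contract (a ResourceList in, a ResourceList out) and the GKE annotation `iam.gke.io/gcp-service-account` are real; the functionConfig kind `WorkloadIdentityBinding` with its `projectId` and `bindings` fields, and the sample ServiceAccounts, are assumed.

```python
"""KRM function sketch: annotate KSAs for GKE Workload Identity (added example)."""
import sys

# Annotation GKE Workload Identity reads on a Kubernetes ServiceAccount (real).
WI_ANNOTATION = "iam.gke.io/gcp-service-account"


def gsa_email(gsa_name: str, project_id: str) -> str:
    """GSA e-mail the KSA is allowed to impersonate."""
    return f"{gsa_name}@{project_id}.iam.gserviceaccount.com"


def annotate_ksas(resource_list: dict) -> dict:
    """Annotate each ServiceAccount named in functionConfig.spec.bindings.

    bindings map "<namespace>/<ksa-name>" to a GSA short name in projectId.
    Items are mutated in place; ServiceAccounts not listed are left untouched,
    so a stray KSA never silently gains GCP credentials.
    """
    spec = (resource_list.get("functionConfig") or {}).get("spec") or {}
    project_id = spec["projectId"]                 # assumed functionConfig field
    bindings = spec.get("bindings") or {}          # assumed functionConfig field
    results = []
    for item in resource_list.get("items", []):
        if item.get("kind") != "ServiceAccount" or item.get("apiVersion") != "v1":
            continue
        meta = item.setdefault("metadata", {})
        key = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
        if key not in bindings:
            continue
        ann = meta.setdefault("annotations", {})
        ann[WI_ANNOTATION] = gsa_email(bindings[key], project_id)
        results.append({"severity": "info", "message": f"annotated {key}"})
    resource_list["results"] = results
    return resource_list


SAMPLE = {  # constructed ResourceList for an offline run
    "apiVersion": "config.kubernetes.io/v1", "kind": "ResourceList",
    "functionConfig": {"apiVersion": "example.com/v1alpha1",  # hypothetical kind
                       "kind": "WorkloadIdentityBinding",
                       "spec": {"projectId": "my-project",
                                "bindings": {"sync/reconciler": "csr-reader"}}},
    "items": [
        {"apiVersion": "v1", "kind": "ServiceAccount",
         "metadata": {"name": "reconciler", "namespace": "sync"}},
        {"apiVersion": "v1", "kind": "ServiceAccount",
         "metadata": {"name": "default", "namespace": "default"}},
    ],
}

if __name__ == "__main__":  # as a kpt function: YAML ResourceList on stdin/stdout
    import yaml  # PyYAML, only needed when run under kpt
    yaml.safe_dump(annotate_ksas(yaml.safe_load(sys.stdin)), sys.stdout)
```

The GCP side of the binding (the IAM policy on the GSA) is what the operator already handles; this function only produces the KSA annotation the workload cluster needs.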

Actually it seems this is not what the operator does; rather it handles only the GCP side of the binding. So this raises the priority of this issue.

johnbelamaric, Sep 07 '22 03:09