Use Case k8s Allowed Network Policy workload identity GCP
Use Case - Allowed Services (Network Policies) & Secrets Injection (Vault)
- Namespace: uc-workload-identity
We will use Pub/Sub topic ACLs to demonstrate adding secrets to the pod via a mutating webhook. At this point the secret is available and protected by RBAC in the controller workspace ‘appconfigmgrv2-system’. The webhook copies the appropriate secret into the application namespace and adds it as a volume and as an environment variable named GOOGLE_APPLICATION_CREDENTIALS (pointing to the volume mount), as required by the Google APIs.
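To make the injection step concrete, here is an added example (not the project's own webhook code) of the JSON Patch a mutating webhook returns so that the copied secret is mounted read-only and GOOGLE_APPLICATION_CREDENTIALS points at the mounted key file; the volume name, mount path and key file name are assumptions.

```python
import base64
import json

GOOGLE_ENV = "GOOGLE_APPLICATION_CREDENTIALS"
VOLUME_NAME = "gcp-sa-key"            # hypothetical name of the injected volume
MOUNT_PATH = "/var/run/secrets/gcp"   # hypothetical mount path inside the container
KEY_FILE = "key.json"                 # hypothetical key inside the copied Secret


def build_patch(pod: dict, secret_name: str) -> list:
    """RFC 6902 operations that mount `secret_name` read-only into every container
    and point GOOGLE_APPLICATION_CREDENTIALS at the key file. Containers already
    carrying the variable are skipped, so re-admitting a mutated pod patches nothing."""
    ops = []
    for i, c in enumerate(pod.get("spec", {}).get("containers", [])):
        if any(e.get("name") == GOOGLE_ENV for e in c.get("env", [])):
            continue
        mount = {"name": VOLUME_NAME, "mountPath": MOUNT_PATH, "readOnly": True}
        env = {"name": GOOGLE_ENV, "value": f"{MOUNT_PATH}/{KEY_FILE}"}
        for field, value in (("volumeMounts", mount), ("env", env)):
            if field in c:  # list exists: append via the JSON Pointer "-" index
                ops.append({"op": "add", "path": f"/spec/containers/{i}/{field}/-", "value": value})
            else:           # list absent: create it holding the single entry
                ops.append({"op": "add", "path": f"/spec/containers/{i}/{field}", "value": [value]})
    if not ops:
        return []
    # defaultMode 0400 (256): the key file is readable only by the container's user
    volume = {"name": VOLUME_NAME, "secret": {"secretName": secret_name, "defaultMode": 0o400}}
    if "volumes" in pod["spec"]:
        ops.insert(0, {"op": "add", "path": "/spec/volumes/-", "value": volume})
    else:
        ops.insert(0, {"op": "add", "path": "/spec/volumes", "value": [volume]})
    return ops


def admission_response(uid: str, ops: list) -> dict:
    """Wrap the operations in the AdmissionReview response the API server expects."""
    response = {"uid": uid, "allowed": True}
    if ops:
        response["patchType"] = "JSONPatch"
        response["patch"] = base64.b64encode(json.dumps(ops).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


# Constructed sample pod, shaped like the object the API server sends for admission
SAMPLE_POD = {"metadata": {"name": "workload-identity-pubsub-app", "namespace": "uc-workload-identity"},
              "spec": {"containers": [{"name": "app", "env": [{"name": "PORT", "value": "8000"}]}]}}

if __name__ == "__main__":
    print(json.dumps(admission_response("uid-constructed", build_patch(SAMPLE_POD, "gcp-sa-key")), indent=2))
```

The secret copy into the application namespace happens before admission; the patch only references the copied Secret by name, so a pod in a namespace without that Secret fails to start rather than receiving credentials from elsewhere.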
```sh
gsutil cat gs://anthos-appconfig_public/deploy/${RELEASE_NAME}/examples/use-cases/uc-workload-identity/deploy-apps.yaml | kubectl apply -f -
```
*NOTE - Vault will be documented in the wiki.
```sh
# Call the Vault-backed service through the non-Istio ingress
curl "http://${INGRESS_NO_ISTIO_HOST}/testcallseq?call1=http://app-secrets-vault-k8s-appconfigv2-service-sm-2.uc-secrets-vault-k8s/testcallseq"
# Publish a message through the workload-identity app
curl "http://$INGRESS_NO_ISTIO_HOST/testcallseq?call1=http://workload-identity-pubsub-app.uc-workload-identity:8000?gcpProjectID=$PROJECT_NAME&topic=workload-identity-topic&message=hello"
# Pull the published message(s) from the subscription
gcloud pubsub subscriptions pull --auto-ack workload-identity-topic --page-size 20 --limit 20 --project $PROJECT_NAME
```
```
host:hello-app-drv-py-1-677775646f-b8gm5
Publish Success: 776104906071903
┌────────┬─────────────────┬────────────┐
│ DATA   │ MESSAGE_ID      │ ATTRIBUTES │
├────────┼─────────────────┼────────────┤
│ hello1 │ 608858688012712 │            │
└────────┴─────────────────┴────────────┘
```