fix(eventsource): fix GCP Pub/Sub behavior #845
Thanks for raising this PR! I don't have more comments than some doc-related ones (obviously you have more knowledge on Pub/Sub than me), please make sure it is well tested. Also I wonder if @apurvchandra has any comments on this as I know he uses Pub/Sub as well, or @tmshn would you like to provide a RC image for him to do cross verification?
kubectl apply -n argo-events -f https://raw.githubusercontent.com/argoproj/argo-events/stable/examples/event-sources/gcp-pubsub.yaml

If you use Workload Identity, omit `credentialSecret` field. Instead don't forget to configure appropriate service account (see [example](https://github.com/argoproj/argo-events/blob/stable/examples/event-sources/gcp-pubsub.yaml)).
It doesn't need a service account with privileged access any more, see https://github.com/argoproj/argo-events/blob/master/docs/service-accounts.md
Workload Identity works by connecting a Google Service Account (GSA) and a Kubernetes Service Account (KSA) so that the KSA can obtain the GSA's token.
This connection is done by putting an annotation on the KSA like below
(NB: in addition to this, appropriate IAM should be set on the GCP side, but no extra RoleBinding is needed on the k8s side):

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: argo-events
  name: tmshn-tester
  annotations:
    iam.gke.io/gcp-service-account: argo-events-tmshn-tester@my-gcp-project.iam.gserviceaccount.com
```

ref: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity

This setup is too basic on using Workload Identity to write in Argo Events' document, but anyway we need to know which KSA runs the event source pod.
So at least I want to document that, even if we don't encourage users to create a new KSA.
Is that `default` or `argo-events-sa`?
You are right, at first sight I thought the doc was something about "configure proper service account to access the secret...", please ignore that comment. However, I think the link should be pointing to https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity.
I've tested to cover all cases, but I'm happy if anyone can double-check this!
I pushed the event source docker image built on HEAD. You can try by fixing
LGTM, thanks!
Fixed several problems of GCP Pub/Sub event source:

- `subscription.get` → `subscription.testPermission` for existing check, `topic.get` → `subscription.get` for topic verification
- `ackDeadline`
- `m.Nack()` immediately on error to allow faster redelivery
- `cloud.google.com/go` to v0.52.0 where read timeout to metadata server is removed (ref: googleapis/google-cloud-go@fbf2f51)