Context
We're trying to remove the need for tokens to pull Helm charts from the Google Artifact Registry using Workload Identity. Our cluster runs Flux v2.3.0 on GKE v1.29.7.
We've been following this documentation page: Workload Identity
Here's what we did:
- Enabled workload identity on the GKE cluster
- Created a Google SA with read access to the GAR
- Manually annotated the source-controller, kustomize-controller and image-reflector-controller
- Tried to pull Helm charts from the GAR
Extra information:
- The chart pull worked before trying to use Workload Identity, using a JWT
- Listing charts using the helm command inside a pod using Workload Identity works:
kubectl exec debug-pod -it -- /google-cloud-sdk/bin/gcloud artifacts repositories list
REPOSITORY FORMAT MODE DESCRIPTION LOCATION LABELS ENCRYPTION CREATE_TIME UPDATE_TIME SIZE (MB)
charts-repo DOCKER STANDARD_REPOSITORY Registry for OCI Helm Charts europe Google-managed key 2024-05-15T14:05:39 2024-08-22T14:12:51 3.444
Here's the output of a flux pull command (from inside a pod):
root@debug-pod:/# flux pull artifact oci://europe-docker.pkg.dev/our-project/charts-repo/stateless-app:12.3.5 --output /tmp
► pulling artifact from europe-docker.pkg.dev/our-project/charts-repo/stateless-app:12.3.5
✗ GET https://europe-docker.pkg.dev/v2/token?scope=repository%3Aour-project%2Fcharts-repo%2Fstateless-app%3Apull&service=: DENIED: Unauthenticated request. Unauthenticated requests do not have permission "artifactregistry.repositories.downloadArtifacts" on resource "projects/our-project/locations/europe/repositories/charts-repo" (or it may not exist)
And here's the output of kubectl describe helmrepository chart-repo:
Message: HelmChart 'flux-system/namespace-oci-app' is not ready: chart pull error: failed to download chart for remote reference: failed to get 'oci://europe-docker.pkg.dev/our-project/charts-repo/stateless-app:12.3.5': failed to authorize: failed to fetch anonymous token: unexpected status from GET request to https://europe-docker.pkg.dev/v2/token?scope=repository%!!(MISSING)!(MISSING)A(MISSING)our-project%!!(MISSING)!(MISSING)F(MISSING)charts-repo%!!(MISSING)!(MISSING)F(MISSING)stateless-app%!!(MISSING)!(MISSING)A(MISSING)pull&service=europe-docker.pkg.dev: 403 Forbidden
As you can see, the flux CLI isn't using Workload Identity and tries to pull the OCI chart anonymously.
Is there something more that we need to do to get it to work with Workload Identity?
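Added example (not from the original post, and not an official Flux or Google manifest): the manifests a practitioner would compare against when source-controller falls back to an anonymous pull from GAR. For an OCI HelmRepository, source-controller only uses the pod's GKE Workload Identity when spec.provider is set to gcp; with the default provider (generic) it authenticates through spec.secretRef and otherwise requests an anonymous token, which produces the "failed to fetch anonymous token" message quoted in the post. The registry host, project, repository and chart version are taken from the post; the Google service-account e-mail, the HelmChart name and the intervals are assumptions for illustration.

```yaml
# Added example: GAR access for Flux source-controller via GKE Workload Identity.
# Names marked "assumed" are illustrative, not from the original post.

# 1. Bind the controller's Kubernetes SA to a Google SA that can read the repository.
#    The Google SA must also be granted roles/iam.workloadIdentityUser for the member
#    serviceAccount:our-project.svc.id.goog[flux-system/source-controller]
#    (done in IAM, outside this manifest), otherwise the annotation alone does nothing.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: source-controller
  namespace: flux-system
  annotations:
    # assumed Google SA name; it needs artifactregistry.reader on charts-repo
    iam.gke.io/gcp-service-account: flux-gar-reader@our-project.iam.gserviceaccount.com
---
# 2. The OCI HelmRepository. spec.provider: gcp is what makes source-controller
#    exchange the pod's Workload Identity credentials for a registry token.
#    Leaving provider unset (generic) and omitting secretRef yields an anonymous pull.
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: chart-repo
  namespace: flux-system
spec:
  type: oci
  provider: gcp
  interval: 10m
  url: oci://europe-docker.pkg.dev/our-project/charts-repo
---
# 3. A HelmChart resolving the chart version named in the post through that repository.
#    The HelmChart name is assumed.
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmChart
metadata:
  name: stateless-app
  namespace: flux-system
spec:
  interval: 10m
  chart: stateless-app
  version: 12.3.5
  sourceRef:
    kind: HelmRepository
    name: chart-repo
```

After applying, `flux reconcile source helm chart-repo -n flux-system` followed by `kubectl -n flux-system get helmchart stateless-app` shows whether the chart pull now succeeds; a remaining 403 with an anonymous-token message points at the provider field, while a 403 that names the Google SA points at the IAM binding or the reader role. The flux CLI's `pull artifact` subcommand takes the same provider selection as a `--provider gcp` flag, which is why the in-pod `flux pull artifact` call in the post, run without it, also attempted an anonymous pull.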