Allow using K8s SAs as Google IAM SAs

kbst · Jun 28, 2019 · 584f5c4 · 584f5c4
1 parent 3c54b66
commit 584f5c4
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 4 deletions.
diff --git a/google/_modules/gke/cluster.tf b/google/_modules/gke/cluster.tf
@@ -1,4 +1,6 @@
 resource "google_container_cluster" "current" {
+  provider = "google-beta"
+
   project = var.project
   name    = var.metadata_name
 
@@ -21,6 +23,10 @@ resource "google_container_cluster" "current" {
     }
   }
 
+  workload_identity_config {
+    identity_namespace = "${var.project}.svc.id.goog"
+  }
+
   network = google_compute_network.current.self_link
 
   #
@@ -54,4 +60,3 @@ resource "google_container_cluster" "current" {
     }
   }
 }
-
diff --git a/google/_modules/gke/node_pool/main.tf b/google/_modules/gke/node_pool/main.tf
@@ -1,4 +1,6 @@
 resource "google_container_node_pool" "current" {
+  provider = "google-beta"
+
   name     = var.pool_name
   project  = var.project
   cluster  = var.metadata_name
@@ -29,11 +31,14 @@ resource "google_container_node_pool" "current" {
     labels = var.metadata_labels
 
     tags = var.metadata_tags
+
+    workload_metadata_config {
+      node_metadata = "GKE_METADATA_SERVER"
+    }
   }
 
   management {
     auto_repair  = var.auto_repair
     auto_upgrade = var.auto_upgrade
   }
 }
-
diff --git a/google/cluster/providers.tf b/google/cluster/providers.tf
@@ -3,7 +3,11 @@ provider "external" {
 }
 
 provider "google" {
-  version = "~> 2.8"
+  version = "~> 2.9"
+}
+
+provider "google-beta" {
+  version = "~> 2.9"
 }
 
 provider "kubernetes" {
@@ -17,4 +21,3 @@ provider "null" {
 provider "template" {
   version = "~> 2.1"
 }
-