Support gcp workload identity federation #359
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
openshift-ci
bot
added
the
do-not-merge/work-in-progress
Codecov Report
@@ Coverage Diff @@
## master #359 +/- ##
=======================================
Coverage 46.03% 46.03%
=======================================
Files 74 74
Lines 7751 7751
=======================================
Hits 3568 3568
Misses 3692 3692
Partials 491 491 |
akhil-rane
force-pushed
the
support_gcp_workload_identity
branch
2 times, most recently
from
44113d3
to
7297380
Compare
|
/test verify |
openshift-ci
bot
added
the
needs-rebase
For enabling short-lived credentials in gcp cluster using workload identity, we need ccoctl tool to know the kubernetes service account names from the credentials request manifest so that it can create gcp service accounts that can be impersonated only by specific kubernetes service accounts.
akhil-rane
force-pushed
the
support_gcp_workload_identity
branch
from
7297380
to
0b8fff7
Compare
openshift-ci
bot
removed
the
needs-rebase
akhil-rane
changed the title
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
@joelddiaz this looks good for a quick review |
|
/test e2e-gcp |
joelddiaz
reviewed
Jul 16, 2021
Comment on lines
+20
to
+21
| serviceAccountNames: | ||
| - cloud-credential-operator |
There was a problem hiding this comment.
I'm assuming this is more of an example of the kinds of changes that need to be made across the various repos, and CCO - as presently written - will not actually make use of these creds when in Manual mode. Correct?
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: akhil-rane, joelddiaz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
To enable short-lived credentials in gcp cluster using workload identity
federation, we need to make following set of changes
which can be used by ccoctl tool to create gcp service accounts with
limited access
ref: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
x-ref: https://issues.redhat.com/browse/CCO-105