feat: Add new Workload identity [submodule](./modules/workload-identity) (terraform-google-modules#417)

* initial workload identity addition various typo & linting fixes update README with output instead of hardcoded name update README to avoid cycle fix linting add missing outputs to fix linting update readme, generate docs fix linting for workload identity output updates from peer review add integration step for verifying workload identity initial workload identity integration test remove duplicate comment update dev tools version and just focus on workload identity tests here need these dependent steps project_ids is what we're using for variables add project_id output give registry_project_id a default in workload identity since we're not using it generate docs add the kubernetes provider rename cluster service account to work with this module bump google tf provider version newer gke clusters need to use kubernetes monitoring updated variable defaults in readme update monitoring variable in all modules update logging service variable too shorten some names to match identity account_id regex * accept incoming for conflicts on readme * fix WI config, fix tests * re enable all tests * fix vars,op * re enable cloud build for all tests * fix flake8 errors * increase timeout * add defaults, address comments Co-authored-by: Miles Matthias <miles.matthias@gmail.com>

Author: bharathkkb

.kitchen.yml

@@ -3,7 +3,6 @@
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
-#
 # http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
@@ -15,7 +14,7 @@
 ---
 driver:
  name: "terraform"
- command_timeout: 1800
+ command_timeout: 2700
 
 provisioner:
  name: "terraform"
@@ -133,28 +132,41 @@ suites:
  controls:
  - gcloud
  - kubectl
-# Disabled due to issue #264
-# (https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/264)
-# - name: stub_domains_private
-# driver:
-# root_module_directory: test/fixtures/stub_domains_private
-# systems:
-# - name: stub_domains_private
-# backend: local
+ # Disabled due to issue #264
+ # (https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/264)
+ # - name: stub_domains_private
+ # driver:
+ # root_module_directory: test/fixtures/stub_domains_private
+ # systems:
+ # - name: stub_domains_private
+ # backend: local
  - name: "upstream_nameservers"
  driver:
  root_module_directory: test/fixtures/upstream_nameservers
  verifier:
-  systems:
-  - name: upstream_nameservers
-  backend: local
+ systems:
+ - name: upstream_nameservers
+ backend: local
  - name: "stub_domains_upstream_nameservers"
  driver:
  root_module_directory: test/fixtures/stub_domains_upstream_nameservers
  verifier:
- systems:
- - name: stub_domains_upstream_nameservers
- backend: local
+ systems:
+ - name: stub_domains_upstream_nameservers
+ backend: local
+ - name: "workload_identity"
+ driver:
+ root_module_directory: test/fixtures/workload_identity
+ verifier:
+ systems:
+ - name: gcloud
+ backend: local
+ controls:
+ - gcloud
+ - name: gcp
+ backend: gcp
+ controls:
+ - gcp
  - name: "workload_metadata_config"
  driver:
  root_module_directory: test/fixtures/workload_metadata_config

build/int.cloudbuild.yaml

@@ -344,6 +344,26 @@ steps:
  - verify sandbox-enabled-local
  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy sandbox-enabled-local']
+- id: create workload-identity-local
+ waitFor:
+ - prepare
+ name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+ args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create workload-identity-local']
+- id: converge workload-identity-local
+ waitFor:
+ - create workload-identity-local
+ name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+ args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge workload-identity-local']
+- id: verify workload-identity-local
+ waitFor:
+ - converge workload-identity-local
+ name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+ args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify workload-identity-local']
+- id: destroy workload-identity-local
+ waitFor:
+ - verify workload-identity-local
+ name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+ args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy workload-identity-local']
 tags:
 - 'ci'
 - 'integration'

examples/workload_identity/README.md

@@ -0,0 +1,41 @@
+# Simple Zonal Cluster with Workload Identity
+
+This example illustrates how to create a simple cluster, with a GCP service account bound as the identity running workloads on your GKE cluster.
+
+Read more about [workload identity in the docs](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity).
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no |
+| ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes |
+| ip\_range\_services | The secondary ip range to use for pods | string | n/a | yes |
+| network | The VPC network to host the cluster in | string | n/a | yes |
+| project\_id | The project ID to host the cluster in | string | n/a | yes |
+| region | The region to host the cluster in | string | `"us-central1"` | no |
+| subnetwork | The subnetwork to host the cluster in | string | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| ca\_certificate | |
+| client\_token | |
+| cluster\_name | Cluster name |
+| k8s\_service\_account\_email | K8S GCP service account. |
+| k8s\_service\_account\_name | K8S GCP service name |
+| kubernetes\_endpoint | |
+| location | Cluster location (zones) |
+| project\_id | Project id where GKE cluster is created. |
+| region | Cluster region |
+| service\_account | The default service account used for running nodes. |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure

examples/workload_identity/main.tf

@@ -0,0 +1,65 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ cluster_type = "regional"
+}
+
+provider "google" {
+ version = "~> 2.20.1"
+ region = var.region
+}
+
+provider "kubernetes" {
+ version = "~> 1.10"
+ host = module.gke.endpoint
+ token = data.google_client_config.default.access_token
+ cluster_ca_certificate = base64decode(module.gke.ca_certificate)
+}
+
+module "gke" {
+ source = "../../modules/beta-public-cluster/"
+ project_id = var.project_id
+ name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
+ region = var.region
+ network = var.network
+ subnetwork = var.subnetwork
+ ip_range_pods = var.ip_range_pods
+ ip_range_services = var.ip_range_services
+ remove_default_node_pool = true
+ service_account = "create"
+ identity_namespace = "${var.project_id}.svc.id.goog"
+ node_metadata = "GKE_METADATA_SERVER"
+ node_pools = [
+ {
+ name = "wi-pool"
+ min_count = 1
+ max_count = 2
+ auto_upgrade = true
+ }
+ ]
+}
+
+module "workload_identity" {
+ source = "../../modules/workload-identity"
+ project_id = var.project_id
+ name = "iden-${module.gke.name}"
+ namespace = "default"
+ use_existing_k8s_sa = false
+}
+
+data "google_client_config" "default" {
+}

examples/workload_identity/outputs.tf

@@ -0,0 +1,64 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "kubernetes_endpoint" {
+ sensitive = true
+ value = module.gke.endpoint
+}
+
+output "client_token" {
+ sensitive = true
+ value = base64encode(data.google_client_config.default.access_token)
+}
+
+output "ca_certificate" {
+ value = module.gke.ca_certificate
+}
+
+output "service_account" {
+ description = "The default service account used for running nodes."
+ value = module.gke.service_account
+}
+
+output "region" {
+ description = "Cluster region"
+ value = module.gke.region
+}
+
+output "location" {
+ description = "Cluster location (zones)"
+ value = module.gke.location
+}
+
+output "project_id" {
+ description = "Project id where GKE cluster is created."
+ value = var.project_id
+}
+
+output "cluster_name" {
+ description = "Cluster name"
+ value = module.gke.name
+}
+
+output "k8s_service_account_email" {
+ description = "K8S GCP service account."
+ value = module.workload_identity.gcp_service_account_email
+}
+
+output "k8s_service_account_name" {
+ description = "K8S GCP service name"
+ value = module.workload_identity.gcp_service_account_name
+}

examples/workload_identity/variables.tf

@@ -0,0 +1,46 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+ description = "The project ID to host the cluster in"
+}
+
+variable "cluster_name_suffix" {
+ description = "A suffix to append to the default cluster name"
+ default = ""
+}
+
+variable "region" {
+ description = "The region to host the cluster in"
+ default = "us-central1"
+}
+
+variable "network" {
+ description = "The VPC network to host the cluster in"
+}
+
+variable "subnetwork" {
+ description = "The subnetwork to host the cluster in"
+}
+
+variable "ip_range_pods" {
+ description = "The secondary ip range to use for pods"
+}
+
+variable "ip_range_services" {
+ description = "The secondary ip range to use for pods"
+}
+