This repository has been archived by the owner on May 15, 2023. It is now read-only.

GKE Workload Identity support? #80

Open
nkaravias opened this issue Jan 15, 2021 · 0 comments

Comments

@nkaravias

Based on the helm chart for the config-validator, workload identity is a valid option (https://github.com/forseti-security/helm-charts/blob/master/charts/config-validator/values.yaml#L75-L77).

However when deploying the config-validator the git-sync-init initContainer is crashlooping:

```
kubectl logs --previous deployment/config-validator-debug -n forseti -c git-sync-init

Found 2 pods, using pod/config-validator-764ff4f958-xvx4v
I0115 19:22:45.673995       1 main.go:269]  "level"=0 "msg"="starting up"  "args"=["/git-sync","-repo=https://source.developers.google.com/p/<my project ID>/r/<my git repo>","-branch=dev","-dest=policy-library","-one-time"]
E0115 19:22:45.834602       1 main.go:294]  "msg"="failed to sync repo, aborting" "error"="error running command: exit status 128: \"Cloning into '/tmp/git'...\\nfatal: could not read Username for 'https://source.developers.google.com': No such device or address\\n\""
```

If I manually exec in a container using the same service account I can confirm that workload identity is properly configured and I'm able to do a manual git clone.

Here's a snippet of the config-validator Deployment manifest that shows the initContainer in question:

```yaml
        initContainers:
        - name: git-sync-init
          image: "gcr.io/google-containers/git-sync:v3.1.2"
          args:
          - -repo=https://source.developers.google.com/p/<my project ID>/r/<my git repo>
          - -branch=dev
          - -dest=policy-library
          - -one-time
```

Is GKE workload identity supported by the config-validator? If it isn't then the chart will need to be updated. If it is, I would love to hear what I've been doing wrong and maybe raise a PR to update the documentation.

Thanks,
N
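The symptom in the log above (`could not read Username for 'https://source.developers.google.com'`) is git asking for credentials that nothing supplied, which is a different failure from Workload Identity itself being unbound. The script below is an added diagnostic, not part of this issue or of the config-validator chart: run from a shell inside a pod that uses the same Kubernetes service account, it separates the two questions by (1) asking the GKE metadata server which Google service account the pod is acting as and whether it can mint an access token, and (2) checking whether git in that container has any credential helper configured at all. The metadata endpoint, `curl` and `git` being present in the container, and the `RUN_WI_DIAG` switch are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic for the failure described in the issue; not code from the
# config-validator project or the git-sync image. Assumes a GKE pod with
# Workload Identity, plus curl and git available in the container.

METADATA="http://metadata.google.internal/computeMetadata/v1"

# Return 0 when a git/git-sync log line shows git found no credentials to
# offer for an HTTPS remote (the message seen in the issue), 1 otherwise.
is_missing_git_credentials() {
  case "$1" in
    *"could not read Username for"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the Google service account email the pod is currently acting as.
# With Workload Identity correctly bound this is the GSA, not the node's SA.
wi_service_account() {
  curl -sf -H "Metadata-Flavor: Google" \
    "$METADATA/instance/service-accounts/default/email"
}

# Return 0 if the metadata server will issue an OAuth2 access token for the
# pod's identity. The token itself is deliberately not printed.
wi_has_token() {
  curl -sf -H "Metadata-Flavor: Google" \
    "$METADATA/instance/service-accounts/default/token" \
    | grep -q '"access_token"'
}

# Return 0 if git has a credential helper configured; without one, an HTTPS
# clone in a non-interactive container fails exactly as the issue shows,
# regardless of how the pod's identity is set up.
git_has_credential_helper() {
  git config --get credential.helper >/dev/null 2>&1
}

# Main report, only when explicitly requested so the helpers stay sourceable.
if [ "${RUN_WI_DIAG:-}" = "1" ]; then
  sa=$(wi_service_account) || sa="<metadata server unreachable>"
  echo "pod identity (metadata server): $sa"
  if wi_has_token; then
    echo "access token: obtainable (Workload Identity binding works)"
  else
    echo "access token: NOT obtainable (check the KSA->GSA binding)"
  fi
  if git_has_credential_helper; then
    echo "git credential helper: configured"
  else
    echo "git credential helper: none (git cannot present the identity to the remote)"
  fi
fi
```

Run it inside the pod with `RUN_WI_DIAG=1 sh wi-diag.sh`. If the identity and token checks pass but the helper check fails, the pod's identity is fine and the gap is between git and the metadata server: git-sync's git process has no way to turn the pod's identity into HTTP credentials for the remote, which matches the manual `git clone` succeeding in a container where a credential helper was set up.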
