Enable Workload Identity Federation to work with provider #454
Conversation
joekiller
requested review from
amitmodak,
NaMNDV and
dargudear-google
as code owners
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
|
Thanks for the PR. Will take a look at this. |
joekiller
had a problem deploying
to
e2e-test
GitHub Actions
Failure
|
I don't believe the e2e failure was directly due to the PR. seemed transient from the logs. |
|
Can you split the PR into 2? |
|
@dargudear-google by split, you mean one for the workload identity federation fix and one for the debug stuff? |
Yes |
|
@dargudear-google I am closing this for #459 and #460. |
Presently the provider is limited to only work with GKE or Fleet Workload Identity pool providers. This PR ensures that the gcp provider may retrieve secrets on a cluster utilizing GOOGLE_APPLICATION_CREDENTIALS pointing to an audience pool provider backed by Workload Identity Federation with Kubernetes.
Included as well is a debug workflow which was instrumental in determining the most precise way to fix the absence of function and documentation updates to fill out points to help others utilize the secret driver backed by workload identity federation with kubernetes.
Fixes: #206