ProviderConfig does not support "InjectedIdentity" as source.identity
#216
Labels
bug
Something isn't working
What happened?
We have a GKE management cluster with crossplane 1.15.0 and we are writing a composition to provision managed GKE clusters along with addons services.
To achieve this, we followed the GCP upbound reference platform.
In this reference, the GKE composition creates a ServiceAccount and a ServiceAccountKey : https://github.com/upbound/configuration-gcp-gke/blob/main/apis/composition.yaml#L66-L89 to be used by both the GKE cluster and the Helm ProviderConfig.
However, our company organization policy forbids the creation of a ServiceAccount key: we are allowed to create a `ServiceAccount` but not a `ServiceAccountKey`, hence we cannot use the composition "as is".

Since #109, it is possible to use `identity` in the Helm ProviderConfig (initially the need was to be able to use a ServiceAccount key in addition to the kubeconfig to authenticate to a GKE cluster). In our case, as we cannot use a ServiceAccount key, we tried to use this `identity` field to reference a workloadIdentity for the ServiceAccount:

- a `ProjectIAMMember` to add the IAM role `roles/iam.workloadIdentityUser` to the GCP ServiceAccount created by the composition
- `identity.source: InjectedIdentity` (instead of referencing a secret containing a serviceaccount key)

In the end, we tried this (the ServiceAccount and the kubeconfig secret referenced below have already been created by the composition):
Provider
ControllerConfig
ProviderConfig
Result:

- `cgp-config-sa-tg` exists and is annotated with the GCP serviceaccount: `iam.gke.io/gcp-service-account: platform-ref-gcp-cluster@gcpXXXd-i3x5x6ms.iam.gserviceaccount.com`
- `cgp-config-sa-tg` serviceaccount (so it should have the permission of the corresponding GCP IAM ServiceAccount, right...?)

But when we create a `Release` resource that references the `platform-ref-gcp-cluster-test` providerConfigRef, we get the following error:

It seems that the Helm Provider does not support having `injectedIdentity` inside the `identity.source` field: is that right? Is it something that needs to be implemented in the helm provider code, or is there another solution we can use to achieve what we want without having to create a ServiceAccount key?
What environment did it happen in?
Crossplane version: 1.15.0