From 837e7690c79ec770420441e99f7c4f914070bbd1 Mon Sep 17 00:00:00 2001 From: Megan O'Keefe <3137106+askmeegs@users.noreply.github.com> Date: Mon, 9 Nov 2020 09:35:59 -0500 Subject: [PATCH] Add instructions for workload identity-enabled GKE clusters (#423) * Add workload identity instructions * Adds links from README * cleanup --- .gitignore | 3 +- README.md | 7 +++- docs/workload-identity.md | 40 +++++++++++++++++++ kubernetes-manifests/adservice.yaml | 1 + kubernetes-manifests/cartservice.yaml | 1 + kubernetes-manifests/checkoutservice.yaml | 1 + kubernetes-manifests/currencyservice.yaml | 1 + kubernetes-manifests/emailservice.yaml | 1 + kubernetes-manifests/frontend.yaml | 1 + kubernetes-manifests/loadgenerator.yaml | 1 + kubernetes-manifests/paymentservice.yaml | 1 + .../productcatalogservice.yaml | 1 + release/kubernetes-manifests.yaml | 8 ++++ 13 files changed, 65 insertions(+), 2 deletions(-) create mode 100644 docs/workload-identity.md diff --git a/.gitignore b/.gitignore index 66f5f93f344..a2b326cadd8 100644 --- a/.gitignore +++ b/.gitignore @@ -10,4 +10,5 @@ pkg/ .skaffold-*.yaml .kubernetes-manifests-*/ .project -.eclipse.buildship.core.prefs \ No newline at end of file +.eclipse.buildship.core.prefs +release/wi-kubernetes-manifests.yaml \ No newline at end of file diff --git a/README.md b/README.md index a1eb769cc59..6dc27dd252d 100644 --- a/README.md +++ b/README.md @@ -169,7 +169,8 @@ We offer the following installation methods: ### Option 2: Running on Google Kubernetes Engine (GKE) > 💡 Recommended if you're using Google Cloud Platform and want to try it on -> a realistic cluster. +> a realistic cluster. **Note**: If your cluster has Workload Identity enabled, +> [see these instructions](/docs/workload-identity.md) 1. Create a Google Kubernetes Engine cluster and make sure `kubectl` is pointing to the cluster. 
@@ -306,6 +307,10 @@ by deploying the [release manifest](./release) directly to an existing cluster. curl -v "http://$INGRESS_HOST" ``` +### Option 5: Deploying on a Workload Identity-enabled GKE cluster + +See [this doc](/docs/workload-identity.md). + ### Cleanup If you've deployed the application with `skaffold run` command, you can run diff --git a/docs/workload-identity.md b/docs/workload-identity.md new file mode 100644 index 00000000000..728e42feb4a --- /dev/null +++ b/docs/workload-identity.md 
@@ -0,0 +1,40 @@
+# Setup for Workload Identity clusters
+
+If you have enabled [Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) on your GKE cluster ([a requirement for Anthos Service Mesh](https://cloud.google.com/service-mesh/docs/gke-anthos-cli-new-cluster#requirements)), follow these instructions to ensure that OnlineBoutique pods can communicate with GCP APIs.
+
+*Note* - These instructions have only been validated in GKE on GCP clusters. [Workload Identity is not yet supported](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#creating_a_relationship_between_ksas_and_gsas) in Anthos GKE on Prem.
+
+
+
+1. **Set up Workload Identity** on your GKE cluster [using the instructions here](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#enable_on_new_cluster). These instructions create the Kubernetes Service Account (KSA) and Google Service Account (GSA) that the OnlineBoutique pods will use to authenticate to GCP. Take note of what Kubernetes `namespace` you use during setup.
+
+2. **Add IAM Roles** to your GSA. These roles allow workload identity-enabled OnlineBoutique pods to send traces and metrics to GCP.
+
+```bash
+PROJECT_ID=
+GSA_NAME=
+
+gcloud projects add-iam-policy-binding ${PROJECT_ID} \
+ --member "serviceAccount:${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
+ --role roles/cloudtrace.agent
+
+gcloud projects add-iam-policy-binding ${PROJECT_ID} \
+ --member "serviceAccount:${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
+ --role roles/monitoring.metricWriter
+```
+
+3. **Generate OnlineBoutique manifests** using your KSA as the Pod service account. In `kubernetes-manifests/`, replace `serviceAccountName: default` with the name of your KSA. (**Note** - sample below is Bash.)
+
+```bash
+
+KSA_NAME=
+sed "s/serviceAccountName: default/serviceAccountName: ${KSA_NAME}/g" release/kubernetes-manifests.yaml > release/wi-kubernetes-manifests.yaml
+done
+```
+
+4. **Deploy OnlineBoutique** to your GKE cluster using the install instructions above, except make sure that instead of the default namespace, you're deploying the manifests into your KSA namespace:
+
+```bash
+NAMESPACE=
+kubectl apply -n ${NAMESPACE} -f release/wi-kubernetes-manifests.yaml
+```
\ No newline at end of file
diff --git a/kubernetes-manifests/adservice.yaml b/kubernetes-manifests/adservice.yaml
index 05dd9bb0b61..78a234ddc49 100644
--- a/kubernetes-manifests/adservice.yaml
+++ b/kubernetes-manifests/adservice.yaml
@@ -25,6 +25,7 @@ spec:
 labels:
 app: adservice
 spec:
+ serviceAccountName: default
 terminationGracePeriodSeconds: 5
 containers:
 - name: server
diff --git a/kubernetes-manifests/cartservice.yaml b/kubernetes-manifests/cartservice.yaml
index 31175da6316..d16cdc69cab 100644
--- a/kubernetes-manifests/cartservice.yaml
+++ b/kubernetes-manifests/cartservice.yaml
@@ -25,6 +25,7 @@ spec:
 labels:
 app: cartservice
 spec:
+ serviceAccountName: default
 terminationGracePeriodSeconds: 5
 containers:
 - name: server
diff --git a/kubernetes-manifests/checkoutservice.yaml b/kubernetes-manifests/checkoutservice.yaml
index 3e244c41c39..194a9d1e4af 100644
--- a/kubernetes-manifests/checkoutservice.yaml
+++ b/kubernetes-manifests/checkoutservice.yaml
@@ -25,6 +25,7 @@ spec:
 labels:
 app: checkoutservice
 spec:
+ serviceAccountName: default
 containers:
 - name: server
 image: checkoutservice
diff --git a/kubernetes-manifests/currencyservice.yaml b/kubernetes-manifests/currencyservice.yaml
index 5c10ec71e49..482e6825282 100644
--- a/kubernetes-manifests/currencyservice.yaml
+++ b/kubernetes-manifests/currencyservice.yaml
@@ -25,6 +25,7 @@ spec:
 labels:
 app: currencyservice
 spec:
+ serviceAccountName: default
 terminationGracePeriodSeconds: 5
 containers:
 - name: server
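Review bot: `serviceAccountName: default` is added under `spec.template.spec` of every Deployment in kubernetes-manifests/ listed in the diffstat, but recommendationservice — which the release manifest does contain — gets no matching file change here, so if a kubernetes-manifests/recommendationservice.yaml exists it keeps the implicit `default` KSA and the documented `sed` rewrite never gives that pod a Workload Identity mapping; the same line should be added there. The same hunk pattern appears in cartservice, checkoutservice, currencyservice, emailservice, frontend, loadgenerator, paymentservice and productcatalogservice. Pinning every workload, including loadgenerator, which calls no GCP API, to one KSA means all of them inherit the GSA's `roles/cloudtrace.agent` and `roles/monitoring.metricWriter`; a per-service KSA, or leaving loadgenerator on a KSA with no GSA binding, keeps that identity to the pods that need it. Each Deployment spec continues outside its hunk.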
diff --git a/kubernetes-manifests/emailservice.yaml b/kubernetes-manifests/emailservice.yaml
index bc7e6b9d13b..c30f226ffb4 100644
--- a/kubernetes-manifests/emailservice.yaml
+++ b/kubernetes-manifests/emailservice.yaml
@@ -25,6 +25,7 @@ spec:
 labels:
 app: emailservice
 spec:
+ serviceAccountName: default
 terminationGracePeriodSeconds: 5
 containers:
 - name: server
diff --git a/kubernetes-manifests/frontend.yaml b/kubernetes-manifests/frontend.yaml
index faf461d3c2b..214daa0ceeb 100644
--- a/kubernetes-manifests/frontend.yaml
+++ b/kubernetes-manifests/frontend.yaml
@@ -27,6 +27,7 @@ spec:
 annotations:
 sidecar.istio.io/rewriteAppHTTPProbers: "true"
 spec:
+ serviceAccountName: default
 containers:
 - name: server
 image: frontend
diff --git a/kubernetes-manifests/loadgenerator.yaml b/kubernetes-manifests/loadgenerator.yaml
index 53e947e47a1..3e8cb1e0c3e 100644
--- a/kubernetes-manifests/loadgenerator.yaml
+++ b/kubernetes-manifests/loadgenerator.yaml
@@ -27,6 +27,7 @@ spec:
 annotations:
 sidecar.istio.io/rewriteAppHTTPProbers: "true"
 spec:
+ serviceAccountName: default
 terminationGracePeriodSeconds: 5
 restartPolicy: Always
 containers:
diff --git a/kubernetes-manifests/paymentservice.yaml b/kubernetes-manifests/paymentservice.yaml
index fa62c0880b5..f35285b12a3 100644
--- a/kubernetes-manifests/paymentservice.yaml
+++ b/kubernetes-manifests/paymentservice.yaml
@@ -25,6 +25,7 @@ spec:
 labels:
 app: paymentservice
 spec:
+ serviceAccountName: default
 terminationGracePeriodSeconds: 5
 containers:
 - name: server
diff --git a/kubernetes-manifests/productcatalogservice.yaml b/kubernetes-manifests/productcatalogservice.yaml
index 6949be08cc2..d57166028bb 100644
--- a/kubernetes-manifests/productcatalogservice.yaml
+++ b/kubernetes-manifests/productcatalogservice.yaml
@@ -25,6 +25,7 @@ spec:
 labels:
 app: productcatalogservice
 spec:
+ serviceAccountName: default
 terminationGracePeriodSeconds: 5
 containers:
 - name: server
diff --git a/release/kubernetes-manifests.yaml b/release/kubernetes-manifests.yaml
index eb29927df76..cd3f30ca1c6 100644
--- a/release/kubernetes-manifests.yaml
+++ b/release/kubernetes-manifests.yaml
@@ -29,6 +29,7 @@ spec:
 labels:
 app: emailservice
 spec:
+ serviceAccountName: default
 terminationGracePeriodSeconds: 5
 containers:
 - name: server
@@ -152,6 +153,7 @@ spec:
 labels:
 app: recommendationservice
 spec:
+ serviceAccountName: default
 terminationGracePeriodSeconds: 5
 containers:
 - name: server
@@ -306,6 +308,7 @@ spec:
 labels:
 app: paymentservice
 spec:
+ serviceAccountName: default
 terminationGracePeriodSeconds: 5
 containers:
 - name: server
@@ -355,6 +358,7 @@ spec:
 labels:
 app: productcatalogservice
 spec:
+ serviceAccountName: default
 terminationGracePeriodSeconds: 5
 containers:
 - name: server
@@ -412,6 +416,7 @@ spec:
 labels:
 app: cartservice
 spec:
+ serviceAccountName: default
 terminationGracePeriodSeconds: 5
 containers:
 - name: server
@@ -471,6 +476,7 @@ spec:
 annotations:
 sidecar.istio.io/rewriteAppHTTPProbers: "true"
 spec:
+ serviceAccountName: default
 terminationGracePeriodSeconds: 5
 restartPolicy: Always
 containers:
@@ -502,6 +508,7 @@ spec:
 labels:
 app: currencyservice
 spec:
+ serviceAccountName: default
 terminationGracePeriodSeconds: 5
 containers:
 - name: server
@@ -668,6 +675,7 @@ spec:
 labels:
 app: adservice
 spec:
+ serviceAccountName: default
 terminationGracePeriodSeconds: 5
 containers:
 - name: server
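Review bot: The release manifest receives the `serviceAccountName: default` marker on eight Deployments only — going by the `app:` labels in these hunks, checkoutservice and frontend are not touched — so the `sed "s/serviceAccountName: default/serviceAccountName: ${KSA_NAME}/g"` step in docs/workload-identity.md leaves those two pods on the namespace `default` KSA with no Workload Identity mapping, while the per-file manifests in kubernetes-manifests/ do get the line; add `serviceAccountName: default` under `spec.template.spec` for both so the generated wi-kubernetes-manifests.yaml covers every service. Since the release file is meant to mirror kubernetes-manifests/, regenerating it from those sources rather than hand-editing would keep the two from drifting like this. The same docs snippet also has a stray `done` after the `sed` line with no enclosing loop, so that step fails as written. Each Deployment spec continues outside its hunk.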