From c5c9739a00466abbeb33cf1fc20cbfc7a8cf28af Mon Sep 17 00:00:00 2001
From: "Yuan (Bob) Gong"
Date: Thu, 9 Jul 2020 18:24:54 +0800
Subject: [PATCH] fix(deployment): gcp managed storage - add service account to minio and cloudsql proxy deployments for workload identity (#4188)

---
 .../env/gcp/cloudsql-proxy/cloudsql-proxy-deployment.yaml | 1 +
 .../kustomize/env/gcp/cloudsql-proxy/cloudsql-proxy-sa.yaml | 4 ++++
 manifests/kustomize/env/gcp/cloudsql-proxy/kustomization.yaml | 3 ++-
 .../kustomize/env/gcp/minio-gcs-gateway/kustomization.yaml | 1 +
 .../gcp/minio-gcs-gateway/minio-gcs-gateway-deployment.yaml | 1 +
 .../env/gcp/minio-gcs-gateway/minio-gcs-gateway-sa.yaml | 4 ++++
 manifests/kustomize/gcp-workload-identity-setup.sh | 4 ++++
 7 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 manifests/kustomize/env/gcp/cloudsql-proxy/cloudsql-proxy-sa.yaml
 create mode 100644 manifests/kustomize/env/gcp/minio-gcs-gateway/minio-gcs-gateway-sa.yaml

diff --git a/manifests/kustomize/env/gcp/cloudsql-proxy/cloudsql-proxy-deployment.yaml b/manifests/kustomize/env/gcp/cloudsql-proxy/cloudsql-proxy-deployment.yaml
index 434afd2ee86..10e1f6aafe8 100644
--- a/manifests/kustomize/env/gcp/cloudsql-proxy/cloudsql-proxy-deployment.yaml
+++ b/manifests/kustomize/env/gcp/cloudsql-proxy/cloudsql-proxy-deployment.yaml
@@ -14,6 +14,7 @@ spec:
       labels:
         app: cloudsqlproxy
     spec:
+      serviceAccountName: kubeflow-pipelines-cloudsql-proxy
       containers:
       - image: gcr.io/cloudsql-docker/gce-proxy:1.14
         name: cloudsqlproxy
diff --git a/manifests/kustomize/env/gcp/cloudsql-proxy/cloudsql-proxy-sa.yaml b/manifests/kustomize/env/gcp/cloudsql-proxy/cloudsql-proxy-sa.yaml
new file mode 100644
index 00000000000..a4cc9c43dfe
--- /dev/null
+++ b/manifests/kustomize/env/gcp/cloudsql-proxy/cloudsql-proxy-sa.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kubeflow-pipelines-cloudsql-proxy
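Review bot: The new ServiceAccount in cloudsql-proxy-sa.yaml (and likewise minio-gcs-gateway-sa.yaml in the next hunk group) carries no `iam.gke.io/gcp-service-account` annotation, so the manifest on its own binds the pod to no GSA; the binding is left to the setup script, which this commit only mentions in a comment, and requests the pod makes through the GKE metadata server will not carry the intended identity until that step is run. A header comment in each SA manifest such as `# Workload Identity: this KSA must be annotated with iam.gke.io/gcp-service-account=<GSA> (see gcp-workload-identity-setup.sh)` would keep the manifest from looking complete by itself. As far as these manifests show, neither container reads the Kubernetes API, so `automountServiceAccountToken: false` on both ServiceAccounts would keep the projected API token out of the containers without affecting Workload Identity.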
diff --git a/manifests/kustomize/env/gcp/cloudsql-proxy/kustomization.yaml b/manifests/kustomize/env/gcp/cloudsql-proxy/kustomization.yaml
index 704e59c336c..a336cb50f9e 100644
--- a/manifests/kustomize/env/gcp/cloudsql-proxy/kustomization.yaml
+++ b/manifests/kustomize/env/gcp/cloudsql-proxy/kustomization.yaml
@@ -3,4 +3,5 @@ kind: Kustomization
 
 resources:
 - cloudsql-proxy-deployment.yaml
-- mysql-service.yaml
\ No newline at end of file
+- cloudsql-proxy-sa.yaml
+- mysql-service.yaml
diff --git a/manifests/kustomize/env/gcp/minio-gcs-gateway/kustomization.yaml b/manifests/kustomize/env/gcp/minio-gcs-gateway/kustomization.yaml
index 4f2c428c493..877ad81746a 100644
--- a/manifests/kustomize/env/gcp/minio-gcs-gateway/kustomization.yaml
+++ b/manifests/kustomize/env/gcp/minio-gcs-gateway/kustomization.yaml
@@ -3,6 +3,7 @@ kind: Kustomization
 
 resources:
 - minio-gcs-gateway-deployment.yaml
+- minio-gcs-gateway-sa.yaml
 - minio-gcs-gateway-service.yaml
 
 secretGenerator:
diff --git a/manifests/kustomize/env/gcp/minio-gcs-gateway/minio-gcs-gateway-deployment.yaml b/manifests/kustomize/env/gcp/minio-gcs-gateway/minio-gcs-gateway-deployment.yaml
index e8dd6e2509c..f26d27cc61f 100644
--- a/manifests/kustomize/env/gcp/minio-gcs-gateway/minio-gcs-gateway-deployment.yaml
+++ b/manifests/kustomize/env/gcp/minio-gcs-gateway/minio-gcs-gateway-deployment.yaml
@@ -15,6 +15,7 @@ spec:
       labels:
         app: minio
     spec:
+      serviceAccountName: kubeflow-pipelines-minio-gcs-gateway
       containers:
       - name: minio
         image: gcr.io/ml-pipeline/minio:RELEASE.2019-08-14T20-37-41Z-license-compliance
diff --git a/manifests/kustomize/env/gcp/minio-gcs-gateway/minio-gcs-gateway-sa.yaml b/manifests/kustomize/env/gcp/minio-gcs-gateway/minio-gcs-gateway-sa.yaml
new file mode 100644
index 00000000000..2aa4f937685
--- /dev/null
+++ b/manifests/kustomize/env/gcp/minio-gcs-gateway/minio-gcs-gateway-sa.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kubeflow-pipelines-minio-gcs-gateway
diff --git a/manifests/kustomize/gcp-workload-identity-setup.sh b/manifests/kustomize/gcp-workload-identity-setup.sh
index e749ccbc0de..1a22267f0ac 100755
--- a/manifests/kustomize/gcp-workload-identity-setup.sh
+++ b/manifests/kustomize/gcp-workload-identity-setup.sh
@@ -21,6 +21,10 @@ SYSTEM_GSA=${SYSTEM_GSA:-$CLUSTER_NAME-kfp-system}
 USER_GSA=${USER_GSA:-$CLUSTER_NAME-kfp-user}
 
 # Kubernetes Service Account (KSA)
+# Note, if deploying manifests/kustomize/env/gcp, you can add the following KSAs
+# to the array of SYSTEM_KSA:
+# * kubeflow-pipelines-minio-gcs-gateway needs gcs permissions
+# * kubeflow-pipelines-cloudsql-proxy needs cloudsql permissions
 SYSTEM_KSA=(ml-pipeline-ui ml-pipeline-visualizationserver)
 USER_KSA=(pipeline-runner kubeflow-pipelines-container-builder)
 
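Review bot: The added comment tells operators to append both KSAs to `SYSTEM_KSA`, which — if every entry in that array is bound to the single `SYSTEM_GSA`, as the variable naming suggests — hands the minio gateway the Cloud SQL permissions and the proxy the GCS permissions, even though the comment itself states each needs only one of the two. A least-privilege layout would keep them apart, e.g. `MINIO_KSA=(kubeflow-pipelines-minio-gcs-gateway)` and `CLOUDSQL_KSA=(kubeflow-pipelines-cloudsql-proxy)`, each bound to a GSA holding only the object-storage or Cloud SQL client role it needs. If that is out of scope for this fix, the comment should at least say that adding them to `SYSTEM_KSA` grants each pod the full role set of the system GSA. The binding logic that consumes these arrays is outside the hunk, so the grouping assumption above should be confirmed against it.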