[terraform/gcp] Create separate SA credentials for each dependency #12614
Conversation
force-pushed from 340fce8 to d6b69ab
Converting to draft to fix a bug I encountered
force-pushed from d6b69ab to 5cb447c
The issue was that the naming for service accounts started with numerals in test environments; this does not abide by the pattern GCP accepts. Hence tests were failing. Force pushed the fix for it.
Comments added, some questions might be out of scope as they may touch code that's being purely refactored.
In summary:
- We can probably snip out some repetitive code with a for_each loop (note that we need to use a for_each over iteration because terraform does silly things when iterating over arrays)
- We're passing the dns credentials as a local file; this looks like a hidden dependency.
- The service account and OAuth scopes seem broadly scoped for the workspaces; we may be able to trim this down (but this may be out of scope)
force-pushed from 5cb447c to 4cff490
Flagging this as a potential concern:
Edit: I tracked down the origin of the issue; it looks like our kubectl credential fetching tries a handful of methods and may emit an error if one of those methods failed. This appears to be a spurious failure.
/hold for comment review, merge at your discretion
Noting this for later - reviewing this PR required having a moderate amount of self-hosted knowledge to understand the different moving parts and what configuration is required. When we've gotten automated testing to a fairly stable test let's bring in an outside perspective on running through this to identify the assumptions we're making and how customers might use this module.
Looks good otherwise! 🚢 at your discretion
force-pushed from 4cff490 to 1b1ef89
/unhold
Description
Currently, in the GCP single cluster setup, we suggest that the user use the same service account for database, registry, etc. This PR splits the GKE terraform module into multiple smaller files and creates separate service accounts for each of the resources being created, including DNS, database, registry & storage and GKE cluster. This makes this module work very similar to the gitpod-gke-guide.
Related Issue(s)
Fixes #12609
How to test
Please follow the README of the GCP module.
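The per-dependency service account layout described in the PR, written with the for_each loop the review comment suggests; this is an added illustration, not the module's own code. The variable names, the role assignments per dependency and the account_id naming scheme are assumptions; the validation block exists because a leading digit in account_id is exactly what broke the test environments above.

```hcl
# Added example (not the PR's own code): one service account per dependency.
# Keying by a map and using for_each keeps resource addresses stable when a
# dependency is added or removed, unlike count over a list.
variable "name" {
  type        = string
  description = "Installation name; becomes the account_id prefix."
  validation {
    # GCP account_id must start with a lowercase letter; a leading digit is
    # rejected. Length is capped so "<name>-database" stays within 6-30 chars.
    condition     = can(regex("^[a-z][a-z0-9-]{1,11}$", var.name))
    error_message = "name must start with a letter and be 2-12 characters long."
  }
}

variable "project" {
  type = string
}

locals {
  # Assumed role per dependency; each account gets only what its consumer needs.
  dependency_roles = {
    dns      = ["roles/dns.admin"]
    database = ["roles/cloudsql.client"]
    registry = ["roles/artifactregistry.writer"]
    storage  = ["roles/storage.objectAdmin"]
  }

  # One (dependency, role) pair per binding so each binding is its own resource.
  bindings = merge([
    for dep, roles in local.dependency_roles : {
      for role in roles : "${dep}-${role}" => { dependency = dep, role = role }
    }
  ]...)
}

resource "google_service_account" "dependency" {
  for_each     = local.dependency_roles
  project      = var.project
  account_id   = "${var.name}-${each.key}"
  display_name = "${each.key} service account for ${var.name}"
}

resource "google_project_iam_member" "dependency" {
  for_each = local.bindings
  project  = var.project
  role     = each.value.role
  member   = "serviceAccount:${google_service_account.dependency[each.value.dependency].email}"
}

# Expose the emails so downstream modules reference the account directly
# instead of relying on a credential file written to local disk.
output "service_account_emails" {
  value = { for k, sa in google_service_account.dependency : k => sa.email }
}
```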