Install Harness Delegate on Google Kubernetes Engine (GKE) With Workload Identity
Workload Identity allows a Kubernetes service account in your GKE cluster to act as a Google IAM Service account. Pods that use the configured KSA automatically authenticate as the IAM service account when accessing Google Cloud APIs.
To learn more about Workload Identity check out the blog that explains it with an example.
At the end of this tutorial you will know how to:
- Enable Workload Identity on GKE.
- Deploy Harness Delegate onto Workload Identity-enabled GKE.
- Build a simple CI pipeline to push the image to Google Artifact Registry without using GCP connectors or configuring secrets.
CI pipeline scenario
- Build a Go application. You can build any application, but Go is used as an example here.
- Package the application build artifact as a container image.
- Push the image to Google Artifact Registry (GAR).
- Cache the build artifacts and dependencies (Go modules) onto Google Cloud Storage(GCS) to make the build process faster.
Glossary
Review the following terms and their abbreviations.
| Abbreviation | Meaning |
|---|---|
| API | Application Programming Interface |
| ACL | Access Control List |
| GAR | Google Artifact Registry |
| GCS | Google Cloud Storage |
| GKE | Google Kubernetes Engine |
| GSA | Google Service Account |
| IAM | Identity and Access Management |
| KSA | Kubernetes Service Account |
| RBAC | Role-based Access Control |
| SA | Service Account |
| VPC | Virtual Private Cloud |
Pre-requisites
- A Google Cloud Account with a Service Account with the following roles:
Kubernetes Engine Adminto create a GKE clusterService Accountroles used to create, update, or delete a Service Account- iam.serviceAccounts.actAs
- iam.serviceAccounts.get
- iam.serviceAccounts.create
- iam.serviceAccounts.delete
- iam.serviceAccounts.update
- iam.serviceAccounts.get
- iam.serviceAccounts.getIamPolicy
- iam.serviceAccounts.setIamPolicy
- (OR) simply you can add
Service Account AdminandService Account Userroles
Compute Network Adminto create the VPC networks
Required tools
Download and install the following tools locally onto your laptop:
Download sources
As we will be using Terraform pipelines to deploy GKE and Harness Delegate, clone the sources locally:
git clone https://github.com/harness-apps/workload-identity-gke-demo.git && cd "$(basename "$_" .git)"
export DEMO_HOME="$PWD"
Environment setup��
Variables
When working with Google Cloud, the following environment variables help in setting the right Google Cloud context like Service Account Key file, project etc.
You can use direnv or set the following variables on your shell:
export GOOGLE_APPLICATION_CREDENTIALS="the google cloud service account key json file to use"
export CLOUDSDK_ACTIVE_CONFIG_NAME="the google cloud cli profile to use"
export GOOGLE_CLOUD_PROJECT="the google cloud project to use"
export KUBECONFIG="$DEMO_HOME/.kube/config"
You can find more information about gcloud cli configurations at https://cloud.google.com/sdk/docs/configurations.
As you may need to override a few Terraform variables that you don't want to check in to VCS, add them to a file called .local.tfvars and set the following environment variable to be picked up by Terraform runs:
export TFVARS_FILE=.local.tfvars
Check the Inputs section for all possible Terraform variables that are configurable.
An example .local.tfvars looks like,
project_id = "my-awesome-gcp-project"
region = "asia-south1"
cluster_name = "wi-demos"
kubernetes_version = "1.24."
harness_account_id = "REPLACE WITH YOUR HARNESS ACCOUNT ID"
harness_delegate_token = "REPLACE WITH YOUR HARNESS DELEGATE TOKEN"
harness_delegate_name = "wi-demos-delegate"
harness_delegate_namespace = "harness-delegate-ng"
harness_manager_endpoint = "https://app.harness.io/gratis"
Create an environment
We will use Terraform to create a GKE cluster with WorkloadIdentity enabled for its nodes:
task init
Create a GKE cluster
The Terraform apply creates a GKE Cluster:
task create_cluster
Deploy a Harness Delegate
The following section deploys a Harness Delegate onto the GKE cluster.
-
To be able to successfully deploy a Harness Delegate, update the following values in the
.local.tfvarsfile,-
harness_account_id -
harness_delegate_token -
harness_delegate_namespace -
harness_manager_endpoint -
Use Account Id from Account Overview as the value for harness_account_id,
- Use the Harness Cluster Hosting Account from the account details to find the matching endpoint URL. For example, for
prod-2it is https://app.harness.io/gratis and set that as the value forharness_manager_endpoint.
tipYou can find the endpoint corresponding to your Harness Cluster Hosting Account from </tutorials/platform/install-delegate/>
-
-
Copy the default token from Projects --> Project Setup --> Delegates(Tokens) and set it as the value for
harness_delegate_token.
harness_delegate_name: defaults to harness-delegateharness_delegate_namespace: defaults to harness-delegate-ng
-
Run the following command to deploy the Harness Delegate:
task deploy_harness_delegatenoteIt will take some time for the delegate to connect.
Wait for the delegate to be connected before proceeding to the next steps.
You can view the status of the delegate from the Project --> Project Setup --> Delegates page.
You can also check the running Harness delegate pods by using
kubectl:kubectl get pods -n harness-delegate-ngThe output should be something like the following. The pod name may vary based on your
harness_delegate_namevalue.NAME READY STATUS RESTARTS AGE
harness-delegate-6bfd78d5cb-5h8x9 1/1 Running 0 2m23sAs part of Harness Delegate we also did the following extra tasks:
- Created a Google Service Account (SA)
harness-delegate. - Added an IAM binding policy to the
harness-delegateSA, with the roleroles/iam.workloadIdentityUserand a member "serviceAccount:$GOOGLE_CLOUD_PROJECT.svc.id.goog[\default/harness-builder]". - Added a
harness-delegateSA with the roleroles/artifactregistry.createOnPushRepoAdmin, enabling it to push images to Google Artifact Registry(GAR). - Created a Kubernetes Service Account
harness-builderannotated withiam.gke.io/gcp-service-accounttoharness-delegate, allowing it to impersonate the GSA thereby enabling it to push the built application image to GAR.
- Created a Google Service Account (SA)
Build the application
Having deployed the Harness Delegate, you can now build a CI pipeline that will build and push the same Go app to GAR.
Import a template
The sources already have a build stage template that can be used to create the CI pipeline.
-
Navigate to your Harness Account, Account Overview --> Organizations, and then select default organization.
-
From the Organization overview page select Templates,
-
Select New Template, and then select the Import From Git option,
-
Fill the wizard with values as shown:
noteIf you want to use your fork of
harness-apps/workload-identity-gke-demo, then update Repository with your fork.
Create a pipeline
-
Navigate to Builds --> Pipelines, and then select Create Pipeline.
-
Select Add Stage, and then select Use template. Select the ko_gar_build_push template that we imported earlier, and then select Use template to complete the import.
-
Enter details about the stage:
-
Select Setup Stage to create the stage and fill other details, such as Template Inputs:
We use
defaultnamespace to run builder pods. The build pod runs with a Kubernetes Service Account(KSA)harness-builder.noteThe
harness-builderKSA is mapped to Google IAM Service Account (GSA)harness-delegateto inherit the GCP roles, using Workload Identity in this case to push the images to Google Artifact Registry (GAR). -
Select Run to run the pipeline to see the image being built and pushed to GAR:
A successful run would have pushed the image into GAR. In this example it's
asia-south1-docker.pkg.dev/pratyakshika/demos/lingua-greeter:latest
Clean up resources
To clean up all the Google Cloud resources that were created as part of this demo, do the following:
task destroy
Summary
By using Workload Identity Delegate we have simplified and secured our CI pipelines, which can now use any Google API services by configuring the GSA with the correct roles and permissions. The CI SaaS platform no longer needs to store or update the Google API credentials.
Having deployed Workload Identity Delegate, you can also do keyless signing of your container images using Google Application Credentials using cosign.