Skip to content

livewyer-ops/crossplane-configuration-gcp-workload-identity

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
.github/workflows
.github/workflows
 
 
apis
apis
 
 
examples
examples
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
NOTES.txt
NOTES.txt
 
 
README.md
README.md
 
 
crossplane.yaml
crossplane.yaml
 
 
upbound.yaml
upbound.yaml
 
 

Repository files navigation

crossplane-configuration-gcp-workload-identity

A Crossplane Configuration for setting up GCP Workload Identity to enable Kubernetes workloads to authenticate with Google Cloud services using service accounts.

Overview

This Configuration provides a Composite Resource Definition (XRD) and Composition for automating the setup of GCP Workload Identity, which allows Kubernetes pods to authenticate to Google Cloud services without storing service account keys.

The configuration automates:

  • Creation of GCP Service Accounts
  • IAM role bindings for GCP projects
  • Kubernetes Service Account creation with appropriate annotations
  • Workload Identity IAM policy bindings

Features

  • Multi-Project Support: Grant permissions across multiple GCP projects
  • Flexible IAM Roles: Assign multiple IAM roles to the workload identity
  • Kubernetes Integration: Automatically creates and configures Kubernetes Service Accounts
  • Customizable: Control service account mounting and namespace placement

Prerequisites

This Configuration requires:

Installation

Install this Configuration using the Crossplane CLI:

kubectl crossplane install configuration ghcr.io/livewyer-ops/crossplane-configuration-gcp-workload-identity:latest

Or create a Configuration resource:

apiVersion: pkg.crossplane.io/v1
kind: Configuration
metadata:
  name: gcp-workload-identity
spec:
  package: ghcr.io/livewyer-ops/crossplane-configuration-gcp-workload-identity:latest

Usage

Create a WorkloadIdentity resource:

apiVersion: gcp.livewyer.io/v1alpha1
kind: WorkloadIdentity
metadata:
  name: my-app-workload-identity
  namespace: default
spec:
  forProvider:
    projectId: my-gcp-project
    serviceAccountName: my-app
    roles:
      - roles/storage.objectViewer
      - roles/cloudsql.client
    additionalProjects:
      - projectId: another-project
        roles:
          - roles/secretmanager.secretAccessor

Parameters

Parameter Required Description
projectId Yes GCP project ID where the service account will be created
roles Yes List of IAM roles to grant in the primary project
serviceAccountName No Name for the Kubernetes Service Account
serviceAccountNamespace No Namespace for the Kubernetes Service Account (defaults to resource namespace)
additionalProjects No List of additional projects with roles to grant access
automountServiceAccountToken No Enable automatic token mounting (default: true)

Examples

See the examples/ directory for more usage examples:

Development

Building the Configuration

Build the Configuration package using the Crossplane CLI:

crossplane xpkg build

With custom options:

crossplane xpkg build --package-root=. --package-file=gcp-workload-identity.xpkg --examples-root=./examples

Publishing

Login to your registry:

crossplane xpkg login

Push the package:

crossplane xpkg push -f gcp-workload-identity.xpkg your-org/crossplane-configuration-gcp-workload-identity:v1.0.0

License

MIT License - see LICENSE for details

Maintainer

Maintained by Livewyer - [email protected]

Links

About

Crossplane Composite Resource Definitions (XRDs) package for creating Workload Identity in GCP.

Resources

Readme

License

MIT license

Code of conduct

Code of conduct
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

2 tags

Packages

No packages published