
Support for service accounts managed by Gardener operators #365

Closed

Conversation

dkistner
Member

How to categorize this PR?
/area security
/kind enhancement
/platform gcp

What this PR does / why we need it:
Add support to use a service account managed by Gardener operators for a GCP Shoot.

This eliminates the need for users to bring their own service account.
The service account can be managed by the Gardener operator in a different project in the same GCP organisation.
Users just need to assign the managed service account to their own project with proper permissions.
This also gives the operator the ability to rotate credentials in a centralised way.

Which issue(s) this PR fixes:
Fixes #362

Special notes for your reviewer:

Release note:

A feature has been added that allows using a service account for a GCP Shoot that is managed by the Gardener operators. This eliminates the need for users to provide and manage the service account on their own. Find more information on how to use this feature in the [end user documentation](https://github.com/gardener/gardener-extension-provider-gcp/blob/master/docs/usage-as-end-user.md#managed-service-accounts)

Draft until a few pending tests are completed.

/squash
/cc @donistz

@gardener-robot gardener-robot added area/security Security related kind/enhancement Enhancement, improvement, extension merge/squash Should be merged via 'Squash and merge' platform/gcp Google cloud platform/infrastructure needs/review Needs review size/xl Size of pull request is huge (see gardener-robot robot/bots/size.py) needs/second-opinion Needs second review by someone else labels Dec 20, 2021
@gardener-robot-ci-2 gardener-robot-ci-2 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Dec 20, 2021
@dkistner dkistner force-pushed the feature/managed-service-account branch from 15694e6 to 0c6d4a3 Compare January 17, 2022 08:11
@gardener-robot-ci-3 gardener-robot-ci-3 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jan 17, 2022
@gardener-robot-ci-1 gardener-robot-ci-1 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jan 17, 2022
@dkistner dkistner force-pushed the feature/managed-service-account branch from 0c6d4a3 to e7a812f Compare January 17, 2022 14:14
@gardener-robot-ci-2 gardener-robot-ci-2 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jan 17, 2022
@gardener-robot-ci-3 gardener-robot-ci-3 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jan 17, 2022
@dkistner dkistner force-pushed the feature/managed-service-account branch from e7a812f to 54b0743 Compare January 17, 2022 15:06
@gardener-robot-ci-2 gardener-robot-ci-2 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jan 17, 2022
@gardener-robot-ci-1 gardener-robot-ci-1 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jan 17, 2022
@dkistner dkistner force-pushed the feature/managed-service-account branch from 54b0743 to 4f64496 Compare January 17, 2022 15:14
@gardener-robot-ci-3 gardener-robot-ci-3 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jan 17, 2022
@gardener-robot-ci-1 gardener-robot-ci-1 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jan 17, 2022
@dkistner
Member Author

/ready-for-review
/invite @kon-angelo

@gardener-robot gardener-robot marked this pull request as ready for review January 17, 2022 15:45
@@ -0,0 +1,130 @@
// Copyright (c) 2021 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
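Review bot: the copyright year in this new file's header line reads 2021, but the file is being introduced by a PR that was still being force-pushed in January 2022 (see the timeline above), so the header should say 2022 before merge.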
Contributor

Small nit but I think copyrights should be 2022

@gardener-robot

@dkistner You need to rebase this pull request with the latest master branch. Please check.

@gardener-robot gardener-robot added the needs/rebase Needs git rebase label Jan 20, 2022
@gardener-robot gardener-robot added the lifecycle/stale Nobody worked on this for 6 months (will further age) label Jul 20, 2022
@dkistner
Member Author

/close currently there is no work on this topic. Reopen a new PR when it becomes relevant again.

@gardener-robot gardener-robot added the status/closed Issue is closed (either delivered or triaged) label Aug 31, 2022
Development

Successfully merging this pull request may close these issues.

Implement a default centrally managed GCP service account for authentication to GCP API across GCP projects
6 participants