feat: Workload identity for GKE

Author: gtoonstra

examples/deployment/application/versions.tf

@@ -8,11 +8,15 @@ terraform {
       source  = "hashicorp/kubernetes"
       version = "~> 2.25.2"
     }
+    helm = {
+      source  = "hashicorp/helm"
+      version = "~> 2.17.0"
+    }
   }
 }
 
 locals {
   operator_version = "1.2.8"
-  helm_version     = "0.6.83"
+  helm_version     = "0.7.1"
   crd_version      = "0.1.1"
 }

examples/deployment/infra/config.tf

@@ -3,33 +3,62 @@ resource "local_file" "infra_config" {
   content = templatefile(
     "${path.module}/../templates/datafold/infra_settings.tpl",
     {
-      aws_target_group_arn         = "",
-      cluster_scaler_role_arn      = "",
-      clickhouse_access_key        = "",
-      clickhouse_backup_sa         = module.gcp[0].clickhouse_backup_sa,
-      clickhouse_data_size         = module.gcp[0].clickhouse_data_size,
-      clickhouse_data_volume_id    = module.gcp[0].clickhouse_data_volume_id,
-      clickhouse_gcs_bucket        = module.gcp[0].clickhouse_gcs_bucket,
-      clickhouse_logs_size         = module.gcp[0].clickhouse_logs_size,
-      clickhouse_log_volume_id     = module.gcp[0].clickhouse_logs_volume_id,
-      clickhouse_s3_bucket         = "",
-      clickhouse_s3_region         = "",
-      clickhouse_secret_key        = "",
-      cloud_provider               = module.gcp[0].cloud_provider,
-      cluster_name                 = module.gcp[0].cluster_name,
-      gcp_neg_name                 = module.gcp[0].neg_name,
-      load_balancer_ips            = module.gcp[0].lb_external_ip,
-      load_balancer_controller_arn = "",
-      postgres_database            = module.gcp[0].postgres_database_name,
-      postgres_password            = module.gcp[0].postgres_password,
-      postgres_port                = module.gcp[0].postgres_port,
-      postgres_server              = module.gcp[0].postgres_host,
-      postgres_user                = module.gcp[0].postgres_username,
-      redis_password               = module.gcp[0].redis_password,
-      redis_data_size              = module.gcp[0].redis_data_size,
-      redis_data_volume_id         = module.gcp[0].redis_data_volume_id,
-      server_name                  = module.gcp[0].domain_name,
-      vpc_cidr                     = module.gcp[0].vpc_cidr,
+      aws_target_group_arn           = "",
+      cluster_scaler_role_arn        = "",
+      clickhouse_s3_backup_role      = "",
+      clickhouse_data_size           = module.gcp[0].clickhouse_data_size,
+      clickhouse_data_volume_id      = module.gcp[0].clickhouse_data_volume_id,
+      clickhouse_gcs_bucket          = module.gcp[0].clickhouse_gcs_bucket,
+      gcp_backup_account             = module.gcp[0].clickhouse_backup_sa,
+      clickhouse_logs_size           = module.gcp[0].clickhouse_logs_size,
+      clickhouse_log_volume_id       = module.gcp[0].clickhouse_logs_volume_id,
+      clickhouse_s3_bucket           = "",
+      clickhouse_s3_region           = "",
+      clickhouse_azblob_account_name = "",
+      clickhouse_azblob_container    = "",
+      clickhouse_azblob_account_key  = "",
+      cloud_provider                 = module.gcp[0].cloud_provider,
+      cluster_name                   = module.gcp[0].cluster_name,
+      gcp_neg_name                   = module.gcp[0].neg_name,
+      load_balancer_ips              = jsondecode(module.gcp[0].lb_external_ip),
+      load_balancer_controller_arn   = "",
+      postgres_database              = module.gcp[0].postgres_database_name,
+      postgres_password              = module.gcp[0].postgres_password,
+      postgres_port                  = module.gcp[0].postgres_port,
+      postgres_server                = module.gcp[0].postgres_host,
+      postgres_user                  = module.gcp[0].postgres_username,
+      redis_password                 = module.gcp[0].redis_password,
+      redis_data_size                = module.gcp[0].redis_data_size,
+      redis_data_volume_id           = module.gcp[0].redis_data_volume_id,
+      server_name                    = module.gcp[0].domain_name,
+      vpc_cidr                       = module.gcp[0].vpc_cidr,
+
+      # service accounts vars
+      dfshell_role_arn                        = try(module.gcp[0].dfshell_role_arn, "")
+      dfshell_service_account_name            = try(module.gcp[0].dfshell_service_account_name, "datafold-dfshell")
+      worker_portal_role_arn                  = try(module.gcp[0].worker_portal_role_arn, "")
+      worker_portal_service_account_name      = try(module.gcp[0].worker_portal_service_account_name, "datafold-worker-portal")
+      operator_role_arn                       = try(module.gcp[0].operator_role_arn, "")
+      operator_service_account_name           = try(module.gcp[0].operator_service_account_name, "datafold-operator")
+      server_role_arn                         = try(module.gcp[0].server_role_arn, "")
+      server_service_account_name             = try(module.gcp[0].server_service_account_name, "datafold-server")
+      scheduler_role_arn                      = try(module.gcp[0].scheduler_role_arn, "")
+      scheduler_service_account_name          = try(module.gcp[0].scheduler_service_account_name, "datafold-scheduler")
+      worker_role_arn                         = try(module.gcp[0].worker_role_arn, "")
+      worker_service_account_name             = try(module.gcp[0].worker_service_account_name, "datafold-worker")
+      worker_catalog_role_arn                 = try(module.gcp[0].worker_catalog_role_arn, "")
+      worker_catalog_service_account_name     = try(module.gcp[0].worker_catalog_service_account_name, "datafold-worker-catalog")
+      worker_interactive_role_arn             = try(module.gcp[0].worker_interactive_role_arn, "")
+      worker_interactive_service_account_name = try(module.gcp[0].worker_interactive_service_account_name, "datafold-worker-interactive")
+      worker_singletons_role_arn              = try(module.gcp[0].worker_singletons_role_arn, "")
+      worker_singletons_service_account_name  = try(module.gcp[0].worker_singletons_service_account_name, "datafold-worker-singletons")
+      worker_lineage_role_arn                 = try(module.gcp[0].worker_lineage_role_arn, "")
+      worker_lineage_service_account_name     = try(module.gcp[0].worker_lineage_service_account_name, "datafold-worker-lineage")
+      worker_monitor_role_arn                 = try(module.gcp[0].worker_monitor_role_arn, "")
+      worker_monitor_service_account_name     = try(module.gcp[0].worker_monitor_service_account_name, "datafold-worker-monitor")
+      storage_worker_role_arn                 = try(module.gcp[0].storage_worker_role_arn, "")
+      storage_worker_service_account_name     = try(module.gcp[0].storage_worker_service_account_name, "datafold-storage-worker")
+
     }
   )
 

examples/deployment/infra/main.tf

@@ -36,14 +36,20 @@ module "gcp" {
   # Virtual Private Cloud
   whitelisted_ingress_cidrs = local.lb_whitelisted_ingress_cidrs
   whitelisted_egress_cidrs = concat(
-    local.github_cidrs
+    local.github_cidrs,
   )
-  deploy_vpc_flow_logs = true
+  vpc_cidr = "10.0.0.0/16"
+
+  # Clickhouse
+  clickhouse_data_disk_size = 200
+
+  # Database
+  database_version       = "POSTGRES_15"
+  deploy_vpc_flow_logs   = true
 
   # Clickhouse
   clickhouse_data_disk_size = 50
 
   # k8s
   k8s_authorized_networks = local.authorized_networks
-  k8s_cluster_version     = "1.28.11-gke.1260000"
 }

examples/deployment/templates/infra_settings.tpl

@@ -3,6 +3,8 @@ clickhouse:
     gcs_bucket: ${clickhouse_gcs_bucket}
     s3_bucket: ${clickhouse_s3_bucket}
     s3_region: ${clickhouse_s3_region}
+    s3_backup_role: ${clickhouse_s3_backup_role}
+    gcp_backup_account: ${gcp_backup_account}
     azblob_account_name: ${clickhouse_azblob_account_name}
     azblob_container: ${clickhouse_azblob_container}
   storage:
@@ -11,9 +13,6 @@ clickhouse:
     logSize: ${clickhouse_logs_size}
     logVolumeId: ${clickhouse_log_volume_id}
   secrets:
-    access_key: ${clickhouse_access_key}
-    secret_key: ${clickhouse_secret_key}
-    clickhouse_backup_sa: ${clickhouse_backup_sa}
     azblob_account_key: ${clickhouse_azblob_account_key}
 
 redis:
@@ -47,3 +46,73 @@ secrets:
     password: ${postgres_password}
     port: ${postgres_port}
     user: ${postgres_user}
+
+dfshell:
+  serviceAccount:
+    name: ${dfshell_service_account_name}
+    roleArn: ${dfshell_role_arn}
+
+worker-portal:
+  serviceAccount:
+    name: ${worker_portal_service_account_name}
+    roleArn: ${worker_portal_role_arn}
+
+operator:
+  serviceAccount:
+    name: ${operator_service_account_name}
+    roleArn: ${operator_role_arn}
+
+server:
+  serviceAccount:
+    name: ${server_service_account_name}
+    roleArn: ${server_role_arn}
+
+scheduler:
+  serviceAccount:
+    name: ${scheduler_service_account_name}
+    roleArn: ${scheduler_role_arn}
+
+worker:
+  serviceAccount:
+    name: ${worker_service_account_name}
+    roleArn: ${worker_role_arn}
+
+worker2:
+  serviceAccount:
+    name: ${worker_service_account_name}
+    roleArn: ${worker_role_arn}
+
+worker3:
+  serviceAccount:
+    name: ${worker_service_account_name}
+    roleArn: ${worker_role_arn}
+
+worker-catalog:
+  serviceAccount:
+    name: ${worker_catalog_service_account_name}
+    roleArn: ${worker_catalog_role_arn}
+
+worker-interactive:
+  serviceAccount:
+    name: ${worker_interactive_service_account_name}
+    roleArn: ${worker_interactive_role_arn}
+
+worker-singletons:
+  serviceAccount:
+    name: ${worker_singletons_service_account_name}
+    roleArn: ${worker_singletons_role_arn}
+
+worker-lineage:
+  serviceAccount:
+    name: ${worker_lineage_service_account_name}
+    roleArn: ${worker_lineage_role_arn}
+
+worker-monitor:
+  serviceAccount:
+    name: ${worker_monitor_service_account_name}
+    roleArn: ${worker_monitor_role_arn}
+
+storage-worker:
+  serviceAccount:
+    name: ${storage_worker_service_account_name}
+    roleArn: ${storage_worker_role_arn}

modules/clickhouse_backup/iam.tf

@@ -20,7 +20,3 @@ resource "google_project_iam_member" "clickhouse" {
   member  = "serviceAccount:${google_service_account.clickhouse.email}"
 }
 
-resource "google_service_account_key" "clickhouse" {
-  count              = var.clickhouse_get_backup_sa_from_secrets_yaml ? 0 : 1
-  service_account_id = resource.google_service_account.clickhouse.id
-}

modules/clickhouse_backup/outputs.tf

@@ -3,5 +3,5 @@ output "clickhouse_gcs_bucket" {
 }
 
 output "clickhouse_backup_sa" {
-  value = var.clickhouse_get_backup_sa_from_secrets_yaml ? var.clickhouse_backup_sa_key : one(resource.google_service_account_key.clickhouse[*].private_key)
+  value = resource.google_service_account.clickhouse.account_id
 }

modules/gke/main.tf

@@ -20,6 +20,7 @@ resource "google_container_cluster" "default" {
   project            = var.project_id
   network            = var.vpc_id
   subnetwork         = var.subnetwork
+  location           = var.azs[0]
   min_master_version = data.google_container_engine_versions.cluster.latest_master_version
 
   networking_mode = "VPC_NATIVE"
@@ -120,6 +121,10 @@ resource "google_container_cluster" "default" {
     autoscaling_profile = "OPTIMIZE_UTILIZATION"
   }
 
+  workload_identity_config {
+    workload_pool = "${var.project_id}.svc.id.goog"
+  }
+
   deletion_protection = var.k8s_deletion_protection
 }
 

variables.tf

@@ -52,7 +52,7 @@ variable "restricted_roles" {
 
 variable "redis_data_size" {
   type        = number
-  default     = 10
+  default     = 50
   description = "Redis volume size"
 }