feat: add fields to support workload identity

salasberryfin · salasberryfin · commit a1e46dd16816 · 2025-08-26T14:55:29.000+02:00
Signed-off-by: Carlos Salas &lt;carlos.salas@suse.com&gt;
diff --git a/cloud/services/container/clusters/reconcile.go b/cloud/services/container/clusters/reconcile.go
@@ -306,16 +306,35 @@ func (s *Service) createCluster(ctx context.Context, log *logr.Logger) error {
 			}
 		}
 	}
+
 	if !s.scope.IsAutopilotCluster() {
 		cluster.NodePools = scope.ConvertToSdkNodePools(nodePools, machinePools, isRegional, cluster.GetName())
+
 		if s.scope.GCPManagedControlPlane.Spec.LoggingService != nil {
 			cluster.LoggingService = s.scope.GCPManagedControlPlane.Spec.LoggingService.String()
 		}
+
 		if s.scope.GCPManagedControlPlane.Spec.MonitoringService != nil {
 			cluster.MonitoringService = s.scope.GCPManagedControlPlane.Spec.MonitoringService.String()
 		}
 	}
 
+	if s.scope.GCPManagedControlPlane.Spec.ClusterSecurity != nil {
+		cs := s.scope.GCPManagedControlPlane.Spec.ClusterSecurity
+		if cs.WorkloadIdentityConfig != nil {
+			cluster.WorkloadIdentityConfig = &containerpb.WorkloadIdentityConfig{
+				WorkloadPool: cs.WorkloadIdentityConfig.WorkloadPool,
+			}
+		}
+
+		if cs.AuthenticatorGroupConfig != nil {
+			cluster.AuthenticatorGroupsConfig = &containerpb.AuthenticatorGroupsConfig{
+				Enabled:       true,
+				SecurityGroup: cs.AuthenticatorGroupConfig.SecurityGroups,
+			}
+		}
+	}
+
 	createClusterRequest := &containerpb.CreateClusterRequest{
 		Cluster: cluster,
 		Parent:  s.scope.ClusterLocation(),
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmanagedcontrolplanes.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmanagedcontrolplanes.yaml
@@ -132,6 +132,34 @@ spec:
                       pod IPs in the cluster.
                     type: boolean
                 type: object
+              clusterSecurity:
+                description: ClusterSecurity defines the cluster security.
+                properties:
+                  authenticatorGroupConfig:
+                    description: AuthenticatorGroupConfig is RBAC security group for
+                      use with Google security groups in Kubernetes RBAC.
+                    properties:
+                      securityGroups:
+                        description: SecurityGroups is the name of the security group-of-groups
+                          to be used.
+                        type: string
+                    required:
+                    - securityGroups
+                    type: object
+                  workloadIdentityConfig:
+                    description: |-
+                      WorkloadIdentityConfig allows workloads in your GKE clusters to impersonate Identity and Access Management (IAM)
+                      service accounts to access Google Cloud services
+                    properties:
+                      workloadPool:
+                        description: |-
+                          WorkloadPool is the workload pool to attach all Kubernetes service accounts to Google Cloud services.
+                          Only relevant when enabled is true
+                        type: string
+                    required:
+                    - workloadPool
+                    type: object
+                type: object
               controlPlaneVersion:
                 description: |-
                   ControlPlaneVersion represents the control plane version of the GKE cluster.
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmanagedcontrolplanetemplates.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmanagedcontrolplanetemplates.yaml
@@ -115,6 +115,35 @@ spec:
                               pod IPs in the cluster.
                             type: boolean
                         type: object
+                      clusterSecurity:
+                        description: ClusterSecurity defines the cluster security.
+                        properties:
+                          authenticatorGroupConfig:
+                            description: AuthenticatorGroupConfig is RBAC security
+                              group for use with Google security groups in Kubernetes
+                              RBAC.
+                            properties:
+                              securityGroups:
+                                description: SecurityGroups is the name of the security
+                                  group-of-groups to be used.
+                                type: string
+                            required:
+                            - securityGroups
+                            type: object
+                          workloadIdentityConfig:
+                            description: |-
+                              WorkloadIdentityConfig allows workloads in your GKE clusters to impersonate Identity and Access Management (IAM)
+                              service accounts to access Google Cloud services
+                            properties:
+                              workloadPool:
+                                description: |-
+                                  WorkloadPool is the workload pool to attach all Kubernetes service accounts to Google Cloud services.
+                                  Only relevant when enabled is true
+                                type: string
+                            required:
+                            - workloadPool
+                            type: object
+                        type: object
                       enableAutopilot:
                         description: EnableAutopilot indicates whether to enable autopilot
                           for this GKE cluster.
diff --git a/exp/api/v1beta1/gcpmanagedcontrolplane_types.go b/exp/api/v1beta1/gcpmanagedcontrolplane_types.go
@@ -113,6 +113,18 @@ type AuthenticatorGroupConfig struct {
 	SecurityGroups string `json:"securityGroups,omitempty"`
 }
 
+// ClusterSecurity defines the cluster security options.
+type ClusterSecurity struct {
+	// WorkloadIdentityConfig allows workloads in your GKE clusters to impersonate Identity and Access Management (IAM)
+	// service accounts to access Google Cloud services
+	// +optional
+	WorkloadIdentityConfig *WorkloadIdentityConfig `json:"workloadIdentityConfig,omitempty"`
+
+	// AuthenticatorGroupConfig is RBAC security group for use with Google security groups in Kubernetes RBAC.
+	// +optional
+	AuthenticatorGroupConfig *AuthenticatorGroupConfig `json:"authenticatorGroupConfig,omitempty"`
+}
+
 // GCPManagedControlPlaneSpec defines the desired state of GCPManagedControlPlane.
 type GCPManagedControlPlaneSpec struct {
 	GCPManagedControlPlaneClassSpec `json:",inline"`
diff --git a/exp/api/v1beta1/types_class.go b/exp/api/v1beta1/types_class.go
@@ -31,6 +31,10 @@ type GCPManagedControlPlaneClassSpec struct {
 	// +optional
 	ClusterNetwork *ClusterNetwork `json:"clusterNetwork,omitempty"`
 
+	// ClusterSecurity defines the cluster security.
+	// +optional
+	ClusterSecurity *ClusterSecurity `json:"clusterSecurity,omitempty"`
+
 	// Project is the name of the project to deploy the cluster to.
 	Project string `json:"project"`
 
diff --git a/exp/api/v1beta1/zz_generated.deepcopy.go b/exp/api/v1beta1/zz_generated.deepcopy.go
