[CI] Enable Workload Identity Federation on Linux/Windows Nodepools

This patch enables workload identity federation on the Linux and Windows node
pools as described in
https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity. This
is necessary for authenticating with the GCS APIs so that we can use sccache
with a GCS bucket for caching.

Reviewers: cmtice, dschuff, lnihlen, Keenuts, gburgessiv

Reviewed By: cmtice

Pull Request: #506

Author: boomanaiden154

premerge/gke_cluster/main.tf

@@ -12,6 +12,13 @@ resource "google_container_cluster" "llvm_premerge" {
   # for adding windows nodes to the cluster.
   networking_mode = "VPC_NATIVE"
   ip_allocation_policy {}
+
+  # Set the workload identity config so that we can authenticate with Google
+  # Cloud APIs using workload identity federation as described in
+  # https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity.
+  workload_identity_config {
+    workload_pool = "llvm-premerge-checks.svc.id.goog"
+  }
 }
 
 resource "google_container_node_pool" "llvm_premerge_linux_service" {
@@ -62,6 +69,12 @@ resource "google_container_node_pool" "llvm_premerge_linux" {
     resource_labels = {
       "goog-gke-node-pool-provisioning-model" = "on-demand"
     }
+
+    # Enable workload identity federation for this pool so that we can access
+    # GCS buckets.
+    workload_metadata_config {
+      mode = "GKE_METADATA"
+    }
   }
 }
 
@@ -139,6 +152,12 @@ resource "google_container_node_pool" "llvm_premerge_windows_2022" {
     resource_labels = {
       "goog-gke-node-pool-provisioning-model" = "on-demand"
     }
+
+    # Enable workload identity federation for this pool so that we can access
+    # GCS buckets.
+    workload_metadata_config {
+      mode = "GKE_METADATA"
+    }
   }
 }