Skip to content

feat: workload_identity - add image pull secrets #2276

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Feb 13, 2025
Merged

feat: workload_identity - add image pull secrets #2276

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
e1312a3
feat: support image_pull_secrets for k8s SA in workload identity module
Feb 11, 2025
08dc233
Merge branch 'main' into feat/wid-add-image-pull-secrets
apeabody Feb 11, 2025
ae42e15
Merge branch 'main' into feat/wid-add-image-pull-secrets
apeabody Feb 12, 2025
eb30c34
Merge branch 'main' into feat/wid-add-image-pull-secrets
apeabody Feb 12, 2025
db34a6b
Merge branch 'main' into feat/wid-add-image-pull-secrets
apeabody Feb 13, 2025
ee4b9f2
Merge branch 'main' into feat/wid-add-image-pull-secrets
apeabody Feb 13, 2025
21b45a7
Merge branch 'main' into feat/wid-add-image-pull-secrets
emalihin Feb 13, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions modules/workload-identity/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -152,6 +152,7 @@ Error: Get "http://localhost/api/v1/namespaces/default/serviceaccounts/your-serv
| gcp\_sa\_description | The Service Google service account desciption; if null, will be left out | `string` | `null` | no |
| gcp\_sa\_display\_name | The Google service account display name; if null, a default string will be used | `string` | `null` | no |
| gcp\_sa\_name | Name for the Google service account; overrides `var.name`. | `string` | `null` | no |
| image\_pull\_secrets | A list of references to secrets in the same namespace to use for pulling any images in pods that reference this Service Account | `list(string)` | `[]` | no |
| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
| k8s\_sa\_name | Name for the Kubernetes service account; overrides `var.name`. `cluster_name` and `location` must be set when this input is specified. | `string` | `null` | no |
| k8s\_sa\_project\_id | GCP project ID of the k8s service account; overrides `var.project_id`. | `string` | `null` | no |
Expand Down
9 changes: 9 additions & 0 deletions modules/workload-identity/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,15 @@ resource "kubernetes_service_account" "main" {
count = var.use_existing_k8s_sa ? 0 : 1

automount_service_account_token = var.automount_service_account_token

dynamic "image_pull_secret" {
for_each = var.image_pull_secrets

content {
name = image_pull_secret.value
}
}

metadata {
name = local.k8s_given_name
namespace = var.namespace
Expand Down
6 changes: 6 additions & 0 deletions modules/workload-identity/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -84,6 +84,12 @@ variable "automount_service_account_token" {
default = false
}

variable "image_pull_secrets" {
description = "A list of references to secrets in the same namespace to use for pulling any images in pods that reference this Service Account"
type = list(string)
default = []
}

variable "roles" {
description = "A list of roles to be added to the created service account"
type = list(string)
Expand Down