A Google Cloud demo using Workload Identity on GKE and IAM Account Login for Cloud SQL to provide secure auth for GKE workloads. There are no stored credentials (key files or GKE/managed secrets) in the entire workflow.
- have a logged in
gcloud
instance with anOwner
role. This is likely not a hard requirement, but creating a Project and enabling APIs needs significant capabilities. If you don't have access to an account with these capabilities you can usebootstrap.sh
as a reference to get this done and edit the script itself. - clone this repo and
cd
to the checked out code - copy
envars.sample
toenvars
and add the needed configuration.export PROJECT=my-project export REGION=us-central1 export ZONE=us-central1-a export APP_NAME=sample export DB_USER=postgres export DB_PASS=k8FixjcynEFF7cvB export GCP_BILLING_ACCT=XXXXX-XXXXX-XXXXX export GCP_FOLDER=XXXXXXXXXXXX
PROJECT
- the name of the Project you want to createREGION
- the Region you want to deploy toZONE
- the Zone in the Region you want to useAPP_NAME
- the name you want to call the sample app. It defaults tosample
DB_USER
- this should remainpostgres
DB_PASS
- a password for$DB_USER
GCP_BILLING_ACCT
- your GCP billing account to link with your ProjectGCP_FOLDER
- Folder to put your Project in. This is my default behavior. You may need to edit this depending on how your organize your GCP Projects.
- Run `bootstrap.sh
./bootstrap.sh
That's it! The process takes a little while (enabling APIs, creating the Cloud SQL instance and dpeloying GKE are the primary time sinks).
The following output is created to signify success:
BOOTSTRAP COMPLETE: Google Cloud Artifacts Created:
GCP Project: jduncan-wi-12
Google Cloud API: compute.googleapis.com
Google Cloud API: sql-component.googleapis.com
Google Cloud API: sqladmin.googleapis.com
Google Cloud API: container.googleapis.com
Google Cloud API: artifactregistry.googleapis.com
Google Cloud API: cloudbuild.googleapis.com
Google Cloud API: servicenetworking.googleapis.com
Cloud SQL Instace: sample-db
Cloud SQL User: [email protected]
Cloud SQL Database: sample-db
GKE Cluster: sample-gke
IAM Service Account: sample-gsa
IAM Service Account: sample-psql-gsa
Artifact Registry: sample-repo
VPC Peering Address Space: google-managed-services-default
The demo doesn't set up Ingress for the service. To see the app live use
kubectl
port-forwarding. The bootstrap script sets the context for the GKE
cluster to your active context, so the following command should work cleanly.
source envars
kubectl port-forward --namespace $APP_NAME $(kubectl get pod --namespace $APP_NAME --selector="app=$APP_NAME-app" --output jsonpath='{.items[0].metadata.name}') 8080:8080
Then just browse to port 8080
on your local machine!
Running cleanup.sh
turns down the entire Project you've just created.
Please feel free to open an issue, send me a message, or whatever is expedient.