However when deploying the config-validator the git-sync-init initContainer is crashlooping:
kubectl logs --previous deployment/config-validator-debug -n forseti -c git-sync-init
Found 2 pods, using pod/config-validator-764ff4f958-xvx4v
I0115 19:22:45.673995 1 main.go:269] "level"=0 "msg"="starting up" "args"=["/git-sync","-repo=https://source.developers.google.com/p/<my project ID>/r/<my git repo>","-branch=dev","-dest=policy-library","-one-time"]
E0115 19:22:45.834602 1 main.go:294] "msg"="failed to sync repo, aborting" "error"="error running command: exit status 128: \"Cloning into '/tmp/git'...\\nfatal: could not read Username for 'https://source.developers.google.com': No such device or address\\n\""
If I manually exec in a container using the same service account I can confirm that workload identity is properly configured and I'm able to do a manual git clone.
Here's a snippet of the config-validator Deployment manifest that shows the initContainer in question:
Is GKE workload identity supported by the config-validator? If it isn't, then the chart will need to be updated. If it is, I would love to hear what I've been doing wrong and maybe raise a PR to update the documentation.
Based on the helm chart for the config-validator, workload identity is a valid option (https://github.com/forseti-security/helm-charts/blob/master/charts/config-validator/values.yaml#L75-L77).
Thanks, N
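The error above ("could not read Username for 'https://source.developers.google.com'") is git asking for interactive credentials because no credential helper is configured in the git-sync container, so the Workload Identity credentials never reach the clone. As an added example, not code from this issue, the config-validator chart, git-sync or Google, here is a minimal git credential helper that turns a Workload Identity token from the GKE metadata server into the username/password pair git expects. The metadata endpoint is the standard GCE one; which username Cloud Source Repositories wants alongside the token is an assumption here (the gcloud credential helper is the reference for the real values), and the sample inputs in the usage are constructed.

```shell
#!/bin/sh
# Added example: a git credential helper for Cloud Source Repositories that
# reads an OAuth2 access token from the GKE metadata server (what Workload
# Identity exposes to the pod). Install with:
#   git config --global credential.https://source.developers.google.com.helper /path/to/this-script
# Assumption: the username "oauth2accesstoken" is not confirmed on the page.

METADATA_TOKEN_URL="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"
CSR_HOST="source.developers.google.com"

# Fetch an access token from the metadata server. Needs the pod network; the
# Metadata-Flavor header is required or the server refuses the request.
fetch_access_token() {
  curl -sf -H "Metadata-Flavor: Google" "$METADATA_TOKEN_URL" \
    | sed -n 's/.*"access_token": *"\([^"]*\)".*/\1/p'
}

# Implements the "get" action of the git credential protocol: key=value lines
# on stdin terminated by a blank line. Only answers for https to the CSR host;
# for anything else it prints nothing so git falls through to other helpers.
credential_get() {
  host=""; protocol=""
  while IFS= read -r line; do
    [ -z "$line" ] && break
    case "$line" in
      host=*) host="${line#host=}" ;;
      protocol=*) protocol="${line#protocol=}" ;;
    esac
  done
  [ "$protocol" = "https" ] && [ "$host" = "$CSR_HOST" ] || return 0
  token="$(fetch_access_token)" || return 1
  [ -n "$token" ] || return 1
  printf 'username=%s\npassword=%s\n' "oauth2accesstoken" "$token"
}

# git invokes the helper as "<helper> get|store|erase"; tokens are short-lived,
# so store and erase are deliberately no-ops.
case "${1:-}" in
  get) credential_get ;;
  *) : ;;
esac
```

A quick way to check the plumbing from inside a pod before wiring it into git-sync is `printf 'protocol=https\nhost=source.developers.google.com\n\n' | ./this-script get`; an empty result means the metadata server did not hand out a token, which points at the Workload Identity binding rather than at git.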