Hey folks 👋🏻
Hope you don't mind this contribution but we'd like to see theatre support workload identity in the rbac-manager instead of using service account keys. I've made the change such that if workload identity is not configured, the rbac-manager will fall back to using service account keys.
This is how we're currently using it with workload identity in our GKE cluster (after removing GOOGLE_APPLICATION_CREDENTIALS):
Same change on our fork: https://github.com/duffelhq/theatre/pull/3