nephio-project / nephio

Nephio is a Kubernetes-based automation platform for deploying and managing highly distributed, interconnected workloads such as 5G Network Functions, and the underlying infrastructure on which those workloads depend.
Apache License 2.0

Workload Identity function #683

Open liamfallon opened 3 months ago

liamfallon commented 3 months ago

Original issue URL: https://github.com/kptdev/kpt/issues/3521
Original issue user: https://github.com/johnbelamaric
Original issue created at: 2022-08-30T23:06:17Z
Original issue last updated at: 2022-11-15T22:23:32Z
Original issue body:

We now have an operator for annotating a KSA for Workload Identity (#3456). This is helpful when the KSA lives in the Porch cluster. But it's not helpful for KSAs that are in the workload clusters that do not have Porch running.

Some examples:

I think we just need a function to do this. At least, that is true in the case of a 1:1 relationship between the deployment repository and the workload cluster. Or maybe more accurately, it is true if the project-id of all clusters reading from a given deployment repository is the same. See https://github.com/GoogleContainerTools/kpt/pull/3456#issuecomment-1219532855 for a little more context.

Original issue comments:

Comment user: https://github.com/johnbelamaric
Comment created at: 2022-09-07T03:17:44Z
Comment last updated at: 2022-09-07T03:17:44Z
Comment body:

Actually it seems this is not what the operator does; rather it handles only the GCP side of the binding. So this raises the priority of this issue.