percona / roadmap

Public Percona Roadmaps

[K8SPSMDB-410] Add support for Workload Identity Authentication #26

Open spron-in opened 3 years ago

spron-in commented 3 years ago

Community Note

Tell us about the feature Instead of specifying GCS keys rely on Workload Identity.

Which product(s) is this request for? MongoDB, Operators

Tell us about the problem Authorization to upload backups to GCS without providing the keys

Describe alternatives you've considered Auth with keys

Additional context Anything else that you think might be useful

sorenmat commented 1 year ago

Just looked a bit into this, it seems fairly easy to do IMHO. We just need an option to run the backup in a pod where we can specify a specific Kubernetes service account, since with the Workload Identity setup you can tell a pod to assume a role given that it has the correct service account.

```yaml
---
# Google service account (GSA) that will own the backup writes, created via Config Connector
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: mongo-backup-sa
  namespace: managed-resources
spec:
  displayName: Service account for taking mongo backups
---
# Grant the GSA access to the backup bucket
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  name: bucket-policy-mongodb-backup
  namespace: managed-resources
spec:
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    name: kapeta-production-mongo-backup
    namespace: managed-resources
  bindings:
    - role: roles/storage.admin
      members:
        - serviceAccount:mongo-backup-sa@gke-cluster.iam.gserviceaccount.com

---
# Kubernetes service account (KSA), annotated with the GSA it is allowed to impersonate
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ksa-mongodb-backup
  namespace: default
  annotations:
    iam.gke.io/gcp-service-account: mongo-backup-sa@gke-cluster.iam.gserviceaccount.com
---
# Allow the KSA (namespace/name) to impersonate the GSA through Workload Identity
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  name: sa-wi-policy-mongodb-backup
  namespace: managed-resources
spec:
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    name: mongo-backup-sa
    namespace: managed-resources
  bindings:
    - role: roles/iam.workloadIdentityUser
      members:
        - serviceAccount:gke-cluster.svc.id.goog[default/ksa-mongodb-backup]
```

With this setup any pod that is using the ksa-mongodb-backup will be able to write to the bucket.
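
The three objects above only work as a unit when the KSA annotation, the `roles/iam.workloadIdentityUser` member string and the bucket binding all name the same GSA in the same project, and a mismatch in any of them fails silently as "pod has no credentials". The following added example (not part of the issue or of the Percona operator) is a small consistency check over the manifests, fed with constructed dicts that mirror the YAML in the comment; it also flags `roles/storage.admin` as broader than a backup writer needs.

```python
import re

# Member format GKE expects in a roles/iam.workloadIdentityUser binding.
WI_MEMBER = re.compile(
    r"^serviceAccount:(?P<project>[^.]+)\.svc\.id\.goog\[(?P<ns>[^/]+)/(?P<ksa>[^\]]+)\]$"
)
# Bucket roles that grant far more than "write backup objects".
BROAD_BUCKET_ROLES = {"roles/storage.admin", "roles/owner", "roles/editor"}

def check_workload_identity(ksa, gsa_policy, bucket_policy):
    """Return findings (empty list = KSA, GSA policy and bucket policy line up)."""
    findings = []
    meta = ksa["metadata"]
    gsa = meta.get("annotations", {}).get("iam.gke.io/gcp-service-account")
    if not gsa:
        return ["KSA has no iam.gke.io/gcp-service-account annotation"]
    gsa_name, gsa_domain = gsa.split("@")
    project = gsa_domain.split(".")[0]  # <project>.iam.gserviceaccount.com
    if gsa_policy["spec"]["resourceRef"]["name"] != gsa_name:
        findings.append("GSA policy targets a different service account than the KSA annotation")
    # The KSA must be a workloadIdentityUser of that GSA, in the same project.
    bound = any(
        (m := WI_MEMBER.match(member)) and m["project"] == project
        and m["ns"] == meta["namespace"] and m["ksa"] == meta["name"]
        for b in gsa_policy["spec"]["bindings"]
        if b["role"] == "roles/iam.workloadIdentityUser"
        for member in b["members"]
    )
    if not bound:
        findings.append(f"no workloadIdentityUser binding for {meta['namespace']}/{meta['name']}")
    # The GSA must be granted on the bucket, ideally with a narrow role.
    grants = [b for b in bucket_policy["spec"]["bindings"] if f"serviceAccount:{gsa}" in b["members"]]
    if not grants:
        findings.append("GSA has no binding on the backup bucket")
    for b in grants:
        if b["role"] in BROAD_BUCKET_ROLES:
            findings.append(f"bucket role {b['role']} is broader than needed; prefer roles/storage.objectAdmin")
    return findings

# Constructed sample manifests, mirroring the Config Connector objects in the comment above.
KSA = {"metadata": {"name": "ksa-mongodb-backup", "namespace": "default", "annotations": {
    "iam.gke.io/gcp-service-account": "mongo-backup-sa@gke-cluster.iam.gserviceaccount.com"}}}
GSA_POLICY = {"spec": {"resourceRef": {"kind": "IAMServiceAccount", "name": "mongo-backup-sa"},
    "bindings": [{"role": "roles/iam.workloadIdentityUser",
                  "members": ["serviceAccount:gke-cluster.svc.id.goog[default/ksa-mongodb-backup]"]}]}}
BUCKET_POLICY = {"spec": {"bindings": [{"role": "roles/storage.admin",
    "members": ["serviceAccount:mongo-backup-sa@gke-cluster.iam.gserviceaccount.com"]}]}}
```

Calling `check_workload_identity(KSA, GSA_POLICY, BUCKET_POLICY)` on the sample returns only the broad-role finding; deploying the KSA into another namespace without updating the `svc.id.goog[...]` member adds a missing-binding finding.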

sonnysideup commented 1 month ago

I guess I'm slightly confused here. I have already extended the psmdb-db Helm chart locally to create separate service accounts for the replsets, configrs, mongos, and backup workloads.

I already have workload identity set up in my GKE clusters and every other workload uses this feature, so does this mean that this will work after I add the iam.gke.io/gcp-service-account annotation to my backup service account? I guess I can try and report back my findings.