Open spron-in opened 3 years ago
Just looked a bit into this, it seems fairly easy to do IMHO. We just need an option to run the backup in a pod where we can specify a specific Kubernetes service account, since with the workload identity setup you can tell a pod to assume a role given that it has the correct service account.
```yaml
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: mongo-backup-sa
  namespace: managed-resources
spec:
  displayName: Service account for taking mongo backups
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  name: bucket-policy-mongodb-backup
  namespace: managed-resources
spec:
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    name: kapeta-production-mongo-backup
    namespace: managed-resources
  bindings:
    - role: roles/storage.admin
      members:
        - serviceAccount:mongo-backup-sa@gke-cluster.iam.gserviceaccount.com
---
# Kubernetes service account
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ksa-mongodb-backup
  namespace: default
  annotations:
    iam.gke.io/gcp-service-account: mongo-backup-sa@gke-cluster.iam.gserviceaccount.com
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  name: sa-wi-policy-mongodb-backup
  namespace: managed-resources
spec:
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    name: mongo-backup-sa
    namespace: managed-resources
  bindings:
    - role: roles/iam.workloadIdentityUser
      members:
        - serviceAccount:gke-cluster.svc.id.goog[default/ksa-mongodb-backup]
```
With this setup any pod that uses the ksa-mongodb-backup service account will be able to write to the bucket.
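A consistency check for the chain the comment above describes (KSA annotation, workloadIdentityUser binding, bucket role), added here as an example; it is not code from the issue or from the Percona operator. It assumes the manifests have already been parsed (they are embedded as constructed dicts matching the YAML above) and that object-level roles are enough for a backup writer; the `check_workload_identity` function and the `NARROW_BUCKET_ROLES` list are this example's own.

```python
"""Lint a Workload Identity bundle: does the KSA -> GSA -> bucket chain link up,
and is the bucket grant no broader than a backup job needs?

Added example, not the issue's or the operator's code. Manifests are embedded
as already-parsed dicts so the check runs offline without a YAML library.
"""
import re

# Constructed: the same four manifests as the comment above, already parsed.
MANIFESTS = [
    {"kind": "IAMServiceAccount",
     "metadata": {"name": "mongo-backup-sa", "namespace": "managed-resources"}},
    {"kind": "IAMPolicy",
     "metadata": {"name": "bucket-policy-mongodb-backup", "namespace": "managed-resources"},
     "spec": {"resourceRef": {"kind": "StorageBucket", "name": "kapeta-production-mongo-backup"},
              "bindings": [{"role": "roles/storage.admin",
                            "members": ["serviceAccount:mongo-backup-sa@gke-cluster.iam.gserviceaccount.com"]}]}},
    {"kind": "ServiceAccount",
     "metadata": {"name": "ksa-mongodb-backup", "namespace": "default",
                  "annotations": {"iam.gke.io/gcp-service-account":
                                  "mongo-backup-sa@gke-cluster.iam.gserviceaccount.com"}}},
    {"kind": "IAMPolicy",
     "metadata": {"name": "sa-wi-policy-mongodb-backup", "namespace": "managed-resources"},
     "spec": {"resourceRef": {"kind": "IAMServiceAccount", "name": "mongo-backup-sa"},
              "bindings": [{"role": "roles/iam.workloadIdentityUser",
                            "members": ["serviceAccount:gke-cluster.svc.id.goog[default/ksa-mongodb-backup]"]}]}},
]

# GSA email: <account-id>@<project-id>.iam.gserviceaccount.com
GSA_RE = re.compile(r"^([a-z][a-z0-9-]+)@([a-z][a-z0-9-]+)\.iam\.gserviceaccount\.com$")

# Assumption: object-level roles cover writing, listing and pruning backups.
# roles/storage.admin additionally grants bucket-level control (including IAM),
# which a backup job does not need, so it is flagged as broader than necessary.
NARROW_BUCKET_ROLES = {"roles/storage.objectAdmin", "roles/storage.objectCreator"}


def check_workload_identity(manifests):
    """Return a list of findings; an empty list means the chain is consistent and narrow."""
    findings = []
    gsa_names = {m["metadata"]["name"] for m in manifests if m["kind"] == "IAMServiceAccount"}
    policies = [m for m in manifests if m["kind"] == "IAMPolicy"]

    for ksa in (m for m in manifests if m["kind"] == "ServiceAccount"):
        ns, name = ksa["metadata"]["namespace"], ksa["metadata"]["name"]
        gsa_email = ksa["metadata"].get("annotations", {}).get("iam.gke.io/gcp-service-account")
        if not gsa_email:
            findings.append(f"{ns}/{name}: missing iam.gke.io/gcp-service-account annotation")
            continue
        match = GSA_RE.match(gsa_email)
        if not match:
            findings.append(f"{ns}/{name}: annotation {gsa_email!r} is not a GSA email")
            continue
        account_id, project = match.groups()
        if account_id not in gsa_names:
            findings.append(f"{ns}/{name}: no IAMServiceAccount named {account_id!r} in the bundle")

        # The GSA must allow exactly this namespace/KSA pair to impersonate it.
        expected_member = f"serviceAccount:{project}.svc.id.goog[{ns}/{name}]"
        wi_ok = any(
            p["spec"]["resourceRef"]["kind"] == "IAMServiceAccount"
            and p["spec"]["resourceRef"]["name"] == account_id
            and any(b["role"] == "roles/iam.workloadIdentityUser" and expected_member in b["members"]
                    for b in p["spec"]["bindings"])
            for p in policies)
        if not wi_ok:
            findings.append(f"{ns}/{name}: no roles/iam.workloadIdentityUser binding for {expected_member}")

        # Bucket side: the GSA needs object access; anything broader is reported.
        for p in policies:
            ref = p["spec"]["resourceRef"]
            if ref["kind"] != "StorageBucket":
                continue
            for b in p["spec"]["bindings"]:
                if f"serviceAccount:{gsa_email}" in b["members"] and b["role"] not in NARROW_BUCKET_ROLES:
                    findings.append(f"{gsa_email}: {b['role']} on bucket {ref['name']} is broader than object access")
    return findings


if __name__ == "__main__":
    for finding in check_workload_identity(MANIFESTS) or ["no findings"]:
        print(finding)
```

Run against the bundle above, the only finding is the `roles/storage.admin` grant; drop a binding or change the member's namespace and the chain check reports exactly which link is missing, which is the failure mode you otherwise only discover when the backup pod gets a 403 from GCS.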
I guess I'm slightly confused here. I have already extended the psmdb-db Helm chart locally to create separate service accounts for the replsets, configrs, mongos, and backup workloads.
I already have workload identity set up in my GKE clusters and every other workload uses this feature, so does this mean that this will work after I add the iam.gke.io/gcp-service-account annotation to my backup service account? I guess I can try and report back my findings.
Tell us about the feature: Instead of specifying GCS keys rely on Workload Identity.
Which product(s) is this request for? MongoDB, Operators
Tell us about the problem: Authorization to upload backups to GCS without providing the keys
Describe alternatives you've considered: Auth with keys
Additional context: Anything else that you think might be useful