Use Case k8s Allowed Network Policy workload identity GCP - GoogleCloudPlatform/anthos-appconfig GitHub Wiki
Use Case - Allowed Services (Network Policies) & Secrets Injection (Vault)
- Namespace: uc-workload-identity
We will use Pub/Sub topic ACLs to demonstrate adding secrets to the pod via a mutating webhook. At this point the secret exists and is protected by RBAC in the controller namespace "appconfigmgrv2-system". The webhook copies the appropriate secret into the application namespace, mounts it into the pod as a volume, and sets an environment variable named GOOGLE_APPLICATION_CREDENTIALS that points at the file in that volume mount, which is how Google client libraries locate service-account credentials. Note that once copied, the secret is readable by any principal with `get`/`list` on secrets in the application namespace, so RBAC there should be as tight as in the controller namespace.
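As an added example (this is not code from the anthos-appconfig project), the following Python check reads the pod JSON that `kubectl get pod -o json` returns and verifies that the mutation described above has the shape a practitioner would want: GOOGLE_APPLICATION_CREDENTIALS is set, its path lies under a volume mount, that mount is read-only, the volume is backed by a Secret, and the Secret's `defaultMode` is not group/world readable. The embedded pod spec is a constructed sample; the pod name, mount path and secret name are assumptions, not values from the project.

```python
import copy
import json
import sys

ENV_NAME = "GOOGLE_APPLICATION_CREDENTIALS"

# Constructed sample of a pod after the webhook has mutated it.
# Names and paths are illustrative assumptions, not the project's values.
MUTATED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "workload-identity-pubsub-app-0",
                 "namespace": "uc-workload-identity"},
    "spec": {
        "containers": [{
            "name": "app",
            "env": [{"name": ENV_NAME,
                     "value": "/var/run/secrets/gcp/key.json"}],
            "volumeMounts": [{"name": "gcp-sa-key",
                              "mountPath": "/var/run/secrets/gcp",
                              "readOnly": True}],
        }],
        "volumes": [{"name": "gcp-sa-key",
                     # Kubernetes serialises defaultMode as decimal (0o400 == 256)
                     "secret": {"secretName": "workload-identity-sa-key",
                                "defaultMode": 0o400}}],
    },
}


def _mount_for(path, mounts):
    """Return the volumeMount whose mountPath contains `path`, or None."""
    for m in mounts:
        base = m["mountPath"].rstrip("/")
        if path == base or path.startswith(base + "/"):
            return m
    return None


def check_credentials_injection(pod):
    """Return a list of findings for every container; an empty list means OK."""
    findings = []
    spec = pod["spec"]
    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    for c in spec.get("containers", []):
        env = {e["name"]: e.get("value") for e in c.get("env", [])}
        path = env.get(ENV_NAME)
        if path is None:
            findings.append(f"{c['name']}: {ENV_NAME} is not set")
            continue
        mount = _mount_for(path, c.get("volumeMounts", []))
        if mount is None:
            findings.append(f"{c['name']}: {ENV_NAME}={path} is not under any volumeMount")
            continue
        if not mount.get("readOnly", False):
            findings.append(f"{c['name']}: mount {mount['name']} is writable")
        vol = volumes.get(mount["name"])
        if vol is None or "secret" not in vol:
            findings.append(f"{c['name']}: volume {mount['name']} is not a Secret volume")
            continue
        # Kubernetes defaults a secret volume's defaultMode to 0644 when unset.
        mode = vol["secret"].get("defaultMode", 0o644)
        if mode & 0o077:
            findings.append(f"{c['name']}: secret {vol['secret']['secretName']} "
                            f"defaultMode {mode:#o} is group/world readable")
    return findings


def variant(pod, read_only=True, default_mode=0o400):
    """Deep-copy the sample and change the two hardening knobs (for demos/tests)."""
    p = copy.deepcopy(pod)
    p["spec"]["containers"][0]["volumeMounts"][0]["readOnly"] = read_only
    p["spec"]["volumes"][0]["secret"]["defaultMode"] = default_mode
    return p


if __name__ == "__main__":
    # Usage: kubectl get pod <name> -n uc-workload-identity -o json | python check.py
    pod = json.load(sys.stdin) if not sys.stdin.isatty() else MUTATED_POD
    for line in check_credentials_injection(pod) or [
            "OK: credentials file is mounted read-only from a Secret volume"]:
        print(line)
```

Run it against a live pod by piping `kubectl get pod <name> -n uc-workload-identity -o json` into the script; with no stdin it checks the embedded sample. A writable mount or a permissive `defaultMode` is reported so the webhook's mutation, not just its presence, gets reviewed.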
gsutil cat gs://anthos-appconfig_public/deploy/${RELEASE_NAME}/examples/use-cases/uc-workload-identity/deploy-apps.yaml | kubectl apply -f -
*NOTE - Vault will be documented separately in the wiki.
curl "http://${INGRESS_NO_ISTIO_HOST}/testcallseq?call1=http://app-secrets-vault-k8s-appconfigv2-service-sm-2.uc-secrets-vault-k8s/testcallseq"
Svc 2 -> Svc 1 -> Pub/Sub topic (outbound should work)
curl "http://$INGRESS_NO_ISTIO_HOST/testcallseq?call1=http://workload-identity-pubsub-app.uc-workload-identity:8000?gcpProjectID=$PROJECT_NAME&topic=workload-identity-topic&message=hello"
Note that the `&` separators in the nested URL are not percent-encoded, so the ingress app receives `call1=http://...:8000?gcpProjectID=$PROJECT_NAME` and sees `topic` and `message` as its own query parameters; if the chained call does not publish, encode each nested `&` as `%26` so the whole URL is passed through as `call1`.
gcloud pubsub subscriptions pull --auto-ack workload-identity-topic --page-size 20 --limit 20 --project $PROJECT_NAME
host:hello-app-drv-py-1-677775646f-b8gm5
Publish Success: 776104906071903
┌────────┬─────────────────┬────────────┐
│ DATA   │ MESSAGE_ID      │ ATTRIBUTES │
├────────┼─────────────────┼────────────┤
│ hello1 │ 608858688012712 │            │
└────────┴─────────────────┴────────────┘