Kapp deploy on GKE using keyless authentication (OIDC)
by Yash Sethiya — Jul 21, 2022
This article is for anyone who wants to create a GitHub Actions workflow that authenticates to GCP and deploys Kubernetes manifests to GKE using kapp.
Earlier, we used to authenticate to Google Cloud from GitHub Actions by storing a JSON service account key in GitHub Secrets.
Now that GitHub has introduced OIDC tokens into GitHub Actions workflows, you can authenticate from GitHub Actions to Google Cloud using OIDC (Workload Identity Federation), removing the need to export a long-lived JSON service account key. Please refer here to learn more about the benefits of using OIDC.
Now we will see how to use the auth GitHub Action (google-github-actions/auth) to set up and configure authentication to Google Cloud. We need to perform the following configuration on GCP:
- Create a new Workload Identity Pool (IAM -> Workload Identity Federation -> Workload Identity Pool) and add an OIDC Provider to it with Issuer URL as
- Configure the Attribute mapping and conditions of the provider.
- Create a service account and connect the Workload Identity Pool you just created to it by granting the Workload Identity User role. For more information, see the GCP documentation.
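The three GCP steps above as gcloud commands, added here as an example that is not part of the original post. PROJECT_ID, PROJECT_NUMBER, POOL, PROVIDER, SA_NAME and GITHUB_REPO are placeholders; the issuer URL is GitHub's documented OIDC issuer, and the attribute condition plus the repository-scoped principalSet member ensure that only tokens minted for your repository can impersonate the service account.

```shell
#!/usr/bin/env sh
# Added example, not from the Carvel post. All values below are placeholders;
# DRY_RUN=1 prints the gcloud commands instead of running them.
PROJECT_ID="${PROJECT_ID:-my-project}"
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789}"
POOL="${POOL:-my-pool}"
PROVIDER="${PROVIDER:-my-provider}"
SA_NAME="${SA_NAME:-github-deployer}"
GITHUB_REPO="${GITHUB_REPO:-my-org/my-repo}"   # owner/name of your repository

run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }

# Member the service account trusts: only identities from this pool whose
# mapped attribute.repository equals GITHUB_REPO (not the whole pool).
wif_member() {
  echo "principalSet://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL/attribute.repository/$GITHUB_REPO"
}

# Resource name to paste into workload_identity_provider in the workflow.
wif_provider_path() {
  echo "projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL/providers/$PROVIDER"
}

setup_wif() {
  # 1. Workload Identity Pool plus an OIDC provider for GitHub's issuer.
  run gcloud iam workload-identity-pools create "$POOL" \
    --project="$PROJECT_ID" --location=global
  # 2. Attribute mapping (subject + repository) and a condition that rejects
  #    tokens from any other repository at the provider itself.
  run gcloud iam workload-identity-pools providers create-oidc "$PROVIDER" \
    --project="$PROJECT_ID" --location=global \
    --workload-identity-pool="$POOL" \
    --issuer-uri="https://token.actions.githubusercontent.com" \
    --attribute-mapping="google.subject=assertion.sub,attribute.repository=assertion.repository" \
    --attribute-condition="assertion.repository == '$GITHUB_REPO'"
  # 3. Service account, bound to the pool with the Workload Identity User role.
  run gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID"
  run gcloud iam service-accounts add-iam-policy-binding \
    "$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
    --project="$PROJECT_ID" \
    --role="roles/iam.workloadIdentityUser" \
    --member="$(wif_member)"
}
```

Run `DRY_RUN=1 sh setup-wif.sh` first to review the exact commands, then grant the service account only the GKE roles the deploy needs.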
To update workflows for OIDC, you will need to make two changes to your GitHub Action YAML:
- Add permissions settings for the token. The job or workflow run requires a permissions setting with id-token: write. You won’t be able to request the OIDC JWT ID token if the permissions setting for id-token is set to

```yaml
permissions:
  id-token: write
```
- Use the google-github-actions/auth action to exchange the OIDC token (JWT) for a cloud access token.

```yaml
steps:
  - id: 'auth'
    name: 'Authenticate to Google Cloud'
    uses: 'google-github-actions/auth@v0'
    with:
      workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
      service_account: 'email@example.com'
```
This will use the configured workload_identity_provider and service_account to authenticate future steps. Make sure to replace the value of workload_identity_provider with the path to your identity provider in GCP, and replace the value of the service_account key with the name of your service account in GCP.
Here is a sample GitHub Actions workflow that is triggered when a new tag is created on the repo. It authenticates with GCP, gets the GKE credentials, installs the Carvel tools (kapp), and deploys a simple app to the cluster using kapp.
```yaml
name: Deploy using kapp
on:
  push:
    tags:
      - "v*"
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      contents: 'read'   # actions/checkout needs this once permissions are restricted
      id-token: 'write'
    steps:
      # actions/checkout MUST come before auth
      - uses: 'actions/checkout@v3'
      - id: 'auth'
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@v0'
        with:
          workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
          service_account: 'email@example.com'
      - id: get-gke-credentials
        uses: google-github-actions/get-gke-credentials@v0
        with:
          cluster_name: cluster-yash
          location: us-central1-a
      - id: install-kapp
        uses: vmware-tanzu/carvel-setup-action@v1
        with:
          only: kapp
      - id: 'deploy-with-kapp'
        run: |-
          kapp deploy -a app -f simple-app.yml -y
          kapp ls
```
We created this sample GitHub repo for reference, which contains the GitHub Actions workflow and the simple-app.yml that we deploy on GKE using kapp as described above. Thanks for following along! We hope you found this helpful.
Join us on Slack and GitHub
We are excited to hear from you and learn with you! Here are several ways you can get involved:
- Join Carvel’s Slack channel, #carvel in the Kubernetes workspace, and connect with over 1000 Carvel users.
- Find us on GitHub. Suggest how we can improve the project, the docs, or share any other feedback.
- Attend our Community Meetings! Check out the Community page for full details on how and when to attend.