Install Harness Delegate on Google Kubernetes Engine (GKE) With Workload Identity

Workload Identity allows a Kubernetes service account in your GKE cluster to act as a Google IAM Service account. Pods that use the configured KSA automatically authenticate as the IAM service account when accessing Google Cloud APIs.

To learn more about Workload Identity check out the blog that explains it with an example.

At the end of this tutorial you will know how to:

• Enable Workload Identity on GKE.
• Deploy Harness Delegate onto Workload Identity-enabled GKE.
• Build a simple CI pipeline to push the image to Google Artifact Registry without using GCP connectors or configuring secrets.

CI pipeline scenario

• Build a Go application. You can build any application, but Go is used as an example here.
• Package the application build artifact as a container image.
• Push the image to Google Artifact Registry (GAR).
• Cache the build artifacts and dependencies (Go modules) onto Google Cloud Storage(GCS) to make the build process faster.

Glossary

Review the following terms and their abbreviations.

Abbreviation	Meaning
API	Application Programming Interface
ACL	Access Control List
GAR	Google Artifact Registry
GCS	Google Cloud Storage
GKE	Google Kubernetes Engine
GSA	Google Service Account
IAM	Identity and Access Management
KSA	Kubernetes Service Account
RBAC	Role-based Access Control
SA	Service Account
VPC	Virtual Private Cloud

Pre-requisites

• A Google Cloud Account with a Service Account with the following roles:
  • Kubernetes Engine Adminto create a GKE cluster
  • Service Account roles used to create, update, or delete a Service Account
    • iam.serviceAccounts.actAs
    • iam.serviceAccounts.get
    • iam.serviceAccounts.create
    • iam.serviceAccounts.delete
    • iam.serviceAccounts.update
    • iam.serviceAccounts.get
    • iam.serviceAccounts.getIamPolicy
    • iam.serviceAccounts.setIamPolicy
    • (OR) simply you can add Service Account Admin and Service Account User roles
  • Compute Network Admin to create the VPC networks

Required tools

Download and install the following tools locally onto your laptop:

• Google Cloud SDK
• Terraform
• kubectl
• Helm
• Taskfile

Download sources

As we will be using Terraform pipelines to deploy GKE and Harness Delegate, clone the sources locally:

git clone https://github.com/harness-apps/workload-identity-gke-demo.git && cd "$(basename "$_" .git)"
export DEMO_HOME="$PWD"

Environment setup

Variables

When working with Google Cloud, the following environment variables help in setting the right Google Cloud context like Service Account Key file, project etc.

You can use direnv or set the following variables on your shell:

export GOOGLE_APPLICATION_CREDENTIALS="the google cloud service account key json file to use"
export CLOUDSDK_ACTIVE_CONFIG_NAME="the google cloud cli profile to use"
export GOOGLE_CLOUD_PROJECT="the google cloud project to use"
export KUBECONFIG="$DEMO_HOME/.kube/config"

You can find more information about gcloud cli configurations at https://cloud.google.com/sdk/docs/configurations.

As you may need to override a few Terraform variables that you don't want to check in to VCS, add them to a file called .local.tfvars and set the following environment variable to be picked up by Terraform runs:

export TFVARS_FILE=.local.tfvars

Check the Inputs section for all possible Terraform variables that are configurable.

An example .local.tfvars looks like,

project_id                 = "my-awesome-gcp-project"
region                     = "asia-south1"
cluster_name               = "wi-demos"
kubernetes_version         = "1.24."
harness_account_id         = "REPLACE WITH YOUR HARNESS ACCOUNT ID"
harness_delegate_token     = "REPLACE WITH YOUR HARNESS DELEGATE TOKEN"
harness_delegate_name      = "wi-demos-delegate"
harness_delegate_namespace = "harness-delegate-ng"
harness_manager_endpoint   = "https://app.harness.io/gratis"

Create an environment

We will use Terraform to create a GKE cluster with WorkloadIdentity enabled for its nodes:

task init

Create a GKE cluster

The Terraform apply creates a GKE Cluster:

task create_cluster

Deploy a Harness Delegate

The following section deploys a Harness Delegate onto the GKE cluster.

1. To be able to successfully deploy a Harness Delegate, update the following values in the .local.tfvars file,

   • harness_account_id

   • harness_delegate_token

   • harness_delegate_namespace

   • harness_manager_endpoint

   • Use Account Id from Account Overview as the value for harness_account_id,

   

   • Use the Harness Cluster Hosting Account from the account details to find the matching endpoint URL. For example, for prod-2 it is https://app.harness.io/gratis and set that as the value for harness_manager_endpoint.
   tip

   You can find the endpoint corresponding to your Harness Cluster Hosting Account from </tutorials/platform/install-delegate/>

2. Copy the default token from Projects --> Project Setup --> Delegates(Tokens) and set it as the value for harness_delegate_token.

   

   • harness_delegate_name: defaults to harness-delegate
   • harness_delegate_namespace: defaults to harness-delegate-ng

3. Run the following command to deploy the Harness Delegate:

   task deploy_harness_delegate
   note

   It will take some time for the delegate to connect.

   Wait for the delegate to be connected before proceeding to the next steps.

   You can view the status of the delegate from the Project --> Project Setup --> Delegates page.

   

   You can also check the running Harness delegate pods by using kubectl:

   kubectl get pods -n harness-delegate-ng    

   The output should be something like the following. The pod name may vary based on your harness_delegate_name value.

   NAME                                 READY   STATUS    RESTARTS   AGE
   harness-delegate-6bfd78d5cb-5h8x9   1/1     Running   0          2m23s

   As part of Harness Delegate we also did the following extra tasks:

   • Created a Google Service Account (SA) harness-delegate.
   • Added an IAM binding policy to the harness-delegate SA, with the role roles/iam.workloadIdentityUser and a member "serviceAccount:$GOOGLE_CLOUD_PROJECT.svc.id.goog[\default/harness-builder]".
   • Added a harness-delegate SA with the role roles/artifactregistry.createOnPushRepoAdmin, enabling it to push images to Google Artifact Registry(GAR).
   • Created a Kubernetes Service Account harness-builder annotated with iam.gke.io/gcp-service-account to harness-delegate, allowing it to impersonate the GSA thereby enabling it to push the built application image to GAR.

Build the application

Having deployed the Harness Delegate, you can now build a CI pipeline that will build and push the same Go app to GAR.

Import a template

The sources already have a build stage template that can be used to create the CI pipeline.

1. Navigate to your Harness Account, Account Overview --> Organizations, and then select default organization.

   

2. From the Organization overview page select Templates,

   

3. Select New Template, and then select the Import From Git option,

   

4. Fill the wizard with values as shown:

   

   note

   If you want to use your fork of harness-apps/workload-identity-gke-demo, then update Repository with your fork.

   

Create a pipeline

1. Navigate to Builds --> Pipelines, and then select Create Pipeline.

   

2. Select Add Stage, and then select Use template. Select the ko_gar_build_push template that we imported earlier, and then select Use template to complete the import.

3. Enter details about the stage:

   

4. Select Setup Stage to create the stage and fill other details, such as Template Inputs:

   

   We use default namespace to run builder pods. The build pod runs with a Kubernetes Service Account(KSA) harness-builder.

   note

   The harness-builder KSA is mapped to Google IAM Service Account (GSA) harness-delegate to inherit the GCP roles, using Workload Identity in this case to push the images to Google Artifact Registry (GAR).

5. Select Run to run the pipeline to see the image being built and pushed to GAR:

   

   A successful run would have pushed the image into GAR. In this example it's asia-south1-docker.pkg.dev/pratyakshika/demos/lingua-greeter:latest

   

Clean up resources

To clean up all the Google Cloud resources that were created as part of this demo, do the following:

task destroy

Summary

By using Workload Identity Delegate we have simplified and secured our CI pipelines, which can now use any Google API services by configuring the GSA with the correct roles and permissions. The CI SaaS platform no longer needs to store or update the Google API credentials.

Having deployed Workload Identity Delegate, you can also do keyless signing of your container images using Google Application Credentials using cosign.