Hello, in the process of deploying on GKE it seems...
# feedback-and-requests
o
Hello, in the process of deploying on GKE it seems there's not really a way to deploy it using workload identity; you have to specify a service account JSON file to load as a secret. Is there a limitation that would prevent us from just using the loaded service account?
u
You mean the default service account on the GKE nodes?
o
yes
u
or rather you know you can define the serviceAccountName to use for the pod
u
which is the foundation for using authentication using workload identity
u
hey oliver, sorry for the late reply, was looking into this
y
we don’t support configuring this today
the change is pretty simple. we just haven’t gotten to it
u
I can guide you through it if you are interested in contributing
u
otherwise can you open an issue?
u
I'd be interested in contributing
u
I think the main point is the check in the config to "relax"
u
great!
y
check in which config?
u
let me find back the point
y
because of the check on isBlank for google application credentials
u
by default it should work out of the box
u
in the validate part we could try a GoogleCredentials.getApplicationDefault()
u
it would fail using an IOException that we can catch to fail the checkArgument
y
or we could just relax this check and "go with the flow"
u
it will fail when trying to initiate the storage connection
u
what do you think?
u
I haven’t done this myself so my understanding might be wrong - from the docs it looks like it should be adding the serviceAccountName annotation on the core Airbyte deployment yamls
u
since Airbyte spins up pods dynamically to serve jobs, we then have to inject this annotation into the pods that are created