#feedback-and-requests

Olivier Girardot

12/08/2021, 9:10 PM
Hello, in the process of deploying on GKE it seems there's not really a way to deploy it using workload identity, you have to specify a service account JSON file to load as secret. Is there a limitation that would prevent us from just using the loaded service account?

user

12/09/2021, 5:21 AM
You mean the default service account on the GKE nodes?

Olivier Girardot

12/09/2021, 8:02 AM
yes

user

12/09/2021, 8:02 AM
or rather you know you can define the serviceAccountName to use for the pod

user

12/09/2021, 8:08 AM
which is the foundation for using authentication using workload identity

user

12/10/2021, 5:18 AM
hey Olivier, sorry for the late reply, was looking into this

yu

12/10/2021, 5:20 AM
we don’t support configuring this today
the change is pretty simple. we just haven’t gotten to it

user

12/10/2021, 5:21 AM
I can guide you through it if you are interested in contributing

user

12/10/2021, 5:21 AM
otherwise can you open an issue?

user

12/10/2021, 10:57 AM
I'd be interested in contributing

user

12/10/2021, 10:58 AM
I think the main point is the check in the config to "relax"

user

12/10/2021, 10:58 AM
great!

yu

12/10/2021, 10:58 AM
check in which config?

user

12/10/2021, 11:02 AM
let me find the point again

yu

12/10/2021, 11:12 AM
because of the check on isBlank for google application credentials

user

12/10/2021, 11:14 AM
by default it should work out of the box

user

12/10/2021, 11:20 AM
in the validate part we could try a GoogleCredentials.getApplicationDefault()

user

12/10/2021, 11:20 AM
it would fail with an IOException that we can catch to fail the checkArgument

yu

12/10/2021, 11:20 AM
or we could just relax this check and "go with the flow"

user

12/10/2021, 11:20 AM
it will fail when trying to initiate the storage connection

user

12/10/2021, 11:21 AM
what do you think?

user

12/10/2021, 11:37 AM
I haven’t done this myself so my understanding might be wrong - from the docs it looks like it should be adding the serviceAccountName annotation on the core Airbyte deployment yamls

user

12/10/2021, 11:39 AM
since Airbyte spins up pods dynamically to serve jobs, we then have to inject this annotation into the pods that are created