Using Workload Identity Continuous Integration(CI) Pipelines

kameshsampath

Kamesh Sampath

Posted on March 23, 2023

Using Workload Identity Continuous Integration(CI) Pipelines

Overview

In the first part of this series we understood what a Workload Identity is and in the second part how it can help in doing keyless Google API invocations by deploying a demo application. In this blog we learn how to use Workload Identity with SaaS Continuous Integration(CI) providers.

Many SaaS Continuous Integration(CI) providers e.g Harness CI uses what is called a Delegate

Harness Delegate is a service you run in your local laptop or on Cloud to connect your artifacts, infrastructure, collaboration, verification and other providers, with Harness Manager.

Here are some advantages of using Delegates,

  • Total control of source code, as they can be within organisations cloud infrastructure
  • Cloud Cost Optimisations as CI pipelines can leverage organisations existing cloud infrastructure
  • Leverage the native cloud services from CI pipelines

In this tutorial we will deploy a Harness Delegate on to GKE and understand how enabling Workload Identity on GKE can simplify the CI Pipeline.

CI Pipeline UseCase

  • Builds go application, ideally you can build any application but go is taken as an example here.
  • Package application build artifact as a container image
  • Push the image to Google Artifact Registry(GAR).
  • Cache the build artifacts, dependencies(go modules) on to Google Cloud Storage(GCS) to make build process faster and quicker.

Tutorial

Before we get to tutorial make sure you have signed up for free tier Harness CI account.

Pre-requisites

  • A Google Cloud Account with a Service Account with roles:

    • Kubernetes Engine Admin - to create GKE cluster
    • Service Account roles used to create/update/delete Service Account
      • iam.serviceAccounts.actAs
      • iam.serviceAccounts.get
      • iam.serviceAccounts.create
      • iam.serviceAccounts.delete
      • iam.serviceAccounts.update
      • iam.serviceAccounts.get
      • iam.serviceAccounts.getIamPolicy
      • iam.serviceAccounts.setIamPolicy
      • (OR) simply you can add Service Account Admin and Service Account User roles
    • Compute Network Admin - to create the VPC networks
  • Google Cloud SDK

  • terraform

  • kubectl

  • helm

  • Taskfile

Download Sources

git clone https://github.com/harness-apps/workload-identity-gke-demo.git && cd "$(basename "$_" .git)"
export DEMO_HOME="$PWD"
Enter fullscreen mode Exit fullscreen mode

Environment Setup

Variables

When working with Google Cloud the following environment variables helps in setting the right Google Cloud context like Service Account Key file, project etc., You can use direnv or set the following variables on your shell,

export GOOGLE_APPLICATION_CREDENTIALS="the google cloud service account key json file to use"
export CLOUDSDK_ACTIVE_CONFIG_NAME="the google cloud cli profile to use"
export GOOGLE_CLOUD_PROJECT="the google cloud project to use"
export KUBECONFIG="$DEMO_HOME/.kube/config"
Enter fullscreen mode Exit fullscreen mode

You can find more information about gcloud cli configurations at https://cloud.google.com/sdk/docs/configurations.

As you may need to override few terraform variables that you don't want to check in to VCS, add them to a file called .local.tfvars and set the following environment variable to be picked up by terraform runs,

export TFVARS_FILE=.local.tfvars
Enter fullscreen mode Exit fullscreen mode

Check the Inputs section for all possible terraform variables that are configurable.

An example .local.tfvars looks like,

project_id                 = "my-awesome-gcp-project"
region                     = "asia-south1"
cluster_name               = "wi-demos"
kubernetes_version         = "1.24."
harness_account_id         = "REPLACE WITH YOUR HARNESS ACCOUNT ID"
harness_delegate_token     = "REPLACE WITH YOUR HARNESS DELEGATE TOKEN"
harness_delegate_name      = "wi-demos-delegate"
harness_delegate_namespace = "harness-delegate-ng"
harness_manager_endpoint   = "https://app.harness.io/gratis"
Enter fullscreen mode Exit fullscreen mode

Create Environment

We will use terraform to create a GKE cluster with WorkloadIdentity enabled for its nodes,

task init
Enter fullscreen mode Exit fullscreen mode

Create GKE cluster

The terraform apply will creates a GKE Cluster,

task create_cluster
Enter fullscreen mode Exit fullscreen mode

Deploy Harness Delegate

The following section deploys a Harness Delegate on to our GKE cluster. To be able to successfully deploy a Harness Delegate we need update the following values in our .local.tfvars file,

  • harness_account_id
  • harness_delegate_token
  • harness_delegate_namespace
  • harness_manager_endpoint

  • Use Account Id from Account Overview as the value for harness_account_id,

account details

  • Use the Harness Cluster Hosting Account from the account details to find the matching endpoint URL. e.g for prod-2 it is https://app.harness.io/gratis and set that as value for harness_manager_endpoint.

TIP:
You can find the endpoint corresponding to your Harness Cluster Hosting Account from https://developer.harness.io/tutorials/platform/install-delegate/

  • Copy the default token from Projects --> Project Setup --> Delegates(Tokens) and set it as value for harness_delegate_token.

copy default token

  • harness_delegate_name: defaults to harness-delegate
  • harness_delegate_namespace: defaults to harness-delegate-ng

With us having updated the .local.tfvars, run the following command to deploy the Harness Delegate,

task deploy_harness_delegate
Enter fullscreen mode Exit fullscreen mode

NOTE: It will take some time for delegate to come up and get connected.

Wait for the delegate to be connected before proceeding to next steps.

You can view status of the delegate from the Project --> Project Setup --> Delegates page,

delegate status

You can also check the running Harness delegate pods by using kubectl,

kubectl get pods -n harness-delegate-ng    
Enter fullscreen mode Exit fullscreen mode

The output should be something like the pod name may vary based on your harness_delegate_name value.

NAME                                 READY   STATUS    RESTARTS   AGE
harness-delegate-6bfd78d5cb-5h8x9   1/1     Running   0          2m23s
Enter fullscreen mode Exit fullscreen mode

Build Application

Having deployed the Harness delegate, let us build a CI pipeline that will build and push the same go app to GAR.

Import Template

The sources already has build stage template that can be used to create the CI pipeline.

Navigate to your Harness Account, Account Overview --> Organizations and select default.

default org select

From the Organization overview page select Templates,

templates select

Click New Template and choose Import From Git option,

import from git

Fill the wizard with values as shown,

import from git details

NOTE: If you want to use your fork of harness-apps/workload-identity-gke-demo then update Repository with your fork.

import template successful

Create Pipeline

Navigate to Builds --> Pipelines, click Create Pipeline.

create pipeline

Click Add Stage and click Use template, choose ko_gar_build_push template that we imported earlier and click Use template to complete import.

Enter details about the stage,

stage details

Click Setup Stage to create the stage and fill other details i.e Template Inputs,

template inputs

We use default namespace to run builder pods. The build pod runs with a Kubernetes Service Account(KSA) harness-builder.

NOTE:
The harness-builder KSA is mapped to Google IAM Service Account(GSA) harness-delegate to inherit the GCP roles using Workload Identity in this case to push the images to Google Artifact Registry(GAR).

Click Run to run the pipeline to see the image build and pushed to GAR,

Run Pipeline

As successful run would have pushed the image into GAR in this example its asia-south1-docker.pkg.dev/pratyakshika/demos/lingua-greeter:latest

Build Success

Cleanup

To clean up all the Google Cloud resources that were created as part of this demo,

task destroy
Enter fullscreen mode Exit fullscreen mode

Summary

By using Workload Identity Delegate we have simplified and secured our CI pipelines which can now use any Google API services by configuring the GSA with right roles/permissions. The CI SaaS platform no longer need to store/update the Google API credentials.

Having deployed Workload Identity Delegate you can also do keyless signing of your container images using Google Application Credentials. For more info check cosign.

For more tutorials and documentation please visit https://developer.harness.io.

đź’– đź’Ş đź™… đźš©
kameshsampath
Kamesh Sampath

Posted on March 23, 2023

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related