feat: Add internalJWTMap variables used for inter service request aut…

…hentication (#309) * ini commit * update variables and main with new var
wandb · Dec 2, 2024 · f281ca4 · f281ca4
1 parent 7ed0c92
commit f281ca4
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 1 deletion.
diff --git a/main.tf b/main.tf
@@ -246,6 +246,10 @@ module "iam_role" {
   aws_iam_openid_connect_provider_url = module.app_eks.aws_iam_openid_connect_provider
 }
 
+locals {
+  weave_trace_sa_name = "wandb-weave-trace"
+}
+
 module "wandb" {
   source  = "wandb/wandb/helm"
   version = "1.2.0"
@@ -320,7 +324,14 @@ module "wandb" {
 
       }
 
-      app = {}
+      app = {
+        internalJWTMap = [
+          {
+            "subject" = "system:serviceaccount:default:${local.weave_trace_sa_name}",
+            "issuer"  = var.kubernetes_cluster_oidc_issuer_url
+          }
+        ]
+      }
 
       # To support otel rds and redis metrics, we need operator-wandb chart min version 0.13.8 (yace subchart)
       yace = var.enable_yace ? {

diff --git a/variables.tf b/variables.tf
@@ -522,3 +522,13 @@ variable "clickhouse_endpoint_service_id" {
   description = "The service ID of the VPC endpoint service for Clickhouse"
   default     = ""
 }
+
+##########################################
+# Internal Service                       #
+##########################################
+
+variable "kubernetes_cluster_oidc_issuer_url" {
+  type        = string
+  description = "OIDC issuer URL for the Kubernetes cluster. Can be determined using `kubectl get --raw /.well-known/openid-configuration`"
+  default     = ""
+}