From f281ca486abe22d76f531051a870762d321b32ea Mon Sep 17 00:00:00 2001
From: KyleGoyette
Date: Mon, 2 Dec 2024 15:30:04 -0800
Subject: [PATCH] feat: Add internalJWTMap variables used for inter service request authentication (#309)

* ini commit

* update variables and main with new var
---
 main.tf | 13 ++++++++++++-
 variables.tf | 10 ++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index 4b42b080..38523389 100644
--- a/main.tf
+++ b/main.tf
@@ -246,6 +246,10 @@ module "iam_role" {
 aws_iam_openid_connect_provider_url = module.app_eks.aws_iam_openid_connect_provider
 }
 
+locals {
+ weave_trace_sa_name = "wandb-weave-trace"
+}
+
 module "wandb" {
 source = "wandb/wandb/helm"
 version = "1.2.0"
@@ -320,7 +324,14 @@ module "wandb" {
 
 }
 
- app = {}
+ app = {
+ internalJWTMap = [
+ {
+ "subject" = "system:serviceaccount:default:${local.weave_trace_sa_name}",
+ "issuer" = var.kubernetes_cluster_oidc_issuer_url
+ }
+ ]
+ }
 
 # To support otel rds and redis metrics, we need operator-wandb chart min version 0.13.8 (yace subchart)
 yace = var.enable_yace ? {
diff --git a/variables.tf b/variables.tf
index 2740aa31..37231270 100644
--- a/variables.tf
+++ b/variables.tf
@@ -522,3 +522,13 @@ variable "clickhouse_endpoint_service_id" {
 description = "The service ID of the VPC endpoint service for Clickhouse"
 default = ""
 }
+
+##########################################
+# Internal Service #
+##########################################
+
+variable "kubernetes_cluster_oidc_issuer_url" {
+ type = string
+ description = "OIDC issuer URL for the Kubernetes cluster. Can be determined using `kubectl get --raw /.well-known/openid-configuration`"
+ default = ""
+}
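Review bot: The new `internalJWTMap` entry in the `app` block hardcodes the `default` namespace in `"subject" = "system:serviceaccount:default:${local.weave_trace_sa_name}"`, so if the weave-trace service account is ever deployed to another namespace the projected token's `sub` claim will not match and inter-service requests will be rejected rather than authenticated; the deploy namespace is not visible in this diff, so please confirm it, or hoist it next to the service-account name in the new `locals` block, e.g. `weave_trace_sa_namespace = "default"` and `"subject" = "system:serviceaccount:${local.weave_trace_sa_namespace}:${local.weave_trace_sa_name}"`. The `"issuer"` field is taken from `var.kubernetes_cluster_oidc_issuer_url`, which the variables.tf hunk defaults to `""`, so the map entry is always rendered even when no issuer is configured; whether the chart rejects an empty issuer or skips issuer validation for that entry cannot be seen here, so consider gating the entry on a non-empty value, `app = var.kubernetes_cluster_oidc_issuer_url == "" ? {} : { internalJWTMap = [ ... ] }`, so an unset variable cannot yield a weaker trust configuration than the previous `app = {}`. The enclosing `module "wandb"` block starts and ends outside this hunk.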
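Review bot: `variable "kubernetes_cluster_oidc_issuer_url"` is a trust anchor for inter-service JWT validation but is declared with `default = ""` and no `validation` block, so a typo or a plain-`http://` issuer is accepted silently at plan time and only surfaces as an authentication failure (or, depending on the consumer, a misconfigured trust) at runtime. A validation block that allows the empty default but otherwise requires an `https://` URL makes the misconfiguration fail at `terraform plan`; it uses `can(regex(...))` so it does not depend on a newer Terraform release. The `module "iam_role"` context in the first main.tf hunk already reads `module.app_eks.aws_iam_openid_connect_provider`; if that module also exposes the issuer URL, deriving the default from it instead of `""` would remove the empty-issuer case entirely, but that output is not visible here, so confirm before relying on it.
```hcl
variable "kubernetes_cluster_oidc_issuer_url" {
  type        = string
  description = "OIDC issuer URL for the Kubernetes cluster. Can be determined using `kubectl get --raw /.well-known/openid-configuration`"
  default     = ""

  # Empty keeps the previous behaviour; any other value must be an https:// issuer.
  validation {
    condition     = var.kubernetes_cluster_oidc_issuer_url == "" || can(regex("^https://", var.kubernetes_cluster_oidc_issuer_url))
    error_message = "kubernetes_cluster_oidc_issuer_url must be empty or an https:// URL."
  }
}
```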