feat: Add internalJWTMap variables used for inter service request aut…

…hentication (#177) * add vars and handling * wip * add new var and handling * terraform-docs: automated action * improve description * terraform-docs: automated action --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
wandb · Dec 2, 2024 · 69732e0 · 69732e0
1 parent ce99cb0
commit 69732e0
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -149,6 +149,7 @@ resources that lack official modules.
 | <a name="input_gke_max_node_count"></a> [gke\_max\_node\_count](#input\_gke\_max\_node\_count) | Maximum number of nodes for the GKE cluster. Defaults to null and value from deployment-size.tf is used | `number` | `null` | no |
 | <a name="input_gke_min_node_count"></a> [gke\_min\_node\_count](#input\_gke\_min\_node\_count) | Initial number of nodes for the GKE cluster, if gke\_max\_node\_count is set, this is the minimum number of nodes. Defaults to null and value from deployment-size.tf is used | `number` | `null` | no |
 | <a name="input_ilb_proxynetwork_cidr"></a> [ilb\_proxynetwork\_cidr](#input\_ilb\_proxynetwork\_cidr) | Internal load balancer proxy subnetwork | `string` | `"10.127.0.0/24"` | no |
+| <a name="input_kubernetes_cluster_oidc_issuer_url"></a> [kubernetes\_cluster\_oidc\_issuer\_url](#input\_kubernetes\_cluster\_oidc\_issuer\_url) | OIDC issuer URL for the Kubernetes cluster. Can be determined using `kubectl get --raw /.well-known/openid-configuration` | `string` | `""` | no |
 | <a name="input_labels"></a> [labels](#input\_labels) | Labels to apply to resources | `map(string)` | `{}` | no |
 | <a name="input_license"></a> [license](#input\_license) | Your wandb/local license | `string` | n/a | yes |
 | <a name="input_local_restore"></a> [local\_restore](#input\_local\_restore) | Restores W&B to a stable state if needed | `bool` | `false` | no |

diff --git a/main.tf b/main.tf
@@ -318,6 +318,12 @@ module "wandb" {
           name        = ""
           annotations = {}
         }
+        internalJWTMap = [
+          {
+            subject = "system:serviceaccount:default:${local.k8s_sa_map.weave_trace}"
+            issuer = var.kubernetes_cluster_oidc_issuer_url
+          }
+        ]
       }
 
       ingress = {

diff --git a/variables.tf b/variables.tf
@@ -413,3 +413,12 @@ variable "clickhouse_subnetwork_cidr" {
   description = "ClickHouse private service connect subnetwork"
   type        = string
 }
+
+###########################################
+# Internal Service                        #
+###########################################
+variable "kubernetes_cluster_oidc_issuer_url" {
+  type        = string
+  description = "OIDC issuer URL for the Kubernetes cluster. Can be determined using `kubectl get --raw /.well-known/openid-configuration`"
+  default     = ""
+}