
Conversation


@ohrite ohrite commented Jul 1, 2025

Description

This PR proposes to stop passing service_account.json as a secret, and instead rely on GKE workload identity federation, just like we do for GitHub Actions.

Relates to #3780

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation

How has this been tested?

terraform plan and test runs on staging

Post-merge follow-ups

  • No action required
  • Actions required (specified below)

Remove service_account.json/service-account.json from the jobs-data Kubernetes secret.
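A check for the post-merge follow-up above, added here as an example and not code from the PR or the repository: it scans a Kubernetes Secret manifest (the shape returned by `kubectl get secret -o json`) for entries whose name or decoded value is a Google service-account key, and produces the stripped copy that the follow-up asks for. The sample secret below is constructed; it reuses the `airflow-jobs/jobs-data` name visible in the plan output, while the project id, client e-mail and private-key body are placeholders. Once the key is gone, the pod's credentials come from workload identity rather than from anything this script can see, so the check covers only the secret side of the change.

```python
import base64
import copy
import json
import re

# Key names the follow-up says must leave the jobs-data secret, plus a looser
# pattern that catches other spellings of a mounted service-account key.
SUSPECT_KEY_NAMES = {"service_account.json", "service-account.json"}
SUSPECT_NAME_RE = re.compile(r"service[-_]?account", re.IGNORECASE)

# Fields that every Google service-account key file carries.
GCP_KEY_FIELDS = {"type", "private_key", "client_email"}


def looks_like_gcp_service_account_key(raw: bytes) -> bool:
    """True if the decoded secret value parses as a GCP service-account key JSON."""
    try:
        doc = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return False
    return (
        isinstance(doc, dict)
        and doc.get("type") == "service_account"
        and GCP_KEY_FIELDS.issubset(doc)
    )


def find_embedded_sa_keys(secret: dict) -> list:
    """Return one finding per Secret entry that carries (or is named like) a SA key."""
    findings = []
    for field in ("data", "stringData"):
        for name, value in (secret.get(field) or {}).items():
            if field == "data":  # base64-encoded on the wire
                try:
                    raw = base64.b64decode(value, validate=True)
                except ValueError:  # binascii.Error is a ValueError subclass
                    raw = b""
            else:  # stringData is plain text
                raw = value.encode("utf-8")
            reasons = []
            if name in SUSPECT_KEY_NAMES or SUSPECT_NAME_RE.search(name):
                reasons.append("suspicious key name")
            if looks_like_gcp_service_account_key(raw):
                reasons.append("value is a GCP service-account key")
            if reasons:
                findings.append({"field": field, "key": name, "reasons": reasons})
    return findings


def strip_sa_keys(secret: dict) -> dict:
    """Return a copy of the Secret with every flagged entry removed (the post-merge step)."""
    flagged = {(f["field"], f["key"]) for f in find_embedded_sa_keys(secret)}
    cleaned = copy.deepcopy(secret)
    for field in ("data", "stringData"):
        for name in list((cleaned.get(field) or {}).keys()):
            if (field, name) in flagged:
                del cleaned[field][name]
    return cleaned


# --- constructed sample input (placeholder values, not a real key) ---------
CONSTRUCTED_SA_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "jobs-runner@example-project.iam.gserviceaccount.com",
    "client_id": "0",
}


def _b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "jobs-data", "namespace": "airflow-jobs"},
    "type": "Opaque",
    "data": {
        "service_account.json": _b64(json.dumps(CONSTRUCTED_SA_KEY)),
        "jobs-token": _b64("opaque-value-unrelated-to-gcp"),  # should survive the cleanup
    },
}

if __name__ == "__main__":
    for finding in find_embedded_sa_keys(SAMPLE_SECRET):
        print(f"{finding['field']}/{finding['key']}: {', '.join(finding['reasons'])}")
    cleaned = strip_sa_keys(SAMPLE_SECRET)
    print("remaining keys after cleanup:", sorted(cleaned["data"]))
```

Run it against a live manifest by replacing `SAMPLE_SECRET` with `json.load(...)` of the `kubectl get secret jobs-data -n airflow-jobs -o json` output; a non-empty result from `find_embedded_sa_keys` means the follow-up has not yet been carried out. Matching on the decoded value as well as on the key name is deliberate: a key file renamed to something innocuous would otherwise slip through.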


github-actions bot commented Jul 1, 2025

Terraform plan in iac/cal-itp-data-infra-staging/airflow/us

Plan: 0 to add, 3 to change, 0 to destroy.
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
!~  update in-place

Terraform will perform the following actions:

  # google_storage_bucket_object.calitp-staging-composer["dags/publish_open_data/publish_california_open_data.yml"] will be updated in-place
!~  resource "google_storage_bucket_object" "calitp-staging-composer" {
!~      crc32c              = "Wx+C0A==" -> (known after apply)
!~      detect_md5hash      = "Dmn2ccrjkUs7GTsL5zO+rw==" -> "different hash"
!~      generation          = 1751416049286660 -> (known after apply)
        id                  = "calitp-staging-composer-dags/publish_open_data/publish_california_open_data.yml"
!~      md5hash             = "Dmn2ccrjkUs7GTsL5zO+rw==" -> (known after apply)
        name                = "dags/publish_open_data/publish_california_open_data.yml"
#        (17 unchanged attributes hidden)
    }

  # google_storage_bucket_object.calitp-staging-composer["dags/unzip_and_validate_gtfs_schedule_hourly/validate_gtfs_schedule.yml"] will be updated in-place
!~  resource "google_storage_bucket_object" "calitp-staging-composer" {
!~      crc32c              = "WAOTIw==" -> (known after apply)
!~      detect_md5hash      = "Q2KZHpa145QxEt0qrMVrvQ==" -> "different hash"
!~      generation          = 1751929677147947 -> (known after apply)
        id                  = "calitp-staging-composer-dags/unzip_and_validate_gtfs_schedule_hourly/validate_gtfs_schedule.yml"
!~      md5hash             = "Q2KZHpa145QxEt0qrMVrvQ==" -> (known after apply)
        name                = "dags/unzip_and_validate_gtfs_schedule_hourly/validate_gtfs_schedule.yml"
#        (17 unchanged attributes hidden)
    }

  # google_storage_bucket_object.calitp-staging-composer-dags["profiles.yml"] will be updated in-place
!~  resource "google_storage_bucket_object" "calitp-staging-composer-dags" {
!~      crc32c              = "fcYfVw==" -> (known after apply)
!~      detect_md5hash      = "8XK0sntGMFxIy7Ve/HuJzg==" -> "different hash"
!~      generation          = 1749663111897003 -> (known after apply)
        id                  = "calitp-staging-composer-data/warehouse/profiles.yml"
!~      md5hash             = "8XK0sntGMFxIy7Ve/HuJzg==" -> (known after apply)
        name                = "data/warehouse/profiles.yml"
#        (17 unchanged attributes hidden)
    }

Plan: 0 to add, 3 to change, 0 to destroy.

📝 Plan generated in Plan Terraform for Warehouse and DAG changes #724


github-actions bot commented Jul 1, 2025

Terraform plan in iac/cal-itp-data-infra/airflow/us

Plan: 0 to add, 3 to change, 0 to destroy.
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
!~  update in-place

Terraform will perform the following actions:

  # google_storage_bucket_object.calitp-composer["dags/publish_open_data/publish_california_open_data.yml"] will be updated in-place
!~  resource "google_storage_bucket_object" "calitp-composer" {
!~      crc32c              = "Wx+C0A==" -> (known after apply)
!~      detect_md5hash      = "Dmn2ccrjkUs7GTsL5zO+rw==" -> "different hash"
!~      generation          = 1751416675383240 -> (known after apply)
        id                  = "calitp-composer-dags/publish_open_data/publish_california_open_data.yml"
!~      md5hash             = "Dmn2ccrjkUs7GTsL5zO+rw==" -> (known after apply)
        name                = "dags/publish_open_data/publish_california_open_data.yml"
#        (17 unchanged attributes hidden)
    }

  # google_storage_bucket_object.calitp-composer["dags/unzip_and_validate_gtfs_schedule_hourly/validate_gtfs_schedule.yml"] will be updated in-place
!~  resource "google_storage_bucket_object" "calitp-composer" {
!~      crc32c              = "WAOTIw==" -> (known after apply)
!~      detect_md5hash      = "Q2KZHpa145QxEt0qrMVrvQ==" -> "different hash"
!~      generation          = 1751416672802943 -> (known after apply)
        id                  = "calitp-composer-dags/unzip_and_validate_gtfs_schedule_hourly/validate_gtfs_schedule.yml"
!~      md5hash             = "Q2KZHpa145QxEt0qrMVrvQ==" -> (known after apply)
        name                = "dags/unzip_and_validate_gtfs_schedule_hourly/validate_gtfs_schedule.yml"
#        (17 unchanged attributes hidden)
    }

  # google_storage_bucket_object.calitp-composer-dags["profiles.yml"] will be updated in-place
!~  resource "google_storage_bucket_object" "calitp-composer-dags" {
!~      crc32c              = "fcYfVw==" -> (known after apply)
!~      detect_md5hash      = "8XK0sntGMFxIy7Ve/HuJzg==" -> "different hash"
!~      generation          = 1751416670054928 -> (known after apply)
        id                  = "calitp-composer-data/warehouse/profiles.yml"
!~      md5hash             = "8XK0sntGMFxIy7Ve/HuJzg==" -> (known after apply)
        name                = "data/warehouse/profiles.yml"
#        (17 unchanged attributes hidden)
    }

Plan: 0 to add, 3 to change, 0 to destroy.

📝 Plan generated in Plan Terraform for Warehouse and DAG changes #724

@ohrite ohrite force-pushed the mov/3780-workflow-identity-federation branch from fc07b7a to b52c9e8 July 1, 2025 16:17

github-actions bot commented Jul 1, 2025

Terraform plan in iac/cal-itp-data-infra-staging/composer/us

Plan: 0 to add, 1 to change, 0 to destroy.
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
!~  update in-place

Terraform will perform the following actions:

  # kubernetes_secret.composer will be updated in-place
!~  resource "kubernetes_secret" "composer" {
!~      data                           = (sensitive value)
        id                             = "airflow-jobs/jobs-data"
#        (5 unchanged attributes hidden)

#        (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

📝 Plan generated in Terraform Plan #556

@ohrite ohrite force-pushed the mov/3780-workflow-identity-federation branch from b52c9e8 to 63ae226 July 1, 2025 16:24
@ohrite ohrite changed the title Use GKE workload identity federation in composer [DO NOT MERGE] Use GKE workload identity federation in composer Jul 1, 2025
@ohrite ohrite force-pushed the mov/3780-workflow-identity-federation branch from 63ae226 to 86dae11 July 8, 2025 22:02

github-actions bot commented Jul 8, 2025

Terraform plan in iac/cal-itp-data-infra/composer/us

Plan: 0 to add, 1 to change, 0 to destroy.
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
!~  update in-place

Terraform will perform the following actions:

  # kubernetes_secret.composer will be updated in-place
!~  resource "kubernetes_secret" "composer" {
!~      data                           = (sensitive value)
        id                             = "airflow-jobs/jobs-data"
#        (5 unchanged attributes hidden)

#        (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

📝 Plan generated in Terraform Plan #556

@ohrite ohrite changed the title [DO NOT MERGE] Use GKE workload identity federation in composer Use GKE workload identity federation in composer Jul 9, 2025
@ohrite ohrite force-pushed the mov/3780-workflow-identity-federation branch 2 times, most recently from dd95d59 to b60e119 July 10, 2025 15:39
@ohrite ohrite requested a review from fsalemi as a code owner July 10, 2025 15:39
@ohrite ohrite force-pushed the mov/3780-workflow-identity-federation branch 3 times, most recently from 3b09d73 to 72cdba4 July 15, 2025 15:14
@ohrite ohrite requested a review from raebot as a code owner July 15, 2025 15:14
@ohrite ohrite force-pushed the mov/3780-workflow-identity-federation branch 2 times, most recently from 75c403d to 8f4034c July 15, 2025 19:30
@ohrite ohrite force-pushed the mov/3780-workflow-identity-federation branch 3 times, most recently from 80f2403 to f79fbf0 July 22, 2025 20:55
@ohrite ohrite force-pushed the mov/3780-workflow-identity-federation branch from f79fbf0 to 46909fa July 29, 2025 21:13
@ohrite ohrite force-pushed the mov/3780-workflow-identity-federation branch from 46909fa to 02dd0af August 7, 2025 21:14
@ohrite ohrite force-pushed the mov/3780-workflow-identity-federation branch from 02dd0af to 37c675b September 26, 2025 04:08
@ohrite ohrite force-pushed the mov/3780-workflow-identity-federation branch from 37c675b to ab40722 September 26, 2025 04:08