Skip to content

feat(workload-identity)!: replace kubectl-wrapper with native kubernetes_annotations#2610

Draft
apeabody wants to merge 1 commit into
mainfrom
ap/wi
Draft

feat(workload-identity)!: replace kubectl-wrapper with native kubernetes_annotations#2610
apeabody wants to merge 1 commit into
mainfrom
ap/wi

Conversation

@apeabody

Copy link
Copy Markdown
Contributor

Replace the legacy module "annotate-sa" (which executed kubectl_wrapper.sh via local-exec) in modules/workload-identity with the native resource "kubernetes_annotations" "main" from hashicorp/kubernetes.

This resolves Python AttributeError: 'Credentials' object has no attribute 'private_key_id' failures in gke-gcloud-auth-plugin / gcloud config config-helper when executing inside keyless authentication pipelines (Service Account Impersonation, Workload Identity Federation, ADC).

Key changes:

  • Replace kubectl-wrapper local-exec bash execution with declarative kubernetes_annotations using Server-Side Apply (force = true).
  • Remove obsolete input variables (cluster_name, location, impersonate_service_account, use_existing_context).
  • Ensure google_service_account_iam_member.main and var.module_depends_on are explicitly included in depends_on for both KSA creation and annotation resources to prevent IAM propagation race conditions.
  • Update module metadata (metadata.yaml, metadata.display.yaml), README, and examples.
  • Add upgrade guide docs/upgrading_to_v45.0.md detailing breaking changes, provider prerequisites, and state migration.

@apeabody apeabody requested review from a team, ayushmjain and krprabhat-eng as code owners June 30, 2026 23:21

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request refactors the workload-identity submodule to replace the legacy kubectl-wrapper script with the native kubernetes_annotations resource for annotating Kubernetes Service Accounts. This change removes several obsolete input variables (cluster_name, location, impersonate_service_account, and use_existing_context) and updates the corresponding documentation, examples, and metadata. However, a critical circular dependency was introduced in modules/workload-identity/main.tf because kubernetes_service_account_v1.main now depends on google_service_account_iam_member.main, which itself depends on the service account name when use_existing_k8s_sa is false. This cycle needs to be resolved by updating local.k8s_sa_gcp_derived_name to use local.k8s_given_name instead of local.output_k8s_name.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread modules/workload-identity/main.tf
@apeabody

Copy link
Copy Markdown
Contributor Author

/gemini review

@apeabody apeabody changed the title feat!(workload-identity): replace kubectl-wrapper with native kubernetes_annotations feat(workload-identity)!: replace kubectl-wrapper with native kubernetes_annotations Jun 30, 2026

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request replaces the legacy kubectl-wrapper (which executed local bash scripts via local-exec) with the native kubernetes_annotations resource in the workload-identity submodule. This change removes several input variables (cluster_name, location, impersonate_service_account, and use_existing_context) from the module, its examples, and documentation. An upgrade guide has been added to detail these breaking changes. The feedback suggests adding a note to the upgrade guide advising users to remove any ignore_annotations configurations from their kubernetes provider block, as keeping them would interfere with the new native kubernetes_annotations resource.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread docs/upgrading_to_v45.0.md
@apeabody apeabody force-pushed the ap/wi branch 2 times, most recently from ecc7e33 to 66953b2 Compare July 2, 2026 00:52
…tes_annotations

Replace the legacy `module "annotate-sa"` (which executed `kubectl_wrapper.sh` via local-exec) in `modules/workload-identity` with the native `resource "kubernetes_annotations" "main"` from `hashicorp/kubernetes`.

This resolves Python `AttributeError: 'Credentials' object has no attribute 'private_key_id'` failures in `gke-gcloud-auth-plugin` / `gcloud config config-helper` when executing inside keyless authentication pipelines (Service Account Impersonation, Workload Identity Federation, ADC).

Key changes:
- Replace `kubectl-wrapper` local-exec bash execution with declarative `kubernetes_annotations` using Server-Side Apply (`force = true`).
- Remove obsolete input variables (`cluster_name`, `location`, `impersonate_service_account`, `use_existing_context`).
- Ensure `google_service_account_iam_member.main` and `var.module_depends_on` are explicitly included in `depends_on` for both KSA creation and annotation resources to prevent IAM propagation race conditions.
- Update module metadata (`metadata.yaml`, `metadata.display.yaml`), README, and examples.
- Add upgrade guide `docs/upgrading_to_v45.0.md` detailing breaking changes, provider prerequisites, and state migration.
@apeabody apeabody marked this pull request as draft July 6, 2026 16:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant