
Commit d87cbee

docs: add multicluster configuration note (terraform-google-modules#1883)
1 parent 12cf40f commit d87cbee

File tree

1 file changed

+45
-0
lines changed

modules/workload-identity/README.md

Lines changed: 45 additions & 0 deletions
@@ -94,6 +94,51 @@ module "my-app-workload-identity" {
9494
If annotation is disabled (via `annotate_k8s_sa = false`), the existing Kubernetes service account must
9595
already bear the `"iam.gke.io/gcp-service-account"` annotation.
9696

97+
## Using with multiple clusters
98+
99+
This module accommodates configurations involving multiple clusters within the kubernetes provider.
100+
101+
To begin, initialize the kubernetes provider for each cluster with a unique alias, as demonstrated below:
102+
103+
Initialize your `kubernetes` provider with an alias like the following:
104+
105+
```hcl
106+
provider "kubernetes" {
107+
alias = "alias-for-your-cluster"
108+
host = "https://your-cluster-host-url.com"
109+
token = "your-cluster-token"
110+
cluster_ca_certificate = base64decode("Your-Cluster-Certificate")
111+
}
112+
```
113+
114+
Ensure each cluster configuration has a distinct alias. Repeat this step for every cluster you intend to manage.
115+
116+
In your module configuration, include the providers attribute to assign the appropriate provider alias:
117+
118+
```hcl
119+
module "workload_identity_for_cluster" {
120+
source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
121+
122+
providers = {
123+
kubernetes = kubernetes.alias-for-your-cluster
124+
}
125+
126+
name = "service-account-name"
127+
namespace = "desired-namespace"
128+
// Other module configurations
129+
}
130+
```
131+
132+
This approach is required when managing multiple clusters. Omitting this step can lead to errors like the one shown below:
133+
134+
```shell
135+
Error: Get "http://localhost/api/v1/namespaces/default/serviceaccounts/your-service-account": dial tcp [::1]:80: connect: connection refused
136+
137+
│ with module.your_workload_identity.kubernetes_service_account.main[0],
138+
│ on .terraform/modules/your_workload_identity/modules/workload-identity/main.tf line 50, in resource "kubernetes_service_account" "main":
139+
│ 50: resource "kubernetes_service_account" "main" {
140+
```
141+
97142
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
98143
## Inputs
99144

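Review bot: the provider example at lines 105-112 of the new text shows `token = "your-cluster-token"` as a literal string in the provider block, which nudges readers toward committing a static cluster credential to version control; since this module already sits alongside the kubernetes-engine module, the example should source the token from a `google_client_config` data source (`token = data.google_client_config.default.access_token`) or from a sensitive variable, with a one-line remark that the literal is a placeholder only. Lines 101-103 also say the same thing twice ("To begin, initialize the kubernetes provider for each cluster with a unique alias, as demonstrated below:" followed by "Initialize your `kubernetes` provider with an alias like the following:"); keep one of the two sentences. Minor wording at line 99: "multiple clusters within the kubernetes provider" reads oddly, "multiple clusters, each with its own `kubernetes` provider configuration" states the intent more plainly, and the error block at lines 134-140 would be clearer if preceded by a sentence explaining that the `localhost` URL appears because the module fell back to an unconfigured default provider rather than the aliased one.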