From 4af2ecd50494a58699a7def16b74b54477fe5990 Mon Sep 17 00:00:00 2001
From: Gene Heinrich
Date: Wed, 8 Sep 2021 08:59:39 -0400
Subject: [PATCH 1/2] SR-2692: Support enabling workload identity during hub registration
---
 modules/hub/main.tf | 7 ++++---
 modules/hub/scripts/gke_hub_registration.sh | 12 +++++++++---
 modules/hub/variables.tf | 6 ++++++
 3 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/modules/hub/main.tf b/modules/hub/main.tf
index 428d4d8e5e..af611e5c11 100644
--- a/modules/hub/main.tf
+++ b/modules/hub/main.tf
@@ -17,12 +17,13 @@ locals {
 gke_hub_sa_key = var.use_existing_sa ? var.sa_private_key : google_service_account_key.gke_hub_key[0].private_key
- is_gke_flag = var.use_kubeconfig ? 0 : 1
- hub_project = var.hub_project_id == "" ? var.project_id : var.hub_project_id
+ is_gke_flag = var.use_kubeconfig ? 0 : 1
+ hub_project = var.hub_project_id == "" ? var.project_id : var.hub_project_id
+ enable_workload_identity = var.enable_workload_identity ? 1 : 0
 cluster_uri = "https://container.googleapis.com/projects/${var.project_id}/locations/${var.location}/clusters/${var.cluster_name}"
 create_cmd_gke_entrypoint = "${path.module}/scripts/gke_hub_registration.sh"
- create_cmd_gke_body = "${local.is_gke_flag} ${var.gke_hub_membership_name} ${local.gke_hub_sa_key} ${local.cluster_uri} ${local.hub_project} ${var.labels}"
+ create_cmd_gke_body = "${local.is_gke_flag} ${var.gke_hub_membership_name} ${local.gke_hub_sa_key} ${local.cluster_uri} ${local.hub_project} ${local.enable_workload_identity} ${var.labels}"
 destroy_gke_entrypoint = "${path.module}/scripts/gke_hub_unregister.sh"
 destroy_gke_body = "${local.is_gke_flag} ${var.gke_hub_membership_name} ${local.cluster_uri} ${local.hub_project}"
 }
diff --git a/modules/hub/scripts/gke_hub_registration.sh b/modules/hub/scripts/gke_hub_registration.sh
index c40aa6baac..ab23c5774d 100755
--- a/modules/hub/scripts/gke_hub_registration.sh
+++ b/modules/hub/scripts/gke_hub_registration.sh
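Review bot: When `enable_workload_identity` is true, the new `create_cmd_gke_body` still interpolates `local.gke_hub_sa_key` as a positional argument, so a service-account private key is still produced (the context line above derives it from `google_service_account_key.gke_hub_key[0]`) and handed to the registration script on its command line even though the workload-identity registration path does not pass it to gcloud. The option therefore adds a credential-free registration mode without actually removing the credential from the flow. Consider substituting an empty placeholder when the flag is set, e.g. `gke_hub_sa_key = var.enable_workload_identity ? "" : (var.use_existing_sa ? var.sa_private_key : google_service_account_key.gke_hub_key[0].private_key)`, and, if the key resource is declared in this module with a `count`, gating that count on the same variable so no key is minted at all; whether the untaken branch tolerates the zero-count index reference would need to be verified. The `locals` block begins above the hunk.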
@@ -25,7 +25,8 @@ MEMBERSHIP_NAME=$2
 SERVICE_ACCOUNT_KEY=$3
 CLUSTER_URI=$4
 HUB_PROJECT_ID=$5
-LABELS=$6
+ENABLE_WORKLOAD_IDENTITY=$6
+LABELS=$7
 #write temp key, cleanup at exit
 tmp_file=$(mktemp)
@@ -35,8 +36,13 @@ base64 --help | grep "\--decode" && B64_ARG="--decode" || B64_ARG="-d"
 echo "${SERVICE_ACCOUNT_KEY}" | base64 ${B64_ARG} > "$tmp_file"
 if [[ ${GKE_CLUSTER_FLAG} == 1 ]]; then
- echo "Registering GKE Cluster."
- gcloud container hub memberships register "${MEMBERSHIP_NAME}" --gke-uri="${CLUSTER_URI}" --service-account-key-file="${tmp_file}" --project="${HUB_PROJECT_ID}" --quiet
+ if [[ ${ENABLE_WORKLOAD_IDENTITY} == 1 ]]; then
+ echo "Registering GKE Cluster with workload identity."
+ gcloud container hub memberships register "${MEMBERSHIP_NAME}" --gke-uri="${CLUSTER_URI}" --project="${HUB_PROJECT_ID}" --enable-workload-identity --quiet
+ else
+ echo "Registering GKE Cluster."
+ gcloud container hub memberships register "${MEMBERSHIP_NAME}" --gke-uri="${CLUSTER_URI}" --service-account-key-file="${tmp_file}" --project="${HUB_PROJECT_ID}"--quiet
+ fi
 else
 echo "Registering a non-GKE Cluster. Using current-context to register Hub membership."
 #Get the kubeconfig
diff --git a/modules/hub/variables.tf b/modules/hub/variables.tf
index b9b15d8295..31929c8f79 100644
--- a/modules/hub/variables.tf
+++ b/modules/hub/variables.tf
@@ -98,3 +98,9 @@ variable "labels" {
 type = string
 default = ""
 }
+
+variable "enable_workload_identity" {
+ description = "Enables workload identity when registering."
+ type = bool
+ default = false
+}
From 67f67898b6948fc623c4f03db3f276a692fb9d50 Mon Sep 17 00:00:00 2001
From: Gene Heinrich
Date: Wed, 8 Sep 2021 10:10:20 -0400
Subject: [PATCH 2/2] SR-2692: Update modules/hub/README.md
---
 modules/hub/README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/hub/README.md b/modules/hub/README.md
index d978c49f71..9c2fadaebd 100644
--- a/modules/hub/README.md
+++ b/modules/hub/README.md
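Review bot: The re-added non-workload-identity gcloud line in the second hunk is broken: `--project="${HUB_PROJECT_ID}"--quiet` has no space before `--quiet`, so gcloud receives a project value ending in `--quiet` and no `--quiet` flag at all, and because `enable_workload_identity` defaults to `false` this is the default registration path. It should read `--project="${HUB_PROJECT_ID}" --quiet`, as the removed line did. Separately, the decoded key is still written to `$tmp_file` on the context line before the branch even though the workload-identity branch never reads it; moving that `echo ... | base64 ... > "$tmp_file"` into the `else` branch keeps the private key off disk when it is not needed. The enclosing `if` (the non-GKE `else` branch) continues past the hunk.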
@@ -36,6 +36,7 @@ To deploy this config:
 | cluster\_endpoint | The GKE cluster endpoint. | `string` | n/a | yes |
 | cluster\_name | The unique name to identify the cluster in ASM. | `string` | n/a | yes |
 | enable\_gke\_hub\_registration | Enables GKE Hub Registration when set to true | `bool` | `true` | no |
+| enable\_workload\_identity | Enables workload identity when registering. | `bool` | `false` | no |
 | gcloud\_sdk\_version | The gcloud sdk version to use. Minimum required version is 293.0.0 | `string` | `"296.0.1"` | no |
 | gke\_hub\_membership\_name | Membership name that uniquely represents the cluster being registered on the Hub | `string` | `"gke-hub-membership"` | no |
 | gke\_hub\_sa\_name | Name for the GKE Hub SA stored as a secret `creds-gcp` in the `gke-connect` namespace. | `string` | `"gke-hub-sa"` | no |