feat(cert-manager): cloudDNS clusterissuer using wif

manifests/platform/cert-manager/base/deployment.yaml

@@ -134,6 +134,8 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
+          - name: GOOGLE_APPLICATION_CREDENTIALS
+            value: /var/run/secrets/google/credentials.json
           # LivenessProbe settings are based on those used for the Kubernetes
           # controller-manager. See:
           # https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245
@@ -154,6 +156,26 @@ spec:
             limits:
               cpu: 30m
               memory: 40Mi
+          volumeMounts:
+            - name: google-creds
+              mountPath: /var/run/secrets/google
+              readOnly: true
+            - name: bound-sa-token
+              mountPath: /var/run/secrets/openshift/serviceaccount
+              readOnly: true
+      volumes:
+        - name: google-creds
+          configMap:
+            name: google-creds
+            defaultMode: 420
+        - name: bound-sa-token
+          projected:
+            sources:
+              - serviceAccountToken:
+                  audience: openshift
+                  expirationSeconds: 3600
+                  path: token
+            defaultMode: 420
       nodeSelector:
         kubernetes.io/os: "linux"
 ---

manifests/platform/cert-manager/overlays/okd/google-creds-configmap.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: google-creds
+  namespace: cert-manager
+data:
+  credentials.json: |
+    {
+      "type": "external_account",
+      "audience": "//iam.googleapis.com/projects/1086456784694/locations/global/workloadIdentityPools/okd-pool/providers/okd-provider",
+      "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
+      "token_url": "https://sts.googleapis.com/v1/token",
+      "credential_source": {
+        "file": "/var/run/secrets/openshift/serviceaccount/token",
+        "format": {
+          "type": "text"
+        }
+      },
+      "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/cert-manager-dns-solver@okd-homelab.iam.gserviceaccount.com:generateAccessToken"
+    }

manifests/platform/cert-manager/overlays/okd/kustomization.yaml

@@ -4,4 +4,5 @@ namespace: cert-manager
 resources:
   - ../../base
   - ../../components
+  - google-creds-configmap.yaml
   # - clusterissuer-staging.yaml

terraform/okd/main.tf

@@ -123,6 +123,12 @@ resource "google_project_iam_custom_role" "cert_manager_dns_solver_role" {
     ]
 }
 
+resource "google_project_iam_member" "cert_manager_dns_solver_role_binding" {
+    project = data.google_project.okd_homelab.project_id
+    role    = "projects/${data.google_project.okd_homelab.project_id}/roles/${google_project_iam_custom_role.cert_manager_dns_solver_role.role_id}"
+    member  = "serviceAccount:${google_service_account.cert_manager_dns_solver.email}"
+}
+
 resource "google_service_account_iam_member" "cert_manager_wif_binding" {
     service_account_id = "projects/${data.google_project.okd_homelab.project_id}/serviceAccounts/${google_service_account.cert_manager_dns_solver.email}"
     role               = "roles/iam.workloadIdentityUser"