This help set up workload identity so that argocd can deploy applicatioGKE's n to external GKE cluster. Refer to
- Using Workload Identity to learn about workload identity.
- Argo CD GKE Cluster to learn about argocd with GKE cluster.
- Enable GKE's workload identity
- Create a Google service account
- Grant the Google service account permission to operate on target GKE
- Allow Argo CD's Kubernetes service accounts (
argocd-application-controllerandargocd-server) to impersonate as this Google service account
- Enable workload identity for the GKE that deploys Argo CD, refer to official document.
- Review
.env. just create-gsa-account, create Google service account on the project that hosts Argo CD's GKE.just grant-gsa-gke-develop-role TARGET_PROJECT_ID- This grants Google service account to deploy to TARGET_PROJECT_ID.
- This grants argocd service account in GKE_PROJECT ro impersonate as Google service account.