{"id":25970573,"url":"https://github.com/charlesgm/oidc-gcp-integration-project","last_synced_at":"2026-05-27T20:32:26.461Z","repository":{"id":280116107,"uuid":"941030054","full_name":"CharlesGM/oidc-gcp-integration-project","owner":"CharlesGM","description":"This was once an interview response but now open, but in a new repository - the aim of this project is to showcase how you can use GCP's workload identinty for your CI/CD with Github Actions.","archived":false,"fork":false,"pushed_at":"2025-03-01T10:13:31.000Z","size":52,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-01T11:21:02.428Z","etag":null,"topics":["gcp","github-actions","oidc","terraform"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CharlesGM.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-03-01T10:09:18.000Z","updated_at":"2025-03-01T10:13:34.000Z","dependencies_parsed_at":"2025-03-01T11:21:05.085Z","dependency_job_id":"97f7a5b3-a518-4613-8cc9-021a7a357c15","html_url":"https://github.com/CharlesGM/oidc-gcp-integration-project","commit_stats":null,"previous_names":["charlesgm/oidc-gcp-integration-project"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/CharlesGM/oidc-gcp-integration-project","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CharlesGM%2Foidc-gcp-integration-project","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CharlesGM%2Foidc-gc
p-integration-project/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CharlesGM%2Foidc-gcp-integration-project/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CharlesGM%2Foidc-gcp-integration-project/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CharlesGM","download_url":"https://codeload.github.com/CharlesGM/oidc-gcp-integration-project/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CharlesGM%2Foidc-gcp-integration-project/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":27440617,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-12-01T02:00:06.371Z","response_time":60,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["gcp","github-actions","oidc","terraform"],"created_at":"2025-03-04T23:17:50.977Z","updated_at":"2025-12-01T23:06:01.600Z","avatar_url":"https://github.com/CharlesGM.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# OIDC, GitHub Actions, GCP Integration Project 🚀 \nA complete CI/CD pipeline with GKE, GitHub Actions, and Terraform using Workload Identity Federation. 
🔄\nThe aim of this project is to showcase how you can use GCP's workload identity for your CI/CD with GitHub Actions.\n\nAdditional components like Argo and Crossplane are just for play's sake.\n\n## Prerequisites ✅\n- GCP Account\n- GitHub Repository\n- Terraform installed\n- gcloud CLI\n\n## Project Structure 📁\n\n      ├── Dockerfile\n      ├── README.md\n      ├── app.py\n      ├── argocd\n      │   ├── application.yaml\n      │   └── argo.yaml\n      ├── ledgerndary-helm\n      │   ├── Chart.yaml\n      │   ├── templates\n      │   │   ├── deployment.yaml\n      │   │   ├── rbac.yaml\n      │   │   └── service.yaml\n      │   └── values.yaml\n      ├── crossplane.yaml\n      ├── requirements.txt\n      └── terraform\n            ├── backend.tf\n            ├── main.tf\n            ├── modules\n            │   ├── artifact-registry\n            │   │   ├── main.tf\n            │   │   ├── outputs.tf\n            │   │   └── variables.tf\n            │   ├── gke\n            │   │   ├── main.tf\n            │   │   ├── outputs.tf\n            │   │   └── variables.tf\n            │   └── vpc\n            │       ├── main.tf\n            │       ├── outputs.tf\n            │       └── variables.tf\n            ├── outputs.tf\n            ├── provider.tf\n            ├── sp.auto.tfvars\n            ├── terraform.tfvars\n            └── variables.tf\n\n## Infrastructure Overview 🏗️\n\n### Components\n- GKE Cluster\n- Artifact Registry\n- VPC Network\n- Workload Identity Federation\n- RBAC Configuration\n- ArgoCD\n\n### Infrastructure Details 🌐\n\n#### VPC Configuration 🔌\n- Custom VPC with secondary IP ranges\n- Private GKE cluster setup\n- Firewall rules for cluster access\n\n#### GKE Configuration 🎛️\n- Private cluster with public endpoint\n- Node pool with autoscaling\n- Workload Identity enabled\n- Network policies enabled\n\n#### Security Features 🔒\n- Workload Identity Federation for keyless authentication\n- RBAC for Kubernetes access control\n- Private GKE 
cluster\n- Limited service account permissions\n\n## Deployment Process 🚀\n\n### 1. Initial Setup 🛠️\n\n#### Create GCP Project and enable APIs ⚡\n\n      gcloud projects create PROJECT_ID\n      gcloud services enable container.googleapis.com artifactregistry.googleapis.com\n\n#### Configure Terraform backend 💾\nCreate storage bucket for Terraform state:\n\n      gsutil mb gs://ledgerndarytfstate\n\n#### Initialize Terraform 🎮\n\n      terraform init\n      terraform apply\n\n#### Configure GitHub Secrets 🔐\n\n      GCP_WORKLOAD_IDENTITY_PROVIDER\n      GCP_SERVICE_ACCOUNT\n      AUDIENCE\n      TOKEN_GITHUB\n\n\n### 2. Application Setup 💻\n\n#### Application Specifications\nSimple Python Flask application deployed with:\n- Node pool: e2-small (1 node)\n- Disk size: 30GB\n- Region: europe-west1\n\n#### ArgoCD Setup 🎯\nArgoCD is installed automatically via Terraform. After infrastructure is deployed:\n\n1. Access ArgoCD UI:\n\n         kubectl port-forward svc/argocd-server -n argocd 8080:443\n\n2. Get initial admin password:\n\n         kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath=\"{.data.password}\" | base64 -d\n\n3. Access UI at: https://localhost:8080\n- Username: admin\n- Password: (from step 2)\n\n### 3. Pipeline Configuration\n\n#### GitOps Pipeline 🔄\nThe complete pipeline:\n- Push to main triggers GitHub Actions\n- Builds Docker image\n- Pushes to Artifact Registry\n- Updates Helm values with new image tag\n- ArgoCD detects changes\n- ArgoCD automatically deploys to GKE\n\n#### GitHub Actions Configuration ⚙️\nRequired Secrets:\n\n      1. GCP_WORKLOAD_IDENTITY_PROVIDER: Full Workload Identity Provider path\n      2. GCP_SERVICE_ACCOUNT: Service account email\n      3. AUDIENCE: https://token.actions.githubusercontent.com\n      4. TOKEN_GITHUB: GitHub token for repository access\n\n### 4. 
Terraform Configuration\n\n#### Variables and State Management ⚙️\nKey variables in terraform.tfvars:\n\n      vpc_name                      = \"ledgerndary-vpc\"\n      subnet_name                   = \"ledgerndary-subnet\"\n      subnet_cidr                   = \"10.0.0.0/24\"\n      pod_cidr                      = \"10.16.0.0/24\"\n      service_cidr                  = \"10.32.0.0/24\"\n      cluster_name                  = \"ledgerndary-cluster\"\n\nKey variables in sp.auto.tfvars:\n\n      project_id                    = \"project-id\"\n      region                        = \"region\"\n      workload_identity_pool_id     = \"xxxxxx-xxxxxxx-xxxxxx\"\n      workload_identity_provider_id = \"xxxxxx-xxxxxxx-xxxxxx\"\n      github_repo                   = \"xxxxxx-xxxxxxx-xxxxxx\"\n      project_owner_email          = \"xxxxxx-xxxxxxx-xxxxxx\"\n\n#### Variable Precedence Order\nTerraform loads variables in the following order (highest to lowest priority):\n- CLI arguments (-var=\"name=value\" or -var-file=custom.tfvars)\n- Environment variables (TF_VAR_name=value)\n- terraform.tfvars file (explicitly recognized and loaded)\n- *.auto.tfvars files (including sp.auto.tfvars)\n- Default values in variables.tf\n\n#### State Configuration 💾\nState is stored in Google Cloud Storage:\n\n      terraform {\n            backend \"gcs\" {\n               bucket = \"ledgerndarytfstate\"\n               prefix = \"terraform/state\"\n            }\n      }\n\n## Authentication and Security 🔑\n\n### Authentication Methods\n\n#### 1. 
Workload Identity Federation\nWhat it is: Allows GitHub Actions to authenticate to GCP without storing service account keys \\\nHow it works:\n\n- Uses OpenID Connect (OIDC) tokens from GitHub Actions\n- Exchanges OIDC tokens for GCP access tokens\n- No long-lived credentials stored in GitHub\n\n      # Set up GCP authentication using Workload Identity Federation\n      - id: 'auth'\n         name: 'Authenticate to Google Cloud'\n         uses: 'google-github-actions/auth@v1'\n         with:\n            workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}\n            service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}\n            token_format: 'access_token'\n            audience: ${{ secrets.AUDIENCE }}\n\n#### 2. Service Account Keys (Traditional Method)\n\nWhat it is: JSON key file for service account authentication \\\nDrawbacks:\n\n- Long-lived credentials stored in GitHub Secrets\n- Need to rotate keys regularly\n- Security risk if keys are compromised\n\n       # GitHub Actions example\n       - uses: 'google-github-actions/auth@v1'\n         with:\n           credentials_json: ${{ secrets.GCP_SA_KEY }}\n\n#### 3. Application Default Credentials\nWhat it is: Local authentication method \\\nDrawbacks:\n\n- Only works for local development\n- Not suitable for CI/CD\n- Requires gcloud login\n\n## Operations and Maintenance 🔧\n\n### Usage 📋\n- Push to main branch triggers workflow\n- Monitor GitHub Actions\n- Check GKE deployment:\n\n       kubectl get pods -n ledgerndary\n\n### Verification ✅\nCheck deployment status:\n\n      # View ArgoCD application status\n      kubectl get applications -n argocd\n\n      # Check pods in application namespace\n      kubectl get pods -n ledgerndary\n\n      # View deployment history\n      kubectl rollout history deployment/ledgerndary -n ledgerndary\n\n### Troubleshooting 🔧\n\n#### 1. 
Authentication Issues:\n\n      # Verify Workload Identity setup\n      gcloud iam workload-identity-pools providers describe ledgerndary-gh-provider --location=\"global\" --workload-identity-pool=\"ledgerndary-gh-pool\"\n\n#### 2. GKE Access Issues:\n\n      # Update kubeconfig\n      gcloud container clusters get-credentials ledgerndary-cluster --region europe-west1 --project play-project-325908\n\n### Maintenance Tasks 🔄\n- Monitor GKE logs\n- Check Artifact Registry storage\n- Review RBAC permissions periodically\n- Update dependencies as needed\n\n## Notes 📝\n- Workload Identity eliminates need for stored credentials\n- Uses GCP Artifact Registry for container images\n- Helm manages Kubernetes deployments\n- RBAC configured for least privilege access\n\nFor detailed setup instructions, refer to individual component comments/documentation.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcharlesgm%2Foidc-gcp-integration-project","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcharlesgm%2Foidc-gcp-integration-project","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcharlesgm%2Foidc-gcp-integration-project/lists"}