feat(helm): dual-mode nullify-k8s-collector for EKS and GKE #41
Merged
Adds `cloudProvider: aws|gcp` to the chart so the same collector image can authenticate from EKS (IRSA, existing behaviour) or GKE (Workload Identity → sts:AssumeRoleWithWebIdentity). Default stays `aws`, so existing EKS deployments upgrade in place with no values changes.

GKE mode:
- Renders `iam.gke.io/gcp-service-account` on the ServiceAccount
- Projects the Workload-Identity-signed SA token into the pod
- Sets `AWS_WEB_IDENTITY_TOKEN_FILE` and `NULLIFY_AWS_ROLE_ARN` so the collector exchanges the Google-signed token for short-lived AWS creds

Chart bump 0.1.2 → 0.2.0. See chart README for GKE onboarding steps.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…entity setup

Creates the minimal customer-side GCP resources for the k8s-collector running on GKE:
- google_service_account — OIDC identity anchor (no GCP IAM roles needed; it only signs tokens AWS STS validates)
- google_service_account_iam_member — roles/iam.workloadIdentityUser binding from the in-cluster Kubernetes SA to the GCP SA

Outputs service_account_email (for the Helm annotation) and service_account_unique_id (for Nullify's AWS trust-policy allowlist).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
tim-thacker-nullify
approved these changes
Apr 16, 2026
Summary

Extends the existing `nullify-k8s-collector` Helm chart so the same collector image deploys to both EKS and GKE with a single `cloudProvider: aws|gcp` values switch. EKS stays the default — existing deployments upgrade with no values changes.

On GKE the chart wires up AWS's OIDC-federation story in reverse: GKE Workload Identity → `accounts.google.com` ID token → `sts:AssumeRoleWithWebIdentity` → short-lived AWS creds → S3. No long-lived AWS credential is ever stored in the customer cluster.

What's in this PR

Chart (`helm-charts/nullify-k8s-collector/`):
- `values.yaml` — new top-level `cloudProvider` key (`aws` default) and a `collector.gke` subsection holding `nullifyAwsRoleArn`, `audience`, `webIdentityTokenPath`.
- `templates/serviceaccount.yaml` — renders only the annotation that matches the selected provider (`eks.amazonaws.com/role-arn` for AWS, `iam.gke.io/gcp-service-account` for GCP). Extra custom annotations pass through unchanged.
- `templates/cronjob.yaml` — adds `AWS_WEB_IDENTITY_TOKEN_FILE` / `NULLIFY_AWS_ROLE_ARN` env vars and a projected service-account-token volume (audience `sts.amazonaws.com`) when running on GKE.
- `templates/NOTES.txt` — post-install notes show the active provider and the right auth summary.
- `README.md` — new Supported platforms table and a GKE with Workload Identity Federation section with the full onboarding runbook (create GCP SA → share `uniqueId` with Nullify → bind via `workloadIdentityUser` → install chart).
- `values-example.yaml` — commented GKE example at the bottom alongside the existing EKS example.
- `Chart.yaml` — bump `0.1.2` → `0.2.0`.

Top-level README: `What's Included`, `Deployment Options`, `Prerequisites`, and `Component Overview` rows updated to reflect that the chart now supports both platforms. Everything else is unchanged.

Backwards compatibility

- `cloudProvider` defaults to `aws`, so the rendered EKS output is byte-for-byte identical to 0.1.2 except for chart-version labels.
- `helm template` confirms that default (EKS) mode renders no GKE fields (`iam.gke.io`, `NULLIFY_AWS_ROLE_ARN`, `AWS_WEB_IDENTITY_TOKEN_FILE`, projected token volume) — clean isolation.

Test plan

- `helm lint helm-charts/nullify-k8s-collector/` — passes.
- `helm template test helm-charts/nullify-k8s-collector/` (default EKS mode) — renders the expected CronJob + SA with only the EKS annotation and no WIF wiring.
- `helm template test helm-charts/nullify-k8s-collector/ --set cloudProvider=gcp ...` — SA has only the `iam.gke.io/gcp-service-account` annotation, CronJob has both WIF env vars and the projected token volume with audience `sts.amazonaws.com`.
- `sts:AssumeRoleWithWebIdentity` succeeds and the collector uploads to S3 (blocked on the Nullify-side federated IAM role landing — see the companion backend PR in the monorepo).

Follow-ups (not in this PR)

- `gcp-integration-setup/`: creates the GCP service account, binds it to the in-cluster ServiceAccount via Workload Identity, and outputs the `uniqueId` for the customer to share with Nullify. Today the chart README documents the equivalent `gcloud` commands.
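An added example, not code from this PR or the chart, of the two pieces the onboarding runbook above implies: the Nullify-side trust policy that allowlists the GCP SA `uniqueId` and pins the `sts.amazonaws.com` audience, plus an offline pre-flight check of a projected token's claims against that policy (signature verification stays with STS). The condition keys are the standard AWS ones for the `accounts.google.com` provider; the uniqueId and token values are constructed placeholders.

```python
import base64
import json

AUDIENCE = "sts.amazonaws.com"  # the audience the chart sets on the projected token
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}

def trust_policy(sa_unique_id: str, audience: str = AUDIENCE) -> dict:
    """Trust policy for the Nullify-side federated role: only a Google-issued
    token whose sub is the allowlisted SA uniqueId and whose aud matches may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "accounts.google.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                "accounts.google.com:aud": audience,
                "accounts.google.com:sub": sa_unique_id,
            }},
        }],
    }

def _b64url_json(segment: str) -> dict:
    # JWT segments drop base64 padding; restore it before decoding
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def check_token_claims(token: str, sa_unique_id: str, audience: str = AUDIENCE) -> list:
    """Return the mismatches between the token's claims and the trust policy, so a
    wrong audience in values.yaml or a wrong SA binding is caught before the STS call."""
    claims = _b64url_json(token.split(".")[1])
    problems = []
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append(f"iss={claims.get('iss')!r} is not accounts.google.com")
    if claims.get("aud") != audience:
        problems.append(f"aud={claims.get('aud')!r} != {audience!r}")
    if claims.get("sub") != sa_unique_id:
        problems.append(f"sub={claims.get('sub')!r} is not the allowlisted uniqueId")
    return problems

def constructed_token(claims: dict) -> str:
    """Unsigned header.payload.signature string, constructed for offline testing only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.notasignature"

if __name__ == "__main__":
    uid = "100000000000000000001"  # constructed placeholder for the GCP SA uniqueId
    print(json.dumps(trust_policy(uid), indent=2))
    ok = constructed_token({"iss": "https://accounts.google.com", "aud": AUDIENCE, "sub": uid})
    print(check_token_claims(ok, uid))
```

In the pod, `check_token_claims` would be fed the file at `AWS_WEB_IDENTITY_TOKEN_FILE`; an empty list means the token matches the conditions STS will evaluate.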