diff --git a/braintrust/templates/api-configmap.yaml b/braintrust/templates/api-configmap.yaml
index 04202c4..9b090d3 100644
--- a/braintrust/templates/api-configmap.yaml
+++ b/braintrust/templates/api-configmap.yaml
@@ -31,8 +31,12 @@ data:
 CODE_BUNDLE_BUCKET: {{ .Values.objectStorage.google.apiBucket | quote }}
 CODE_BUNDLE_BUCKET_PREFIX: "code-bundle/"
 BRAINSTORE_REALTIME_WAL_BUCKET: {{ .Values.objectStorage.google.brainstoreBucket | quote }}
+ {{- if .Values.api.enableGcsAuth }}
+ ENABLE_GCS_AUTH: "true"
+ {{- else }}
 AWS_ENDPOINT_URL: "https://storage.googleapis.com"
 {{- end }}
+ {{- end }}
 ALLOW_CODE_FUNCTION_EXECUTION: {{ .Values.api.allowCodeFunctionExecution | quote }}
 BRAINSTORE_ENABLED: "true"
diff --git a/braintrust/templates/api-deployment.yaml b/braintrust/templates/api-deployment.yaml
index 136534a..5a55c93 100644
--- a/braintrust/templates/api-deployment.yaml
+++ b/braintrust/templates/api-deployment.yaml
@@ -23,10 +23,16 @@ spec:
 {{- if eq .Values.cloud "azure" }}
 azure.workload.identity/use: "true"
 {{- end }}
+ {{- if and (eq .Values.cloud "google") .Values.api.enableGcsAuth }}
+ gke-workload-identity/use: "true"
+ {{- end }}
 {{- with (merge .Values.global.labels .Values.api.labels) }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
 annotations:
+ {{- if and (eq .Values.cloud "google") .Values.api.enableGcsAuth }}
+ iam.gke.io/gcp-service-account: {{ required "api.serviceAccount.googleServiceAccount is required when api.enableGcsAuth is true" .Values.api.serviceAccount.googleServiceAccount }}
+ {{- end }}
 {{- with .Values.api.annotations.pod }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
@@ -91,7 +97,7 @@ spec:
 name: braintrust-secrets
 key: AZURE_STORAGE_CONNECTION_STRING
 {{- end }}
- {{- if eq .Values.cloud "google" }}
+ {{- if and (eq .Values.cloud "google") (not .Values.api.enableGcsAuth) }}
 - name: AWS_ACCESS_KEY_ID
 valueFrom:
 secretKeyRef:
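Review bot: The rendered ConfigMap only carries `ENABLE_GCS_AUTH` when the flag is on; in the else branch the active storage-auth mode is expressed solely by the presence of `AWS_ENDPOINT_URL`, so a reader of the rendered object (or the application, if it distinguishes unset from false) has to infer it. Consider emitting `ENABLE_GCS_AUTH: "false"` next to `AWS_ENDPOINT_URL` in the `{{- else }}` branch so the key is always defined and the ConfigMap states which path is in use. The outer `{{- if` block that the added second `{{- end }}` closes begins before this hunk, so the pairing cannot be checked from the hunk alone.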
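Review bot: The added pod label `gke-workload-identity/use: "true"` does not correspond to any GKE Workload Identity mechanism I know of; on GKE the binding is driven by the `iam.gke.io/gcp-service-account` annotation on the ServiceAccount (which api-serviceaccount.yaml adds in this commit), not by a pod label the way `azure.workload.identity/use` is consumed on AKS, so the label looks inert. If it is meant only as a marker for the chart's own selectors or for operators, a template comment above it such as `{{- /* informational marker only; the Workload Identity binding is the ServiceAccount annotation */ -}}` would stop readers from expecting it to grant anything; otherwise it can be dropped. The pod-template annotation in the second added group is likewise redundant with the ServiceAccount annotation, but it matches the existing brainstore deployments, so keeping it is at least consistent.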
diff --git a/braintrust/templates/api-serviceaccount.yaml b/braintrust/templates/api-serviceaccount.yaml
index 082f959..6645e32 100644
--- a/braintrust/templates/api-serviceaccount.yaml
+++ b/braintrust/templates/api-serviceaccount.yaml
@@ -14,6 +14,9 @@ metadata:
 {{- if eq .Values.cloud "azure" }}
 azure.workload.identity/client-id: {{ .Values.api.serviceAccount.azureClientId }}
 {{- end }}
+ {{- if and (eq .Values.cloud "google") .Values.api.enableGcsAuth }}
+ iam.gke.io/gcp-service-account: {{ required "api.serviceAccount.googleServiceAccount is required when api.enableGcsAuth is true" .Values.api.serviceAccount.googleServiceAccount }}
+ {{- end }}
 {{- with .Values.api.annotations.serviceaccount }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
diff --git a/braintrust/templates/brainstore-reader-deployment.yaml b/braintrust/templates/brainstore-reader-deployment.yaml
index dd2f2ee..dc4fe1c 100644
--- a/braintrust/templates/brainstore-reader-deployment.yaml
+++ b/braintrust/templates/brainstore-reader-deployment.yaml
@@ -31,7 +31,7 @@ spec:
 {{- end }}
 annotations:
 {{- if eq .Values.cloud "google" }}
- iam.gke.io/gcp-service-account: {{ .Values.brainstore.serviceAccount.googleServiceAccount }}
+ iam.gke.io/gcp-service-account: {{ required "brainstore.serviceAccount.googleServiceAccount is required when cloud is google" .Values.brainstore.serviceAccount.googleServiceAccount }}
 {{- end }}
 {{- with .Values.brainstore.reader.annotations.pod }}
 {{- toYaml . | nindent 8 }}
diff --git a/braintrust/templates/brainstore-serviceaccount.yaml b/braintrust/templates/brainstore-serviceaccount.yaml
index c608ee5..2cabcd2 100644
--- a/braintrust/templates/brainstore-serviceaccount.yaml
+++ b/braintrust/templates/brainstore-serviceaccount.yaml
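Review bot: The `required "api.serviceAccount.googleServiceAccount is required when api.enableGcsAuth is true" ...` expression added here is repeated verbatim in api-deployment.yaml's pod annotations, so the two copies will drift the first time one message or condition is edited. A named template in the chart's helpers file (name illustrative: `braintrust.api.googleServiceAccount`) that wraps the `required` call, used as `{{ include "braintrust.api.googleServiceAccount" . }}` at both sites, keeps them in step. Since this ServiceAccount annotation is the one GKE actually honours for Workload Identity, it is also the natural place for a one-line template comment noting that the IAM binding from the named GSA to this KSA has to exist outside the chart for the annotation to have any effect.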
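Review bot: Wrapping the value in `required` here (and identically in brainstore-serviceaccount.yaml and brainstore-writer-deployment.yaml) turns what previously rendered with an empty annotation value into a hard install or upgrade failure for every `cloud: google` deployment that has not set `brainstore.serviceAccount.googleServiceAccount`. That is the right fail-fast for an identity setting, but unlike the opt-in `api.enableGcsAuth` path it is a behaviour change for existing installs, so it deserves a line in the chart's upgrade notes and a comment on the value in values.yaml saying it is mandatory on GKE. Piping the result through `| quote` would additionally keep the annotation a string whatever is supplied, matching the quoted `azure.workload.identity/use: "true"` style used nearby.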
@@ -15,7 +15,7 @@ metadata:
 azure.workload.identity/client-id: {{ .Values.brainstore.serviceAccount.azureClientId }}
 {{- end }}
 {{- if eq .Values.cloud "google" }}
- iam.gke.io/gcp-service-account: {{ .Values.brainstore.serviceAccount.googleServiceAccount }}
+ iam.gke.io/gcp-service-account: {{ required "brainstore.serviceAccount.googleServiceAccount is required when cloud is google" .Values.brainstore.serviceAccount.googleServiceAccount }}
 {{- end }}
 {{- with .Values.brainstore.serviceAccount.annotations }}
 {{- toYaml . | nindent 4 }}
diff --git a/braintrust/templates/brainstore-writer-deployment.yaml b/braintrust/templates/brainstore-writer-deployment.yaml
index 11294e4..c98dbc0 100644
--- a/braintrust/templates/brainstore-writer-deployment.yaml
+++ b/braintrust/templates/brainstore-writer-deployment.yaml
@@ -31,7 +31,7 @@ spec:
 {{- end }}
 annotations:
 {{- if eq .Values.cloud "google" }}
- iam.gke.io/gcp-service-account: {{ .Values.brainstore.serviceAccount.googleServiceAccount }}
+ iam.gke.io/gcp-service-account: {{ required "brainstore.serviceAccount.googleServiceAccount is required when cloud is google" .Values.brainstore.serviceAccount.googleServiceAccount }}
 {{- end }}
 {{- with .Values.brainstore.writer.annotations.pod }}
 {{- toYaml . | nindent 8 }}
diff --git a/braintrust/values.yaml b/braintrust/values.yaml
index f80a9a4..669f9dd 100644
--- a/braintrust/values.yaml
+++ b/braintrust/values.yaml
@@ -93,6 +93,9 @@ api:
 name: "braintrust-api"
 awsRoleArn: ""
 azureClientId: ""
+ googleServiceAccount: ""
+ # Enable native GCS authentication via workload identity (defaults to false for S3-compatible access)
+ enableGcsAuth: false
 resources:
 requests:
 cpu: "2"
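Review bot: The templates read the new flag as `.Values.api.enableGcsAuth`, but in this hunk `enableGcsAuth: false` is added directly after `googleServiceAccount: ""`, which sits under `api.serviceAccount` beside `awsRoleArn` and `azureClientId`; indentation is not recoverable from this rendering, so if the new key shares that indent it lands at `api.serviceAccount.enableGcsAuth` and every `if .Values.api.enableGcsAuth` condition in the templates silently stays false. Please confirm it is dedented to the `api:` level, the same level as the following `resources:`. The comment could also state the prerequisite the chart cannot satisfy itself, e.g. `# Requires an existing Workload Identity binding from the GSA in serviceAccount.googleServiceAccount to this chart's KSA`, so that a deploy that sets the flag without the binding is understood to fail at runtime rather than at render time.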