From d194e3988bc030b9d522831fcfb9dd4a88b00ca2 Mon Sep 17 00:00:00 2001
From: Jeff McCollum
Date: Mon, 22 Dec 2025 12:10:04 -0600
Subject: [PATCH 1/3] support workload identity for API

---
 braintrust/templates/api-configmap.yaml | 5 +++++
 braintrust/templates/api-deployment.yaml | 8 +++++++-
 braintrust/templates/api-serviceaccount.yaml | 3 +++
 braintrust/values.yaml | 1 +
 4 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/braintrust/templates/api-configmap.yaml b/braintrust/templates/api-configmap.yaml
index 04202c4..9149078 100644
--- a/braintrust/templates/api-configmap.yaml
+++ b/braintrust/templates/api-configmap.yaml
@@ -31,8 +31,13 @@ data:
 CODE_BUNDLE_BUCKET: {{ .Values.objectStorage.google.apiBucket | quote }}
 CODE_BUNDLE_BUCKET_PREFIX: "code-bundle/"
 BRAINSTORE_REALTIME_WAL_BUCKET: {{ .Values.objectStorage.google.brainstoreBucket | quote }}
+ {{- if .Values.api.serviceAccount.googleServiceAccount }}
+ GCS_SERVICE_ACCOUNT: {{ .Values.api.serviceAccount.googleServiceAccount | quote }}
+ {{- end }}
+ {{- if not .Values.api.serviceAccount.googleServiceAccount }}
 AWS_ENDPOINT_URL: "https://storage.googleapis.com"
 {{- end }}
+ {{- end }}
 ALLOW_CODE_FUNCTION_EXECUTION: {{ .Values.api.allowCodeFunctionExecution | quote }}
 BRAINSTORE_ENABLED: "true"
 
diff --git a/braintrust/templates/api-deployment.yaml b/braintrust/templates/api-deployment.yaml
index 136534a..82f0d7a 100644
--- a/braintrust/templates/api-deployment.yaml
+++ b/braintrust/templates/api-deployment.yaml
@@ -23,10 +23,16 @@ spec:
 {{- if eq .Values.cloud "azure" }}
 azure.workload.identity/use: "true"
 {{- end }}
+ {{- if and (eq .Values.cloud "google") .Values.api.serviceAccount.googleServiceAccount }}
+ gke-workload-identity/use: "true"
+ {{- end }}
 {{- with (merge .Values.global.labels .Values.api.labels) }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
 annotations:
+ {{- if and (eq .Values.cloud "google") .Values.api.serviceAccount.googleServiceAccount }}
+ iam.gke.io/gcp-service-account: {{ .Values.api.serviceAccount.googleServiceAccount }}
+ {{- end }}
 {{- with .Values.api.annotations.pod }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
@@ -91,7 +97,7 @@ spec:
 name: braintrust-secrets
 key: AZURE_STORAGE_CONNECTION_STRING
 {{- end }}
- {{- if eq .Values.cloud "google" }}
+ {{- if and (eq .Values.cloud "google") (not .Values.api.serviceAccount.googleServiceAccount) }}
 - name: AWS_ACCESS_KEY_ID
 valueFrom:
 secretKeyRef:
diff --git a/braintrust/templates/api-serviceaccount.yaml b/braintrust/templates/api-serviceaccount.yaml
index 082f959..72e09e0 100644
--- a/braintrust/templates/api-serviceaccount.yaml
+++ b/braintrust/templates/api-serviceaccount.yaml
@@ -14,6 +14,9 @@ metadata:
 {{- if eq .Values.cloud "azure" }}
 azure.workload.identity/client-id: {{ .Values.api.serviceAccount.azureClientId }}
 {{- end }}
+ {{- if and (eq .Values.cloud "google") .Values.api.serviceAccount.googleServiceAccount }}
+ iam.gke.io/gcp-service-account: {{ .Values.api.serviceAccount.googleServiceAccount }}
+ {{- end }}
 {{- with .Values.api.annotations.serviceaccount }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
diff --git a/braintrust/values.yaml b/braintrust/values.yaml
index f80a9a4..bb2957f 100644
--- a/braintrust/values.yaml
+++ b/braintrust/values.yaml
@@ -93,6 +93,7 @@ api:
 name: "braintrust-api"
 awsRoleArn: ""
 azureClientId: ""
+ googleServiceAccount: ""
 resources:
 requests:
 cpu: "2"
From 961b140629508c7f6ec60e14a58d562ae786ab31 Mon Sep 17 00:00:00 2001
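Review bot: The pod-level `gke-workload-identity/use: "true"` label and the `iam.gke.io/gcp-service-account` pod annotation added in the first hunk are not, as far as I know, read by GKE Workload Identity; the binding GKE consumes is the `iam.gke.io/gcp-service-account` annotation on the ServiceAccount, which the api-serviceaccount hunk below already sets. If they are kept for operator visibility, a comment above them saying so would stop the next reader from assuming they carry the identity binding; if they are not needed, dropping them keeps the pod template minimal. Separately, the annotation value is rendered unquoted in both the deployment and the serviceaccount hunk while the ConfigMap renders the same value with `| quote`; `iam.gke.io/gcp-service-account: {{ .Values.api.serviceAccount.googleServiceAccount | quote }}` would be consistent and still composes with the `required` wrapping added later. The same lines are touched again in patch 2 (the condition rewrite) and patch 3 (the `required` guard), where both points still apply.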
From: Jeff McCollum
Date: Mon, 12 Jan 2026 17:05:19 -0600
Subject: [PATCH 2/3] control native gcs auth with value

---
 braintrust/templates/api-configmap.yaml | 7 +++----
 braintrust/templates/api-deployment.yaml | 6 +++---
 braintrust/templates/api-serviceaccount.yaml | 2 +-
 braintrust/values.yaml | 2 ++
 4 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/braintrust/templates/api-configmap.yaml b/braintrust/templates/api-configmap.yaml
index 9149078..9b090d3 100644
--- a/braintrust/templates/api-configmap.yaml
+++ b/braintrust/templates/api-configmap.yaml
@@ -31,10 +31,9 @@ data:
 CODE_BUNDLE_BUCKET: {{ .Values.objectStorage.google.apiBucket | quote }}
 CODE_BUNDLE_BUCKET_PREFIX: "code-bundle/"
 BRAINSTORE_REALTIME_WAL_BUCKET: {{ .Values.objectStorage.google.brainstoreBucket | quote }}
- {{- if .Values.api.serviceAccount.googleServiceAccount }}
- GCS_SERVICE_ACCOUNT: {{ .Values.api.serviceAccount.googleServiceAccount | quote }}
- {{- end }}
- {{- if not .Values.api.serviceAccount.googleServiceAccount }}
+ {{- if .Values.api.enableGcsAuth }}
+ ENABLE_GCS_AUTH: "true"
+ {{- else }}
 AWS_ENDPOINT_URL: "https://storage.googleapis.com"
 {{- end }}
 {{- end }}
diff --git a/braintrust/templates/api-deployment.yaml b/braintrust/templates/api-deployment.yaml
index 82f0d7a..4300866 100644
--- a/braintrust/templates/api-deployment.yaml
+++ b/braintrust/templates/api-deployment.yaml
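Review bot: `ENABLE_GCS_AUTH` is only emitted in the true branch, so a ConfigMap rendered for the S3-compatible path carries no record of which auth mode was selected; if the API treats an unset variable as false this works, but the chosen mode is then invisible when auditing the deployed object. Rendering `ENABLE_GCS_AUTH: {{ .Values.api.enableGcsAuth | quote }}` unconditionally and keeping only `AWS_ENDPOINT_URL` under `{{- if not .Values.api.enableGcsAuth }}` records the choice explicitly either way. The enclosing google block opens outside the hunk, and I cannot see from here how the API parses the variable, so confirm the consumer accepts a literal `"false"` before making that change.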
@@ -23,14 +23,14 @@ spec:
 {{- if eq .Values.cloud "azure" }}
 azure.workload.identity/use: "true"
 {{- end }}
- {{- if and (eq .Values.cloud "google") .Values.api.serviceAccount.googleServiceAccount }}
+ {{- if and (eq .Values.cloud "google") .Values.api.enableGcsAuth }}
 gke-workload-identity/use: "true"
 {{- end }}
 {{- with (merge .Values.global.labels .Values.api.labels) }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
 annotations:
- {{- if and (eq .Values.cloud "google") .Values.api.serviceAccount.googleServiceAccount }}
+ {{- if and (eq .Values.cloud "google") .Values.api.enableGcsAuth }}
 iam.gke.io/gcp-service-account: {{ .Values.api.serviceAccount.googleServiceAccount }}
 {{- end }}
 {{- with .Values.api.annotations.pod }}
@@ -97,7 +97,7 @@ spec:
 name: braintrust-secrets
 key: AZURE_STORAGE_CONNECTION_STRING
 {{- end }}
- {{- if and (eq .Values.cloud "google") (not .Values.api.serviceAccount.googleServiceAccount) }}
+ {{- if and (eq .Values.cloud "google") (not .Values.api.enableGcsAuth) }}
 - name: AWS_ACCESS_KEY_ID
 valueFrom:
 secretKeyRef:
diff --git a/braintrust/templates/api-serviceaccount.yaml b/braintrust/templates/api-serviceaccount.yaml
index 72e09e0..552de7b 100644
--- a/braintrust/templates/api-serviceaccount.yaml
+++ b/braintrust/templates/api-serviceaccount.yaml
@@ -14,7 +14,7 @@ metadata:
 {{- if eq .Values.cloud "azure" }}
 azure.workload.identity/client-id: {{ .Values.api.serviceAccount.azureClientId }}
 {{- end }}
- {{- if and (eq .Values.cloud "google") .Values.api.serviceAccount.googleServiceAccount }}
+ {{- if and (eq .Values.cloud "google") .Values.api.enableGcsAuth }}
 iam.gke.io/gcp-service-account: {{ .Values.api.serviceAccount.googleServiceAccount }}
 {{- end }}
 {{- with .Values.api.annotations.serviceaccount }}
diff --git a/braintrust/values.yaml b/braintrust/values.yaml
index bb2957f..669f9dd 100644
--- a/braintrust/values.yaml
+++ b/braintrust/values.yaml
@@ -94,6 +94,8 @@ api:
 awsRoleArn: ""
 azureClientId: ""
 googleServiceAccount: ""
+ # Enable native GCS authentication via workload identity (defaults to false for S3-compatible access)
+ enableGcsAuth: false
 resources:
 requests:
 cpu: "2"
From 5afd3eb4ddfe465508983f18b3996fe2501db735 Mon Sep 17 00:00:00 2001
From: Jeff McCollum
Date: Tue, 13 Jan 2026 14:50:24 -0600
Subject: [PATCH 3/3] Require service account when google for brainstore or for api when google and use gcs auth

---
 braintrust/templates/api-deployment.yaml | 2 +-
 braintrust/templates/api-serviceaccount.yaml | 2 +-
 braintrust/templates/brainstore-reader-deployment.yaml | 2 +-
 braintrust/templates/brainstore-serviceaccount.yaml | 2 +-
 braintrust/templates/brainstore-writer-deployment.yaml | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/braintrust/templates/api-deployment.yaml b/braintrust/templates/api-deployment.yaml
index 4300866..5a55c93 100644
--- a/braintrust/templates/api-deployment.yaml
+++ b/braintrust/templates/api-deployment.yaml
@@ -31,7 +31,7 @@ spec:
 {{- end }}
 annotations:
 {{- if and (eq .Values.cloud "google") .Values.api.enableGcsAuth }}
- iam.gke.io/gcp-service-account: {{ .Values.api.serviceAccount.googleServiceAccount }}
+ iam.gke.io/gcp-service-account: {{ required "api.serviceAccount.googleServiceAccount is required when api.enableGcsAuth is true" .Values.api.serviceAccount.googleServiceAccount }}
 {{- end }}
 {{- with .Values.api.annotations.pod }}
 {{- toYaml . | nindent 8 }}
diff --git a/braintrust/templates/api-serviceaccount.yaml b/braintrust/templates/api-serviceaccount.yaml
index 552de7b..6645e32 100644
--- a/braintrust/templates/api-serviceaccount.yaml
+++ b/braintrust/templates/api-serviceaccount.yaml
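Review bot: The comment on `enableGcsAuth` does not say that `serviceAccount.googleServiceAccount` must be set alongside it, even though the templates render an empty annotation without it and patch 3 turns that into a hard `required` failure; I would extend it to `# Enable native GCS authentication via Workload Identity. Requires serviceAccount.googleServiceAccount to be set. Defaults to false: S3-compatible access using the AWS_ACCESS_KEY_ID secret.` The `googleServiceAccount: ""` default added in patch 1 carries no comment at all, so a reader of values.yaml has to open the templates to learn it is the GSA email the ServiceAccount gets annotated with. As far as these hunks show the chart does not create the IAM binding between the Kubernetes ServiceAccount and that GSA, so one more sentence noting that the binding is configured outside the chart would save a failed first deploy.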
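Review bot: The `required` call with its full message is repeated verbatim across five templates (this hunk, the api-serviceaccount hunk, and the three brainstore hunks in this patch), so the condition and the message text now have to be kept in sync by hand. A named template per component that performs the `required` check and returns the GSA, invoked with `include` at each annotation, would keep the check in one place and let `| quote` be applied uniformly to the rendered value. The enclosing metadata block starts outside the hunk; this is a style point only, the guards themselves are correct and close a real gap where an empty value previously rendered a blank annotation.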
@@ -15,7 +15,7 @@ metadata:
 azure.workload.identity/client-id: {{ .Values.api.serviceAccount.azureClientId }}
 {{- end }}
 {{- if and (eq .Values.cloud "google") .Values.api.enableGcsAuth }}
- iam.gke.io/gcp-service-account: {{ .Values.api.serviceAccount.googleServiceAccount }}
+ iam.gke.io/gcp-service-account: {{ required "api.serviceAccount.googleServiceAccount is required when api.enableGcsAuth is true" .Values.api.serviceAccount.googleServiceAccount }}
 {{- end }}
 {{- with .Values.api.annotations.serviceaccount }}
 {{- toYaml . | nindent 4 }}
diff --git a/braintrust/templates/brainstore-reader-deployment.yaml b/braintrust/templates/brainstore-reader-deployment.yaml
index dd2f2ee..dc4fe1c 100644
--- a/braintrust/templates/brainstore-reader-deployment.yaml
+++ b/braintrust/templates/brainstore-reader-deployment.yaml
@@ -31,7 +31,7 @@ spec:
 {{- end }}
 annotations:
 {{- if eq .Values.cloud "google" }}
- iam.gke.io/gcp-service-account: {{ .Values.brainstore.serviceAccount.googleServiceAccount }}
+ iam.gke.io/gcp-service-account: {{ required "brainstore.serviceAccount.googleServiceAccount is required when cloud is google" .Values.brainstore.serviceAccount.googleServiceAccount }}
 {{- end }}
 {{- with .Values.brainstore.reader.annotations.pod }}
 {{- toYaml . | nindent 8 }}
diff --git a/braintrust/templates/brainstore-serviceaccount.yaml b/braintrust/templates/brainstore-serviceaccount.yaml
index c608ee5..2cabcd2 100644
--- a/braintrust/templates/brainstore-serviceaccount.yaml
+++ b/braintrust/templates/brainstore-serviceaccount.yaml
@@ -15,7 +15,7 @@ metadata:
 azure.workload.identity/client-id: {{ .Values.brainstore.serviceAccount.azureClientId }}
 {{- end }}
 {{- if eq .Values.cloud "google" }}
- iam.gke.io/gcp-service-account: {{ .Values.brainstore.serviceAccount.googleServiceAccount }}
+ iam.gke.io/gcp-service-account: {{ required "brainstore.serviceAccount.googleServiceAccount is required when cloud is google" .Values.brainstore.serviceAccount.googleServiceAccount }}
 {{- end }}
 {{- with .Values.brainstore.serviceAccount.annotations }}
 {{- toYaml . | nindent 4 }}
diff --git a/braintrust/templates/brainstore-writer-deployment.yaml b/braintrust/templates/brainstore-writer-deployment.yaml
index 11294e4..c98dbc0 100644
--- a/braintrust/templates/brainstore-writer-deployment.yaml
+++ b/braintrust/templates/brainstore-writer-deployment.yaml
@@ -31,7 +31,7 @@ spec:
 {{- end }}
 annotations:
 {{- if eq .Values.cloud "google" }}
- iam.gke.io/gcp-service-account: {{ .Values.brainstore.serviceAccount.googleServiceAccount }}
+ iam.gke.io/gcp-service-account: {{ required "brainstore.serviceAccount.googleServiceAccount is required when cloud is google" .Values.brainstore.serviceAccount.googleServiceAccount }}
 {{- end }}
 {{- with .Values.brainstore.writer.annotations.pod }}
 {{- toYaml . | nindent 8 }}