From 28df38036093e5a51e0babea751d9946068b79ef Mon Sep 17 00:00:00 2001 From: Arnav Chopra Date: Wed, 18 Mar 2026 12:11:56 -0400 Subject: [PATCH] feat(chart): Add GCP Workload Identity support for service accounts Add GCP Workload Identity annotation support to both main and inference service accounts, following the same pattern as Azure PR #762. Changes: - service_account.yaml: Add iam.gke.io/gcp-service-account annotation using gcp.iam_service_account value - service_account_inference.yaml: Add iam.gke.io/gcp-service-account annotation with fallback from gcp.inference_service_account to gcp.iam_service_account (allows separate SA for inference pods) This enables proper GCP Workload Identity binding for model-engine pods on GKE clusters. Implements SGPINF-1123 --- charts/model-engine/templates/service_account.yaml | 5 +++++ .../model-engine/templates/service_account_inference.yaml | 7 +++++++ 2 files changed, 12 insertions(+)
diff --git a/charts/model-engine/templates/service_account.yaml b/charts/model-engine/templates/service_account.yaml
index c226505f4..63ca6d270 100644
--- a/charts/model-engine/templates/service_account.yaml
+++ b/charts/model-engine/templates/service_account.yaml
@@ -16,6 +16,11 @@ metadata:
 {{- if $.Values.azure }}
 azure.workload.identity/client-id: {{ $.Values.azure.client_id }}
 {{- end }}
+ {{- if $.Values.gcp }}
+ {{- if $.Values.gcp.iam_service_account }}
+ iam.gke.io/gcp-service-account: {{ $.Values.gcp.iam_service_account }}
+ {{- end }}
+ {{- end }}
 {{- end }}
 {{- if $.Values.azure }}
 imagePullSecrets:
diff --git a/charts/model-engine/templates/service_account_inference.yaml b/charts/model-engine/templates/service_account_inference.yaml
index 712f9df57..4907a05d5 100644
--- a/charts/model-engine/templates/service_account_inference.yaml
+++ b/charts/model-engine/templates/service_account_inference.yaml
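Review bot: The added `iam.gke.io/gcp-service-account` line renders the value unquoted and unchecked, so a `gcp.iam_service_account` containing stray whitespace, ` #` or `: ` alters or breaks the rendered manifest instead of producing the intended string; I would write `iam.gke.io/gcp-service-account: {{ $.Values.gcp.iam_service_account | quote }}`, and the same applies to both annotation lines in service_account_inference.yaml. The annotation by itself grants nothing: the Google service account also needs a `roles/iam.workloadIdentityUser` binding for this Kubernetes service account's namespace and name, and the diffstat shows no values or documentation file touched, so a template comment such as `{{- /* GSA email; needs a roles/iam.workloadIdentityUser binding for this KSA */}}` above the line would record that. The new block sits inside an outer block that opens above the hunk, so whether the annotation is emitted at all depends on a condition not visible here.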
@@ -20,6 +20,13 @@ metadata:
 azure.workload.identity/client-id: {{ $.Values.azure.client_id }}
 {{- end }}
 {{- end }}
+ {{- if $.Values.gcp }}
+ {{- if $.Values.gcp.inference_service_account }}
+ iam.gke.io/gcp-service-account: {{ $.Values.gcp.inference_service_account }}
+ {{- else if $.Values.gcp.iam_service_account }}
+ iam.gke.io/gcp-service-account: {{ $.Values.gcp.iam_service_account }}
+ {{- end }}
+ {{- end }}
 {{- end }}
 {{- if $.Values.azure }}
 imagePullSecrets:
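Review bot: The `else if` branch binds the inference service account to the main `gcp.iam_service_account` whenever `gcp.inference_service_account` is unset, so inference pods silently receive whatever GCP permissions the main model-engine identity holds. If inference pods are meant to run with a narrower identity (the commit message describes the separate SA as optional), that default works against least privilege, and an operator who forgets the inference value gets no signal that the identity is shared. At minimum I would document it above the branch with `{{- /* fallback: inference pods share the main GCP identity unless gcp.inference_service_account is set */}}`; making the sharing an explicit opt-in value would be the stricter option. The enclosing block opens above the hunk, so the condition guarding these annotations is not visible here.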