Add GCP Workload Identity annotation support to both main and inference service accounts, following the same pattern as Azure PR #762.

Changes:
- service_account.yaml: Add iam.gke.io/gcp-service-account annotation using gcp.iam_service_account value
- service_account_inference.yaml: Add iam.gke.io/gcp-service-account annotation with fallback from gcp.inference_service_account to gcp.iam_service_account (allows separate SA for inference pods)

This enables proper GCP Workload Identity binding for model-engine pods on GKE clusters.

Implements SGPINF-1123
lilyz-ai approved these changes Mar 24, 2026
Greptile Summary
This PR adds GCP Workload Identity Federation (WIF) support to the Helm chart by annotating both Kubernetes Service Accounts with the required `iam.gke.io/gcp-service-account` annotation.

Key changes:

- `service_account.yaml`: Fixes the annotation guard so the `annotations:` block renders whenever any of `$annotations`, `.Values.azure`, or `.Values.gcp` is set — correctly addressing the previously identified bug where the GCP annotation was silently dropped if no base annotations were configured.
- `service_account_inference.yaml`: Adds GCP WIF support for the inference SA with a sensible two-level lookup: `gcp.inference_service_account` takes priority, falling back to the shared `gcp.iam_service_account`. The block is placed inside the existing `{{- with $annotations }}` scope, which is safe since the outer `if` guard on line 1 already requires `serviceTemplate.serviceAccountAnnotations` to be present.

One asymmetry to be aware of: the `service_account_inference.yaml` outer `if` still requires `serviceTemplate.serviceAccountAnnotations` to render the inference SA at all. GCP-only deployments without any base annotations to set on the inference SA will need to supply a non-empty `serviceAccountAnnotations` (e.g., a placeholder) to enable the inference SA. This is a pre-existing structural constraint — not introduced by this PR — but worth documenting in values files for GCP deployers.

Confidence Score: 4/5
Important Files Changed

| File | Overview |
| --- | --- |
| `service_account.yaml` | `{{- if or $annotations .Values.azure .Values.gcp }}`, ensuring the `annotations:` block renders whenever GCP, Azure, or base annotations are configured — regardless of whether base annotations are present. |
| `service_account_inference.yaml` | `gcp.inference_service_account` → `gcp.iam_service_account`. The block is correctly placed inside the existing `{{- with $annotations }}` scope, which is always truthy when reached due to the outer guard requiring `serviceAccountAnnotations`. |

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Helm Template Render] --> B{service_account.yaml}
    A --> C{service_account_inference.yaml}
    B --> D{"or $annotations\n.Values.azure\n.Values.gcp"}
    D -- "true" --> E[Render annotations block]
    D -- "false" --> F[No annotations key]
    E --> G{"$annotations set?"}
    G -- "yes" --> H[Render base annotations]
    G -- "no" --> I[Skip]
    E --> J{".Values.azure?"}
    J -- "yes" --> K["azure.workload.identity/client-id"]
    J -- "no" --> L[Skip]
    E --> M{".Values.gcp?"}
    M -- "yes" --> N{".Values.gcp.iam_service_account?"}
    N -- "yes" --> O["iam.gke.io/gcp-service-account\n= iam_service_account"]
    N -- "no" --> P[Skip GCP annotation]
    M -- "no" --> Q[Skip]
    C --> R{"outer if: serviceTemplate\n+ createServiceAccount\n+ serviceAccountAnnotations\n+ serviceAccountName\n+ endpoint_namespace"}
    R -- "ALL true" --> S["{{- with $annotations }}"]
    R -- "any false" --> T[No SA rendered]
    S --> U[Render base annotations]
    S --> V{".Values.gcp?"}
    V -- "yes" --> W{".Values.gcp.inference_service_account?"}
    W -- "yes" --> X["iam.gke.io/gcp-service-account\n= inference_service_account"]
    W -- "no" --> Y{".Values.gcp.iam_service_account?"}
    Y -- "yes" --> Z["iam.gke.io/gcp-service-account\n= iam_service_account"]
    Y -- "no" --> AA[Skip]
    V -- "no" --> AB[Skip]
```

Reviews (2): Last reviewed commit: "fix"
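The guard change and the two-level lookup discussed in the review above, as an added example in Go. This is not the chart's template or the project's code; it is a reconstruction of the behaviour the review describes, rendered with Go's text/template the way `helm template` does in non-strict mode (`missingkey=zero`; no sprig functions are needed). The values keys `serviceAccountName` and `serviceAccountAnnotations` for the main SA, the placeholder annotation, and the service-account e-mail addresses are assumptions of the example, and the Azure branch is left out. Rendering a GCP-only values set shows the old `with $annotations` guard dropping `iam.gke.io/gcp-service-account`, the PR's `or` guard emitting it, and the inference template falling back from `gcp.inference_service_account` to `gcp.iam_service_account` while rendering nothing at all when `serviceAccountAnnotations` is absent.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Values stands in for values.yaml; the key layout used below is an assumption of this example.
type Values map[string]any
// Constructed identities in the form GKE expects; not real accounts.
const (
	gkeAnnotation = "iam.gke.io/gcp-service-account"
	mainGSA       = "model-engine@example-project.iam.gserviceaccount.com"
	inferenceGSA  = "model-engine-inference@example-project.iam.gserviceaccount.com"
)
// Main SA template, split so the old and the PR version differ only in the guard line.
const mainHead = `apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Values.serviceAccountName }}
  {{- $annotations := .Values.serviceAccountAnnotations }}`
const mainBody = `
  annotations:
    {{- with $annotations }}
    {{- range $k, $v := . }}
    {{ $k }}: {{ $v }}
    {{- end }}
    {{- end }}
    {{- if and $.Values.gcp $.Values.gcp.iam_service_account }}
    iam.gke.io/gcp-service-account: {{ $.Values.gcp.iam_service_account }}
    {{- end }}
  {{- end }}
`
// Old guard: annotations: renders only when base annotations exist, so GCP-only deployments lose the GKE annotation.
var buggyMainSA = mainHead + "\n  {{- with $annotations }}" + mainBody
var fixedMainSA = mainHead + "\n  {{- if or $annotations .Values.gcp }}" + mainBody
// Inference SA: the pre-existing outer guard (serviceAccountAnnotations must be set or
// no SA renders) plus the PR's two-level lookup, inference_service_account first.
const inferenceSA = `{{- $st := .Values.serviceTemplate }}
{{- if and $st $st.createServiceAccount $st.serviceAccountAnnotations $st.serviceAccountName $st.endpoint_namespace }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ $st.serviceAccountName }}
  namespace: {{ $st.endpoint_namespace }}
  {{- with $st.serviceAccountAnnotations }}
  annotations:
    {{- range $k, $v := . }}
    {{ $k }}: {{ $v }}
    {{- end }}
    {{- with $.Values.gcp }}
    {{- if .inference_service_account }}
    iam.gke.io/gcp-service-account: {{ .inference_service_account }}
    {{- else if .iam_service_account }}
    iam.gke.io/gcp-service-account: {{ .iam_service_account }}
    {{- end }}
    {{- end }}
  {{- end }}
{{- end }}
`
// gcpOnly: no base annotations on the main SA (the case the old guard got wrong); the
// inference SA carries the placeholder annotation the review says GCP-only deployers need.
var gcpOnly = Values{
	"serviceAccountName": "model-engine",
	"gcp":                map[string]any{"iam_service_account": mainGSA},
	"serviceTemplate": map[string]any{
		"createServiceAccount": true, "serviceAccountName": "model-engine-inference",
		"endpoint_namespace":        "model-endpoints",
		"serviceAccountAnnotations": map[string]string{"example.com/placeholder": "true"},
	},
}
// renderAnnotations executes src against {Values: v} as helm template does in non-strict mode
// and returns metadata.annotations plus whether an annotations: block was emitted at all.
func renderAnnotations(src string, v Values) (map[string]string, bool, error) {
	t, err := template.New("sa").Option("missingkey=zero").Parse(src)
	if err != nil {
		return nil, false, err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, map[string]any{"Values": v}); err != nil {
		return nil, false, err
	}
	ann, seen := map[string]string{}, false
	for _, raw := range strings.Split(sb.String(), "\n") {
		if line := strings.TrimSpace(raw); line == "annotations:" {
			seen = true
		} else if k, val, ok := strings.Cut(line, ": "); ok && seen && strings.HasPrefix(raw, "    ") {
			ann[k] = val // every 4-space-indented line after annotations: is an annotation here
		}
	}
	return ann, seen, nil
}

func main() {
	for _, c := range []struct{ name, src string }{{"old guard", buggyMainSA}, {"PR guard", fixedMainSA}, {"inference", inferenceSA}} {
		ann, seen, err := renderAnnotations(c.src, gcpOnly)
		fmt.Printf("%-9s annotations block=%v %s=%q err=%v\n", c.name, seen, gkeAnnotation, ann[gkeAnnotation], err)
	}
}
```

`go run` prints one line per template for the GCP-only values. Against the real chart the equivalent check is `helm template` with a values file that sets `gcp.iam_service_account` and no base annotations, then confirming the rendered ServiceAccount carries `iam.gke.io/gcp-service-account`; the annotation only takes effect if the named GSA also grants `roles/iam.workloadIdentityUser` to `serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]` for that Kubernetes service account.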