@@ -1414,16 +1414,17 @@ There are 3 options to provide cloud credentials on GCE:
14141414
14151415Notice that builds will be running in a single availability zone, so you must specify AvailabilityZone parameters.
14161416
1417- Install Runner using GCE Disks:
14181417
1419- ```
1418+ ######Runner installation with GCE Disks (Google SA JSON key):
1419+ Using the Wizard:
1420+ ``` shell
14201421codefresh runner init [options] --set-value=Storage.Backend=gcedisk \
1421- --set-value=Storage.AvailabilityZone=us-central1-a \
1422- [ --kube-node-selector=failure-domain.beta. kubernetes.io/zone=us-central1-a \]
1423- --build-node-selector=failure-domain.beta. kubernetes.io/zone=us-central1-a \
1424- [ --set-file=Storage.GoogleServiceAccount=/path/to/google-service-account.json]
1422+ --set-value=Storage.AvailabilityZone=us-central1-c \
1423+ --kube-node-selector=topology. kubernetes.io/zone=us-central1-c \
1424+ --build-node-selector=topology. kubernetes.io/zone=us-central1-c \
1425+ --set-file=Storage.GoogleServiceAccount=/path/to/google-service-account.json
14251426```
1426-
1427+ Using the values file:
14271428` values-example.yaml `
14281429{% highlight yaml %}
14291430{% raw %}
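Review bot: the label key in the new `--kube-node-selector` and `--build-node-selector` lines contains a stray space (`topology. kubernetes.io/zone=us-central1-c`), which is not a valid Kubernetes label key and would make the selector match no nodes; both should read `topology.kubernetes.io/zone=us-central1-c`. Two smaller points in the same hunk: the new heading `######Runner installation with GCE Disks (Google SA JSON key):` has no space after the hashes, which most Markdown renderers (including kramdown in strict mode) will not treat as a heading, and the removed `[ ... ]` brackets previously marked the node-selector and `--set-file` flags as optional; since the new text presents all of them as required, a one-line note that the service-account key file is only needed when the runner is not using Workload Identity would keep the two installation variants clearly distinguished.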
@@ -1445,15 +1446,55 @@ codefresh runner init [options] --set-value=Storage.Backend=gcedisk \
14451446 "auth_provider_x509_cert_url": "...",
14461447 "client_x509_cert_url": "..."
14471448 }
1448- NodeSelector: failure-domain.beta.kubernetes.io/zone=us-central1-c
1449+ NodeSelector: topology.kubernetes.io/zone=us-central1-c
1450+ ...
1451+ Runtime:
1452+ NodeSelector: # dind and engine pods node-selector (--build-node-selector)
1453+ topology.kubernetes.io/zone: us-central1-c
1454+ ...
1455+ {% endraw %}
1456+ {% endhighlight %}
1457+
1458+ ``` shell
1459+ codefresh runner init [options] --values values-example.yaml
1460+ ```
1461+
1462+
1463+ ######Runner installation with GCE Disks (Workload Identity with IAM role):
1464+ ` values-example.yaml `
1465+ {% highlight yaml %}
1466+ {% raw %}
1467+ ...
1468+ ###Storage parameter example for GCE disks
1469+ Storage:
1470+ Backend: gcedisk
1471+ AvailabilityZone: us-central1-c
1472+ VolumeProvisioner:
1473+ ServiceAccount:
1474+ Annotations: #annotation to the volume-provisioner service account, using the email address of the Google service account
1475+ iam.gke.io/gcp-service-account: <GSA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com
1476+ NodeSelector: topology.kubernetes.io/zone=us-central1-c
14491477...
14501478 Runtime:
14511479 NodeSelector: # dind and engine pods node-selector (--build-node-selector)
1452- failure-domain.beta .kubernetes.io/zone: us-central1-c
1480+ topology .kubernetes.io/zone: us-central1-c
14531481...
14541482{% endraw %}
14551483{% endhighlight %}
14561484
1485+ Create the binding between Kubernetes service account and Google service account:
1486+ ``` shell
1487+ export K8S_NAMESPACE=codefresh
1488+ export KSA_NAME=volume-provisioner-runner
1489+ export GSA_NAME=< google_sa_name>
1490+ export PROJECT_ID=< google_project_name>
1491+
1492+ gcloud iam service-accounts add-iam-policy-binding \
1493+ --role roles/iam.workloadIdentityUser \
1494+ --member" serviceAccount:${PROJECT_ID} .svc.id.goog[${K8S_NAMESPACE} /${KSA_NAME} ]" \
1495+ ${GSA_NAME} @${PROJECT_ID} .iam.gserviceaccount.com
1496+ ```
1497+
14571498To configure existing Runner with GCE Disks follow this article:
14581499
14591500[ How-to: Configuring an existing Runtime Environment with GCE disks] ( https://support.codefresh.io/hc/en-us/articles/360016652900-How-to-Configuring-an-existing-Runtime-Environment-with-GCE-disks )
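Review bot: the `gcloud iam service-accounts add-iam-policy-binding` command in this hunk will not run as written: `--member"` is missing the space before the opening quote, and the member string and the final argument contain stray spaces (`${PROJECT_ID} .svc.id.goog[${K8S_NAMESPACE} /${KSA_NAME} ]` and `${GSA_NAME} @${PROJECT_ID} .iam.gserviceaccount.com`); they should read `--member "serviceAccount:${PROJECT_ID}.svc.id.goog[${K8S_NAMESPACE}/${KSA_NAME}]"` and `${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com`, and the placeholders `< google_sa_name>` / `< google_project_name>` should lose the leading space as well. The same stray-space problem appears in the Runtime node selector of the second values file (`topology .kubernetes.io/zone: us-central1-c`), which would become an invalid label key once applied. On documentation: the Workload Identity section shows the `iam.gke.io/gcp-service-account` annotation and the `workloadIdentityUser` binding, but does not say which Compute permissions the Google service account itself must hold to create and attach GCE disks, so a reader following only this section may end up with a correctly bound but unprivileged account; stating that requirement next to the binding step, and noting that this path avoids shipping the long-lived JSON key used in the first variant, would make the two options easier to choose between.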