@@ -1414,16 +1414,18 @@ There are 3 options to provide cloud credentials on GCE:
14141414
14151415Notice that builds will be running in a single availability zone, so you must specify AvailabilityZone parameters.
14161416
1417- Install Runner using GCE Disks:
1418-
1419- ```
1420- codefresh runner init [options] --set-value=Storage.Backend=gcedisk \
1421- --set-value=Storage.AvailabilityZone=us-central1-a \
1422- [--kube-node-selector=failure-domain.beta.kubernetes.io/zone=us-central1-a \]
1423- --build-node-selector=failure-domain.beta.kubernetes.io/zone=us-central1-a \
1424- [--set-file=Storage.GoogleServiceAccount=/path/to/google-service-account.json]
1425- ```
14261417
1418+ ######Runner installation with GCE Disks (Google SA JSON key):
1419+ Using the Wizard:
1420+ ``` shell
1421+ codefresh runner init [options] \
1422+ --set-value=Storage.Backend=gcedisk \
1423+ --set-value=Storage.AvailabilityZone=us-central1-c \
1424+ --kube-node-selector=topology.kubernetes.io/zone=us-central1-c \
1425+ --build-node-selector=topology.kubernetes.io/zone=us-central1-c \
1426+ --set-file=Storage.GoogleServiceAccount=/path/to/google-service-account.json
1427+ ```
1428+ Using the values file:
14271429` values-example.yaml `
14281430{% highlight yaml %}
14291431{% raw %}
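Review bot: the new wizard block drops the `[...]` bracket notation that the removed lines used to mark `--kube-node-selector` and `--set-file=Storage.GoogleServiceAccount` as optional, so a reader can no longer tell which flags are required; either restore the brackets or add a sentence saying the JSON key is only needed when the cluster is not using Workload Identity (the alternative this patch documents in the next hunk). Two presentation points on the same lines: `######Runner installation with GCE Disks (Google SA JSON key):` has no space after the hashes, which CommonMark-based renderers need before they treat it as a heading, and the fence `` ``` shell `` (with a space) is safer written as `` ```shell ``. Because the key passed via `--set-file=Storage.GoogleServiceAccount=/path/to/google-service-account.json` is a long-lived credential that ends up in the runner's configuration, it would also help to tell the reader to grant that Google service account only the permissions the volume provisioner needs for GCE disks.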
@@ -1445,15 +1447,55 @@ codefresh runner init [options] --set-value=Storage.Backend=gcedisk \
14451447 "auth_provider_x509_cert_url": "...",
14461448 "client_x509_cert_url": "..."
14471449 }
1448- NodeSelector:failure-domain.beta .kubernetes.io/zone=us-central1-c
1450+ NodeSelector:topology .kubernetes.io/zone=us-central1-c
14491451...
14501452 Runtime:
14511453 NodeSelector: # dind and engine pods node-selector (--build-node-selector)
1452- failure-domain.beta .kubernetes.io/zone: us-central1-c
1454+ topology .kubernetes.io/zone: us-central1-c
14531455...
14541456{% endraw %}
14551457{% endhighlight %}
14561458
1459+ ``` shell
1460+ codefresh runner init [options] --values values-example.yaml
1461+ ```
1462+
1463+
1464+ ######Runner installation with GCE Disks (Workload Identity with IAM role):
1465+ ` values-example.yaml `
1466+ {% highlight yaml %}
1467+ {% raw %}
1468+ ...
1469+ ###Storage parameter example for GCE disks
1470+ Storage:
1471+ Backend: gcedisk
1472+ AvailabilityZone: us-central1-c
1473+ VolumeProvisioner:
1474+ ServiceAccount:
1475+ Annotations: #annotation to the volume-provisioner service account, using the email address of the Google service account
1476+ iam.gke.io/gcp-service-account: <GSA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com
1477+ NodeSelector: topology.kubernetes.io/zone=us-central1-c
1478+ ...
1479+ Runtime:
1480+ NodeSelector: # dind and engine pods node-selector (--build-node-selector)
1481+ topology.kubernetes.io/zone: us-central1-c
1482+ ...
1483+ {% endraw %}
1484+ {% endhighlight %}
1485+
1486+ Create the binding between Kubernetes service account and Google service account:
1487+ ``` shell
1488+ export K8S_NAMESPACE=codefresh
1489+ export KSA_NAME=volume-provisioner-runner
1490+ export GSA_NAME=< google_sa_name>
1491+ export PROJECT_ID=< google_project_name>
1492+
1493+ gcloud iam service-accounts add-iam-policy-binding \
1494+ --role roles/iam.workloadIdentityUser \
1495+ --member" serviceAccount:${PROJECT_ID} .svc.id.goog[${K8S_NAMESPACE} /${KSA_NAME} ]" \
1496+ ${GSA_NAME} @${PROJECT_ID} .iam.gserviceaccount.com
1497+ ```
1498+
14571499To configure existing Runner with GCE Disks follow this article:
14581500
14591501[ How-to: Configuring an existing Runtime Environment with GCE disks] ( https://support.codefresh.io/hc/en-us/articles/360016652900-How-to-Configuring-an-existing-Runtime-Environment-with-GCE-disks )
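Review bot: the `gcloud iam service-accounts add-iam-policy-binding` block at the end of this hunk does not run as written: `--member" serviceAccount:...` is missing the space between the flag and its value, and the stray spaces inside `${PROJECT_ID} .svc.id.goog[${K8S_NAMESPACE} /${KSA_NAME} ]` and `${GSA_NAME} @${PROJECT_ID} .iam.gserviceaccount.com` split the member and the service-account email into separate shell words (and would form an invalid member string even if quoted). The placeholder exports have the same defect: `export GSA_NAME=< google_sa_name>` is parsed by the shell as a redirection rather than an assignment. Suggested form:
`--member "serviceAccount:${PROJECT_ID}.svc.id.goog[${K8S_NAMESPACE}/${KSA_NAME}]" \`
`"${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"`
with the placeholders written as `<google_sa_name>` / `<google_project_name>` and a note that they must be replaced before the command is run. The same stray-space typo is carried into both `NodeSelector` lines this hunk changes (`topology .kubernetes.io/zone`), which were already broken before the patch and should be fixed while the lines are being touched; `NodeSelector:topology` also lacks the space after the colon, so neither selector can be copied into a working values file. For the Workload Identity example, the text should state that `K8S_NAMESPACE` and `KSA_NAME` must match the namespace the runner is installed into and the name of the volume-provisioner Kubernetes service account that receives the `iam.gke.io/gcp-service-account` annotation: the binding command accepts any member string, so a mismatch succeeds silently and the provisioner simply runs without GCP credentials. Finally, since `roles/iam.workloadIdentityUser` lets every pod running under that Kubernetes service account act as the Google service account, the doc should recommend that the GSA hold only the permissions needed to provision GCE disks.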