Customize stack runners
Configure runner pods to enable workload identity or EKS IRSA
All stacks are run in a dedicated pod to support seamless scalability and enhance security. That said, you'll likely need to customize the definitions of those pods for a few usecases:
- Needing to add wiring to meet your existing OPA policy constraints around things like custom labels or
securityContext - Needing to configure the pod with service accounts preconfigured for IRSA, GKE workload identity or similar secure cloud credential issuance systems
- Needing to use your own base image
The process is simple and can be done per-stack or globally
Configure the base image of your stack
All the stack runner images we provide are open source and available at https://github.com/pluralsh/deployment-operator. You're free to extend them and add any additional tools you want in the environment. Once that extended image is baked and published, you can reconfigure your stack CRD with:
apiVersion: deployments.plural.sh/v1alpha1
kind: InfrastructureStack
metadata:
name: gke-demo
namespace: stacks
spec:
name: gke-demo
type: TERRAFORM
...
configuration:
image: your.registry/stack-harness
tag: your-tagConfigure Runner for a single stack
The jobSpec field with a stack spec can configure that stacks runner, like so:
apiVersion: deployments.plural.sh/v1alpha1
kind: InfrastructureStack
metadata:
name: gke-demo
namespace: stacks
spec:
name: gke-demo
type: TERRAFORM
approval: true
detach: false
manageState: true
actor: console@plural.sh
configuration:
version: 1.8.2
repositoryRef:
name: fleet
namespace: fleets
clusterRef:
name: mgmt
namespace: infra
workdir: gke-cluster
git:
ref: main
folder: terraform
# add a service account and label
jobSpec:
serviceAccount: stacks
labels:
deployment.plural.sh/needed-label: "finally-set"The expectation being that the service account was preconfigured for IRSA like so: