From 28df38036093e5a51e0babea751d9946068b79ef Mon Sep 17 00:00:00 2001
From: Arnav Chopra
Date: Wed, 18 Mar 2026 12:11:56 -0400
Subject: [PATCH 1/2] feat(chart): Add GCP Workload Identity support for service accounts

Add GCP Workload Identity annotation support to both main and inference service accounts, following the same pattern as Azure PR #762.

Changes:
- service_account.yaml: Add iam.gke.io/gcp-service-account annotation using gcp.iam_service_account value
- service_account_inference.yaml: Add iam.gke.io/gcp-service-account annotation with fallback from gcp.inference_service_account to gcp.iam_service_account (allows separate SA for inference pods)

This enables proper GCP Workload Identity binding for model-engine pods on GKE clusters.

Implements SGPINF-1123
---
 charts/model-engine/templates/service_account.yaml | 5 +++++
 .../model-engine/templates/service_account_inference.yaml | 7 +++++++
 2 files changed, 12 insertions(+)

diff --git a/charts/model-engine/templates/service_account.yaml b/charts/model-engine/templates/service_account.yaml
index c226505f4..63ca6d270 100644
--- a/charts/model-engine/templates/service_account.yaml
+++ b/charts/model-engine/templates/service_account.yaml
@@ -16,6 +16,11 @@ metadata:
 {{- if $.Values.azure }}
 azure.workload.identity/client-id: {{ $.Values.azure.client_id }}
 {{- end }}
+ {{- if $.Values.gcp }}
+ {{- if $.Values.gcp.iam_service_account }}
+ iam.gke.io/gcp-service-account: {{ $.Values.gcp.iam_service_account }}
+ {{- end }}
+ {{- end }}
 {{- end }}
 {{- if $.Values.azure }}
 imagePullSecrets:
diff --git a/charts/model-engine/templates/service_account_inference.yaml b/charts/model-engine/templates/service_account_inference.yaml
index 712f9df57..4907a05d5 100644
--- a/charts/model-engine/templates/service_account_inference.yaml
+++ b/charts/model-engine/templates/service_account_inference.yaml
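Review bot: The added `iam.gke.io/gcp-service-account` value in service_account.yaml is rendered unquoted, so whatever string is set in `gcp.iam_service_account` is re-parsed as YAML after templating instead of being pinned as a string. Piping it through `quote` keeps the annotation a plain string and stops a stray `: ` or ` #` in the value from altering the manifest: `iam.gke.io/gcp-service-account: {{ $.Values.gcp.iam_service_account | quote }}`. The same applies to both annotation lines added in service_account_inference.yaml. The enclosing annotations block starts above this hunk, so how the value is indented under `annotations:` cannot be checked from here.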
@@ -20,6 +20,13 @@ metadata:
 azure.workload.identity/client-id: {{ $.Values.azure.client_id }}
 {{- end }}
 {{- end }}
+ {{- if $.Values.gcp }}
+ {{- if $.Values.gcp.inference_service_account }}
+ iam.gke.io/gcp-service-account: {{ $.Values.gcp.inference_service_account }}
+ {{- else if $.Values.gcp.iam_service_account }}
+ iam.gke.io/gcp-service-account: {{ $.Values.gcp.iam_service_account }}
+ {{- end }}
+ {{- end }}
 {{- end }}
 {{- if $.Values.azure }}
 imagePullSecrets:
From 470996739c5d128d429e2859018057a4095945f7 Mon Sep 17 00:00:00 2001
From: Arnav Chopra
Date: Tue, 24 Mar 2026 13:02:53 -0400
Subject: [PATCH 2/2] fix
---
 charts/model-engine/templates/service_account.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/charts/model-engine/templates/service_account.yaml b/charts/model-engine/templates/service_account.yaml
index 63ca6d270..dcf931357 100644
--- a/charts/model-engine/templates/service_account.yaml
+++ b/charts/model-engine/templates/service_account.yaml
@@ -10,9 +10,11 @@ metadata:
 namespace: {{- printf " %s" $namespace }}
 labels:
 {{- $labels | nindent 4 }}
- {{- with $annotations }}
+ {{- if or $annotations .Values.azure .Values.gcp }}
 annotations:
+ {{- with $annotations }}
 {{- toYaml . | nindent 4 }}
+ {{- end }}
 {{- if $.Values.azure }}
 azure.workload.identity/client-id: {{ $.Values.azure.client_id }}
 {{- end }}
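Review bot: The `else if` fallback in service_account_inference.yaml binds the inference ServiceAccount to `gcp.iam_service_account` whenever `gcp.inference_service_account` is unset, so by default inference pods get the same Google service account, and the same IAM permissions, as the main service. If inference pods run less-trusted model code than the control plane, that default works against least privilege and should at least be spelled out next to the branch, for example `{{- /* Falls back to gcp.iam_service_account; set gcp.inference_service_account to give inference pods a narrower identity. */}}`. Separately, the closing `{{- end }}` after the added block suggests it is still nested in an outer guard that starts above the hunk. If that guard is `{{- with $annotations }}`, the annotation is dropped when no other annotations are configured, and patch 2/2 corrects that only in service_account.yaml.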
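Review bot: The new guard `{{- if or $annotations .Values.azure .Values.gcp }}` in service_account.yaml reads `.Values` from the current context, while every other reference in this template, including the lines just below it, uses `$.Values`. The `$namespace` variable suggests the manifest is rendered inside a `range` that begins above the hunk; if so, `.` is the loop item at this point and the lookup would fail or come back empty, so `{{- if or $annotations $.Values.azure $.Values.gcp }}` is the safer form. The guard is also broader than the conditions inside it: with `gcp` set but no `iam_service_account`, and no other annotations or `azure` block, it renders a bare `annotations:` key with nothing under it.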