OSDOCS-14662:Updated Creating a cluster on GC with WIF auth for DITA compliance.

Author: AedinC

.vale.ini

@@ -1,5 +1,4 @@
 StylesPath = .vale/styles
-
 MinAlertLevel = suggestion
 
 Packages = RedHat, AsciiDoc, OpenShiftAsciiDoc, https://github.com/jhradilek/asciidoctor-dita-vale/releases/latest/download/AsciiDocDITA.zip

modules/create-wif-cluster-cli.adoc

@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * osd_install_access_delete_cluster/creating-a-gcp-cluster-with-workload-identity-federation.adoc
+// * osd_gcp_clusters/osd-creating-a-cluster-on-gcp-with-workload-identity-federation.adoc
 
 
 :_mod-docs-content-type: PROCEDURE
@@ -27,140 +27,6 @@ Before creating the cluster, you must first create a WIF configuration.
 Migrating an existing non-WIF cluster to a WIF configuration is not supported. This feature can only be enabled during new cluster creation.
 ====
 
-[id="create-wif-configuration_{context}"]
-== Creating a WIF configuration
-
-.Procedure
-You can create a WIF configuration using the `auto` mode or the `manual` mode.
-
-The `auto` mode enables you to automatically create the service accounts for {product-title} components as well as other IAM resources.
-
-Alternatively, you can use the `manual` mode. In `manual` mode, you are provided with commands within a `script.sh` file which you use to manually create the service accounts for {product-title} components as well as other IAM resources.
-
-* Based on your mode preference, run one of the following commands to create a WIF configuration:
-
-** Create a WIF configuration in auto mode by running the following command:
-+
-[source,terminal]
-----
-$ ocm gcp create wif-config --name <wif_name> \ <1>
-  --project <gcp_project_id> \ <2>
-  --version <osd_version> <3>
-  --federated-project <gcp_project_id> <4>
-----
-<1> Replace `<wif_name>` with the name of your WIF configuration.
-<2> Replace `<gcp_project_id>` with the ID of the {GCP} project where the WIF configuration will be implemented.
-<3> Optional: Replace `<osd_version>` with the desired {product-title} version the wif-config will need to support. If you do not specify a version, the wif-config will support the latest {product-title} y-stream version as well as the last three supported {product-title} y-stream versions (beginning with version 4.17).
-<4> Optional: Replace `<gcp_project_id>` with the ID of the dedicated project where the workload identity pools and providers will be created and managed. If the `--federated-project` flag is not specified, the workload identity pools and providers will be created and managed in the project specified by the `--project` flag.
-
-+
-
-[NOTE]
-=====
-Using a dedicated project to create and manage workload identity pools and providers is recommended by {GCP}.
-Using a dedicated project helps you to establish centralized governance over the configuration of workload identity pools and providers, enforce uniform attribute mappings and conditions throughout all projects and applications, and ensure that only authorized identity providers can authenticate with WIF.
-
-For more information, see link:https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#dedicated-project[Use a dedicated project to manage workload identity pools and providers].
-=====
-+
-[IMPORTANT]
-====
-Creating and managing workload identity pools and providers in a dedicated project is only allowed during initial WIF configuration creation. The `--federated-project` flag cannot be applied to existing `wif-configs`.
-====
-+
---
-.Example output
-[source,terminal]
-----
-2024/09/26 13:05:41 Creating workload identity configuration...
-2024/09/26 13:05:47 Workload identity pool created with name 2e1kcps6jtgla8818vqs8tbjjls4oeub
-2024/09/26 13:05:47 workload identity provider created with name oidc
-2024/09/26 13:05:48 IAM service account osd-worker-oeub created
-2024/09/26 13:05:49 IAM service account osd-control-plane-oeub created
-2024/09/26 13:05:49 IAM service account openshift-gcp-ccm-oeub created
-2024/09/26 13:05:50 IAM service account openshift-gcp-pd-csi-driv-oeub created
-2024/09/26 13:05:50 IAM service account openshift-image-registry-oeub created
-2024/09/26 13:05:51 IAM service account openshift-machine-api-gcp-oeub created
-2024/09/26 13:05:51 IAM service account osd-deployer-oeub created
-2024/09/26 13:05:52 IAM service account cloud-credential-operator-oeub created
-2024/09/26 13:05:52 IAM service account openshift-cloud-network-c-oeub created
-2024/09/26 13:05:53 IAM service account openshift-ingress-gcp-oeub created
-2024/09/26 13:05:55 Role "osd_deployer_v4.19" updated
-----
---
-+
-** Create a WIF configuration in manual mode by running the following command:
-+
-[source,terminal]
-----
-$ ocm gcp create wif-config --name <wif_name> \ <1>
-  --project <gcp_project_id> \ <2>
-  --mode=manual
-----
-<1> Replace `<wif_name>` with the name of your WIF configuration.
-<2> Replace `<gcp_project_id>` with the ID  of the {GCP} project where the WIF configuration will be implemented.
-+
-Once the WIF is configured, the following service accounts, roles, and groups are created.
-+
-[NOTE]
-====
-Red{nbsp}Hat custom roles are versioned with every OpenShift y-stream release, for example 4.19.
-====
-+
-.WIF configuration service accounts, group and roles
-[cols="2a,3a",options="header"]
-|===
-
-|Service Account/Group
-|{gcp-short} pre-defined roles and Red Hat custom roles
-
-
-|osd-deployer
-|osd_deployer_v<y-stream-version>
-
-|osd-control-plane
-|- compute.instanceAdmin
-- compute.networkAdmin
-- compute.securityAdmin
-- compute.storageAdmin
-
-|osd-worker
-|- compute.storageAdmin
-- compute.viewer
-
-|cloud-credential-operator-gcp-ro-creds
-|cloud_credential_operator_gcp_ro_creds_v<y-stream-version>
-
-|openshift-cloud-network-config-controller-gcp
-|openshift_cloud_network_config_controller_gcp_v<y-stream-version>
-
-|openshift-gcp-ccm
-|openshift_gcp_ccm_v<y-stream-version>
-
-|openshift-gcp-pd-csi-driver-operator
-|- compute.storageAdmin
-- iam.serviceAccountUser
-- resourcemanager.tagUser
-- openshift_gcp_pd_csi_driver_operator_v<y-stream-version>
-
-|openshift-image-registry-gcp
-|openshift_image_registry_gcs_v<y-stream-version>
-
-|openshift-ingress-gcp
-|openshift_ingress_gcp_v<y-stream-version>
-
-|openshift-machine-api-gcp
-|openshift_machine_api_gcp_v<y-stream-version>
-
-|Access via SRE group:sd-sre-platform-gcp-access
-|sre_managed_support
-|===
-
-For the complete list of WIF configuration roles and their assigned permissions, see link:https://github.com/openshift/managed-cluster-config/blob/master/resources/wif/4.19/vanilla.yaml[managed-cluster-config].
-
-[id="create-wif-cluster_{context}"]
-== Creating a WIF cluster
-
 .Procedure
 You can create a WIF cluster using the `interactive` mode or the `non-interactive` mode.
 
@@ -227,176 +93,4 @@ If an {product-title} version is specified, the version must also be supported b
 ====
 If your cluster deployment fails during installation, certain resources created during the installation process are not automatically removed from your {GCP} account. To remove these resources from your {gcp-short} account, you must delete the failed cluster.
 ====
-
-[id="ocm-cli-list-wif-commands_{context}"]
-== Listing WIF clusters
-
-To list all of your {product-title} clusters that have been deployed using the WIF authentication type, run the following command:
-
-[source,terminal]
-----
-$ ocm list clusters --parameter search="gcp.authentication.wif_config_id != ''"
-----
-To list all of your {product-title} clusters that have been deployed using a specific wif-config, run the following command:
-[source,terminal]
-----
-$ ocm list clusters --parameter search="gcp.authentication.wif_config_id = '<wif_config_id>'" <1>
-----
-<1> Replace `<wif_config_id>` with the ID of the WIF configuration.
-
-[id="wif-configuration-update_{context}"]
-== Updating a WIF configuration
-
-[NOTE]
-====
-Updating a WIF configuration is only applicable for y-stream updates. For an overview of the update process, including details regarding version semantics, see link:https://www.redhat.com/en/blog/the-ultimate-guide-to-openshift-release-and-upgrade-process-for-cluster-administrators#:~:text=Ongoing%20security%20patches%20and%20bug,is%20the%20dark%20green%20bar.[The Ultimate Guide to OpenShift Release and Upgrade Process for Cluster Administrators].
-====
-Before upgrading a WIF-enabled {product-title} cluster to a newer version, you must update the wif-config to that version as well. If you do not update the wif-config version before attempting to upgrade the cluster version, the cluster version upgrade will fail.
-
-As part of Red{nbsp}Hat's ongoing commitment to the principle of least privilege, certain permissions previously assigned to the `osd-deployer` service account in WIF configurations have been removed. These changes help enhance the security of your clusters by ensuring that service accounts have only the permissions they need to perform their functions.
-
-For the complete list of WIF configuration roles and their assigned permissions, see link:https://github.com/openshift/managed-cluster-config/blob/master/resources/wif/4.19/vanilla.yaml[managed-cluster-config].
-
-To align your existing WIF configurations with these updated permissions, you can run the `ocm gcp update wif-config` command. This command updates the WIF configuration to include the latest permissions and roles required for optimal operation.
-
-When you update a wif-config or create a new one, ensure your {cluster-manager} CLI (`ocm`) is up to date. Not updating to the latest version of the `ocm` can result in error messages and service disruptions.
-
-.Example output
-[source,text]
-----
-Error: failed to create wif-config: failed to create wif-config: status is 400, identifier is '400', code is 'CLUSTERS-MGMT-400', at '2025-10-06T15:18:37Z' and operation identifier is 'f9551d63-a58a-4e3c-b847-5f99ba1b0b74': Client version is out of date for WIF operations. Please update from vOCM-CLI/1.0.7 to v1.0.8 and try again.
-----
-
-.Procedure
-. To check the version of your `ocm`, run the following command:
-+
-[source,terminal]
-----
-$ ocm version
-----
-+
-. Optional: If your `ocm` version is not the latest available, download and install the latest version from the link:https://console.redhat.com/openshift/downloads[Downloads] page on {cluster-manager}.
-+
-. Update a wif-config to a specific {product-title} version by running the following command:
-+
-[source,terminal]
-----
-ocm gcp update wif-config <wif_name> \ <1>
---version <version> <2>
-----
-<1> Replace `<wif_name>` with the name of the WIF configuration you want to update.
-<2> Optional: Replace `<version>` with the {product-title} y-stream version you plan to update the cluster to. If you do not specify a version, the wif-config will be updated to support the latest {product-title} y-stream version as well as the last three {product-title} supported y-stream versions (beginning with version 4.17).
-
-[id="wif-removing-stale-permissions_{context}"]
-== Removing stale permissions from service accounts managed by a WIF configuration
-
-The stale set of permissions previously assigned to the `osd-deployer` service account will remain on the account after updating the wif-config. You need to manually access the roles and remove these stale permissions from them.
-
-[id="wif-removing-stale-deployer-permissions_{context}"]
-=== Removing stale deployer permissions from service accounts managed by a WIF configuration
-
-To remove the stale deployer permissions, run the following commands on a terminal with access to the {gcp-full} project hosting the service accounts.
-
-.Procedure
-
-. Retrieve the existing role definition, ensuring the `PROJECT_ID` environment variable points to your {gcp-full} project:
-+
-[source,terminal]
-----
-$ gcloud iam roles describe \
-  osd_deployer_v4.18 \
-  --project $PROJECT_ID \
-  --format=yaml > /tmp/role.yaml
-----
-+
-. Remove the unwanted permissions. You can do this by filtering out the unwanted permissions from the role definition file and saving the updated definition to a new file:
-+
-[source,terminal]
-----
-$ cat /tmp/role.yaml | \
-grep -v "resourcemanager.projects.setIamPolicy" | \
-grep -v "iam.serviceAccounts.signBlob" | \
-grep -v "iam.serviceAccounts.actAs" > /tmp/updated_role.yaml
-----
-+
-. Review the changes in the output between the original and updated role definitions to ensure only the unwanted permissions have been removed:
-+
-[source,terminal]
-----
-$ diff /tmp/role.yaml /tmp/updated_role.yaml
-----
-+
-. Update the role in {gcp-full} with the updated role definition file, ensuring the `PROJECT_ID` environment variable points to your {gcp-full} project:
-+
-[source,terminal]
-----
-$ gcloud iam roles update \
-  osd_deployer_v4.18 \
-  --project=$PROJECT_ID \
-  --file=/tmp/updated_role.yaml
-----
-
-[id="wif-removing-stale-support-permissions_{context}"]
-=== Removing stale support permissions from service accounts managed by a WIF configuration
-
-To remove stale support permissions, run the following commands on a terminal with access to the {gcp-full} project hosting the service accounts.
-
-.Procedure
-
-. Retrieve the existing role defintion, ensuring the `PROJECT_ID` environment variable points to your {gcp-full} project:
-+
-[source,terminal]
-----
-$ gcloud iam roles describe sre_managed_support --project $PROJECT_ID --format=yaml > /tmp/role.yaml
-----
-+
-. Remove the unwanted permissions. You can do this by filtering out the unwanted permissions from the role definition file and saving the updated definition to a new file:
-+
-[source,terminal]
-----
-$ cat /tmp/role.yaml | grep -v "compute.firewalls.create"  > /tmp/updated_role.yaml
-----
-+
-. Review the changes in the output between the original and updated role definitions to ensure only the unwanted permissions have been removed:
-+
-[source,terminal]
-----
-$ diff /tmp/role.yaml /tmp/updated_role.yaml
-----
-+
-. Update the role in {gcp-full} with the updated role definition file, ensuring the `PROJECT_ID` environment variable points to your {gcp-full} project:
-+
-[source,terminal]
-----
-$ gcloud iam roles update sre_managed_support --project $PROJECT_ID --file=/tmp/updated_role.yaml
-----
-
-[id="ocm-cli-verify-wif-commands_{context}"]
-== Verifying a WIF configuration
-You can verify that the configuration of resources associated with a WIF configuration are correct by running the `ocm gcp verify wif-config` command. If a misconfiguration is found, the output provides details about the misconfiguration and recommends that you update the WIF configuration.
-
-You need the name and ID of the WIF configuration you want to verify before verification.
-To obtain the name and ID of your active WIF configurations, run the following command:
-
-[source,terminal]
-----
-$ ocm gcp list wif-configs
-----
-
-To determine if the WIF configuration you want to verify is configured correctly, run the following command:
-
-[source,terminal]
-----
-$ ocm gcp verify wif-config <wif_config_name>|<wif_config_id> <1>
-----
-<1> Replace `<wif_config_name>` and `<wif_config_id>` with the name and ID of your WIF configuration, respectively.
-
---
-.Example output
-[source,terminal]
-----
-Error: verification failed with error: missing role 'compute.storageAdmin'.
-Running 'ocm gcp update wif-config' may fix errors related to cloud resource misconfiguration.
-exit status 1.
-----
---
+ 

modules/create-wif-cluster-ocm.adoc

@@ -1,12 +1,15 @@
 // Module included in the following assemblies:
 //
-// * osd_install_access_delete_cluster/creating-a-gcp-cluster-with-workload-identity-federation.adoc
+// * osd_gcp_clusters/osd-creating-a-cluster-on-gcp-with-workload-identity-federation.adoc
 
 
 :_mod-docs-content-type: PROCEDURE
 [id="create-wif-cluster-ocm_{context}"]
 = Creating a Workload Identity Federation cluster using {cluster-manager}
 
+[role="_abstract"]
+Follow the steps in this procedure to create an {product-title} cluster on {gcp-full} using Workload Identity Federation (WIF) for authentication through the {cluster-manager} web console
+
 .Procedure
 
 . Log in to {cluster-manager-url} and click *Create cluster* on the {product-title} card.