Merge pull request #102371 from AedinC/OSDOCS-14662

OSDOCS-14662:CQA on Creating a cluster on GC with WIF auth guide

Author: AedinC

modules/create-wif-cluster-cli.adoc

@@ -1,12 +1,20 @@
 // Module included in the following assemblies:
 //
-// * osd_install_access_delete_cluster/creating-a-gcp-cluster-with-workload-identity-federation.adoc
+// * osd_gcp_clusters/osd-creating-a-cluster-on-gcp-with-workload-identity-federation.adoc
 
 
 :_mod-docs-content-type: PROCEDURE
 [id="create-wif-cluster-ocm_{context}"]
 = Creating a Workload Identity Federation cluster using {cluster-manager}
 
+[role="_abstract"]
+Follow the steps in this procedure to create an {product-title} cluster on {gcp-full} using Workload Identity Federation (WIF) for authentication through the {cluster-manager} web console
+
+.Prerequisites
+
+* You have created a WIF configuration. For more information, see "Creating a Workload Identity Federation configuration".
+* You have access to the {cluster-manager} web console. For more information, see _Accessing {cluster-manager}_ in the _Additional resources_ section.
+
 .Procedure
 
 . Log in to {cluster-manager-url} and click *Create cluster* on the {product-title} card.
@@ -30,26 +38,7 @@ Workload Identity Federation (WIF), {gcp-full}'s recommended method of authentic
 .. Read and complete all the required prerequisites.
 
 .. Click the checkbox indicating that you have read and completed all the required prerequisites.
-
-+
-. To create a new WIF configuration, open a terminal window and run the following OCM CLI command.
-+
-
-[source,terminal]
-----
-$ ocm gcp create wif-config --name <wif_name> \ <1>
-  --project <gcp_project_id> \ <2>
-  --version <osd_version> <3>
-  --federated-project <gcp_project_id> <4>
-----
-<1> Replace `<wif_name>` with the name of your WIF configuration.
-<2> Replace `<gcp_project_id>` with the ID of the {GCP} project where the WIF configuration will be implemented.
-<3> Optional: Replace `<osd_version>` with the desired {product-title} version the wif-config will need to support. If you do not specify a version, the wif-config will support the latest {product-title} y-stream version as well as the last three supported {product-title} y-stream versions (beginning with version 4.17).
-<4> Optional: Replace `<gcp_project_id>` with the ID of the dedicated project where the workload identity pools and providers will be created and managed. If `--federated-project` is not specified, the workload identity pools and providers will be created and managed in the project specified by the `--project flag`.
-+
-. Select a configured WIF configuration from the *WIF configuration* drop-down list. If you want to select the WIF configuration you created in the last step, click *Refresh* first.
-+
-
+. Select a configured WIF configuration from the *WIF configuration* drop-down list.
 . Click *Next*.
 . On the *Details* page, provide a name for your cluster and specify the cluster details:
 .. In the *Cluster name* field, enter a name for your cluster.
@@ -212,7 +201,7 @@ If the cluster privacy is set to *Private*, you cannot access your cluster until
 +
 [NOTE]
 ====
-You can review the end-of-life dates in the update lifecycle documentation for {product-title}. For more information, see link:https://access.redhat.com/documentation/en-us/openshift_dedicated/4/html/introduction_to_openshift_dedicated/policies-and-service-definition#osd-life-cycle[OpenShift Dedicated update life cycle].
+You can review the end-of-life dates in the update lifecycle documentation for {product-title}. For more information, see link:https://docs.redhat.com/en/documentation/openshift_dedicated/4/html/introduction_to_openshift_dedicated/policies-and-service-definition#osd-life-cycle[OpenShift Dedicated update life cycle].
 ====
 +
 .. Provide administrator approval based on your cluster update method:

modules/create-wif-cluster-ocm.adoc

@@ -0,0 +1,135 @@
+// Module included in the following assemblies:
+//
+// * osd_gcp_clusters/osd-creating-a-cluster-on-gcp-with-workload-identity-federation.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="create-wif-configuration_{context}"]
+= Creating a Workforce Identity Federation configuration
+
+[role="_abstract"]
+
+You can create a WIF configuration using the `auto` mode or the `manual` mode in the `ocm` CLI.
+
+The `auto` mode enables you to automatically create the service accounts for {product-title} components as well as other IAM resources.
+
+Alternatively, you can use the `manual` mode. In `manual` mode, you are provided with commands within a `script.sh` file which you use to manually create the service accounts for {product-title} components as well as other IAM resources.
+
+.Procedure
+
+* Based on your mode preference, run one of the following commands to create a WIF configuration:
+
+** Create a WIF configuration in auto mode by running the following command:
++
+[source,terminal]
+----
+$ ocm gcp create wif-config --name <wif_name> \ <1>
+  --project <gcp_project_id> \ <2>
+  --version <osd_version> <3>
+  --federated-project <gcp_project_id> <4>
+----
+<1> Replace `<wif_name>` with the name of your WIF configuration.
+<2> Replace `<gcp_project_id>` with the ID of the {GCP} project where the WIF configuration will be implemented.
+<3> Optional: Replace `<osd_version>` with the desired {product-title} version the wif-config will need to support. If you do not specify a version, the wif-config will support the latest {product-title} y-stream version as well as the last three supported {product-title} y-stream versions (beginning with version 4.17).
+<4> Optional: Replace `<gcp_project_id>` with the ID of the dedicated project where the workload identity pools and providers will be created and managed. If the `--federated-project` flag is not specified, the workload identity pools and providers will be created and managed in the project specified by the `--project` flag.
++
+[IMPORTANT]
+=====
+Using a dedicated project to create and manage workload identity pools and providers is recommended by {GCP}.
+Using a dedicated project helps you to establish centralized governance over the configuration of workload identity pools and providers, enforce uniform attribute mappings and conditions throughout all projects and applications, and ensure that only authorized identity providers can authenticate with WIF.
+
+Creating and managing workload identity pools and providers in a dedicated project is only allowed during initial WIF configuration creation. The `--federated-project` flag cannot be applied to existing `wif-configs`.
+
+For more information, see link:https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#dedicated-project[Use a dedicated project to manage workload identity pools and providers].
+=====
++
+--
+**Example output**
+[source,terminal]
+----
+2024/09/26 13:05:41 Creating workload identity configuration...
+2024/09/26 13:05:47 Workload identity pool created with name 2e1kcps6jtgla8818vqs8tbjjls4oeub
+2024/09/26 13:05:47 workload identity provider created with name oidc
+2024/09/26 13:05:48 IAM service account osd-worker-oeub created
+2024/09/26 13:05:49 IAM service account osd-control-plane-oeub created
+2024/09/26 13:05:49 IAM service account openshift-gcp-ccm-oeub created
+2024/09/26 13:05:50 IAM service account openshift-gcp-pd-csi-driv-oeub created
+2024/09/26 13:05:50 IAM service account openshift-image-registry-oeub created
+2024/09/26 13:05:51 IAM service account openshift-machine-api-gcp-oeub created
+2024/09/26 13:05:51 IAM service account osd-deployer-oeub created
+2024/09/26 13:05:52 IAM service account cloud-credential-operator-oeub created
+2024/09/26 13:05:52 IAM service account openshift-cloud-network-c-oeub created
+2024/09/26 13:05:53 IAM service account openshift-ingress-gcp-oeub created
+2024/09/26 13:05:55 Role "osd_deployer_v4.19" updated
+----
+--
++
+** Create a WIF configuration in manual mode by running the following command:
++
+[source,terminal]
+----
+$ ocm gcp create wif-config --name <wif_name> \ <1>
+  --project <gcp_project_id> \ <2>
+  --mode=manual
+----
+<1> Replace `<wif_name>` with the name of your WIF configuration.
+<2> Replace `<gcp_project_id>` with the ID  of the {GCP} project where the WIF configuration will be implemented.
++
+Once the WIF is configured, the following service accounts, roles, and groups are created.
++
+[NOTE]
+====
+Red{nbsp}Hat custom roles are versioned with every OpenShift y-stream release, for example 4.19.
+====
++
+.WIF configuration service accounts, group and roles
+[cols="2a,3a",options="header"]
+|===
+
+|Service Account/Group
+|{gcp-short} pre-defined roles and Red Hat custom roles
+
+
+|osd-deployer
+|osd_deployer_v<y-stream-version>
+
+|osd-control-plane
+|- compute.instanceAdmin
+- compute.networkAdmin
+- compute.securityAdmin
+- compute.storageAdmin
+
+|osd-worker
+|- compute.storageAdmin
+- compute.viewer
+
+|cloud-credential-operator-gcp-ro-creds
+|cloud_credential_operator_gcp_ro_creds_v<y-stream-version>
+
+|openshift-cloud-network-config-controller-gcp
+|openshift_cloud_network_config_controller_gcp_v<y-stream-version>
+
+|openshift-gcp-ccm
+|openshift_gcp_ccm_v<y-stream-version>
+
+|openshift-gcp-pd-csi-driver-operator
+|- compute.storageAdmin
+- iam.serviceAccountUser
+- resourcemanager.tagUser
+- openshift_gcp_pd_csi_driver_operator_v<y-stream-version>
+
+|openshift-image-registry-gcp
+|openshift_image_registry_gcs_v<y-stream-version>
+
+|openshift-ingress-gcp
+|openshift_ingress_gcp_v<y-stream-version>
+
+|openshift-machine-api-gcp
+|openshift_machine_api_gcp_v<y-stream-version>
+
+|Access via SRE group:sd-sre-platform-gcp-access
+|sre_managed_support
+|===
++
+For the complete list of WIF configuration roles and their assigned permissions, see link:https://github.com/openshift/managed-cluster-config/blob/master/resources/wif/4.19/vanilla.yaml[managed-cluster-config].
+
+

modules/create-wif-configuration.adoc

@@ -0,0 +1,31 @@
+// Module included in the following assemblies:
+//
+// * osd_gcp_clusters/osd-creating-a-cluster-on-gcp-with-workload-identity-federation.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="ocm-cli-list-wif-commands_{context}"]
+= Listing Workforce Identity Federation clusters
+
+[role="_abstract"]
+You can list {product-title} clusters that have been deployed using Workload Identity Federation (WIF) authentication by using the {cluster-manager} CLI (`ocm`).
+
+.Procedure
+
+* To list all of your {product-title} clusters that have been deployed using the WIF authentication type, run one of the following commands:
++
+** Using the `--parameter` flag with the `search` option:
++
+[source,terminal]
+----
+$ ocm list clusters --parameter search="gcp.authentication.wif_config_id != ''"
+----
++
+** Using a specific wif-config ID to filter the clusters associated with that configuration:
++
+[source,terminal]
+----
+$ ocm list clusters --parameter search="gcp.authentication.wif_config_id = '<wif_config_id>'" <1>
+----
+<1> Replace `<wif_config_id>` with the ID of the WIF configuration.
+
+

modules/ocm-cli-list-wif-commands.adoc

@@ -0,0 +1,37 @@
+// Module included in the following assemblies:
+//
+// * osd_gcp_clusters/osd-creating-a-cluster-on-gcp-with-workload-identity-federation.adoc
+
+:_mod-docs-content-type: PROCEDURE
+
+[id="ocm-cli-verify-wif-commands_{context}"]
+= Verifying a Workforce Identity Federation configuration
+
+[role="_abstract"]
+You can verify that the configuration of resources associated with a WIF configuration are correct by running the `ocm gcp verify wif-config` command. If a misconfiguration is found, the output provides details about the misconfiguration and recommends that you update the WIF configuration.
+
+You need the name and ID of the WIF configuration you want to verify before verification.
+To obtain the name and ID of your active WIF configurations, run the following command:
+
+[source,terminal]
+----
+$ ocm gcp list wif-configs
+----
+
+To determine if the WIF configuration you want to verify is configured correctly, run the following command:
+
+[source,terminal]
+----
+$ ocm gcp verify wif-config <wif_config_name>|<wif_config_id> <1>
+----
+<1> Replace `<wif_config_name>` and `<wif_config_id>` with the name and ID of your WIF configuration, respectively.
+
+--
+**Example output**
+[source,terminal]
+----
+Error: verification failed with error: missing role 'compute.storageAdmin'.
+Running 'ocm gcp update wif-config' may fix errors related to cloud resource misconfiguration.
+exit status 1.
+----
+--

modules/ocm-cli-verify-wif-commands.adoc

@@ -0,0 +1,57 @@
+// Module included in the following assemblies:
+//
+// * osd_gcp_clusters/osd-creating-a-cluster-on-gcp-with-workload-identity-federation.adoc
+
+:_mod-docs-content-type: PROCEDURE
+
+[id="wif-configuration-update_{context}"]
+= Updating a Workforce Identity Federation configuration
+
+[role="_abstract"]
+You can update an existing Workload Identity Federation (WIF) configuration to support newer {product-title} y-stream versions and to align with the latest security best practices.
+
+[NOTE]
+====
+Updating a WIF configuration is only applicable for y-stream updates. For an overview of the update process, including details regarding version semantics, see link:https://www.redhat.com/en/blog/the-ultimate-guide-to-openshift-release-and-upgrade-process-for-cluster-administrators#:~:text=Ongoing%20security%20patches%20and%20bug,is%20the%20dark%20green%20bar.[The Ultimate Guide to OpenShift Release and Upgrade Process for Cluster Administrators].
+====
+Before upgrading a WIF-enabled {product-title} cluster to a newer version, you must update the wif-config to that version as well. If you do not update the wif-config version before attempting to upgrade the cluster version, the cluster version upgrade will fail.
+
+As part of Red{nbsp}Hat's ongoing commitment to the principle of least privilege, certain permissions previously assigned to the `osd-deployer` service account in WIF configurations have been removed. These changes help enhance the security of your clusters by ensuring that service accounts have only the permissions they need to perform their functions.
+
+For the complete list of WIF configuration roles and their assigned permissions, see link:https://github.com/openshift/managed-cluster-config/blob/master/resources/wif/4.19/vanilla.yaml[managed-cluster-config].
+
+To align your existing WIF configurations with these updated permissions, you can run the `ocm gcp update wif-config` command. This command updates the WIF configuration to include the latest permissions and roles required for optimal operation.
+
+When you update a wif-config or create a new one, ensure your {cluster-manager} CLI (`ocm`) is up to date. Not updating to the latest version of the `ocm` can result in error messages and service disruptions.
+
+**Example output**
+[source,text]
+----
+Error: failed to create wif-config: failed to create wif-config: status is 400, identifier is '400', code is 'CLUSTERS-MGMT-400', at '2025-10-06T15:18:37Z' and operation identifier is 'f9551d63-a58a-4e3c-b847-5f99ba1b0b74': Client version is out of date for WIF operations. Please update from vOCM-CLI/1.0.7 to v1.0.8 and try again.
+----
+
+.Procedure
+. To check the version of your `ocm`, run the following command:
++
+[source,terminal]
+----
+$ ocm version
+----
++
+. Optional: If your `ocm` version is not the latest available, download and install the latest version from the link:https://console.redhat.com/openshift/downloads[Downloads] page on {cluster-manager}.
++
+. Update a wif-config to a specific {product-title} version by running the following command:
++
+[source,terminal]
+----
+ocm gcp update wif-config <wif_name> \ <1>
+--version <version> <2>
+----
+<1> Replace `<wif_name>` with the name of the WIF configuration you want to update.
+<2> Optional: Replace `<version>` with the {product-title} y-stream version you plan to update the cluster to. If you do not specify a version, the wif-config will be updated to support the latest {product-title} y-stream version as well as the last three {product-title} supported y-stream versions (beginning with version 4.17).
+
+.Next steps
+
+The stale set of permissions previously assigned to the `osd-deployer` service account will remain on the account after updating the wif-config. You need to manually access the roles and remove these stale permissions from them.
+
+Follow the instructions in the "Removing stale deployer permissions from service accounts managed by a WIF configuration" and "Removing stale support permissions from service accounts managed by a WIF configuration" guides to remove these stale permissions.

modules/wif-configuration-update.adoc

@@ -1,15 +1,16 @@
 // Module included in the following assemblies:
 //
-// * osd_install_access_delete_cluster/creating-a-gcp-cluster-with-workload-identity-federation.adoc
+// *osd_gcp_clusters/osd-creating-a-cluster-on-gcp-with-workload-identity-federation.adoc
 
 
 :_mod-docs-content-type: CONCEPT
 [id="workload-identity-federation-overview_{context}"]
 = Workload Identity Federation overview
 
+[role="_abstract"]
 Workload Identity Federation (WIF) is a {GCP} Identity and Access Management (IAM) feature that provides third parties a secure method to access resources on a customer's cloud account. WIF eliminates the need for service account keys, and is {gcp-full}'s preferred method of credential authentication.
 
-While service account keys can provide powerful access to your {gcp-full} resources, they must be maintained by the user and can be a security risk if they are not managed properly. WIF does not use service keys as an access method for your Google cloud resources. Instead, WIF grants access by using credentials from external identity providers to generate short-lived credentials for workloads. The workloads can then use these credentials to temporarily impersonate service accounts and access {gcp-full} resources. This removes the burden of having to properly maintain service account keys, and removes the risk of unauthorized users gaining access to service account keys.
+While service account keys can provide powerful access to your {gcp-full} resources, they must be maintained by the user and can be a security risk if they are not managed properly. WIF does not use service keys as an access method for your {gcp-full} resources. Instead, WIF grants access by using credentials from external identity providers to generate short-lived credentials for workloads. The workloads can then use these credentials to temporarily impersonate service accounts and access {gcp-full} resources. This removes the burden of having to properly maintain service account keys, and removes the risk of unauthorized users gaining access to service account keys.
 
 The following bulleted items provides a basic overview of the Workload Identity Federation process:
 

modules/wif-overview.adoc

@@ -0,0 +1,50 @@
+// Module included in the following assemblies:
+//
+// * osd_gcp_clusters/osd-creating-a-cluster-on-gcp-with-workload-identity-federation.adoc
+
+:_mod-docs-content-type: PROCEDURE
+
+[id="wif-removing-stale-deployer-permissions_{context}"]
+= Removing stale deployer permissions from service accounts managed by a WIF configuration
+
+[role="_abstract"]
+To remove the stale deployer permissions from service accounts managed by a WIF configuration, run the following commands on a terminal with access to the {gcp-full} project hosting the service accounts.
+
+.Procedure
+
+. Retrieve the existing role definition, ensuring the `PROJECT_ID` environment variable points to your {gcp-full} project:
++
+[source,terminal]
+----
+$ gcloud iam roles describe \
+  osd_deployer_v4.18 \
+  --project $PROJECT_ID \
+  --format=yaml > /tmp/role.yaml
+----
++
+. Remove the unwanted permissions. You can do this by filtering out the unwanted permissions from the role definition file and saving the updated definition to a new file:
++
+[source,terminal]
+----
+$ cat /tmp/role.yaml | \
+grep -v "resourcemanager.projects.setIamPolicy" | \
+grep -v "iam.serviceAccounts.signBlob" | \
+grep -v "iam.serviceAccounts.actAs" > /tmp/updated_role.yaml
+----
++
+. Review the changes in the output between the original and updated role definitions to ensure only the unwanted permissions have been removed:
++
+[source,terminal]
+----
+$ diff /tmp/role.yaml /tmp/updated_role.yaml
+----
++
+. Update the role in {gcp-full} with the updated role definition file, ensuring the `PROJECT_ID` environment variable points to your {gcp-full} project:
++
+[source,terminal]
+----
+$ gcloud iam roles update \
+  osd_deployer_v4.18 \
+  --project=$PROJECT_ID \
+  --file=/tmp/updated_role.yaml
+----