OSDOCS-14662:CQA on Creating a cluster on GC with WIF auth guide #102371
+435
−364
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,135 @@ | ||
| // Module included in the following assemblies: | ||
| // | ||
| // * osd_gcp_clusters/osd-creating-a-cluster-on-gcp-with-workload-identity-federation.adoc | ||
|
|
||
| :_mod-docs-content-type: PROCEDURE | ||
| [id="create-wif-configuration_{context}"] | ||
| = Creating a Workforce Identity Federation configuration | ||
|
|
||
| [role="_abstract"] | ||
|
|
||
| You can create a WIF configuration using the `auto` mode or the `manual` mode in the `ocm` CLI. | ||
|
|
||
| The `auto` mode enables you to automatically create the service accounts for {product-title} components as well as other IAM resources. | ||
|
|
||
| Alternatively, you can use the `manual` mode. In `manual` mode, you are provided with commands within a `script.sh` file which you use to manually create the service accounts for {product-title} components as well as other IAM resources. | ||
|
Collaborator
There was a problem hiding this comment. 🤖 [error] AsciiDocDITA.TaskStep: Content other than a single list cannot be mapped to DITA tasks. |
||
|
|
||
| .Procedure | ||
|
|
||
| * Based on your mode preference, run one of the following commands to create a WIF configuration: | ||
|
|
||
| ** Create a WIF configuration in auto mode by running the following command: | ||
| + | ||
| [source,terminal] | ||
| ---- | ||
| $ ocm gcp create wif-config --name <wif_name> \ <1> | ||
| --project <gcp_project_id> \ <2> | ||
| --version <osd_version> <3> | ||
| --federated-project <gcp_project_id> <4> | ||
| ---- | ||
| <1> Replace `<wif_name>` with the name of your WIF configuration. | ||
|
Collaborator
There was a problem hiding this comment. 🤖 [error] AsciiDocDITA.CalloutList: Callouts are not supported in DITA. |
||
| <2> Replace `<gcp_project_id>` with the ID of the {GCP} project where the WIF configuration will be implemented. | ||
| <3> Optional: Replace `<osd_version>` with the desired {product-title} version the wif-config will need to support. If you do not specify a version, the wif-config will support the latest {product-title} y-stream version as well as the last three supported {product-title} y-stream versions (beginning with version 4.17). | ||
| <4> Optional: Replace `<gcp_project_id>` with the ID of the dedicated project where the workload identity pools and providers will be created and managed. If the `--federated-project` flag is not specified, the workload identity pools and providers will be created and managed in the project specified by the `--project` flag. | ||
| + | ||
| [IMPORTANT] | ||
| ===== | ||
| Using a dedicated project to create and manage workload identity pools and providers is recommended by {GCP}. | ||
| Using a dedicated project helps you to establish centralized governance over the configuration of workload identity pools and providers, enforce uniform attribute mappings and conditions throughout all projects and applications, and ensure that only authorized identity providers can authenticate with WIF. | ||
|
|
||
| Creating and managing workload identity pools and providers in a dedicated project is only allowed during initial WIF configuration creation. The `--federated-project` flag cannot be applied to existing `wif-configs`. | ||
|
|
||
| For more information, see link:https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#dedicated-project[Use a dedicated project to manage workload identity pools and providers]. | ||
| ===== | ||
| + | ||
| -- | ||
| **Example output** | ||
| [source,terminal] | ||
| ---- | ||
| 2024/09/26 13:05:41 Creating workload identity configuration... | ||
| 2024/09/26 13:05:47 Workload identity pool created with name 2e1kcps6jtgla8818vqs8tbjjls4oeub | ||
| 2024/09/26 13:05:47 workload identity provider created with name oidc | ||
| 2024/09/26 13:05:48 IAM service account osd-worker-oeub created | ||
| 2024/09/26 13:05:49 IAM service account osd-control-plane-oeub created | ||
| 2024/09/26 13:05:49 IAM service account openshift-gcp-ccm-oeub created | ||
| 2024/09/26 13:05:50 IAM service account openshift-gcp-pd-csi-driv-oeub created | ||
| 2024/09/26 13:05:50 IAM service account openshift-image-registry-oeub created | ||
| 2024/09/26 13:05:51 IAM service account openshift-machine-api-gcp-oeub created | ||
| 2024/09/26 13:05:51 IAM service account osd-deployer-oeub created | ||
| 2024/09/26 13:05:52 IAM service account cloud-credential-operator-oeub created | ||
| 2024/09/26 13:05:52 IAM service account openshift-cloud-network-c-oeub created | ||
| 2024/09/26 13:05:53 IAM service account openshift-ingress-gcp-oeub created | ||
| 2024/09/26 13:05:55 Role "osd_deployer_v4.19" updated | ||
| ---- | ||
| -- | ||
| + | ||
| ** Create a WIF configuration in manual mode by running the following command: | ||
| + | ||
| [source,terminal] | ||
| ---- | ||
| $ ocm gcp create wif-config --name <wif_name> \ <1> | ||
| --project <gcp_project_id> \ <2> | ||
| --mode=manual | ||
| ---- | ||
| <1> Replace `<wif_name>` with the name of your WIF configuration. | ||
|
Collaborator
There was a problem hiding this comment. 🤖 [error] AsciiDocDITA.CalloutList: Callouts are not supported in DITA. |
||
| <2> Replace `<gcp_project_id>` with the ID of the {GCP} project where the WIF configuration will be implemented. | ||
| + | ||
| Once the WIF is configured, the following service accounts, roles, and groups are created. | ||
| + | ||
| [NOTE] | ||
| ==== | ||
| Red{nbsp}Hat custom roles are versioned with every OpenShift y-stream release, for example 4.19. | ||
| ==== | ||
| + | ||
| .WIF configuration service accounts, group and roles | ||
| [cols="2a,3a",options="header"] | ||
| |=== | ||
|
|
||
| |Service Account/Group | ||
| |{gcp-short} pre-defined roles and Red Hat custom roles | ||
|
|
||
|
|
||
| |osd-deployer | ||
| |osd_deployer_v<y-stream-version> | ||
|
|
||
| |osd-control-plane | ||
| |- compute.instanceAdmin | ||
| - compute.networkAdmin | ||
| - compute.securityAdmin | ||
| - compute.storageAdmin | ||
|
|
||
| |osd-worker | ||
| |- compute.storageAdmin | ||
| - compute.viewer | ||
|
|
||
| |cloud-credential-operator-gcp-ro-creds | ||
| |cloud_credential_operator_gcp_ro_creds_v<y-stream-version> | ||
|
|
||
| |openshift-cloud-network-config-controller-gcp | ||
| |openshift_cloud_network_config_controller_gcp_v<y-stream-version> | ||
|
|
||
| |openshift-gcp-ccm | ||
| |openshift_gcp_ccm_v<y-stream-version> | ||
|
|
||
| |openshift-gcp-pd-csi-driver-operator | ||
| |- compute.storageAdmin | ||
| - iam.serviceAccountUser | ||
| - resourcemanager.tagUser | ||
| - openshift_gcp_pd_csi_driver_operator_v<y-stream-version> | ||
|
|
||
| |openshift-image-registry-gcp | ||
| |openshift_image_registry_gcs_v<y-stream-version> | ||
|
|
||
| |openshift-ingress-gcp | ||
| |openshift_ingress_gcp_v<y-stream-version> | ||
|
|
||
| |openshift-machine-api-gcp | ||
| |openshift_machine_api_gcp_v<y-stream-version> | ||
|
|
||
| |Access via SRE group:sd-sre-platform-gcp-access | ||
| |sre_managed_support | ||
| |=== | ||
| + | ||
| For the complete list of WIF configuration roles and their assigned permissions, see link:https://github.com/openshift/managed-cluster-config/blob/master/resources/wif/4.19/vanilla.yaml[managed-cluster-config]. | ||
|
Collaborator
There was a problem hiding this comment. 🤖 [error] AsciiDocDITA.TaskStep: Content other than a single list cannot be mapped to DITA tasks. |
||
|
|
||
|
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| // Module included in the following assemblies: | ||
| // | ||
| // * osd_gcp_clusters/osd-creating-a-cluster-on-gcp-with-workload-identity-federation.adoc | ||
|
|
||
| :_mod-docs-content-type: PROCEDURE | ||
| [id="ocm-cli-list-wif-commands_{context}"] | ||
| = Listing Workforce Identity Federation clusters | ||
|
|
||
| [role="_abstract"] | ||
| You can list {product-title} clusters that have been deployed using Workload Identity Federation (WIF) authentication by using the {cluster-manager} CLI (`ocm`). | ||
|
|
||
| .Procedure | ||
|
|
||
| * To list all of your {product-title} clusters that have been deployed using the WIF authentication type, run one of the following commands: | ||
| + | ||
| ** Using the `--parameter` flag with the `search` option: | ||
| + | ||
| [source,terminal] | ||
| ---- | ||
| $ ocm list clusters --parameter search="gcp.authentication.wif_config_id != ''" | ||
| ---- | ||
| + | ||
| ** Using a specific wif-config ID to filter the clusters associated with that configuration: | ||
| + | ||
| [source,terminal] | ||
| ---- | ||
| $ ocm list clusters --parameter search="gcp.authentication.wif_config_id = '<wif_config_id>'" <1> | ||
| ---- | ||
| <1> Replace `<wif_config_id>` with the ID of the WIF configuration. | ||
|
Collaborator
There was a problem hiding this comment. 🤖 [error] AsciiDocDITA.CalloutList: Callouts are not supported in DITA. |
||
|
|
||
|
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| // Module included in the following assemblies: | ||
| // | ||
| // * osd_gcp_clusters/osd-creating-a-cluster-on-gcp-with-workload-identity-federation.adoc | ||
|
|
||
| :_mod-docs-content-type: PROCEDURE | ||
|
|
||
| [id="ocm-cli-verify-wif-commands_{context}"] | ||
| = Verifying a Workforce Identity Federation configuration | ||
|
|
||
| [role="_abstract"] | ||
| You can verify that the configuration of resources associated with a WIF configuration are correct by running the `ocm gcp verify wif-config` command. If a misconfiguration is found, the output provides details about the misconfiguration and recommends that you update the WIF configuration. | ||
|
|
||
| You need the name and ID of the WIF configuration you want to verify before verification. | ||
| To obtain the name and ID of your active WIF configurations, run the following command: | ||
|
|
||
| [source,terminal] | ||
| ---- | ||
| $ ocm gcp list wif-configs | ||
| ---- | ||
|
|
||
| To determine if the WIF configuration you want to verify is configured correctly, run the following command: | ||
|
|
||
| [source,terminal] | ||
| ---- | ||
| $ ocm gcp verify wif-config <wif_config_name>|<wif_config_id> <1> | ||
| ---- | ||
| <1> Replace `<wif_config_name>` and `<wif_config_id>` with the name and ID of your WIF configuration, respectively. | ||
|
Collaborator
There was a problem hiding this comment. 🤖 [error] AsciiDocDITA.CalloutList: Callouts are not supported in DITA. |
||
|
|
||
| -- | ||
| **Example output** | ||
| [source,terminal] | ||
| ---- | ||
| Error: verification failed with error: missing role 'compute.storageAdmin'. | ||
| Running 'ocm gcp update wif-config' may fix errors related to cloud resource misconfiguration. | ||
| exit status 1. | ||
| ---- | ||
| -- | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,57 @@ | ||
| // Module included in the following assemblies: | ||
| // | ||
| // * osd_gcp_clusters/osd-creating-a-cluster-on-gcp-with-workload-identity-federation.adoc | ||
|
|
||
| :_mod-docs-content-type: PROCEDURE | ||
|
|
||
| [id="wif-configuration-update_{context}"] | ||
| = Updating a Workforce Identity Federation configuration | ||
|
|
||
| [role="_abstract"] | ||
| You can update an existing Workload Identity Federation (WIF) configuration to support newer {product-title} y-stream versions and to align with the latest security best practices. | ||
|
|
||
| [NOTE] | ||
| ==== | ||
| Updating a WIF configuration is only applicable for y-stream updates. For an overview of the update process, including details regarding version semantics, see link:https://www.redhat.com/en/blog/the-ultimate-guide-to-openshift-release-and-upgrade-process-for-cluster-administrators#:~:text=Ongoing%20security%20patches%20and%20bug,is%20the%20dark%20green%20bar.[The Ultimate Guide to OpenShift Release and Upgrade Process for Cluster Administrators]. | ||
| ==== | ||
| Before upgrading a WIF-enabled {product-title} cluster to a newer version, you must update the wif-config to that version as well. If you do not update the wif-config version before attempting to upgrade the cluster version, the cluster version upgrade will fail. | ||
|
|
||
| As part of Red{nbsp}Hat's ongoing commitment to the principle of least privilege, certain permissions previously assigned to the `osd-deployer` service account in WIF configurations have been removed. These changes help enhance the security of your clusters by ensuring that service accounts have only the permissions they need to perform their functions. | ||
|
|
||
| For the complete list of WIF configuration roles and their assigned permissions, see link:https://github.com/openshift/managed-cluster-config/blob/master/resources/wif/4.19/vanilla.yaml[managed-cluster-config]. | ||
|
|
||
| To align your existing WIF configurations with these updated permissions, you can run the `ocm gcp update wif-config` command. This command updates the WIF configuration to include the latest permissions and roles required for optimal operation. | ||
|
|
||
| When you update a wif-config or create a new one, ensure your {cluster-manager} CLI (`ocm`) is up to date. Not updating to the latest version of the `ocm` can result in error messages and service disruptions. | ||
|
|
||
| **Example output** | ||
| [source,text] | ||
| ---- | ||
| Error: failed to create wif-config: failed to create wif-config: status is 400, identifier is '400', code is 'CLUSTERS-MGMT-400', at '2025-10-06T15:18:37Z' and operation identifier is 'f9551d63-a58a-4e3c-b847-5f99ba1b0b74': Client version is out of date for WIF operations. Please update from vOCM-CLI/1.0.7 to v1.0.8 and try again. | ||
| ---- | ||
|
|
||
| .Procedure | ||
| . To check the version of your `ocm`, run the following command: | ||
| + | ||
| [source,terminal] | ||
| ---- | ||
| $ ocm version | ||
| ---- | ||
| + | ||
| . Optional: If your `ocm` version is not the latest available, download and install the latest version from the link:https://console.redhat.com/openshift/downloads[Downloads] page on {cluster-manager}. | ||
| + | ||
| . Update a wif-config to a specific {product-title} version by running the following command: | ||
| + | ||
| [source,terminal] | ||
| ---- | ||
| ocm gcp update wif-config <wif_name> \ <1> | ||
| --version <version> <2> | ||
| ---- | ||
| <1> Replace `<wif_name>` with the name of the WIF configuration you want to update. | ||
|
Collaborator
There was a problem hiding this comment. 🤖 [error] AsciiDocDITA.CalloutList: Callouts are not supported in DITA. |
||
| <2> Optional: Replace `<version>` with the {product-title} y-stream version you plan to update the cluster to. If you do not specify a version, the wif-config will be updated to support the latest {product-title} y-stream version as well as the last three {product-title} supported y-stream versions (beginning with version 4.17). | ||
|
|
||
| .Next steps | ||
|
|
||
| The stale set of permissions previously assigned to the `osd-deployer` service account will remain on the account after updating the wif-config. You need to manually access the roles and remove these stale permissions from them. | ||
|
Collaborator
There was a problem hiding this comment. 🤖 [error] AsciiDocDITA.TaskStep: Content other than a single list cannot be mapped to DITA tasks. |
||
|
|
||
| Follow the instructions in the "Removing stale deployer permissions from service accounts managed by a WIF configuration" and "Removing stale support permissions from service accounts managed by a WIF configuration" guides to remove these stale permissions. | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| // Module included in the following assemblies: | ||
| // | ||
| // * osd_gcp_clusters/osd-creating-a-cluster-on-gcp-with-workload-identity-federation.adoc | ||
|
|
||
| :_mod-docs-content-type: PROCEDURE | ||
|
|
||
| [id="wif-removing-stale-deployer-permissions_{context}"] | ||
| = Removing stale deployer permissions from service accounts managed by a WIF configuration | ||
|
|
||
| [role="_abstract"] | ||
| To remove the stale deployer permissions from service accounts managed by a WIF configuration, run the following commands on a terminal with access to the {gcp-full} project hosting the service accounts. | ||
|
|
||
| .Procedure | ||
|
|
||
| . Retrieve the existing role definition, ensuring the `PROJECT_ID` environment variable points to your {gcp-full} project: | ||
| + | ||
| [source,terminal] | ||
| ---- | ||
| $ gcloud iam roles describe \ | ||
| osd_deployer_v4.18 \ | ||
| --project $PROJECT_ID \ | ||
| --format=yaml > /tmp/role.yaml | ||
| ---- | ||
| + | ||
| . Remove the unwanted permissions. You can do this by filtering out the unwanted permissions from the role definition file and saving the updated definition to a new file: | ||
| + | ||
| [source,terminal] | ||
| ---- | ||
| $ cat /tmp/role.yaml | \ | ||
| grep -v "resourcemanager.projects.setIamPolicy" | \ | ||
| grep -v "iam.serviceAccounts.signBlob" | \ | ||
| grep -v "iam.serviceAccounts.actAs" > /tmp/updated_role.yaml | ||
| ---- | ||
| + | ||
| . Review the changes in the output between the original and updated role definitions to ensure only the unwanted permissions have been removed: | ||
| + | ||
| [source,terminal] | ||
| ---- | ||
| $ diff /tmp/role.yaml /tmp/updated_role.yaml | ||
| ---- | ||
| + | ||
| . Update the role in {gcp-full} with the updated role definition file, ensuring the `PROJECT_ID` environment variable points to your {gcp-full} project: | ||
| + | ||
| [source,terminal] | ||
| ---- | ||
| $ gcloud iam roles update \ | ||
| osd_deployer_v4.18 \ | ||
| --project=$PROJECT_ID \ | ||
| --file=/tmp/updated_role.yaml | ||
| ---- |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🤖 [error] AsciiDocDITA.TaskStep: Content other than a single list cannot be mapped to DITA tasks.