OSDOCS-17318:Docs update for Cross-Project Federated Identity Auth for OSD-GCP #102892
@AedinC: This pull request references OSDOCS-17318 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
…ication for OSD-GCP.
| ** The `osd-deployer` service account no longer uses the `iam.serviceAccounts.actAs` permission. This has been replaced with the `iam.serviceAccountUser` role, which is now specifically assigned to the service accounts that require it. | ||
| If you have existing `wif-config` instances, you can get these new, less permissive permissions by running the `ocm gcp update wif-config` command. For more information, see xref:../osd_gcp_clusters/creating-a-gcp-cluster-with-workload-identity-federation.adoc#wif-configuration-update_osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Updating a WIF configuration]. | ||
| If you have existing `wif-config` instances, you can get these new, less permissive permissions by running the `ocm gcp update wif-config` command. For more information, see xref:../osd_gcp_clusters/creating-a-gcp-cluster-with-workload-identity-federation.adoc#wif-configuration-update_osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Updating a Workforce Identity Federation configuration]. |
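Review bot: the replacement line's link text, "Updating a Workforce Identity Federation configuration", expands WIF to the wrong feature; the `wif-config` resource in the same sentence and the target anchor `wif-configuration-update_osd-creating-a-cluster-on-gcp-with-workload-identity-federation` both refer to Workload Identity Federation. Suggest `[Updating a Workload Identity Federation configuration]` so the link text matches the topic it points at.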
🤖 [error] OpenShiftAsciiDoc.XrefContainsAnchorID: The xref is missing an anchor ID.
@AedinC: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
| If you have existing `wif-config` instances, you can get these new, less permissive permissions by running the `ocm gcp update wif-config` command. For more information, see xref:../osd_gcp_clusters/creating-a-gcp-cluster-with-workload-identity-federation.adoc#wif-configuration-update_osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Updating a Workforce Identity Federation configuration]. | |
| If you have existing `wif-config` instances, you can get these new, less permissive permissions by running the `ocm gcp update wif-config` command. For more information, see xref:../osd_gcp_clusters/creating-a-gcp-cluster-with-workload-identity-federation.adoc#wif-configuration-update_osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Updating a Workload Identity Federation configuration]. |
| * **Support for managing workload identity pools and providers in a dedicated {GCP} project.** | ||
| {product-title} on {GCP} now lets you update an existing Workforce Identity Federation (WIF) configuration to use a dedicated project for managing workload identity pools and providers. | ||
| For more information, see link:http://docs.redhat.com/en/documentation/openshift_dedicated/4/html-single/openshift_dedicated_clusters_on_google_cloud/index#wif-configuration-update_osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Updating a Workforce Identity Federation configuration]. |
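Review bot: the `link:` on the last line uses `http://docs.redhat.com/...`; change the scheme to `https://` so the rendered link does not start with a plaintext request and depend on a server-side redirect to reach the documentation.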
| For more information, see link:http://docs.redhat.com/en/documentation/openshift_dedicated/4/html-single/openshift_dedicated_clusters_on_google_cloud/index#wif-configuration-update_osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Updating a Workforce Identity Federation configuration]. | |
| For more information, see link:http://docs.redhat.com/en/documentation/openshift_dedicated/4/html-single/openshift_dedicated_clusters_on_google_cloud/index#wif-configuration-update_osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Updating a Workload Identity Federation configuration]. |
| = Q4 2025 | ||
| * **Support for managing workload identity pools and providers in a dedicated {GCP} project.** | ||
| {product-title} on {GCP} now lets you update an existing Workforce Identity Federation (WIF) configuration to use a dedicated project for managing workload identity pools and providers. |
| {product-title} on {GCP} now lets you update an existing Workforce Identity Federation (WIF) configuration to use a dedicated project for managing workload identity pools and providers. | |
| {product-title} on {GCP} now lets you update an existing Workload Identity Federation (WIF) configuration to use a dedicated project for managing workload identity pools and providers. |
| You can also update an existing {product-title} cluster that is already using WIF by adding a dedicated project to manage workload identity pools and providers using the `--federated-project` flag. This best-practice model separates the workload identity pools and providers into a dedicated, centralized {GCP} project. | ||
| When you update the configuration using the `--federated-project` flag, the federated identity pool moves to the new federated project you specify, while the existing IAM service accounts and custom roles remain in the original cluster-associated project. |
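Review bot: the two paragraphs give the same operation different subjects: the first says you "update an existing {product-title} cluster ... using the `--federated-project` flag", the second says you "update the configuration using the `--federated-project` flag", and the release-note line above says it is the WIF configuration that is updated. State one subject, the WIF configuration, and name the command the `--federated-project` flag belongs to, so readers do not look for a cluster-level option. The second paragraph should also say what happens to the pool left in the original project after it "moves", since it explicitly says the service accounts and custom roles stay there but leaves the pool's state implicit.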
@shreyansvm @AedinC I believe a section should be included to inform the users that they may manually remove the identity pool from the original project once they have moved the pool to the federated project.
rcampos2029 left a comment:
WIF in this context stands for Workload Identity Federation, not Workforce Identity Federation.
Version(s): 4.20+
Issue: https://issues.redhat.com/browse/OSDOCS-17318
Link to docs preview:
Note to reviewers: The main focus of this PR is to update the existing Updating a WIF configuration content. It also removes a duplicate module (Wif requirements), and tidies up some older links.
Peer review:
SME review:
QE review: