wif overview

Author: mletalie

_topic_maps/_topic_map_osd.yml

@@ -123,6 +123,8 @@ Topics:
   File: creating-an-aws-cluster
 - Name: Creating a GCP Private Service Connect enabled private cluster
   File: creating-a-gcp-psc-enabled-private-cluster
+- Name: Creating a cluster on GCP with Workload Identity Federation
+  File: creating-a-gcp-cluster-with-workload-identity-federation
 - Name: Creating a cluster on GCP
   File: creating-a-gcp-cluster
 - Name: Configuring your identity providers

modules/ccs-gcp-customer-procedure-serviceaccount.adoc

@@ -0,0 +1,71 @@
+// Module included in the following assemblies:
+//
+// * osd_planning/gcp-ccs.adoc
+:_mod-docs-content-type: PROCEDURE
+[id="ccs-gcp-customer-procedure-sa_{context}"]
+
+= Service account authentication type procedure
+// TODO: Same as other module - Better procedure heading that tells you what this is doing
+
+Besides the required customer procedures listed in _Required customer procedure_, there are other specific actions that you must take when creating an {product-title} cluster on {GCP} using a service account as the authentication type.
+
+.Procedure
+
+. To ensure that Red Hat can perform necessary actions, you must create an `osd-ccs-admin` IAM link:https://cloud.google.com/iam/docs/creating-managing-service-accounts#creating_a_service_account[service account] user within the GCP project.
+
++
+
+The following roles must be link:https://cloud.google.com/iam/docs/granting-roles-to-service-accounts#granting_access_to_a_service_account_for_a_resource[granted to the service account]:
++
+.Required roles
+[cols="2a,3a",options="header"]
+
+|===
+
+|Role|Console role name
+
+|Compute Admin
+|`roles/compute.admin`
+
+|DNS Administrator
+|`roles/dns.admin`
+
+|Organization Policy Viewer
+|`roles/orgpolicy.policyViewer`
+
+|Service Management Administrator
+|`roles/servicemanagement.admin`
+
+|Service Usage Admin
+|`roles/serviceusage.serviceUsageAdmin`
+
+|Storage Admin
+|`roles/storage.admin`
+
+|Compute Load Balancer Admin
+|`roles/compute.loadBalancerAdmin`
+
+|Role Viewer
+|`roles/viewer`
+
+|Role Administrator
+|`roles/iam.roleAdmin`
+
+|Security Admin
+|`roles/iam.securityAdmin`
+
+|Service Account Key Admin
+|`roles/iam.serviceAccountKeyAdmin`
+
+|Service Account Admin
+|`roles/iam.serviceAccountAdmin`
+
+|Service Account User
+|`roles/iam.serviceAccountUser`
+
+|===
+
++
+
+. link:https://cloud.google.com/iam/docs/creating-managing-service-account-keys#creating_service_account_keys[Create the service account key] for the `osd-ccs-admin` IAM service account. Export the key to a file named `osServiceAccount.json`; this JSON file will be uploaded in {cluster-manager-first} when you create your cluster.
+

modules/ccs-gcp-customer-procedure-wif.adoc

@@ -0,0 +1,63 @@
+// Module included in the following assemblies:
+//
+// * osd_planning/gcp-ccs.adoc
+:_mod-docs-content-type: PROCEDURE
+[id="ccs-gcp-customer-procedure-wif_{context}"]
+
+= Workload Identity Federation authentication type procedure
+// TODO: Same as other module - Better procedure heading that tells you what this is doing
+Besides the required customer procedures listed in _Required customer procedure_, there are other specific actions that you must take when creating an {product-title} cluster on {GCP} using Workload Identity Federation as the authentication type.
+
+.Procedure
+
+. Assign the following roles to the link:https://cloud.google.com/iam/docs/granting-roles-to-service-accounts#granting_access_to_a_service_account_for_a_resource[service account] of the user implementing the Workload Identity Federation authentication type:
++
+.Required roles
+[cols="2a,3a,3a",options="header"]
+
+|===
+
+|Role|Console role name|Role purpose
+
+|Role Administrator
+|`roles/iam.roleAdmin`
+|Required by the GCP client in the OCM CLI for creating custom roles.
+
+|Service Account Admin
+|`roles/iam.serviceAccountAdmin`
+|Required to pre-create the services account required by the OSD deployer, support and operators.
+
+|Workload Identity Pool Admin
+|`roles/iam.workloadIdentityPoolAdmin`
+|Required to create and configure the workload identity pool.
+
+|Project IAM Admin
+|`roles/resourcemanager.projectIamAdmin`
+|Required for assigning roles to the service account and giving permissions to those roles that are necessary to perform operations on cloud resources.
+
+|===
+
+. Install the link:https://console.redhat.com/openshift/downloads[OpenShift Cluster Manager API command-line interface (`ocm`)].
++
+To use the OCM CLI, you must authenticate against your Red Hat {cluster-manager} account. This is accomplished with the {cluster-manager} API token.
++
+You can obtain your token link:https://console.redhat.com/openshift/token/show[here].
+
+. To authenticate against your Red Hat {cluster-manager} account, run the following command:
++
+[source,terminal]
+----
+$ ocm login --token <token> <1>
+----
+<1> Replace `<token>` with your {cluster-manager} API token.
++
+[IMPORTANT]
+====
+[subs="attributes+"]
+OpenShift Cluster Manager API command-line interface (`ocm`) is a Technology Preview feature only.
+For more information about the support scope of Red Hat Technology Preview features, see link:https://access.redhat.com/support/offerings/techpreview/[Technology Preview Features Support Scope].
+====
+
+. Install the link:https://cloud.google.com/sdk/docs/install[gcloud CLI].
++
+.  Authenticate the gcloud CLI with the link:https://cloud.google.com/docs/authentication/provide-credentials-adc[Application Default Credentials (ADC)].

modules/ccs-gcp-customer-procedure.adoc

@@ -9,6 +9,10 @@
 
 
 The Customer Cloud Subscription (CCS) model allows Red Hat to deploy and manage {product-title} into a customer's Google Cloud Platform (GCP) project. Red Hat requires several prerequisites to provide these services.
+[NOTE]
+====
+The following requirements in this topic apply to {product-title} on {GCP} clusters created using both the service account and Workload Identity Federation authentication type. For additional requirements that apply to the service account authentication type only, see _Service account authentication type procedure_. For additional requirements that apply to the Workload Identity Federation authentication type only, see _Workload Identity Federation authentication type procedure_.
+====
 
 [WARNING]
 ====
@@ -28,14 +32,14 @@ To use {product-title} in your GCP project, the following GCP organizational pol
 +
 .Required API services
 [cols="2a,3a",options="header"]
+
 |===
-|API service |Console service name
 
+|API service |Console service name
 
 |link:https://console.cloud.google.com/apis/library/deploymentmanager.googleapis.com?pli=1&project=openshift-gce-devel&folder=&organizationId=[Cloud Deployment Manager V2 API]
 |`deploymentmanager.googleapis.com`
 
-
 |link:https://console.cloud.google.com/apis/library/compute.googleapis.com?project=openshift-gce-devel&folder=&organizationId=[Compute Engine API]
 |`compute.googleapis.com`
 
@@ -73,57 +77,3 @@ To use {product-title} in your GCP project, the following GCP organizational pol
 |`orgpolicy.googleapis.com`
 
 |===
-
-. To ensure that Red Hat can perform necessary actions, you must create an `osd-ccs-admin` IAM link:https://cloud.google.com/iam/docs/creating-managing-service-accounts#creating_a_service_account[service account] user within the GCP project.
-+
-The following roles must be link:https://cloud.google.com/iam/docs/granting-roles-to-service-accounts#granting_access_to_a_service_account_for_a_resource[granted to the service account]:
-+
-.Required roles
-[cols="2a,3a",options="header"]
-
-|===
-
-|Role|Console role name
-
-|Compute Admin
-|`roles/compute.admin`
-
-|DNS Administrator
-|`roles/dns.admin`
-
-|Organization Policy Viewer
-|`roles/orgpolicy.policyViewer`
-
-|Service Management Administrator
-|`roles/servicemanagement.admin`
-
-|Service Usage Admin
-|`roles/serviceusage.serviceUsageAdmin`
-
-|Storage Admin
-|`roles/storage.admin`
-
-|Compute Load Balancer Admin
-|`roles/compute.loadBalancerAdmin`
-
-|Role Viewer
-|`roles/viewer`
-
-|Role Administrator
-|`roles/iam.roleAdmin`
-
-|Security Admin
-|`roles/iam.securityAdmin`
-
-|Service Account Key Admin
-|`roles/iam.serviceAccountKeyAdmin`
-
-|Service Account Admin
-|`roles/iam.serviceAccountAdmin`
-
-|Service Account User
-|`roles/iam.serviceAccountUser`
-
-|===
-
-. link:https://cloud.google.com/iam/docs/creating-managing-service-account-keys#creating_service_account_keys[Create the service account key] for the `osd-ccs-admin` IAM service account. Export the key to a file named `osServiceAccount.json`; this JSON file will be uploaded in {cluster-manager-first} when you create your cluster.

modules/ccs-gcp-customer-requirements.adoc

@@ -13,7 +13,7 @@
 
 * The customer ensures that link:https://cloud.google.com/storage/quotas[Google Cloud limits] are sufficient to support {product-title} provisioned within the customer-provided GCP account.
 
-* The customer-provided GCP account should be in the customer's Google Cloud Organization with the applicable Service Account applied.
+* The customer-provided GCP account should be in the customer's Google Cloud Organization.
 
 * The customer-provided GCP account must not be transferable to Red Hat.
 

modules/ccs-gcp-iam.adoc

@@ -8,6 +8,11 @@
 
 Red Hat is responsible for creating and managing the following IAM Google Cloud Platform (GCP) resources.
 
+[IMPORTANT]
+=====
+The _IAM service account and roles_ and _IAM group and roles_ topics are only applicable to clusters created using the service account authentication type.
+=====
+
 [id="ccs-gcp-iam-service-account-roles_{context}"]
 == IAM service account and roles
 
@@ -63,6 +68,11 @@ When applied to an individual *bucket*, control applies only to the specified bu
 
 The `sd-sre-platform-gcp-access` Google group is granted access to the GCP project to allow Red Hat Site Reliability Engineering (SRE) access to the console for emergency troubleshooting purposes.
 
+[NOTE]
+====
+* For information regarding the roles within the `sd-sre-platform-gcp-access`  group that are specific to clusters created when using the Workload Identity Federation (WIF) authentication type, see link:https://github.com/openshift/managed-cluster-config/blob/master/resources/wif/4.17/vanilla.yaml[managed-cluster-config].
+* For information about creating a cluster using the Workload Identity Federation authentication type, see _Additional resources_.
+====
 The following roles are attached to the group:
 
 .IAM roles for sd-sre-platform-gcp-access

modules/ccs-gcp-understand.adoc

@@ -11,4 +11,10 @@ Red Hat {product-title} provides a Customer Cloud Subscription (CCS) model that
 
 Red Hat recommends the usage of GCP project, managed by the customer, to organize all of your GCP resources. A project consists of a set of users and APIs, as well as billing, authentication, and monitoring settings for those APIs.
 
-It is recommended for the {product-title} cluster using a CCS model to be hosted in a GCP project within a GCP organization. The Organization resource is the root node of the GCP resource hierarchy and all resources that belong to an organization are grouped under the organization node. An IAM service account with certain roles granted is created and applied to the GCP project. When you make calls to the API, you typically provide service account keys for authentication. Each service account is owned by a specific project, but service accounts can be provided roles to access resources for other projects.
+It is recommended for the {product-title} cluster using a CCS model to be hosted in a GCP project within a GCP organization. The Organization resource is the root node of the GCP resource hierarchy and all resources that belong to an organization are grouped under the organization node. Customers have the choice of using service account keys or Workload Identity Federation when creating the roles and credentials necessary to  access Google Cloud resources within a GCP project.
+// When you make calls to the API, you typically provide service account keys for authentication. Each service account is owned by a specific project, but service accounts can be provided roles to access resources for other projects.
+
+[IMPORTANT]
+====
+Unless specified, the information provided in this topic is applicable to {product-title} on {GCP} clusters that use service account keys or Workload Identity Federation (WIF) to grant the required necessary credentials.
+====