- Story
- Resolution: Done
- BU Product Work
- OCPSTRAT-469 - Install and upgrade OpenShift with GCP Workload Identity
We need to ensure the following in the OpenShift operators:
1) Make sure the operator uses v0.0.0-20210218202405-ba52d332ba99 or a later version of the golang.org/x/oauth2 module.
2) Mount the OIDC token in the operator pod; this needs to go in the Deployment. We have done it for cluster-image-registry-operator here.
3) For workload identity to work, the GCP credentials that the operator pod uses must be of type external_account (not service_account). An external_account credential carries the path to the OIDC token and the URL of the service account to impersonate, along with other details. Credentials of this type can be generated from the GCP console or programmatically (ccoctl supports this). The operator pod can then consume them from a Kubernetes secret. Make the appropriate code changes to the operators so that they can consume these new credentials.
The following repos need one or more of the above changes:
- https://github.com/openshift/cloud-credential-operator
- https://github.com/openshift/cluster-image-registry-operator
- https://github.com/openshift/cluster-ingress-operator
- https://github.com/openshift/cluster-storage-operator
- https://github.com/openshift/cluster-api-provider-gcp
- https://github.com/openshift/gcp-pd-csi-driver
- https://github.com/openshift/machine-api-operator
- https://github.com/openshift/gcp-pd-csi-driver-operator
- https://github.com/openshift/image-registry
- https://github.com/openshift/docker-distribution
- relates to: CCO-260 invalid_grant error in the image-registry operator on GCP using WIF (Closed)