OpenShift Core Networking / CORENET-6695

[REVIEW] GCP Workload Identity Federation support for Cloud Network Config Controller


    • To Do
    • Product / Portfolio Work
    • OCPSTRAT-2840 GCP Workload Identity Federation support for Cloud Network Config Controller
    • 100% To Do, 0% In Progress, 0% Done

      Feature Overview (aka. Goal Summary)  

      Today, cloud-network-config-controller lacks WIF support, which is a blocker for HyperShift managing NodePools deployed in GCP. WIF is Workload Identity Federation, Google Cloud's scheme for authenticating to cloud APIs with short-lived tokens: the workload presents an external identity token (for a pod, its projected Kubernetes service account token) to Google's STS endpoint and receives a short-lived access token, so no long-lived service account key has to be stored in the cluster. WIF is analogous to AWS STS.

      The goal of this work is to add WIF support to cloud-network-config-controller.

      Note: The bulk of the work here is going to be picked up by the HCM team focused on OSD GCP HCP. However, we need support from the networking team to review, provide feedback, and merge the changes.

      Timeline: We need to target this for 4.22 to stick to the delivery timelines for OSD GCP HCP.

      Goals (aka. expected user outcomes)

      Add WIF support to cloud-network-config-controller so that the controller can authenticate to the GCP APIs with short-lived federated tokens instead of a long-lived service account key stored in a cluster secret, unblocking HyperShift NodePools on GCP.

      Requirements (aka. Acceptance Criteria):

      A list of specific needs or objectives that a feature must deliver in order to be considered complete.  Be sure to include nonfunctional requirements such as security, reliability, performance, maintainability, scalability, usability, etc.  Initial completion during Refinement status.

      <enter general Feature acceptance here>

       

      Anyone reviewing this Feature needs to know which deployment configurations that the Feature will apply to (or not) once it's been completed.  Describe specific needs (or indicate N/A) for each of the following deployment scenarios. For specific configurations that are out-of-scope for a given release, ensure you provide the OCPSTRAT (for the future to be supported configuration) as well.

      Deployment considerations (list applicable specific needs; N/A = not applicable):
      Self-managed, managed, or both:
      Classic (standalone cluster):
      Hosted control planes:
      Multi node, Compact (three node), or Single node (SNO), or all:
      Connected / Restricted Network:
      Architectures, e.g. x86_64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x):
      Operator compatibility:
      Backport needed (list applicable versions):
      UI need (e.g. OpenShift Console, dynamic plugin, OCM):
      Other (please specify):

      Use Cases (Optional):

      Include use case diagrams, main success scenarios, alternative flow scenarios.  Initial completion during Refinement status.

      <your text here>

      Questions to Answer (Optional):

      Include a list of refinement / architectural questions that may need to be answered before coding can begin.  Initial completion during Refinement status.

      <your text here>

      Out of Scope

      High-level list of items that are out of scope.  Initial completion during Refinement status.

      <your text here>

      Background

      Current GCP Authentication Implementation

      The GCP cloud provider in pkg/cloudprovider/gcp.go:39-79 only supports traditional service account JSON keys:

      1. Hardcoded credential source: it reads credentials exclusively from a file named service_account.json mounted from a Kubernetes secret (line 40)
      2. Direct JSON credentials: it uses option.WithCredentialsJSON(secretData) to pass the service account key directly (line 67)
      3. No ADC support: it does not use the Application Default Credentials (ADC) chain
      4. No environment variable support: it does not check GOOGLE_APPLICATION_CREDENTIALS
      5. No WIF detection: there is no code to detect or use a Workload Identity Federation ("external_account") configuration

      The practical consequence is that a long-lived service account private key has to live in a cluster secret, which is exactly what WIF exists to avoid.

      How GCP WIF Would Work

      The Go OAuth2 library (golang.org/x/oauth2/google), which the Google API client libraries use underneath, provides FindDefaultCredentials(), which implements the ADC chain and supports WIF through:

      • GOOGLE_APPLICATION_CREDENTIALS env var pointing to a WIF configuration JSON (type "external_account") instead of a service account key
      • ADC credential chain (checks multiple sources in order: the env var, the gcloud well-known credentials file, and finally the GCE metadata server)
      • External account credentials (for workload identity federation): the configuration names a credential_source, typically a projected Kubernetes service account token file, which the library exchanges at the STS token_url for a short-lived access token, optionally impersonating a service account via service_account_impersonation_url

      The same package's CredentialsFromJSON() accepts either a service account key or an "external_account" configuration, so a WIF configuration can also be supplied as file contents rather than only via the env var.

      Azure Has WIF Support (for comparison)

      The Azure provider (pkg/cloudprovider/azure.go:602-639) already supports Workload Identity Federation:

      • Feature gate: azureWorkloadIdentityEnabled
      • Falls back to environment variables if secrets aren't present
      • Uses azidentity.NewWorkloadIdentityCredential() when enabled

      What Would Need to Change

      To add GCP WIF support, the code would need to:
      1. Replace hardcoded service_account.json reading with google.FindDefaultCredentials() or similar. Be deliberate about which links of the ADC chain are acceptable: its final fallback is the GCE metadata server, which would silently run the controller as the node's service account rather than the identity provisioned for it, so the controller should fail closed when neither the secret nor an explicit WIF configuration is present.
      2. Support environment variable fallbacks (like Azure does), i.e. read GOOGLE_APPLICATION_CREDENTIALS when the secret is absent
      3. Potentially add a feature gate, mirroring azureWorkloadIdentityEnabled
      4. Use option.WithCredentials() with the parsed *google.Credentials (or option.WithCredentialsFile()) instead of option.WithCredentialsJSON(), so that both key and external_account inputs go through one path. Worth verifying during refinement: google.CredentialsFromJSON(), which google.golang.org/api resolves option.WithCredentialsJSON() through, already parses "external_account" documents, so the existing secret-based code path may only need the secret's contents to be a WIF configuration plus the projected token volume mounted at the credential_source path.

      Customer Considerations

      Provide any additional customer-specific considerations that must be made when designing and delivering the Feature.  Initial completion during Refinement status.

      <your text here>

      Documentation Considerations

      Provide information that needs to be considered and planned so that documentation will meet customer needs.  If the feature extends existing functionality, provide a link to its current documentation. Initial completion during Refinement status.

      <your text here>

      Interoperability Considerations

      Which other projects, including ROSA/OSD/ARO, and versions in our portfolio does this feature impact?  What interoperability test scenarios should be factored by the layered products?  Initial completion during Refinement status.

      <your text here>

              rravaiol@redhat.com Riccardo Ravaioli
              rhn-engineering-abhgupta Abhishek Gupta