OpenShift Installer: CORS-2389

OpenShift Installer to support Private Google Access to GCP endpoints

    • BU Product Work
    • Yellow
    • In Progress
    • OCPSTRAT-561 - Support Private Google Access to GCP endpoints
    • 17% To Do, 13% In Progress, 71% Done

      4/15/2025

      Yellow/Red - Currently testing is not working. We set all of the endpoint overrides in the code (several projects) using option.WithEndpoint() (this is Google's suggested way of doing this operation). When we got to the GCP Cloud Provider we noticed that they were directly setting the endpoint override with service.BasePath. So now there were inconsistencies between these. To make matters worse, the testing showed that option.WithEndpoint() appears to want a string or can only be used with a string like "compute-example.p.googleapis.com" (so there is no scheme attached). The BasePath direct setting appears to want a string like "https://compute-example.p.googleapis.com/compute/v1". These are quite different, and these two methods have been proven to work in a small-scale example. There are OpenShift API changes that would be required to remove the https scheme and ensure that it does not exist for us to continue to use these. This is a simple fix. However, testing is showing some other interesting results:

      If we override the IAM service endpoint then it was able to install correctly. However, using services like compute or DNS where other projects (something outside of the installer) need the information and it sets it there, the install fails. It is failing during the bootkube process, during the control plane tear-down process.

      Yellow - Everything is currently on track, but a new spike was opened in regards to the cluster GCP provider. Currently there is no way of getting the custom endpoints to the module. We will need to figure this out. It will be worked on in parallel to the other modules, but this one may take some time to get in upstream.

      3/26/2025

      Coming into Green - There are open PRs for several projects. All of the main code has been accounted for. The yellow-ish part of this epic is the testing. There was some progress made on the testing front, but it is not enough to call this good. We need that and documentation. The biggest open PR is the one where the installer uses the endpoints for all services with GCP (CORS-3916).

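Normalising one override into the two forms the 4/15/2025 update describes (a bare host for option.WithEndpoint(), a full URL for service.BasePath), as an added Go example that is not code from the installer, the cloud provider or this issue; the ServiceEndpoint type, the dns path suffix and the validation rules are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// ServiceEndpoint holds one override in the two forms the status update names:
// the bare host for option.WithEndpoint() and the full URL for service.BasePath.
type ServiceEndpoint struct {
	Host     string // compute-example.p.googleapis.com
	BasePath string // https://compute-example.p.googleapis.com/compute/v1
}

// servicePaths is the path suffix BasePath needs per service. The compute
// value comes from the issue text; the dns value is an assumption.
var servicePaths = map[string]string{
	"compute": "/compute/v1",
	"dns":     "/dns/v1", // assumed
}

// NormalizeEndpoint accepts an override written as a bare host, an https URL or
// a full BasePath URL and returns both forms. Plaintext http, credentials, query
// strings and foreign paths are rejected: an override must not downgrade TLS or
// point the client at an unexpected API path.
func NormalizeEndpoint(service, raw string) (ServiceEndpoint, error) {
	path, ok := servicePaths[service]
	if !ok {
		return ServiceEndpoint{}, fmt.Errorf("unknown service %q", service)
	}
	in := raw
	if !strings.Contains(in, "://") {
		in = "https://" + in // bare host form from the issue text
	}
	u, err := url.Parse(in)
	if err != nil {
		return ServiceEndpoint{}, fmt.Errorf("parse endpoint %q: %w", raw, err)
	}
	if u.Scheme != "https" {
		return ServiceEndpoint{}, fmt.Errorf("endpoint %q: scheme must be https", raw)
	}
	p := strings.TrimSuffix(u.Path, "/")
	if u.User != nil || u.Host == "" || u.RawQuery != "" || (p != "" && p != path) {
		return ServiceEndpoint{}, fmt.Errorf("endpoint %q: want host or host%s", raw, path)
	}
	host := strings.ToLower(u.Host)
	return ServiceEndpoint{Host: host, BasePath: "https://" + host + path}, nil
}
```

Call NormalizeEndpoint once per service and hand Host to option.WithEndpoint() and BasePath to the provider's direct setting, so both consumers are derived from a single validated value.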

      Feature Overview

      • Add support for custom GCP API endpoints (private and restricted) while deploying OpenShift on GCP

      Goals

      • Enable OpenShift to support private and restricted GCP API endpoints while deploying the platform on GCP as we do for AWS already

      Requirements

      • This section: a list of specific needs or objectives that a Feature must deliver to satisfy the Feature. Some requirements will be flagged as MVP. If an MVP requirement gets shifted, the feature shifts. If a non-MVP requirement slips, it does not shift the feature.

      Requirement                    Notes                                                                                        isMvp?
      CI                             MUST be running successfully with test automation. This is a requirement for ALL features.  YES
      Release Technical Enablement   Provide necessary release enablement details and documents.                                  YES

      Use Cases


      • As a user I want to be able to use GCP Private API endpoints while deploying OpenShift so I can be compliant with my company security policies
      • As a user I want to be able to use GCP Restricted API endpoints while deploying OpenShift so I can be compliant with my company security policies

      Background, and strategic fit

      For users with strict regulatory policies, Private Service Connect allows private consumption of services across VPC networks that belong to different groups, teams, projects, or organizations. Supporting OpenShift to consume these private endpoints is key for these customers to be able to deploy the platform on GCP and be compliant with their regulatory policies.

      Documentation Considerations

      Questions to be addressed:

      • What educational or reference material (docs) is required to support this product feature? For users/admins? Other functions (security officers, etc)?
      • Does this feature have doc impact?
      • New Content, Updates to existing content, Release Note, or No Doc Impact
      • If unsure and no Technical Writer is available, please contact Content Strategy.
      • What concepts do customers need to understand to be successful in [action]?
      • How do we expect customers will use the feature? For what purpose(s)?
      • What reference material might a customer want/need to complete [action]?
      • Is there source material that can be used as reference for the Technical Writer in writing the content? If yes, please link if available.
      • What is the doc impact (New Content, Updates to existing content, or Release Note)?

      Brent Barbachem (rh-ee-bbarbach), Marcos Entenza Garcia (mak.redhat.com), Jianli Wei