Details
-
Story
-
Resolution: Unresolved
-
Major
-
None
-
Logging 5.8.0
-
5
-
False
-
None
-
False
-
NEW
-
OBSDA-57 - Enable Cloud Operations (GCP StackDriver) forwarding
-
NEW
-
Log Collection - Sprint 231, Log Collection - Sprint 244, Log Collection - Sprint 245, Log Collection - Sprint 246
Description
Story
As a user of OpenShift, running in 'manual' credentials mode (sts), on GCP
I want to be able to configure my vector googleCloudLogging logforwarder
So that I can authenticate using a GCP role
Acceptance Criteria
- Can successfully forward logs to gcloud logging using a secret containing a gcp 'external_account', rather than a long-lived 'service_account' credentials key.
- CLO repo documentation describing how to utilize this feature
Notes
- Current long-lived key authentication (create google service_account key) – https://docs.openshift.com/container-platform/4.11//logging/cluster-logging-external.html#cluster-logging-collector-log-forward-gcp_cluster-logging-external
- Short lived credentials with GCP Workload Identity Federation (external_account token) - https://github.com/openshift/cloud-credential-operator/blob/master/docs/gcp_workload_identity.md
- created via:
apiVersion: cloudcredential.openshift.io/v1 kind: CredentialsRequest metadata: name: my-gcl-secret-credrequest namespace: openshift-cloud-credential-operator spec: providerSpec: apiVersion: cloudcredential.openshift.io/v1 kind: GCPProviderSpec predefinedRoles: - roles/logging.admin skipServiceCheck: true secretRef: name: my-gcl-secret namespace: openshift-logging serviceAccountNames: - logcollector
- Initially opened the following discussion with vector upstream, to inquire on any plans of implementing GCP WIF authentication. https://github.com/vectordotdev/vector/discussions/16278
- Now feature request has been created: https://github.com/vectordotdev/vector/issues/16387
