  1. OpenShift Logging
  2. LOG-4542

Operator - Add support for GCP Workload Identity Federation config


    • Task
    • Resolution: Done
    • Major
    • Logging 5.9.0
    • None
    • Log Storage
    • None
    • Log Storage - Sprint 249, Log Storage - Sprint 250

      Description

      As a LokiStack administrator, I want to configure the LokiStack object storage secret to use GCP's Workload Identity Federation service to control access to object storage.

      Acceptance Criteria

      1. The LokiStack administrator can use an external_account in serviceaccount.json that supports working with GCP WIF.
      2. The LokiStack administrator is required to provide a value for audience.

      Developer Notes

      1. Expand the LokiStack GCS Object Storage Secret Docs to explain how to use WIF.
      2. Consider adding extra evaluations for type external_account for the GCP object storage secret content:
        1. A serviceaccount.json of type external_account is required to have a non-empty field audience.
        2. A serviceaccount.json of type external_account is required to have a non-empty field service_account_impersonation_url.
        3. A serviceaccount.json of type external_account is required to have a non-empty field credential_source.
      3. The value of credential_source.file is required to be mounted as a projected volume from the object storage secret.
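
One way to express the extra evaluations from the developer notes, as an added Go example (not the operator's own code). The function name `validateGCPKey`, the struct, and the sample values are hypothetical; treating an empty credential_source.file as an error is an assumption drawn from note 3.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// gcpCredentials holds only the serviceaccount.json fields named in the developer notes.
type gcpCredentials struct {
	Type             string `json:"type"`
	Audience         string `json:"audience"`
	ImpersonationURL string `json:"service_account_impersonation_url"`
	CredentialSource *struct {
		File string `json:"file"`
	} `json:"credential_source"`
}

// validateGCPKey (hypothetical name) applies the checks for type external_account and
// returns credential_source.file, the path that must be backed by a projected volume.
func validateGCPKey(raw []byte) (string, error) {
	var c gcpCredentials
	if err := json.Unmarshal(raw, &c); err != nil {
		return "", fmt.Errorf("serviceaccount.json is not valid JSON: %w", err)
	}
	if c.Type != "external_account" {
		return "", nil // other credential types: the WIF checks do not apply
	}
	switch {
	case c.Audience == "":
		return "", errors.New("external_account: audience must be non-empty")
	case c.ImpersonationURL == "":
		return "", errors.New("external_account: service_account_impersonation_url must be non-empty")
	case c.CredentialSource == nil:
		return "", errors.New("external_account: credential_source must be non-empty")
	case c.CredentialSource.File == "": // assumption: note 3 implies a file source
		return "", errors.New("external_account: credential_source.file must be set")
	}
	return c.CredentialSource.File, nil
}

// Constructed sample input; every value is a placeholder.
const sampleWIF = `{"type":"external_account","audience":"AUDIENCE_PLACEHOLDER",
 "service_account_impersonation_url":"https://example.invalid/impersonate",
 "credential_source":{"file":"/var/run/secrets/example/token"}}`

func main() {
	file, err := validateGCPKey([]byte(sampleWIF))
	fmt.Println(file, err)
}
```

The returned path is what a caller would compare against the mount path of the projected volume before accepting the secret.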

              ptsiraki@redhat.com Periklis Tsirakidis
              ptsiraki@redhat.com Periklis Tsirakidis
              Kabir Bharti Kabir Bharti