Uploaded image for project: 'OpenShift Logging'
  1. OpenShift Logging
  2. LOG-6158

Operator - Add CCO support for GCP WIF for openshift-related tenant modes.

XMLWordPrintable

    • Icon: Story Story
    • Resolution: Unresolved
    • Icon: Major Major
    • Logging 6.2.0
    • None
    • Log Storage
    • None
    • Log Storage - Sprint 262, Log Storage - Sprint 263, Log Storage - Sprint 265

      As a LokiStack administrator I want to off-load GCP WIF configuration to the CloudCredentialOperator when running on a cluster that supports this operator so that I do not need to manually manage WIF credentials configuration on GCP and in turn a custom LokiStack GCP object storage secret.

      Acceptance Criteria

      • The Loki Operator offloads all Azure GCP credential generation work to the CloudCredentialOperator on OpenShift platforms with this operator available.
      • The LokiStack administrator is required to provide only a very minimum S3 object storage config secret, i.e. bucketname
      • The Loki Operator needs to declare in the ClusterServiceVersion provided for OpenShift the following annotation: features.operators.openshift.io/token-auth-gcp

      Developer Notes

      1. Consider reading and understanding the recommended approach from this documentation: Google Cloud Workload Identity Foundation
      2. The Loki Operator needs to check (periodically) if the present APIServer supports the custom resource CredentialsRequest from cloudcredential.openshift.io/v1.
      3. For tenant modes openshift-logging and openshift-network the operator will create a CredentialsRequest:
        1. In the CloudCredentialOperator namespace.
        2. Provide a list of required GCP rights as listed here https://loki-operator.dev/docs/short_lived_tokens_authentication.md/#gcp-workload-identity-federation{}
        3. Reference a secret in the openshift-logging/netobserv namespace for the CloudCredentialOperator.
      4. Upon the CloudCredentialOperator providind the secret (that includes the project_number and pool_id, provider_id, service_account_email) the Loki Operator resumes operations as in LOG-4546 to connect configure Loki's GCP config for WIF.

              ptsiraki@redhat.com Periklis Tsirakidis
              ptsiraki@redhat.com Periklis Tsirakidis
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated: