OpenShift Request For Enhancement: RFE-7745

Enhance ccoctl to Support Self-Managed OIDC JWKs for GCP Workload Identity Federation

    • Type: Feature Request
    • Resolution: Unresolved
    • 4.18
    • Future Sustainability

      1. Proposed title of this feature request

      Add support in ccoctl for an alternative mode that:

      • Skips the creation of a public GCS bucket.
      • Generates and uploads a JWK file directly to GCP using the --jwk-json-path option.
      • Optionally allows users to provide their own JWK file or RSA key pair.

      This would align ccoctl with GCP’s native capabilities and improve security posture for OpenShift clusters deployed on GCP.

      2. What is the nature and description of the request?

      When deploying OpenShift 4.18 on GCP using Workload Identity Federation, the ccoctl gcp create-workload-identity-provider command currently creates a public Google Cloud Storage (GCS) bucket to host the OIDC discovery document and the JWKS.

      To make the bucket readable by GCP's token validator, ccoctl sets the bucket's IAM policy to grant allUsers the objectViewer role. Exposing a bucket to allUsers is a security concern in its own right, and the grant is frequently blocked by default GCP organization policies (such as those enforcing domain-restricted sharing or public-access prevention), which causes the ccoctl step to fail.

      However, GCP now supports self-managed OIDC JWKs via the --jwk-json-path flag of the gcloud iam workload-identity-pools providers create-oidc command.

      With this flag, the user uploads a JWKS file containing the public signing key(s) directly to the workload identity pool provider. GCP then validates the cluster's service account tokens against the uploaded keys instead of fetching them from a public OIDC endpoint, so no public bucket or other publicly reachable discovery URL is needed.
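      The following is an added illustration, not code from ccoctl or from this RFE, of what the file passed to --jwk-json-path would contain: the public half of the cluster's service account signing key rendered as a JWKS. It assumes the RSA key is the one the cluster's token signer uses (otherwise GCP cannot validate the tokens), and it assumes the RFC 7638 thumbprint as the kid; ccoctl's own kid convention may differ.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"os"
)

// JWK holds only the public members of an RSA key. The private key is never
// serialized here, so nothing secret ends up in the uploaded file.
type JWK struct {
	Kty string `json:"kty"`
	Alg string `json:"alg"`
	Use string `json:"use"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// JWKS is the {"keys":[...]} document expected by --jwk-json-path.
type JWKS struct {
	Keys []JWK `json:"keys"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// PublicJWK renders an RSA public key as an RS256 signing JWK. The kid is the
// RFC 7638 thumbprint: SHA-256 over the required members in lexicographic order
// (an assumption of this example, not necessarily what ccoctl emits).
func PublicJWK(pub *rsa.PublicKey) JWK {
	n := b64url(pub.N.Bytes())
	e := b64url(big.NewInt(int64(pub.E)).Bytes())
	thumb := sha256.Sum256([]byte(fmt.Sprintf(`{"e":"%s","kty":"RSA","n":"%s"}`, e, n)))
	return JWK{Kty: "RSA", Alg: "RS256", Use: "sig", Kid: b64url(thumb[:]), N: n, E: e}
}

// BuildJWKS assembles one JWKS from one or more public keys; listing the old and
// new key together is how a signer-key rotation stays valid during the switch.
func BuildJWKS(pubs ...*rsa.PublicKey) ([]byte, error) {
	set := JWKS{}
	for _, p := range pubs {
		set.Keys = append(set.Keys, PublicJWK(p))
	}
	return json.MarshalIndent(set, "", "  ")
}

func main() {
	// A freshly generated key stands in for the cluster signer key (constructed sample).
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	out, err := BuildJWKS(&key.PublicKey)
	if err != nil {
		panic(err)
	}
	os.WriteFile("jwks.json", out, 0o600) // pass this path to --jwk-json-path
}
```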

      3. Why does the customer need this? (List the business requirements here)

      • The current ccoctl behavior is incompatible with GCP environments that enforce strict security policies (e.g., blocking public access to GCS buckets).
      • The public bucket is unnecessary when GCP supports direct JWK upload.
      • This limits the ability to use Workload Identity Federation in secure or regulated environments.

      4. Benefits of this enhancement:

      • Improved security by avoiding public buckets.
      • Compliance with GCP organization policies that restrict public access.
      • Simplified setup for Workload Identity Federation using native GCP features.
      • Better alignment with GCP documentation and best practices (GCP Docs: Manage OIDC keys, https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers).

      NOTE: Red Hat KCS 7083112 covers a similar topic, but this request goes further — we suggest removing the need for a GCS bucket completely by using GCP’s support for directly uploading a JWK file.

      People: Ju Lim (julim), Sakshi Kulkarni (rhn-support-sakkulka)