Skip to content

Commit

Permalink
Merge pull request #80721 from jeana-redhat/OSDOCS-11734-GCP-WID-for-…
Browse files Browse the repository at this point in the history 
…OLM-CCO

OSDOCS-11734: GCP Workload ID OLM stub and related updates
  • Loading branch information
@jeana-redhat
jeana-redhat authored Sep 9, 2024
2 parents 4241b05 + b8b5a6e commit 633ad22
Show file tree
Hide file tree
Showing 5 changed files with 45 additions and 19 deletions.
3 changes: 3 additions & 0 deletions _attributes/common-attributes.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -309,6 +309,9 @@ endif::openshift-origin[]
//Microsoft Entra Workload ID (FKA Azure Active Directory Workload Identities)
:entra-first: Microsoft Entra Workload ID
:entra-short: Workload ID
//Google Cloud Platform Workload Identity
:gcp-wid-first: Google Cloud Platform Workload Identity
:gcp-wid-short: GCP Workload Identity


// Cluster API terminology
Expand Down
40 changes: 24 additions & 16 deletions authentication/managing_cloud_provider_credentials/cco-short-term-creds.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ During installation, you can configure the Cloud Credential Operator (CCO) to op

[NOTE]
====
This credentials strategy is supported for Amazon Web Services (AWS), Google Cloud Platform (GCP), and global Microsoft Azure only. The strategy must be configured during installation of a new {product-title} cluster. You cannot configure an existing cluster that uses a different credentials strategy to use this feature.
This credentials strategy is supported for {aws-first}, {gcp-first}, and global {azure-full} only. The strategy must be configured during installation of a new {product-title} cluster. You cannot configure an existing cluster that uses a different credentials strategy to use this feature.
====

//todo: Should provide some more info about the benefits of this here as well. Note: Azure is not yet limited-priv, but still gets the benefit of not storing root creds on the cluster and some sort of time-based rotation
Expand All @@ -21,25 +21,25 @@ Cloud providers use different terms for their implementation of this authenticat
|====
|Cloud provider |Provider nomenclature

|Amazon Web Services (AWS)
|AWS Security Token Service (STS)
|{aws-first}
|{aws-short} {sts-first}

|Google Cloud Platform (GCP)
|GCP Workload Identity
|{gcp-first}
|{gcp-wid-short}

|Global Microsoft Azure
|{entra-first}

|====

[id="cco-short-term-creds-aws_{context}"]
== AWS Security Token Service
== {aws-short} {sts-full}

In manual mode with STS, the individual {product-title} cluster components use the AWS Security Token Service (STS) to assign components IAM roles that provide short-term, limited-privilege security credentials. These credentials are associated with IAM roles that are specific to each component that makes AWS API calls.
In manual mode with {sts-first}, the individual {product-title} cluster components use the {aws-short} {sts-short} to assign components IAM roles that provide short-term, limited-privilege security credentials. These credentials are associated with IAM roles that are specific to each component that makes {aws-short} API calls.

[role="_additional-resources"]
.Additional resources
* xref:../../installing/installing_aws/ipi/installing-aws-customizations.adoc#installing-aws-with-short-term-creds_installing-aws-customizations[Configuring an AWS cluster to use short-term credentials]
* xref:../../installing/installing_aws/ipi/installing-aws-customizations.adoc#installing-aws-with-short-term-creds_installing-aws-customizations[Configuring an {aws-short} cluster to use short-term credentials]

//AWS Security Token Service authentication process
include::modules/cco-short-term-creds-auth-flow-aws.adoc[leveloffset=+2]
Expand All @@ -55,16 +55,16 @@ include::modules/cco-short-term-creds-aws-olm.adoc[leveloffset=+2]

[role="_additional-resources"]
.Additional resources
* xref:../../operators/operator_sdk/token_auth/osdk-cco-aws-sts.adoc#osdk-cco-aws-sts[CCO-based workflow for OLM-managed Operators with AWS STS]
* xref:../../operators/operator_sdk/token_auth/osdk-cco-aws-sts.adoc#osdk-cco-aws-sts[CCO-based workflow for OLM-managed Operators with {aws-short} {sts-short}]

[id="cco-short-term-creds-gcp_{context}"]
== GCP Workload Identity
== {gcp-wid-short}

In manual mode with GCP Workload Identity, the individual {product-title} cluster components use the GCP workload identity provider to allow components to impersonate GCP service accounts using short-term, limited-privilege credentials.
In manual mode with {gcp-wid-short}, the individual {product-title} cluster components use the {gcp-short} workload identity provider to allow components to impersonate {gcp-short} service accounts using short-term, limited-privilege credentials.

[role="_additional-resources"]
.Additional resources
* xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#installing-gcp-with-short-term-creds_installing-gcp-customizations[Configuring a GCP cluster to use short-term credentials]
* xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#installing-gcp-with-short-term-creds_installing-gcp-customizations[Configuring a {gcp-short} cluster to use short-term credentials]

//GCP Workload Identity authentication process
include::modules/cco-short-term-creds-auth-flow-gcp.adoc[leveloffset=+2]
Expand All @@ -75,14 +75,22 @@ include::modules/cco-short-term-creds-format-gcp.adoc[leveloffset=+2]
//GCP component secret permissions requirements (placeholder)
//include::modules/cco-short-term-creds-component-permissions-gcp.adoc[leveloffset=+2]

//OLM-managed Operator support for authentication with GCP Workload Identity
include::modules/cco-short-term-creds-gcp-olm.adoc[leveloffset=+2]

// Placeholder/guess for OLM link
// [role="_additional-resources"]
// .Additional resources
// * xr3f:../../operators/operator_sdk/token_auth/osdk-cco-gcp.adoc#osdk-cco-gcp[CCO-based workflow for OLM-managed Operators with {gcp-wid-first}]

[id="cco-short-term-creds-azure_{context}"]
== {entra-first}

In manual mode with {entra-first}, the individual {product-title} cluster components use the {entra-short} provider to assign components short-term security credentials.

[role="_additional-resources"]
.Additional resources
* xref:../../installing/installing_azure/ipi/installing-azure-customizations.adoc#installing-azure-with-short-term-creds_installing-azure-customizations[Configuring a global Microsoft Azure cluster to use short-term credentials]
* xref:../../installing/installing_azure/ipi/installing-azure-customizations.adoc#installing-azure-with-short-term-creds_installing-azure-customizations[Configuring a global {azure-first} cluster to use short-term credentials]

//Microsoft Entra Workload ID authentication process
include::modules/cco-short-term-creds-auth-flow-azure.adoc[leveloffset=+2]
Expand All @@ -104,7 +112,7 @@ include::modules/cco-short-term-creds-azure-olm.adoc[leveloffset=+2]
[id="additional-resources_{context}"]
== Additional resources

* xref:../../installing/installing_aws/ipi/installing-aws-customizations.adoc#installing-aws-with-short-term-creds_installing-aws-customizations[Configuring an AWS cluster to use short-term credentials]
* xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#installing-gcp-with-short-term-creds_installing-gcp-customizations[Configuring a GCP cluster to use short-term credentials]
* xref:../../installing/installing_azure/ipi/installing-azure-customizations.adoc#installing-azure-with-short-term-creds_installing-azure-customizations[Configuring a global Microsoft Azure cluster to use short-term credentials]
* xref:../../installing/installing_aws/ipi/installing-aws-customizations.adoc#installing-aws-with-short-term-creds_installing-aws-customizations[Configuring an {aws-short} cluster to use short-term credentials]
* xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#installing-gcp-with-short-term-creds_installing-gcp-customizations[Configuring a {gcp-short} cluster to use short-term credentials]
* xref:../../installing/installing_azure/ipi/installing-azure-customizations.adoc#installing-azure-with-short-term-creds_installing-azure-customizations[Configuring a global {azure-first} cluster to use short-term credentials]
* xref:../../updating/preparing_for_updates/preparing-manual-creds-update.adoc#preparing-manual-creds-update[Preparing to update a cluster with manually maintained credentials]
6 changes: 4 additions & 2 deletions modules/cco-short-term-creds-aws-olm.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@

:_mod-docs-content-type: CONCEPT
[id="cco-short-term-creds-aws-olm_{context}"]
= OLM-managed Operator support for authentication with AWS STS
= OLM-managed Operator support for authentication with {aws-short} {sts-short}

In addition to {product-title} cluster components, some Operators managed by the Operator Lifecycle Manager (OLM) on AWS clusters can use manual mode with STS. These Operators authenticate with limited-privilege, short-term credentials that are managed outside the cluster. To determine if an Operator supports authentication with AWS STS, see the Operator description in OperatorHub.
Certain Operators managed by the Operator Lifecycle Manager (OLM) on {aws-short} clusters can use manual mode with {sts-short}.
These Operators authenticate with limited-privilege, short-term credentials that are managed outside the cluster.
To determine if an Operator supports authentication with {aws-short} {sts-short}, see the Operator description in OperatorHub.
4 changes: 3 additions & 1 deletion modules/cco-short-term-creds-azure-olm.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,4 +6,6 @@
[id="cco-short-term-creds-azure-olm_{context}"]
= OLM-managed Operator support for authentication with {entra-first}

In addition to {product-title} cluster components, some Operators managed by the Operator Lifecycle Manager (OLM) on Azure clusters can use manual mode with {entra-first}. These Operators authenticate with short-term credentials that are managed outside the cluster. To determine if an Operator supports authentication with {entra-short}, see the Operator description in OperatorHub.
Certain Operators managed by the Operator Lifecycle Manager (OLM) on {azure-short} clusters can use manual mode with {entra-first}.
These Operators authenticate with short-term credentials that are managed outside the cluster.
To determine if an Operator supports authentication with {entra-short}, see the Operator description in OperatorHub.
11 changes: 11 additions & 0 deletions modules/cco-short-term-creds-gcp-olm.adoc
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
// Module included in the following assemblies:
//
// * authentication/managing_cloud_provider_credentials/cco-short-term-creds.adoc

:_mod-docs-content-type: CONCEPT
[id="cco-short-term-creds-gcp-olm_{context}"]
= OLM-managed Operator support for authentication with {gcp-wid-short}

Certain Operators managed by the Operator Lifecycle Manager (OLM) on {gcp-short} clusters can use manual mode with {gcp-wid-short}.
These Operators authenticate with limited-privilege, short-term credentials that are managed outside the cluster.
To determine if an Operator supports authentication with {gcp-wid-short}, see the Operator description in OperatorHub.

0 comments on commit 633ad22

Please sign in to comment.