Using manual mode with GCP Workload Identity
Manual mode with GCP Workload Identity is supported for Google Cloud Platform (GCP).
In manual mode with GCP Workload Identity, the individual OKD cluster components can impersonate IAM service accounts using short-term, limited-privilege credentials.
Requests for new and refreshed credentials are automated by using an appropriately configured OpenID Connect (OIDC) identity provider, combined with IAM service accounts. OKD signs service account tokens that are trusted by GCP, and can be projected into a pod and used for authentication. Tokens are refreshed after one hour by default.
Using manual mode with GCP Workload Identity changes the content of the GCP credentials that are provided to individual OKD components.
GCP secret format
apiVersion: v1
kind: Secret
metadata:
namespace: <target_namespace> (1)
name: <target_secret_name> (2)
data:
service_account.json: <service_account> (3)
1 | The namespace for the component. |
2 | The name of the component secret. |
3 | The Base64 encoded service account. |
Content of the Base64 encoded service_account.json
file using long-lived credentials
{
"type": "service_account", (1)
"project_id": "<project_id>",
"private_key_id": "<private_key_id>",
"private_key": "<private_key>", (2)
"client_email": "<client_email_address>",
"client_id": "<client_id>",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/<client_email_address>"
}
1 | The credential type is service_account . |
2 | The private RSA key that is used to authenticate to GCP. This key must be kept secure and is not rotated. |
Content of the Base64 encoded service_account.json
file using GCP Workload Identity
{
"type": "external_account", (1)
"audience": "//iam.googleapis.com/projects/123456789/locations/global/workloadIdentityPools/test-pool/providers/test-provider", (2)
"subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
"token_url": "https://sts.googleapis.com/v1/token",
"service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/<client_email_address>:generateAccessToken", (3)
"credential_source": {
"file": "<path_to_token>", (4)
"format": {
"type": "text"
}
}
}
1 | The credential type is external_account . |
2 | The target audience is the GCP Workload Identity provider. |
3 | The resource URL of the service account that can be impersonated with these credentials. |
4 | The path to the service account token inside the pod. By convention, this is /var/run/secrets/openshift/serviceaccount/token for OKD components. |
In OKD 4.10.8, image registry support for using GCP Workload Identity was removed due to the discovery of an adverse impact to the image registry. To use the image registry on an OKD 4.10.8 cluster that uses Workload Identity, you must configure the image registry to use long-lived credentials instead. This mitigation is planned to last until Workload Identity support for the image registry is restored in a later release. |
Installing an OKD cluster configured for manual mode with GCP Workload Identity
To install a cluster that is configured to use the Cloud Credential Operator (CCO) in manual mode with GCP Workload Identity:
Configuring the Cloud Credential Operator utility
To create and manage cloud credentials from outside of the cluster when the Cloud Credential Operator (CCO) is operating in manual mode with GCP Workload Identity, extract and prepare the CCO utility (ccoctl
) binary.
The |
Procedure
Obtain the OKD release image:
$ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')
Get the CCO container image from the OKD release image:
$ CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE)
Ensure that the architecture of the
$RELEASE_IMAGE
matches the architecture of the environment in which you will use theccoctl
tool.Extract the
ccoctl
binary from the CCO container image within the OKD release image:$ oc image extract $CCO_IMAGE --file="/usr/bin/ccoctl" -a ~/.pull-secret
Change the permissions to make
ccoctl
executable:$ chmod 775 ccoctl
Verification
To verify that
ccoctl
is ready to use, display the help file:$ ccoctl --help
Output of
ccoctl --help
:OpenShift credentials provisioning tool
Usage:
ccoctl [command]
Available Commands:
alibabacloud Manage credentials objects for alibaba cloud
aws Manage credentials objects for AWS cloud
gcp Manage credentials objects for Google cloud
help Help about any command
ibmcloud Manage credentials objects for IBM Cloud
Flags:
-h, --help help for ccoctl
Use "ccoctl [command] --help" for more information about a command.
Creating GCP resources with the Cloud Credential Operator utility
You can use the ccoctl gcp create-all
command to automate the creation of GCP resources.
By default, |
Prerequisites
You must have:
- Extracted and prepared the
ccoctl
binary.
Procedure
Extract the list of
CredentialsRequest
objects from the OKD release image:$ oc adm release extract --credentials-requests --cloud=gcp --to=<path_to_directory_with_list_of_credentials_requests>/credrequests quay.io/<path_to>/ocp-release:<version>
This command can take a few moments to run.
Use the
ccoctl
tool to process allCredentialsRequest
objects in thecredrequests
directory:$ ccoctl gcp create-all --name=<name> --region=<gcp_region> --project=<gcp_project_id> --credentials-requests-dir=<path_to_directory_with_list_of_credentials_requests>/credrequests
where:
<name>
is the user-defined name for all created GCP resources used for tracking.<gcp_region>
is the GCP region in which cloud resources will be created.<gcp_project_id>
is the GCP project ID in which cloud resources will be created.<path_to_directory_with_list_of_credentials_requests>/credrequests
is the directory containing the files ofCredentialsRequest
manifests to create GCP service accounts.
Verification
To verify that the OKD secrets are created, list the files in the
<path_to_ccoctl_output_dir>/manifests
directory:$ ls <path_to_ccoctl_output_dir>/manifests
You can verify that the IAM service accounts are created by querying GCP. For more information, refer to GCP documentation on listing IAM service accounts.
Configuring the image registry to use long-lived credentials
In OKD 4.10.8, image registry support for using GCP Workload Identity was removed due to the discovery of an adverse impact to the image registry. To use the image registry on an OKD 4.10.8 cluster that uses Workload Identity, you must configure the image registry to use long-lived credentials instead. This mitigation is planned to last until Workload Identity support for the image registry is restored in a later release.
Prerequisites
You have created GCP resources with the Cloud Credential Operator utility (
ccoctl
).You have obtained and initialized the gcloud CLI.
Procedure
Obtain the email address of the IAM service account that the
ccoctl
created for the OKD image registry by running the following command:$ gcloud iam service-accounts list --filter="displayName=<name>-openshift-image-registry-gcs"
where
<name>
is the user-defined name for allccoctl
-created GCP resources used for tracking.Create a long-lived credentials key file for the OKD image registry by running the following command:
$ gcloud iam service-accounts keys create <path_to_image_registry_service_account_keyfile> --iam-account=<image_registry_service_account_email>
where:
<path_to_image_registry_service_account_keyfile>
is the path to a location you choose in which to store the key file for the image registry’s IAM service account.<image_registry_service_account_email>
is the email address of the IAM service account that theccoctl
created for the OKD image registry.
Generate a Base64-encoded string for the image registry key file by running the following command:
$ cat <path_to_image_registry_service_account_keyfile> | base64 -w 0
In the
<path_to_ccoctl_output_dir>/manifests
directory, locate the OKD image registry secret manifest YAML file,openshift-image-registry-installer-cloud-credentials-credentials.yaml
. In this file, replace the contents of thedata.service_account.json
field with the Base64-encoded key file.
Running the installer
Prerequisites
- Obtain the OKD release image.
Procedure
Change to the directory that contains the installation program and create the
install-config.yaml
file:$ openshift-install create install-config --dir <installation_directory>
where
<installation_directory>
is the directory in which the installation program creates files.Edit the
install-config.yaml
configuration file so that it contains thecredentialsMode
parameter set toManual
.Example
install-config.yaml
configuration fileapiVersion: v1
baseDomain: cluster1.example.com
credentialsMode: Manual (1)
compute:
- architecture: amd64
hyperthreading: Enabled
1 This line is added to set the credentialsMode
parameter toManual
.Create the required OKD installation manifests:
$ openshift-install create manifests
Copy the manifests that
ccoctl
generated to the manifests directory that the installation program created:$ cp /<path_to_ccoctl_output_dir>/manifests/* ./manifests/
Copy the private key that the
ccoctl
generated in thetls
directory to the installation directory:$ cp -a /<path_to_ccoctl_output_dir>/tls .
Run the OKD installer:
$ ./openshift-install create cluster
Verifying the installation
Connect to the OKD cluster.
Verify that the cluster does not have
root
credentials:$ oc get secrets -n kube-system gcp-credentials
The output should look similar to:
Error from server (NotFound): secrets "gcp-credentials" not found
Verify that the components are assuming the service accounts that are specified in the secret manifests, instead of using credentials that are created by the CCO:
Example command with the Image Registry Operator
$ oc get secrets -n openshift-image-registry installer-cloud-credentials -o json | jq -r '.data."service_account.json"' | base64 -d
The output should show the role and web identity token that are used by the component and look similar to:
Example output with the Image Registry Operator
{
"type": "external_account", (1)
"audience": "//iam.googleapis.com/projects/123456789/locations/global/workloadIdentityPools/test-pool/providers/test-provider",
"subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
"token_url": "https://sts.googleapis.com/v1/token",
"service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/<client-email-address>:generateAccessToken", (2)
"credential_source": {
"file": "/var/run/secrets/openshift/serviceaccount/token",
"format": {
"type": "text"
}
}
}
1 The credential type is external_account
.2 The resource URL of the service account used by the Image Registry Operator.