Included user-defined labels and tags for GCP.

Author: subhtk

installing/installing_gcp/installing-gcp-customizations.adoc

@@ -40,6 +40,15 @@ include::modules/cco-ccoctl-configuring.adoc[leveloffset=+2]
 //Task part 2: Creating the required GCP resources
 include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+2]
 
+include::modules/installing-gcp-user-defined-labels-and-tags.adoc[leveloffset=+1]
+
+//Configuring user-defined labels and tags for GCP
+include::modules/installing-gcp-cluster-creation.adoc[leveloffset=+2]
+
+//Querying user-defined labels and tags for GCP
+include::modules/installing-gcp-querying-labels-tags-gcp.adoc[leveloffset=+2]
+
+
 include::modules/installation-initializing.adoc[leveloffset=+1]
 
 [role="_additional-resources"]

modules/installing-gcp-cluster-creation.adoc

@@ -0,0 +1,62 @@
+// Module included in the following assemblies:
+// * installing/installing_gcp/installing-gcp-customizations.adoc
+
+:_content-type: PROCEDURE
+[id="installing-gcp-cluster-creation_{context}"]
+= Configuring user-defined labels and tags for GCP
+
+.Prerequisites
+
+* The installation program requires that a service account includes a `TagUser` role, so that the program can create the {product-title} cluster with defined tags at both organization and project levels.
+
+.Procedure
+
+* Update the `install-config.yaml` file to define the list of desired labels and tags.
++
+[NOTE]
+====
+Labels and tags are defined during the `install-config.yaml` creation phase, and cannot be modified or updated with new labels and tags after cluster creation.
+====
++
+.Sample `install-config.yaml` file
++
+[source,yaml]
+----
+apiVersion: v1
+featureSet: TechPreviewNoUpgrade
+platform:
+ gcp:
+   userLabels: <1>
+   - key: <label_key><2>
+     value: <label_value><3>
+   userTags: <4>
+   - parentID: <OrganizationID/ProjectID><5>
+     key: <tag_key_short_name>
+     value: <tag_value_short_name>
+----
+<1> Adds keys and values as labels to the resources created on GCP.
+<2> Defines the label name.
+<3> Defines the label content.
+<4> Adds keys and values as tags to the resources created on GCP.
+<5> The ID of the hierarchical resource where the tags are defined, at the organization or the project level.
+
+The following are the requirements for user-defined labels:
+
+* A label key and value must have a minimum of 1 character and can have a maximum of 63 characters.
+* A label key and value must contain only lowercase letters, numeric characters, underscore (`_`), and dash (`-`).
+* A label key must start with a lowercase letter.
+* You can configure a maximum of 32 labels per resource. Each resource can have a maximum of 64 labels, and 32 labels are reserved for internal use by {product-title}.
+
+The following are the requirements for user-defined tags:
+
+* Tag key and tag value must already exist. {product-title} does not create the key and the value.
+* A tag `parentID` can be either `OrganizationID` or `ProjectID`:
+** `OrganizationID` must consist of decimal numbers without leading zeros.
+** `ProjectID` must be 6 to 30 characters in length, that includes only lowercase letters, numbers, and hyphens.
+** `ProjectID` must start with a letter, and cannot end with a hyphen.
+* A tag key must contain only uppercase and lowercase alphanumeric characters, hyphen (`-`), underscore (`_`), and period (`.`).
+* A tag value must contain only uppercase and lowercase alphanumeric characters, hyphen (`-`), underscore (`_`), period (`.`), at sign (`@`), percent sign (`%`), equals sign (`=`), plus (`+`), colon (`:`), comma (`,`), asterisk (`*`), pound sign (`$`), ampersand (`&`), parentheses (`()`), square braces (`[]`), curly braces (`{}`), and space.
+* A tag key and value must begin and end with an alphanumeric character.
+* Tag value must be one of the pre-defined values for the key.
+* You can configure a maximum of 50 tags.
+* There should be no tag key defined with the same value as any of the existing tag keys that will be inherited from the parent resource.

modules/installing-gcp-querying-labels-tags-gcp.adoc

@@ -0,0 +1,36 @@
+// Module included in the following assemblies:
+// * installing/installing_gcp/installing-gcp-customizations.adoc
+
+:_content-type: REFERENCE
+[id="installing-gcp-querying-labels-tags-gcp_{context}"]
+= Querying user-defined labels and tags for GCP
+
+After creating the {product-title} cluster, you can access the list of the labels and tags defined for the GCP resources  in the `infrastructures.config.openshift.io/cluster` object as shown in the following sample `infrastructure.yaml` file.
+
+.Sample `infrastructure.yaml` file
+[source,yaml]
+----
+apiVersion: config.openshift.io/v1
+kind: Infrastructure
+metadata:
+ name: cluster
+spec:
+ platformSpec:
+   type: GCP
+status:
+ infrastructureName: <cluster_id><1>
+ platform: GCP
+ platformStatus:
+   gcp:
+     resourceLabels:
+     - key: <label_key>
+       value: <label_value>
+     resourceTags:
+     - key: <tag_key_short_name>
+       parentID: <OrganizationID/ProjectID>
+       value: <tag_value_short_name>
+   type: GCP
+----
+<1> The cluster ID that is generated during cluster installation.
+
+Along with the user-defined labels, resources have a label defined by the {product-title}. The format of the {product-title} labels is `kubernetes-io-cluster-<cluster_id>:owned`.

modules/installing-gcp-user-defined-labels-and-tags.adoc

@@ -0,0 +1,74 @@
+// Module included in the following assemblies:
+// * installing/installing_gcp/installing-gcp-customizations.adoc
+
+:_content-type: CONCEPT
+[id="installing-gcp-user-defined-labels-and-tags_{context}"]
+= Managing user-defined labels and tags for GCP
+
+:FeatureName: Support for user-defined labels and tags for GCP
+include::snippets/technology-preview.adoc[]
+
+Google Cloud Platform (GCP) provides labels and tags that help to identify and organize the resources created for a specific {product-title} cluster, making them easier to manage. 
+
+You can define labels and tags for each GCP resource only during {product-title} cluster installation. 
+
+[IMPORTANT]
+====
+User-defined labels and tags are not supported for {product-title} clusters upgraded to {product-title} 4.14 version.
+====
+
+.User-defined labels
+
+User-defined labels and {product-title} specific labels are applied only to resources created by {product-title} installation program and its core components such as: 
+
+* GCP filestore CSI Driver Operator
+* GCP PD CSI Driver Operator
+* Image Registry Operator
+* Machine API provider for GCP
+
+User-defined labels and {product-title} specific labels are not applied on the resources created by any other operators or the Kubernetes in-tree components that create resources, for example, the Ingress load balancers.
+
+User-defined labels and {product-title} labels are available on the following GCP resources:
+
+* Compute disk
+* Compute instance
+* Compute image
+* Compute forwarding rule
+* DNS managed zone
+* Filestore instance
+* Storage bucket
+
+.Limitations to user-defined labels
+
+* Labels for `ComputeAddress` are supported in the GCP beta version. {product-title} does not add labels to the resource.
+
+.User-defined tags
+
+User-defined tags are attached to resources created by the {product-title} Image Registry Operator and not on the resources created by any other Operators or the Kubernetes in-tree components.
+
+User-defined tags are available on on the following GCP resources:
+* Storage bucket
+
+.Limitations to the user-defined tags
+
+* Tags will not be attached to the following items:
+** Control plane instances and storage buckets created by the installation program
+** Compute instances created by the Machine API provider for GCP
+** Filestore instance resources created by the GCP filestore CSI driver Operator
+** Compute disk and compute image resources created by the GCP PD CSI driver Operator
+* Tags are not supported for buckets located in the following regions:
+** `us-east2` 
+** `us-east3`
+* Image Registry Operator does not throw any error but skips processing tags when the buckets are created in the tags unsupported region.
+* Tags must not be restricted to particular service accounts, because Operators create and use service accounts with minimal roles.
+* {product-title} does not create any key and value resources of the tag.
+* {product-title} specific tags are not added to any resource.
+
+
+[role="_additional-resources"]
+.Additional resources
+
+* For more information about identifying the `OrganizationID`, see: link:https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id[OrganizationID]
+* For more information about identifying the `ProjectID`, see: link:https://cloud.google.com/resource-manager/docs/creating-managing-projects#identifying_projects[ProjectID]
+* For more information about labels, see link:https://cloud.google.com/resource-manager/docs/labels-overview[Labels Overview].
+* For more information about tags, see link:https://cloud.google.com/resource-manager/docs/tags/tags-overview[Tags Overview].

modules/minimum-required-permissions-ipi-gcp.adoc

@@ -95,6 +95,7 @@ If your organization’s security policies require a more restrictive set of per
 * `compute.disks.create`
 * `compute.disks.get`
 * `compute.disks.list`
+* `compute.disks.setLabels`
 * `compute.instanceGroups.create`
 * `compute.instanceGroups.delete`
 * `compute.instanceGroups.get`