Merge pull request #87736 from lpettyjo/OSDOCS-12321

lpettyjo · web-flow · commit b7685698314a · 2025-02-20T08:41:20.000-05:00
OSDOCS-12321# GCP Filestore WIF support
diff --git a/modules/persistent-storage-csi-gcp-file-install.adoc b/modules/persistent-storage-csi-gcp-file-install.adoc
@@ -4,16 +4,17 @@
 
 :_mod-docs-content-type: PROCEDURE
 [id="persistent-storage-csi-olm-operator-install_{context}"]
-= Installing the GCP Filestore CSI Driver Operator
+= Installing the {gcp-short} Filestore CSI Driver Operator
 
-The Google Compute Platform (GCP) Filestore Container Storage Interface (CSI) Driver Operator is not installed in {product-title} by default.
-Use the following procedure to install the GCP Filestore CSI Driver Operator in your cluster.
+The Google Compute Platform ({gcp-short}) Filestore Container Storage Interface (CSI) Driver Operator is not installed in {product-title} by default.
+Use the following procedure to install the {gcp-short} Filestore CSI Driver Operator in your cluster.
 
 .Prerequisites
 * Access to the {product-title} web console.
+* If using {gcp-wid-short}, certain {gcp-wid-short} parameters are needed. See the preceding Section _Preparing to install the {gcp-short} Filestore CSI Driver Operator with Workload Identity_.
 
 .Procedure
-To install the GCP Filestore CSI Driver Operator from the web console:
+To install the {gcp-short} Filestore CSI Driver Operator from the web console:
 
 ifdef::openshift-dedicated[]
 
@@ -40,26 +41,33 @@ $ gcloud services enable file.googleapis.com  --project <my_gce_project> <1>
 +
 You can also do this using Google Cloud web console.
 
-. Install the GCP Filestore CSI Operator:
+. Install the {gcp-short} Filestore CSI Operator:
 
 .. Click *Operators* -> *OperatorHub*.
 
-.. Locate the GCP Filestore CSI Operator by typing *GCP Filestore* in the filter box.
+.. Locate the {gcp-short} Filestore CSI Operator by typing *{gcp-short} Filestore* in the filter box.
 
-.. Click the *GCP Filestore CSI Driver Operator* button.
+.. Click the *{gcp-short} Filestore CSI Driver Operator* button.
 
-.. On the *GCP Filestore CSI Driver Operator* page, click *Install*.
+.. On the *{gcp-short} Filestore CSI Driver Operator* page, click *Install*.
 
 .. On the *Install Operator* page, ensure that:
 +
 * *All namespaces on the cluster (default)* is selected.
 * *Installed Namespace* is set to *openshift-cluster-csi-drivers*.
++
+If using {gcp-wid-short}, enter values for the following fields obtained from the procedure in Section _Preparing to install the {gcp-short} Filestore CSI Driver Operator with Workload Identity_:
++
+* *{gcp-short} Project Number*
+* *{gcp-short} Pool ID* 
+* *{gcp-short} Provider ID* 
+* *{gcp-short} Service Account Email* 
 
 .. Click *Install*.
 +
-After the installation finishes, the GCP Filestore CSI Operator is listed in the *Installed Operators* section of the web console.
+After the installation finishes, the {gcp-short} Filestore CSI Operator is listed in the *Installed Operators* section of the web console.
 
-. Install the GCP Filestore CSI Driver:
+. Install the {gcp-short} Filestore CSI Driver:
 
 .. Click *administration* → *CustomResourceDefinitions* → *ClusterCSIDriver*.
 
diff --git a/modules/persistent-storage-csi-gcp-filestore-wif.adoc b/modules/persistent-storage-csi-gcp-filestore-wif.adoc
@@ -0,0 +1,126 @@
+// Module included in the following assemblies:
+//
+// * storage/container_storage_csi-google_cloud_file.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="persistent-storage-csi-gcp-filestore-wif_{context}"]
+= Preparing to install the {gcp-short} Filestore CSI Driver Operator with Workload Identity
+
+If you are planning to use {gcp-wid-short} with Google Compute Platform Filestore, you must obtain certain parameters that you will use during the installation of the {gcp-short} Filestore Container Storage Interface (CSI) Driver Operator.
+
+.Prerequisites
+* Access to the cluster as a user with the cluster-admin role.
+
+// Put note in install area of docs to remind users to take note of the identity pool ID and the provider ID
+
+.Procedure
+
+To prepare to install the {gcp-short} Filestore CSI Driver Operator with Workload Identity:
+
+. Obtain the project number:
+
+.. Obtain the project ID by running the following command:
++
+[source, terminal]
+----
+$ export PROJECT_ID=$(oc get infrastructure/cluster -o jsonpath='{.status.platformStatus.gcp.projectID}')
+----
+
+.. Obtain the project number, using the project ID, by running the following command:
++
+[source, terminal]
+----
+$ gcloud projects describe $PROJECT_ID --format="value(projectNumber)"
+----
+
+. Find the identity pool ID and the provider ID:
++
+During cluster installation, the names of these resources are provided to the Cloud Credential Operator utility (`ccoctl`) with the `--name parameter`. See "Creating {gcp-short} resources with the Cloud Credential Operator utility".
+
+. Create Workload Identity resources for the {gcp-short} Filestore Operator:
+
+.. Create a `CredentialsRequest` file using the following example file:
++
+.Example Credentials Request YAML file
+[source, YAML]
+----
+apiVersion: cloudcredential.openshift.io/v1
+kind: CredentialsRequest
+metadata:
+  name: openshift-gcp-filestore-csi-driver-operator
+  namespace: openshift-cloud-credential-operator
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+spec:
+  serviceAccountNames:
+  - gcp-filestore-csi-driver-operator
+  - gcp-filestore-csi-driver-controller-sa
+  secretRef:
+    name: gcp-filestore-cloud-credentials
+    namespace: openshift-cluster-csi-drivers
+  providerSpec:
+    apiVersion: cloudcredential.openshift.io/v1
+	kind: GCPProviderSpec
+    predefinedRoles:
+    - roles/file.editor
+    - roles/resourcemanager.tagUser
+    skipServiceCheck: true
+----
+
+.. Use the `CredentialsRequest` file to create a {gcp-short} service account by running the following command:
++
+[source, terminal]
+----
+$ ./ccoctl gcp create-service-accounts --name=<filestore-service-account> \// <1>
+  --workload-identity-pool=<workload-identity-pool> \// <2> 
+  --workload-identity-provider=<workload-identity-provider> \// <3> 
+  --project=<project-id> \// <4> 
+  --credentials-requests-dir=/tmp/credreq <5>
+----
+<1> <filestore-service-account> is a user-chosen name. 
+<2> <workload-identity-pool> comes from Step 2 above.
+<3> <workload-identity-provider> comes from Step 2 above.
+<4> <project-id> comes from Step 1.a above.
+<5> The name of directory where the `CredentialsRequest` file resides.
++
+.Example output
+[source, terminal]
+----
+2025/02/10 17:47:39 Credentials loaded from gcloud CLI defaults
+2025/02/10 17:47:42 IAM service account filestore-service-account-openshift-gcp-filestore-csi-driver-operator created
+2025/02/10 17:47:44 Unable to add predefined roles to IAM service account, retrying...
+2025/02/10 17:47:59 Updated policy bindings for IAM service account filestore-service-account-openshift-gcp-filestore-csi-driver-operator
+2025/02/10 17:47:59 Saved credentials configuration to: /tmp/install-dir/ <1>
+openshift-cluster-csi-drivers-gcp-filestore-cloud-credentials-credentials.yaml
+----
+<1> The current directory.
+
+.. Find the service account email of the newly created service account by running the following command:
++
+[source, terminal]
+----
+$ cat /tmp/install-dir/manifests/openshift-cluster-csi-drivers-gcp-filestore-cloud-credentials-credentials.yaml | yq '.data["service_account.json"]' | base64 -d | jq '.service_account_impersonation_url'
+----
++
+.Example output
+[source, terminal]
+----
+https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/filestore-se-openshift-g-ch8cm@openshift-gce-devel.iam.gserviceaccount.com:generateAccessToken
+----
++
+In this example output, the service account email is `filestore-se-openshift-g-ch8cm@openshift-gce-devel.iam.gserviceaccount.com`.
+
+.Results
+
+You now have the following parameters that you need to install the {gcp-short} Filestore CSI Driver Operator:
+
+* Project number - from Step 1.b
+
+* Pool ID - from Step 2
+
+* Provider ID - from Step 2
+
+* Service account email - from Step 3.c
+
+
diff --git a/storage/container_storage_interface/persistent-storage-csi-google-cloud-file.adoc b/storage/container_storage_interface/persistent-storage-csi-google-cloud-file.adoc
@@ -14,15 +14,27 @@ toc::[]
 
 Familiarity with xref:../../storage/understanding-persistent-storage.adoc#understanding-persistent-storage[persistent storage] and xref:../../storage/container_storage_interface/persistent-storage-csi.adoc#persistent-storage-csi[configuring CSI volumes] is recommended when working with a CSI Operator and driver.
 
-To create CSI-provisioned PVs that mount to GCP Filestore Storage assets, you install the GCP Filestore CSI Driver Operator and the GCP Filestore CSI driver in the `openshift-cluster-csi-drivers` namespace.
+To create CSI-provisioned PVs that mount to {gcp-short} Filestore Storage assets, you install the {gcp-short} Filestore CSI Driver Operator and the {gcp-short} Filestore CSI driver in the `openshift-cluster-csi-drivers` namespace.
 
-* The _GCP Filestore CSI Driver Operator_ does not provide a storage class by default, but xref:../../storage/container_storage_interface/persistent-storage-csi-google-cloud-file.adoc#persistent-storage-csi-google-cloud-file-create-sc_persistent-storage-csi-google-cloud-file[you can create one if needed]. The GCP Filestore CSI Driver Operator supports dynamic volume provisioning by allowing storage volumes to be created on demand, eliminating the need for cluster administrators to pre-provision storage.
+* The _{gcp-short} Filestore CSI Driver Operator_ does not provide a storage class by default, but xref:../../storage/container_storage_interface/persistent-storage-csi-google-cloud-file.adoc#persistent-storage-csi-google-cloud-file-create-sc_persistent-storage-csi-google-cloud-file[you can create one if needed]. The {gcp-short} Filestore CSI Driver Operator supports dynamic volume provisioning by allowing storage volumes to be created on demand, eliminating the need for cluster administrators to pre-provision storage.
 
-* The _GCP Filestore CSI driver_ enables you to create and mount GCP Filestore PVs.
+* The _{gcp-short} Filestore CSI driver_ enables you to create and mount {gcp-short} Filestore PVs.
+
+{product-title} {gcp-short} Filestore supports Workload Identity. This allows users to access Google Cloud resources using federated identities instead of a service account key. {gcp-wid-short} must be enabled globally during installation, and then configured for the {gcp-short} Filestore CSI Driver Operator. For more information, see xref:../../storage/container_storage_interface/persistent-storage-csi-google-cloud-file.adoc#installing-the-gcp-filestore-csi-driver-operator[Installing the {gcp-short} Filestore CSI Driver Operator].
 
 include::modules/persistent-storage-csi-about.adoc[leveloffset=+1]
 
-include::modules/persistent-storage-csi-gcp-file-install.adoc[leveloffset=+1]
+== Installing the {gcp-short} Filestore CSI Driver Operator
+
+include::modules/persistent-storage-csi-gcp-filestore-wif.adoc[leveloffset=+2]
+
+ifndef::openshift-dedicated[]
+[role="_additional-resources"]
+.Additional resources
+* xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#cco-ccoctl-creating-at-once_installing-gcp-customizations[Creating {gcp-short} resources with the Cloud Credential Operator utility]
+endif::[]
+
+include::modules/persistent-storage-csi-gcp-file-install.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
 .Additional resources
@@ -36,3 +48,7 @@ include::modules/persistent-storage-csi-google-cloud-file-delete-instances.adoc[
 [role="_additional-resources"]
 == Additional resources
 * xref:../../storage/container_storage_interface/persistent-storage-csi.adoc#persistent-storage-csi[Configuring CSI volumes]
+ifndef::openshift-dedicated[]
+[id="osdk-cco-gpc_{context}"]
+* xref:../../operators/operator_sdk/token_auth/osdk-cco-gcp.adoc[CCO-based workflow for OLM-managed Operators with {gcp-short} Workload Identity].
+endif::openshift-dedicated[]
