mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00

[OSDOCS-6828]: AWS STS and GCP WID diagram enhancement

This commit is contained in:
Jeana Routh
2023-07-10 09:43:01 -04:00
parent ed7c238695
commit 5c949edd25
5 changed files with 5 additions and 10 deletions


@@ -13,17 +13,15 @@ Manual mode with GCP Workload Identity is supported for Google Cloud Platform (G
This credentials strategy is supported for only new {product-title} clusters and must be configured during installation. You cannot reconfigure an existing cluster that uses a different credentials strategy to use this feature.
====
[id="gcp-workload-identity-mode-about_{context}"]
== About manual mode with GCP Workload Identity
In manual mode with GCP Workload Identity, the individual {product-title} cluster components can impersonate IAM service accounts using short-term, limited-privilege credentials.
Requests for new and refreshed credentials are automated by using an appropriately configured OpenID Connect (OIDC) identity provider, combined with IAM service accounts. {product-title} signs service account tokens that are trusted by GCP, and can be projected into a pod and used for authentication. Tokens are refreshed after one hour by default.
////
to-do: GCP diagram from https://github.com/openshift/cloud-credential-operator/blob/master/docs/gcp_workload_identity_flow.png?raw=true
.Workload Identity authentication flow
image::<new_filename_for_gcp_workload_id.svg[Detailed authentication flow between GCP and the cluster when using GCP Workload Identity]
//to-do: improve alt-text
////
image::347_OpenShift_credentials_with_STS_updates_0623_GCP.png[Detailed authentication flow between GCP and the cluster when using GCP Workload Identity]
Using manual mode with GCP Workload Identity changes the content of the GCP credentials that are provided to individual {product-title} components.
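Review bot: the alt text on the new `image::347_OpenShift_credentials_with_STS_updates_0623_GCP.png[...]` line is the same placeholder wording that the removed `//to-do: improve alt-text` comment flagged, so dropping the to-do leaves the diagram without a description of the flow it shows; consider alt text that names the steps (cluster-signed service account token, OIDC trust, short-term impersonation credentials) so the accessibility text carries the same information as the image. The block title `.Workload Identity authentication flow` went out together with the `////` comment block, while the AWS page keeps `.STS authentication flow`; adding the title back above the new `image::` line keeps the two pages parallel.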


@@ -20,11 +20,8 @@ In manual mode with STS, the individual {product-title} cluster components use A
Requests for new and refreshed credentials are automated by using an appropriately configured AWS IAM OpenID Connect (OIDC) identity provider, combined with AWS IAM roles. {product-title} signs service account tokens that are trusted by AWS IAM, and can be projected into a pod and used for authentication. Tokens are refreshed after one hour.
//to-do: more detailed info on this flow
.STS authentication flow
image::142_OpenShift_credentials_STS_0221.png[Detailed authentication flow between AWS and the cluster when using AWS STS]
//to-do: improve alt-text
image::347_OpenShift_credentials_with_STS_updates_0623_AWS.png[Detailed authentication flow between AWS and the cluster when using AWS STS]
Using manual mode with STS changes the content of the AWS credentials that are provided to individual {product-title} components.
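Review bot: the replacement `image::347_OpenShift_credentials_with_STS_updates_0623_AWS.png[...]` reuses the alt text of the `image::142_OpenShift_credentials_STS_0221.png[...]` it replaces, and the `//to-do: improve alt-text` marker disappears without the text having changed; describe the token exchange in the alt text as suggested for the GCP page. Separately, the context line here reads `Tokens are refreshed after one hour.` while the GCP page says `Tokens are refreshed after one hour by default.`; if the refresh interval is configurable on both platforms, the two sentences should agree.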

Binary file not shown.
Before: 43 KiB

Binary file not shown.
After: 89 KiB

Binary file not shown.
After: 115 KiB