Merge pull request #96854 from mletalie/OSDOCS-14567

[OSDOCS-14567] Doc Story for Cross-Project Federated Identity Authentication for OSD-GCP
2026-02-05 21:46:22 +01:00 · 2025-09-09 14:07:53 -04:00
parent 3414017688 c8a1bd2172
commit daabbfd2fd
3 changed files with 27 additions and 0 deletions
--- a/modules/create-wif-cluster-cli.adoc
+++ b/modules/create-wif-cluster-cli.adoc
@@ -46,10 +46,26 @@ Alternatively, you can use the `manual` mode. In `manual` mode, you are provided
 $ ocm gcp create wif-config --name <wif_name> \ <1>
  --project <gcp_project_id> \ <2>
  --version <osd_version> <3>
+  --federated-project <gcp_project_id> <4>
 ----
 <1> Replace `<wif_name>` with the name of your WIF configuration.
 <2> Replace `<gcp_project_id>` with the ID of the {GCP} project where the WIF configuration will be implemented.
 <3> Optional: Replace `<osd_version>` with the desired {product-title} version the wif-config will need to support. If you do not specify a version, the wif-config will support the latest {product-title} y-stream version as well as the last three supported {product-title} y-stream versions (beginning with version 4.17).
+<4> Optional: Replace `<gcp_project_id>` with the ID of the dedicated project where the workload identity pools and providers will be created and managed. If the `--federated-project` flag is not specified, the workload identity pools and providers will be created and managed in the project specified by the `--project` flag.
+
+
+[NOTE]
+=====
+Using a dedicated project to create and manage workload identity pools and providers is recommended by {GCP}.
+Using a dedicated project helps you to establish centralized governance over the configuration of workload identity pools and providers, enforce uniform attribute mappings and conditions throughout all projects and applications, and ensure that only authorized identity providers can authenticate with WIF.
+
+For more information, see link:https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#dedicated-project[Use a dedicated project to manage workload identity pools and providers].
+=====
+
+[IMPORTANT]
+====
+Creating and managing workload identity pools and providers in a dedicated project is only allowed during initial WIF configuration creation. The `--federated-project` flag cannot be applied to existing `wif-configs`.
+====
 +
 --
 .Example output
--- a/modules/create-wif-cluster-ocm.adoc
+++ b/modules/create-wif-cluster-ocm.adoc
@@ -39,9 +39,13 @@ Workload Identity Federation (WIF), Google Cloud's recommended method of authent
 ----
 $ ocm gcp create wif-config --name <wif_name> \ <1>
  --project <gcp_project_id> \ <2>
+  --version <osd_version> <3>
+  --federated-project <gcp_project_id> <4>
 ----
 <1> Replace `<wif_name>` with the name of your WIF configuration.
 <2> Replace `<gcp_project_id>` with the ID of the {GCP} project where the WIF configuration will be implemented.
+<3> Optional: Replace `<osd_version>` with the desired {product-title} version the wif-config will need to support. If you do not specify a version, the wif-config will support the latest {product-title} y-stream version as well as the last three supported {product-title} y-stream versions (beginning with version 4.17).
+<4> Optional: Replace `<gcp_project_id>` with the ID of the dedicated project where the workload identity pools and providers will be created and managed. If `--federated-project` is not specified, the workload identity pools and providers will be created and managed in the project specified by the `--project flag`.
 +
 . Select a configured WIF configuration from the *WIF configuration* drop-down list. If you want to select the WIF configuration you created in the last step, click *Refresh* first.
 +
--- a/osd_whats_new/osd-whats-new.adoc
+++ b/osd_whats_new/osd-whats-new.adoc
@@ -21,6 +21,13 @@ With its foundation in Kubernetes, {product-title} is a complete {OCP} cluster p
 In alignment with the principle of least privilege as well as Google Cloud's preferred method of credential authentication, WIF is now the default authentication type when creating an {product-title} cluster on {GCP}. WIF greatly improves an {product-title} cluster's resilience against unauthorized access by using short-lived, least-privilege credentials and eliminating the need for static service account keys. For more information, see xref:../osd_gcp_clusters/creating-a-gcp-cluster-with-workload-identity-federation.adoc[Creating a cluster on GCP with Workload Identity Federation authentication].

 [id="osd-q2-2025_{context}"]
+
+=== Q3 2025
+* ** Support for managing workload identity pools and providers in a dedicated {GCP} project.**
+{product-title} on {GCP} now supports the option of creating and managing workload identity pools and providers in a specified dedicated project during the creation of a WIF configuration. Red{nbsp}Hat plans on offering this option for existing WIF configurations in an upcoming release. For more information, see  xref:../osd_gcp_clusters/creating-a-gcp-cluster-with-workload-identity-federation.adoc#create-wif-configuration_osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Creating a WIF configuration].
+
+
+
 === Q2 2025

 // * **{product-title} SDN network plugin blocks future major upgrades**