Describe the feature
Add support in ocpctl to provision and manage OpenShift clusters on Google Cloud Platform (GCP) using Workload Identity Federation (WIF) for authentication, instead of requiring a static service account JSON key. This should enable keyless, short-lived credential flows compatible with modern best practices and align with cluster creation workflows on AWS (STS) and GCP GKE (Workload Identity).
Current behavior
Currently, OpenShift on GCP via ocpctl requires a service account JSON key and relies on GOOGLE_APPLICATION_CREDENTIALS, with no mechanism for automatic WIF setup or keyless authentication for the installer or the Cloud Credential Operator (CCO). Only GKE clusters appear to support Workload Identity integration natively.
Desired behavior
- Ability to provision OpenShift clusters using GCP Workload Identity Federation (WIF) via installer/ccoctl integration, eliminating the need for static IAM key files.
- Profile and cluster creation workflow support for credentialsMode: Manual, with fields for the workload identity pool/provider and the required roles.
- Automation for generating and applying WIF manifests for the cluster's Cloud Credential Operator during install.
- Documentation and example configuration for setting up WIF with OpenShift clusters via ocpctl.
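As an added example (not ocpctl's own code, and not part of the issue as filed), the script below walks through the manual ccoctl-based WIF flow on GCP that the items above ask ocpctl to wrap: an install-config.yaml with credentialsMode: Manual, extraction of the release's CredentialsRequest objects, `ccoctl gcp create-all` to create the workload identity pool, provider and per-component service accounts, and injection of the resulting manifests before `openshift-install create cluster`. The cluster name, project, region, base domain, release image and directories are placeholders, and the DRY_RUN switch is this script's own convention, not an ocpctl or ccoctl flag.

```shell
#!/bin/sh
# Added example, not ocpctl code: the manual GCP Workload Identity
# Federation install flow. Assumes oc, ccoctl and openshift-install are
# on PATH and that the workstation already holds a GCP identity able to
# create the pool, provider and service accounts. All names are placeholders.
# DRY_RUN=1 prints each external command instead of executing it.

: "${DRY_RUN:=0}"

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Render an install-config.yaml that opts out of static keys:
# credentialsMode: Manual makes the installer and CCO expect the
# per-component credentials produced by ccoctl instead of a JSON key.
# $1 cluster name, $2 project ID, $3 region, $4 base domain.
render_install_config() {
    cat <<EOF
apiVersion: v1
baseDomain: $4
metadata:
  name: $1
credentialsMode: Manual
platform:
  gcp:
    projectID: $2
    region: $3
pullSecret: '<pull-secret-placeholder>'
EOF
}

# Full flow. $1 cluster name, $2 project ID, $3 region, $4 base domain,
# $5 release image, $6 working directory.
wif_install() {
    name="$1"; project="$2"; region="$3"; base_domain="$4"
    release_image="$5"; workdir="$6"
    creds_req_dir="${workdir}/credreqs"
    cco_out_dir="${workdir}/ccoctl-out"
    install_dir="${workdir}/install"
    mkdir -p "$creds_req_dir" "$cco_out_dir" "$install_dir"

    render_install_config "$name" "$project" "$region" "$base_domain" \
        > "${install_dir}/install-config.yaml"

    # 1. Pull the CredentialsRequest objects shipped in the release image.
    run oc adm release extract --from="$release_image" \
        --credentials-requests --cloud=gcp --to="$creds_req_dir"

    # 2. Create the workload identity pool and provider, one GCP service
    #    account per CredentialsRequest, and the CCO secret manifests that
    #    point each operator at its token exchange instead of a key file.
    run ccoctl gcp create-all --name="$name" --region="$region" \
        --project="$project" --credentials-requests-dir="$creds_req_dir" \
        --output-dir="$cco_out_dir"

    # 3. Generate installer manifests and add the ccoctl output to them.
    run openshift-install create manifests --dir "$install_dir"
    run cp -a "${cco_out_dir}/manifests/." "${install_dir}/manifests/"
    run cp -a "${cco_out_dir}/tls" "${install_dir}/"

    # 4. Install. In-cluster components never receive a long-lived JSON key;
    #    they exchange projected service account tokens through the pool.
    run openshift-install create cluster --dir "$install_dir"
}

# Stand-alone usage: ./wif-install.sh run <name> <project> <region> <domain> <release-image> <workdir>
if [ "${1:-}" = "run" ]; then
    shift
    wif_install "$@"
fi
```

The keyless property applies to the cluster: nothing in the ccoctl output is a static IAM key, and GOOGLE_APPLICATION_CREDENTIALS is not needed by any operator. ccoctl and openshift-install themselves still need a workstation identity with permission to create the pool, provider and service accounts and to provision infrastructure, which is exactly the part an ocpctl profile would have to carry for the user.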
References