rh-mobb/gcp-self-managed-no-bucket-install


Prepare your environment

  1. Create two working directories that we will use to store important configuration:

    mkdir -p ocp/oidc ocp/cluster-install
  2. Create an install-config.yaml file (or copy an existing one) into the ./ocp directory. An example install-config.yaml is included below:

    apiVersion: v1
    baseDomain: ocp.example.com
    credentialsMode: Manual
    compute:
    - name: worker
      platform:
        gcp:
          serviceAccount: [email protected]
          secureBoot: true
          type: n2-standard-4
          zones:
          - us-central1-a
          - us-central1-b
          - us-central1-c
          osDisk:
            diskType: pd-ssd
            diskSizeGB: 128
      replicas: 3
    controlPlane:
      name: master
      platform:
        gcp:
          serviceAccount: [email protected]
          secureBoot: true
          type: n2-standard-4
          zones:
          - us-central1-a
          - us-central1-b
          - us-central1-c
          osDisk:
            diskType: pd-ssd
            diskSizeGB: 1024
      replicas: 3
    networking:
      machineNetwork:
      - cidr: 10.0.0.0/16
      serviceNetwork:
      - 172.30.0.0/16
      clusterNetwork:
      - cidr: 10.128.0.0/14
        hostPrefix: 23
    metadata:
      name: cluster
    platform:
      gcp:
        projectID: gcp-project-example
        region: us-central1
        controlPlaneSubnet: ocp-control-plane-subnet
        computeSubnet: ocp-worker-subnet
        network: ocp-vpc
    pullSecret: 'redacted'
    sshKey: redacted
  3. Change directory to the ocp/oidc directory. This directory will contain the necessary configuration to allow OpenShift to use Workload Identity Federation to interact with Google Cloud APIs:

    cd ocp/oidc
  4. Set the environment variables used in the remaining steps:

    export GCP_PROJECT=gcp-project-example
    export GCP_REGION=us-central1
    export GCP_SERVICE_ACCOUNT_PREFIX=ocp
    export WORKLOAD_IDENTITY_POOL=ocp-wif-pool
    export WORKLOAD_IDENTITY_PROVIDER=ocp-wif-provider
    export RELEASE_IMAGE=quay.io/openshift-release-dev/ocp-release:4.18.17-x86_64

Create the Workload Identity Federation configuration

  1. Generate RSA keys for use when setting up the cluster's OIDC provider:

    ccoctl gcp create-key-pair
  2. Create the GCP Workload Identity Federation pool:

    ccoctl gcp create-workload-identity-pool --name=${WORKLOAD_IDENTITY_POOL} --project=${GCP_PROJECT}
  3. Create the necessary configuration for the Workload Identity Federation provider:

    ccoctl gcp create-workload-identity-provider --name=${WORKLOAD_IDENTITY_PROVIDER} --region=${GCP_REGION} --project=${GCP_PROJECT} --public-key-file=serviceaccount-signer.public --workload-identity-pool=${WORKLOAD_IDENTITY_POOL} --dry-run
  4. Edit the generated 05-create-workload-identity-provider.sh script with the updated issuer URL that will contain the OIDC provider configuration:

    • Add the JWK JSON path parameter: sed -i.bak '2s/$/ --jwk-json-path="04-keys.json"/' 05-create-workload-identity-provider.sh
    • Update the --issuer-url parameter to point to the updated issuer URL.
  5. Run the edited script:

    ./05-create-workload-identity-provider.sh
  6. Edit the 03-openid-configuration file:

    • Update the issuer and jwks_uri parameters to point to the updated issuer URL.
  7. Rename and move the OIDC configuration files to the location where you will host them:

    • 04-keys.json should be stored at the root of the serving directory as keys.json
    • 03-openid-configuration should be stored in the .well-known directory with the filename openid-configuration.
    • This means that these files should be accessible from https://<your-oidc-provider-url>/keys.json and https://<your-oidc-provider-url>/.well-known/openid-configuration

(Optional) Build a container for Cloud Run to use

  1. Copy the keys.json and openid-configuration files into the container directory:

    cp 04-keys.json ../container/keys.json
    cp 03-openid-configuration ../container/openid-configuration
  2. Build the container:

    podman build -t us-east1-docker.pkg.dev/gcp-project-example/container-registry/oidc ../container --platform=linux/amd64
  3. Push the container to Artifact Registry:

    podman push us-east1-docker.pkg.dev/gcp-project-example/container-registry/oidc:latest
  4. Create a new Google Cloud Run app and use the above container as a runtime.

Create the Google Cloud service accounts for the cluster to use

  1. Extract the credential requests from the OpenShift release image:

    oc adm release extract --cloud=gcp --credentials-requests ${RELEASE_IMAGE} --to=./credreqs
  2. Create the Google Cloud service accounts:

    ccoctl gcp create-service-accounts --name=${GCP_SERVICE_ACCOUNT_PREFIX} --project=${GCP_PROJECT} --credentials-requests-dir=credreqs --workload-identity-pool=${WORKLOAD_IDENTITY_POOL} --workload-identity-provider=${WORKLOAD_IDENTITY_PROVIDER}
  3. Edit the manifests/cluster-authentication-02-config.yaml file to use the updated issuer URL:

    • Change serviceAccountIssuer: to the updated issuer URL that will contain the OIDC provider configuration.
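
Before hosting the files and running the installer, the three places that carry the issuer URL (03-openid-configuration, 04-keys.json and manifests/cluster-authentication-02-config.yaml) can be checked offline for agreement, since a mismatch between them only surfaces later as credential failures. The following Python script is an added example and not part of this repository; the issuer URL, JWKS and manifest contents are constructed stand-ins to be replaced with the real files.

```python
import base64
import json
import re

# Constructed stand-ins for 03-openid-configuration, 04-keys.json and
# manifests/cluster-authentication-02-config.yaml; the issuer URL is assumed.
ISSUER_URL = "https://oidc.example.com"
OPENID_CONFIGURATION = json.dumps({
    "issuer": ISSUER_URL,
    "jwks_uri": ISSUER_URL + "/keys.json",
    "id_token_signing_alg_values_supported": ["RS256"],
})
KEYS_JSON = json.dumps({"keys": [{
    "use": "sig", "kty": "RSA", "kid": "example-kid", "alg": "RS256",
    "n": base64.urlsafe_b64encode(b"\x01" * 256).rstrip(b"=").decode(),
    "e": "AQAB",
}]})
AUTH_MANIFEST = """apiVersion: config.openshift.io/v1
kind: Authentication
metadata:
  name: cluster
spec:
  serviceAccountIssuer: https://oidc.example.com
"""

def check_oidc_files(openid_conf: str, keys_json: str, auth_manifest: str,
                     issuer_url: str) -> list[str]:
    """Return the mismatches found; an empty list means the three files agree."""
    problems = []
    issuer_url = issuer_url.rstrip("/")
    conf = json.loads(openid_conf)
    if conf.get("issuer") != issuer_url:
        problems.append(f"issuer is {conf.get('issuer')!r}, expected {issuer_url!r}")
    if conf.get("jwks_uri") != issuer_url + "/keys.json":
        problems.append(f"jwks_uri is {conf.get('jwks_uri')!r}, expected {issuer_url}/keys.json")
    keys = json.loads(keys_json).get("keys", [])
    if not keys:
        problems.append("keys.json contains no keys")
    for k in keys:
        # Tokens are signed with the RSA key pair from ccoctl, so each entry must be
        # an RSA signing key with a kid and unpadded base64url n and e.
        if k.get("kty") != "RSA" or k.get("use") != "sig" or not k.get("kid"):
            problems.append(f"key {k.get('kid')!r} is not an RSA signing key with a kid")
        if not all(re.fullmatch(r"[A-Za-z0-9_-]+", k.get(f, "")) for f in ("n", "e")):
            problems.append(f"key {k.get('kid')!r} has a non-base64url n or e")
    m = re.search(r"^\s*serviceAccountIssuer:\s*(\S+)\s*$", auth_manifest, re.M)
    found = m.group(1).rstrip("/") if m else None
    if found != issuer_url:
        problems.append(f"serviceAccountIssuer is {found!r}, expected {issuer_url!r}")
    return problems
```

Run it against the real files after step 6 of the previous section and step 3 above; any non-empty result means one of the edits to the issuer URL was missed.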

Create the OpenShift installation configuration files

  1. Change to the cluster-install directory we created earlier:

    cd ../cluster-install
  2. Copy the install-config.yaml into this directory:

    cp ../install-config.yaml .
  3. Create the OpenShift installer manifests:

    openshift-install create manifests
  4. Copy the service account manifests and the tls directory into the cluster-install directory:

    mkdir tls
    cp ../oidc/manifests/* manifests
    cp ../oidc/tls/* tls

Install the cluster

    openshift-install create cluster --log-level=debug
