feat(osd): Add enable-wif parameter for OSD GCP clusters #1837

Open: davdhacs wants to merge 3 commits into master from add-osd-wif-parameter

@davdhacs (Contributor) commented May 19, 2026

Summary

Add optional enable-wif parameter to the OSD on GCP flavor, allowing users to create clusters using Workload Identity Federation instead of long-lived service account keys.

  • Adds enable-wif parameter (default: false) to flavor definition
  • Passes ENABLE_WIF env var to both create and destroy workflow containers
  • Uses released automation-flavors-osd-0.13.0 image with WIF support

Tested

Created a WIF-enabled OSD GCP cluster (dh-05-19-3) via the dev infra server with enable-wif=true. Cluster provisioned successfully with WIF (federated credentials, no static SA keys). RHACS was deployed and GCP integrations (GCR, GAR, GCS) verified working with WIF.

Prerequisites

The osd-ccs-admin service account in acs-team-temp-dev required additional IAM roles for WIF config creation: roles/iam.roleAdmin, roles/browser. These have been added manually; TODO: codify in automation-iac.

Depends on: https://github.com/stackrox/automation-flavors/pull/341 (merged as 0.13.0)

🤖 Generated with Claude Code

Add optional enable-wif parameter to OSD on GCP flavor, defaulting
to false. Passes ENABLE_WIF env var to both create and destroy
containers.

Temporarily pins automation-flavors image to WIP build for testing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@davdhacs requested review from a team and rhacs-bot as code owners May 19, 2026 17:51

@rhacs-bot (Contributor) commented:

A single node development cluster (infra-pr-1837) was allocated in production infra for this PR.

CI will attempt to deploy quay.io/rhacs-eng/infra-server: to it.

🔌 You can connect to this cluster with:

gcloud container clusters get-credentials infra-pr-1837 --zone us-central1-a --project acs-team-temp-dev

🛠️ And pull infractl from the deployed dev infra-server with:

nohup kubectl -n infra port-forward svc/infra-server-service 8443:8443 &
make pull-infractl-from-dev-server

🚲 You can then use the dev infra instance e.g.:

bin/infractl -k -e localhost:8443 whoami

⚠️ Any clusters that you start using your dev infra instance should have a lifespan shorter than the development cluster instance. Otherwise they will not be destroyed when the dev infra instance ceases to exist when the development cluster is deleted. ⚠️

Further Development

☕ If you make changes, you can commit and push and CI will take care of updating the development cluster.

🚀 If you only modify configuration (chart/infra-server/configuration) or templates (chart/infra-server/{static,templates}), you can get a faster update with:

make helm-deploy

Logs

Logs for the development infra depending on your @redhat.com authuser:

Or:

kubectl -n infra logs -l app=infra-server --tail=1 -f

davdhacs and others added 2 commits May 19, 2026 13:27
Update from WIP snapshot to the merged and released version.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Restore automationFlavorsVersion template reference now that
testing is complete. Depends on PR #1838 to bump the version.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@davdhacs davdhacs requested a review from tommartensen May 19, 2026 22:50