feat(gcp): add oidc-storage-method flag for workload identity providers

jstuever · jstuever · commit aaf8f0d99431 · 2026-03-30T15:13:14.000-07:00
Introduce a new --oidc-storage-method flag that allows users to choose
how OIDC JWK files are stored when provisioning GCP workload identity
providers. Two methods are now supported:

- "public-bucket" (default): Creates a public GCS bucket to host OIDC
  configuration and JWK files
- "pool-jwk-file": Attaches the JWK directly to the workload identity
  pool provider without creating a bucket

The pool-jwk-file method is useful for environments with strict bucket
policies or when a bucketless configuration is preferred. The
implementation includes create and update operations for identity
providers with embedded JWKs.

Assisted-by: Claude Sonnet 4.6, gemini-3.1-pro-preview
diff --git a/pkg/cmd/provisioning/gcp/create_all.go b/pkg/cmd/provisioning/gcp/create_all.go
@@ -2,6 +2,7 @@ package gcp
 
 import (
 	"context"
+	"fmt"
 	"log"
 	"os"
 	"path"
@@ -46,7 +47,7 @@ func createAllCmd(cmd *cobra.Command, args []string) {
 		log.Fatalf("Failed to create workload identity pool: %s", err)
 	}
 
-	if err = createWorkloadIdentityProvider(ctx, gcpClient, CreateAllOpts.Name, CreateAllOpts.Region, CreateAllOpts.Project, CreateAllOpts.Name, publicKeyPath, CreateAllOpts.TargetDir, false); err != nil {
+	if err = createWorkloadIdentityProvider(ctx, gcpClient, CreateAllOpts.Name, CreateAllOpts.Region, CreateAllOpts.Project, CreateAllOpts.Name, publicKeyPath, CreateAllOpts.TargetDir, CreateAllOpts.OidcStorageMethod, false); err != nil {
 		log.Fatalf("Failed to create workload identity provider: %s", err)
 	}
 
@@ -63,6 +64,8 @@ func validationForCreateAllCmd(cmd *cobra.Command, args []string) {
 		log.Fatalf("Name can be at most 32 characters long")
 	}
 
+	validateOidcStorageMethod(CreateAllOpts.OidcStorageMethod)
+
 	if CreateAllOpts.TargetDir == "" {
 		pwd, err := os.Getwd()
 		if err != nil {
@@ -117,6 +120,7 @@ func NewCreateAllCmd() *cobra.Command {
 	createAllCmd.PersistentFlags().StringVar(&CreateAllOpts.TargetDir, "output-dir", "", "Directory to place generated files (defaults to current directory)")
 	createAllCmd.PersistentFlags().BoolVar(&CreateAllOpts.EnableTechPreview, "enable-tech-preview", false, "Opt into processing CredentialsRequests marked as tech-preview")
 	createAllCmd.PersistentFlags().StringVar(&CreateAllOpts.PublicKeyPath, "public-key-file", "", "Path to public ServiceAccount signing key")
+	createAllCmd.PersistentFlags().StringVar(&CreateAllOpts.OidcStorageMethod, "oidc-storage-method", OidcStorageMethodPublicBucket, fmt.Sprintf("Method for storing OIDC JWK files. %q (default) creates a public GCS bucket; %q attaches the JWK directly to the workload identity pool provider without creating a bucket", OidcStorageMethodPublicBucket, OidcStorageMethodPoolJwkFile))
 
 	return createAllCmd
 }
diff --git a/pkg/cmd/provisioning/gcp/create_workload_identity_provider.go b/pkg/cmd/provisioning/gcp/create_workload_identity_provider.go
@@ -48,11 +48,30 @@ const (
 	createIdentityProviderScriptName = "05-create-workload-identity-provider.sh"
 	// createIdentityProviderCmd is gcloud cli command to create workload identity provider
 	createIdentityProviderCmd = "gcloud iam workload-identity-pools providers create-oidc %s --location=global --workload-identity-pool=%s --display-name=%s --description=\"%s\" --issuer-uri=%s --allowed-audiences=%s --attribute-mapping=\"google.subject=assertion.sub\""
+	// createIdentityProviderWithJwkFileCmd is gcloud cli command to create workload identity provider with attached JWK file
+	createIdentityProviderWithJwkFileCmd = "gcloud iam workload-identity-pools providers create-oidc %s --location=global --workload-identity-pool=%s --display-name=%s --description=\"%s\" --issuer-uri=%s --allowed-audiences=%s --attribute-mapping=\"google.subject=assertion.sub\" --jwk-json-path=%s"
 	// openShiftAudience is the only acceptable value for the `aud` field (audience) in the OIDC token shared by
 	// OpenShift components
 	openShiftAudience = "openshift"
+
+	// OidcStorageMethodPublicBucket is the default storage method that creates a public GCS bucket to host OIDC config
+	OidcStorageMethodPublicBucket = "public-bucket"
+	// OidcStorageMethodPoolJwkFile is the storage method that attaches the JWK directly to the workload identity pool provider
+	OidcStorageMethodPoolJwkFile = "pool-jwk-file"
+
+	// oidcJwksUpdateMask is the field mask used when patching the JWKS on a workload identity pool provider
+	oidcJwksUpdateMask = "oidc.jwks_json"
 )
 
+func validateOidcStorageMethod(method string) {
+	switch method {
+	case OidcStorageMethodPublicBucket, OidcStorageMethodPoolJwkFile:
+		// valid
+	default:
+		log.Fatalf("Invalid --oidc-storage-method %q, must be one of: %s, %s", method, OidcStorageMethodPublicBucket, OidcStorageMethodPoolJwkFile)
+	}
+}
+
 func createWorkloadIdentityProviderCmd(cmd *cobra.Command, args []string) {
 	ctx := context.Background()
 
@@ -71,39 +90,116 @@ func createWorkloadIdentityProviderCmd(cmd *cobra.Command, args []string) {
 		publicKeyPath = filepath.Join(CreateWorkloadIdentityProviderOpts.TargetDir, provisioning.PublicKeyFile)
 	}
 
-	err = createWorkloadIdentityProvider(ctx, gcpClient, CreateWorkloadIdentityProviderOpts.Name, CreateWorkloadIdentityProviderOpts.Region, CreateWorkloadIdentityProviderOpts.Project, CreateWorkloadIdentityProviderOpts.WorkloadIdentityPool, publicKeyPath, CreateWorkloadIdentityProviderOpts.TargetDir, CreateWorkloadIdentityProviderOpts.DryRun)
+	err = createWorkloadIdentityProvider(ctx, gcpClient, CreateWorkloadIdentityProviderOpts.Name, CreateWorkloadIdentityProviderOpts.Region, CreateWorkloadIdentityProviderOpts.Project, CreateWorkloadIdentityProviderOpts.WorkloadIdentityPool, publicKeyPath, CreateWorkloadIdentityProviderOpts.TargetDir, CreateWorkloadIdentityProviderOpts.OidcStorageMethod, CreateWorkloadIdentityProviderOpts.DryRun)
 	if err != nil {
 		log.Fatal(err)
 	}
 }
 
-func createWorkloadIdentityProvider(ctx context.Context, client gcp.Client, name, region, project, workloadIdentityPool string, publicKeyPath, targetDir string, generateOnly bool) error {
-	// Create a storage bucket
+func createWorkloadIdentityProvider(ctx context.Context, client gcp.Client, name, region, project, workloadIdentityPool string, publicKeyPath, targetDir, oidcStorageMethod string, generateOnly bool) error {
 	bucketName := fmt.Sprintf("%s-oidc", name)
-	if err := createOIDCBucket(ctx, client, bucketName, region, project, targetDir, generateOnly); err != nil {
-		return err
-	}
 	issuerURL := fmt.Sprintf("https://storage.googleapis.com/%s", bucketName)
 
-	// Create the OIDC config file
-	if err := createOIDCConfiguration(ctx, client, bucketName, issuerURL, targetDir, generateOnly); err != nil {
-		return err
+	switch oidcStorageMethod {
+	case OidcStorageMethodPoolJwkFile:
+		// Build the JWKS and attach it directly to the identity pool provider
+		if err := createIdentityProviderWithJwkFile(ctx, client, name, project, issuerURL, workloadIdentityPool, publicKeyPath, targetDir, generateOnly); err != nil {
+			return err
+		}
+	case OidcStorageMethodPublicBucket:
+		if err := createOIDCBucket(ctx, client, bucketName, region, project, targetDir, generateOnly); err != nil {
+			return err
+		}
+
+		// Create the OIDC config file
+		if err := createOIDCConfiguration(ctx, client, bucketName, issuerURL, targetDir, generateOnly); err != nil {
+			return err
+		}
+
+		// Create the OIDC key list
+		if err := createJSONWebKeySet(ctx, client, publicKeyPath, bucketName, targetDir, generateOnly); err != nil {
+			return err
+		}
+
+		// Create the workload identity provider
+		if err := createIdentityProvider(ctx, client, name, project, issuerURL, workloadIdentityPool, targetDir, generateOnly); err != nil {
+			return err
+		}
+	default:
+		return fmt.Errorf("unsupported oidc-storage-method %q", oidcStorageMethod)
 	}
 
-	// Create the OIDC key list
-	if err := createJSONWebKeySet(ctx, client, publicKeyPath, bucketName, targetDir, generateOnly); err != nil {
+	// Create the installer manifest file
+	if err := provisioning.CreateClusterAuthentication(issuerURL, targetDir); err != nil {
 		return err
 	}
 
-	// Create the workload identity provider
-	err := createIdentityProvider(ctx, client, name, project, issuerURL, workloadIdentityPool, targetDir, generateOnly)
+	return nil
+}
+
+func createIdentityProviderWithJwkFile(ctx context.Context, client gcp.Client, name, project, issuerURL, workloadIdentityPool, publicKeyPath, targetDir string, generateOnly bool) error {
+	jwks, err := provisioning.BuildJsonWebKeySet(publicKeyPath)
 	if err != nil {
-		return err
+		return errors.Wrap(err, "failed to build JSON web key set from the public key")
 	}
 
-	// Create the installer manifest file
-	if err := provisioning.CreateClusterAuthentication(issuerURL, targetDir); err != nil {
-		return err
+	if generateOnly {
+		jwksFilePath := filepath.Join(targetDir, gcpOidcKeysFilename)
+		log.Printf("Saving JSON web key set (JWKS) locally at %s", jwksFilePath)
+		if err := os.WriteFile(jwksFilePath, jwks, fileModeCcoctlDryRun); err != nil {
+			return errors.Wrapf(err, "failed to save JSON web key set (JWKS) locally at %s", jwksFilePath)
+		}
+
+		createIdentityProviderScript := provisioning.CreateShellScript([]string{createIdentityProviderWithJwkFileCmd})
+		createIdentityProviderScriptFilepath := filepath.Join(targetDir, createIdentityProviderScriptName)
+		script := fmt.Sprintf(createIdentityProviderScript, name, workloadIdentityPool, name, createdByCcoctl, issuerURL, openShiftAudience, gcpOidcKeysFilename)
+		log.Printf("Saving shell script to create workload identity provider locally at %s", createIdentityProviderScriptFilepath)
+		if err := os.WriteFile(createIdentityProviderScriptFilepath, []byte(script), fileModeCcoctlDryRun); err != nil {
+			return errors.Wrapf(err, "failed to save shell script to create workload identity provider locally at %s", createIdentityProviderScriptFilepath)
+		}
+		return nil
+	}
+
+	providerResource := fmt.Sprintf("projects/%s/locations/global/workloadIdentityPools/%s/providers/%s", project, workloadIdentityPool, name)
+	existingProvider, err := client.GetWorkloadIdentityProvider(ctx, providerResource)
+	if err != nil {
+		if gerr, ok := err.(*googleapi.Error); ok && gerr.Code == 404 {
+			provider := &iam.WorkloadIdentityPoolProvider{
+				Name:        name,
+				DisplayName: name,
+				Description: createdByCcoctl,
+				Disabled:    false,
+				State:       "ACTIVE",
+				Oidc: &iam.Oidc{
+					AllowedAudiences: []string{openShiftAudience},
+					IssuerUri:        issuerURL,
+					JwksJson:         string(jwks),
+				},
+				AttributeMapping: map[string]string{
+					"google.subject": "assertion.sub",
+				},
+			}
+
+			_, err := client.CreateWorkloadIdentityProvider(ctx, fmt.Sprintf("projects/%s/locations/global/workloadIdentityPools/%s", project, workloadIdentityPool), name, provider)
+			if err != nil {
+				return errors.Wrapf(err, "failed to create workload identity provider %s", name)
+			}
+			log.Printf("workload identity provider created with name %s", name)
+		} else {
+			return errors.Wrapf(err, "failed to check if there is existing workload identity provider %s in pool %s", name, workloadIdentityPool)
+		}
+	} else {
+		log.Printf("Workload identity provider %s already exists in pool %s, updating JWK set", existingProvider.Name, workloadIdentityPool)
+		updatedProvider := &iam.WorkloadIdentityPoolProvider{
+			Oidc: &iam.Oidc{
+				JwksJson: string(jwks),
+			},
+		}
+		_, err := client.UpdateWorkloadIdentityProvider(ctx, providerResource, updatedProvider, oidcJwksUpdateMask)
+		if err != nil {
+			return errors.Wrapf(err, "failed to update workload identity provider %s", name)
+		}
+		log.Printf("workload identity provider %s updated with new JWK set", name)
 	}
 
 	return nil
@@ -271,6 +367,8 @@ func validationForCreateWorkloadIdentityProviderCmd(cmd *cobra.Command, args []s
 		log.Fatalf("Name can be at most 32 characters long")
 	}
 
+	validateOidcStorageMethod(CreateWorkloadIdentityProviderOpts.OidcStorageMethod)
+
 	if CreateWorkloadIdentityProviderOpts.TargetDir == "" {
 		pwd, err := os.Getwd()
 		if err != nil {
@@ -318,6 +416,7 @@ func NewCreateWorkloadIdentityProviderCmd() *cobra.Command {
 	createWorkloadIdentityProviderCmd.PersistentFlags().StringVar(&CreateWorkloadIdentityProviderOpts.PublicKeyPath, "public-key-file", "", "Path to public ServiceAccount signing key")
 	createWorkloadIdentityProviderCmd.PersistentFlags().BoolVar(&CreateWorkloadIdentityProviderOpts.DryRun, "dry-run", false, "Skip creating objects, and just save what would have been created into files")
 	createWorkloadIdentityProviderCmd.PersistentFlags().StringVar(&CreateWorkloadIdentityProviderOpts.TargetDir, "output-dir", "", "Directory to place generated files (defaults to current directory)")
+	createWorkloadIdentityProviderCmd.PersistentFlags().StringVar(&CreateWorkloadIdentityProviderOpts.OidcStorageMethod, "oidc-storage-method", OidcStorageMethodPublicBucket, fmt.Sprintf("Method for storing OIDC JWK files. %q (default) creates a public GCS bucket; %q attaches the JWK directly to the workload identity pool provider without creating a bucket", OidcStorageMethodPublicBucket, OidcStorageMethodPoolJwkFile))
 
 	return createWorkloadIdentityProviderCmd
 }
diff --git a/pkg/cmd/provisioning/gcp/create_workload_identity_provider_test.go b/pkg/cmd/provisioning/gcp/create_workload_identity_provider_test.go
@@ -51,7 +51,6 @@ func TestCreateWorkloadIdentityProvider(t *testing.T) {
 		mockGCPClient func(mockCtrl *gomock.Controller) *mockgcp.MockClient
 		setup         func(*testing.T) string
 		verify        func(t *testing.T, tempDirName string)
-		cleanup       func(*testing.T)
 		generateOnly  bool
 		expectError   bool
 	}{
@@ -188,7 +187,7 @@ func TestCreateWorkloadIdentityProvider(t *testing.T) {
 			defer os.RemoveAll(tempDirName)
 
 			testPublicKeyPath := filepath.Join(tempDirName, testPublicKeyFile)
-			err := createWorkloadIdentityProvider(context.TODO(), mockGCPClient, testInfraName, testRegionName, testProject, testName, testPublicKeyPath, tempDirName, test.generateOnly)
+			err := createWorkloadIdentityProvider(context.TODO(), mockGCPClient, testInfraName, testRegionName, testProject, testName, testPublicKeyPath, tempDirName, OidcStorageMethodPublicBucket, test.generateOnly)
 
 			if test.expectError {
 				require.Error(t, err, "expected error returned")
@@ -252,3 +251,121 @@ func mockCreateWorkloadIdentityProviderSuccess(mockGCPClient *mockgcp.MockClient
 		Done: true,
 	}, nil).Times(1)
 }
+
+func mockUpdateWorkloadIdentityProviderSuccess(mockGCPClient *mockgcp.MockClient) {
+	mockGCPClient.EXPECT().UpdateWorkloadIdentityProvider(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(&iam.Operation{
+		Done: true,
+	}, nil).Times(1)
+}
+
+func setupTempDirWithKeyAndManifests(t *testing.T) string {
+	t.Helper()
+	tempDirName, err := os.MkdirTemp(os.TempDir(), testDirPrefix)
+	require.NoError(t, err, "Failed to create temp directory")
+	err = os.MkdirAll(filepath.Join(tempDirName, provisioning.ManifestsDirName), 0755)
+	require.NoError(t, err, "Failed to create manifests directory")
+	err = os.WriteFile(filepath.Join(tempDirName, testPublicKeyFile), []byte(testPublicKeyData), 0600)
+	require.NoError(t, err, "errored while setting up environment for test")
+	return tempDirName
+}
+
+func TestCreateWorkloadIdentityProviderWithPoolJwkFile(t *testing.T) {
+	tests := []struct {
+		name          string
+		mockGCPClient func(mockCtrl *gomock.Controller) *mockgcp.MockClient
+		setup         func(*testing.T) string
+		verify        func(t *testing.T, tempDirName string)
+		generateOnly  bool
+		expectError   bool
+	}{
+		{
+			name: "pool-jwk-file: public key not found",
+			mockGCPClient: func(mockCtrl *gomock.Controller) *mockgcp.MockClient {
+				mockGCPClient := mockgcp.NewMockClient(mockCtrl)
+				return mockGCPClient
+			},
+			setup: func(t *testing.T) string {
+				tempDirName, err := os.MkdirTemp(os.TempDir(), testDirPrefix)
+				require.NoError(t, err, "Failed to create temp directory")
+				return tempDirName
+			},
+			expectError: true,
+		},
+		{
+			name: "pool-jwk-file: identity provider created with embedded JWK",
+			mockGCPClient: func(mockCtrl *gomock.Controller) *mockgcp.MockClient {
+				mockGCPClient := mockgcp.NewMockClient(mockCtrl)
+				mockGetWorkloadIdentityProviderFailure(mockGCPClient)
+				mockCreateWorkloadIdentityProviderSuccess(mockGCPClient)
+				return mockGCPClient
+			},
+			setup:       setupTempDirWithKeyAndManifests,
+			verify:      func(t *testing.T, tempDirName string) {},
+			expectError: false,
+		},
+		{
+			name: "pool-jwk-file: existing identity provider updated with new JWK",
+			mockGCPClient: func(mockCtrl *gomock.Controller) *mockgcp.MockClient {
+				mockGCPClient := mockgcp.NewMockClient(mockCtrl)
+				mockGetWorkloadIdentityProviderSuccess(mockGCPClient)
+				mockUpdateWorkloadIdentityProviderSuccess(mockGCPClient)
+				return mockGCPClient
+			},
+			setup:       setupTempDirWithKeyAndManifests,
+			verify:      func(t *testing.T, tempDirName string) {},
+			expectError: false,
+		},
+		{
+			name: "pool-jwk-file: generate files only",
+			mockGCPClient: func(mockCtrl *gomock.Controller) *mockgcp.MockClient {
+				mockGCPClient := mockgcp.NewMockClient(mockCtrl)
+				return mockGCPClient
+			},
+			setup: setupTempDirWithKeyAndManifests,
+			verify: func(t *testing.T, tempDirName string) {
+				// Verify JWKS file was saved locally
+				jwks, err := os.ReadFile(filepath.Join(tempDirName, gcpOidcKeysFilename))
+				require.NoError(t, err, "error reading JWKS file")
+
+				var jwksJSON map[string]interface{}
+				err = json.Unmarshal(jwks, &jwksJSON)
+				require.NoError(t, err, "JWKS is not valid JSON")
+
+				keys, ok := jwksJSON["keys"].([]interface{})
+				require.True(t, ok, "no keys in JSON web key set")
+				assert.Len(t, keys, 1, "expected exactly one key in JWKS")
+
+				// Verify identity provider script was saved (not bucket script)
+				_, err = os.Stat(filepath.Join(tempDirName, createIdentityProviderScriptName))
+				assert.NoError(t, err, "identity provider script should exist")
+
+				_, err = os.Stat(filepath.Join(tempDirName, createOidcBucketScriptName))
+				assert.True(t, os.IsNotExist(err), "bucket creation script should NOT exist for pool-jwk-file")
+			},
+			generateOnly: true,
+			expectError:  false,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			mockCtrl := gomock.NewController(t)
+			defer mockCtrl.Finish()
+
+			mockGCPClient := test.mockGCPClient(mockCtrl)
+
+			tempDirName := test.setup(t)
+			defer os.RemoveAll(tempDirName)
+
+			testPublicKeyPath := filepath.Join(tempDirName, testPublicKeyFile)
+			err := createWorkloadIdentityProvider(context.TODO(), mockGCPClient, testInfraName, testRegionName, testProject, testName, testPublicKeyPath, tempDirName, OidcStorageMethodPoolJwkFile, test.generateOnly)
+
+			if test.expectError {
+				require.Error(t, err, "expected error returned")
+			} else {
+				require.NoError(t, err)
+				test.verify(t, tempDirName)
+			}
+		})
+	}
+}
diff --git a/pkg/cmd/provisioning/gcp/gcp.go b/pkg/cmd/provisioning/gcp/gcp.go
@@ -15,6 +15,7 @@ type options struct {
 	WorkloadIdentityPool     string
 	WorkloadIdentityProvider string
 	CredRequestDir           string
+	OidcStorageMethod        string
 	DryRun                   bool
 	EnableTechPreview        bool
 }
diff --git a/pkg/gcp/client.go b/pkg/gcp/client.go
@@ -60,6 +60,7 @@ type Client interface {
 	UndeleteWorkloadIdentityPool(context.Context, string, *iam.UndeleteWorkloadIdentityPoolRequest) (*iam.Operation, error)
 	CreateWorkloadIdentityProvider(context.Context, string, string, *iam.WorkloadIdentityPoolProvider) (*iam.Operation, error)
 	GetWorkloadIdentityProvider(context.Context, string) (*iam.WorkloadIdentityPoolProvider, error)
+	UpdateWorkloadIdentityProvider(context.Context, string, *iam.WorkloadIdentityPoolProvider, string) (*iam.Operation, error)
 
 	//CloudResourceManager
 	GetProjectName() string
@@ -279,6 +280,12 @@ func (c *gcpClient) GetWorkloadIdentityProvider(ctx context.Context, resource st
 	return c.iamService.Projects.Locations.WorkloadIdentityPools.Providers.Get(resource).Context(ctx).Do()
 }
 
+func (c *gcpClient) UpdateWorkloadIdentityProvider(ctx context.Context, resource string, provider *iam.WorkloadIdentityPoolProvider, updateMask string) (*iam.Operation, error) {
+	ctx, cancel := contextWithTimeout(ctx)
+	defer cancel()
+	return c.iamService.Projects.Locations.WorkloadIdentityPools.Providers.Patch(resource, provider).UpdateMask(updateMask).Context(ctx).Do()
+}
+
 func (c *gcpClient) ListServicesEnabled() (map[string]bool, error) {
 	serviceMap := map[string]bool{}
 
diff --git a/pkg/gcp/mock/client_generated.go b/pkg/gcp/mock/client_generated.go

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,7 @@ type options struct {`
`15`	`15`	`WorkloadIdentityPool string`
`16`	`16`	`WorkloadIdentityProvider string`
`17`	`17`	`CredRequestDir string`
	`18`	`+ OidcStorageMethod string`
`18`	`19`	`DryRun bool`
`19`	`20`	`EnableTechPreview bool`
`20`	`21`	`}`