GCP-431: feat: Add CNCC support for GCP WIF in HyperShift #7824

Draft
apahim wants to merge 1 commit into openshift:main from apahim:cncc

Conversation

@apahim
Contributor

@apahim apahim commented Feb 27, 2026

What this PR does / why we need it:

Adds CNCC (Cloud Network Config Controller) support for GCP Workload Identity Federation in HyperShift HCP mode. Currently HyperShift does not provision WIF credentials for CNCC on GCP, so CNCC cannot authenticate to GCP APIs to manage egress IPs and subnets.

This PR:

  • Adds a Network field to GCPServiceAccountsEmails API for the CNCC service account
  • Adds a cloud-network service account entry to iam-bindings.json with fine-grained CNCC permissions (compute.instances.get, compute.subnetworks.use, etc.)
  • Provisions a cloud-network-config-controller-creds secret in ReconcileCredentials when the Network GSA email is configured
  • Sets GCP_CNCC_CREDENTIALS_FILE env var on the CNO deployment for GCP platform, so CNO can wire GOOGLE_APPLICATION_CREDENTIALS on the CNCC container

Which issue(s) this PR fixes:

Fixes GCP-431

Special notes for your reviewer:

This PR is part of a cross-repo effort:

The Network field is +optional (unlike the other GSA fields which are +required) since existing clusters won't have it set. The iam-bindings.json entry uses permissions instead of roles because CNCC needs fine-grained permissions that don't map to a single predefined GCP role.

Checklist:

  • Subject and description added to both commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Summary by CodeRabbit

Release Notes

  • New Features
    • Added network configuration field for GCP hosted clusters with validation enforcement
    • Enabled Cloud Network Config Controller support for GCP platforms with automatic credential provisioning
    • Introduced new service account with granular permissions for cloud network configuration, including subnet and network interface management capabilities

- Add Network field to GCPServiceAccountsEmails API with CEL
  validation ensuring the GSA belongs to the hosting project.
- Add cloud-network service account to iam-bindings.json with
  fine-grained CNCC permissions (compute.instances.get,
  compute.subnetworks.use, etc.).
- Provision cloud-network-config-controller-creds secret in
  ReconcileCredentials when Network GSA email is configured.
- Set GCP_CNCC_CREDENTIALS_FILE env var on CNO deployment for
  GCP platform so CNO wires GOOGLE_APPLICATION_CREDENTIALS on
  the CNCC container.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
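The description above relies on two pieces that the page does not show in code: a check that the Network GSA belongs to the hosting project (the CEL rule), and a credentials file of the kind GOOGLE_APPLICATION_CREDENTIALS points at for WIF. The following Go snippet is an added illustration, not code from this PR or from HyperShift; the regex length limits, the WIF pool audience and the projected token mount path are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// GSA emails are <account-id>@<project-id>.iam.gserviceaccount.com; group 1 is the project ID.
var gsaEmailRe = regexp.MustCompile(`^[a-z][a-z0-9-]{5,29}@([a-z][a-z0-9-]{4,28}[a-z0-9])\.iam\.gserviceaccount\.com$`)

// CheckGSAInProject is an illustrative stand-in for the PR's CEL rule: the Network GSA
// must belong to the hosting project. It returns the GSA's project on success.
func CheckGSAInProject(email, hostingProject string) (string, error) {
	m := gsaEmailRe.FindStringSubmatch(email)
	if m == nil {
		return "", fmt.Errorf("%q is not a GCP service account email", email)
	}
	if m[1] != hostingProject {
		return "", fmt.Errorf("GSA project %q does not match hosting project %q", m[1], hostingProject)
	}
	return m[1], nil
}

// BuildCNCCCredentials renders an external_account document (GCP's public WIF credential
// format, read via GOOGLE_APPLICATION_CREDENTIALS) for the cloud-network GSA. poolAudience
// (the WIF provider resource name) and tokenPath (the projected SA token mount) are assumed.
func BuildCNCCCredentials(gsaEmail, hostingProject, poolAudience, tokenPath string) ([]byte, error) {
	if _, err := CheckGSAInProject(gsaEmail, hostingProject); err != nil {
		return nil, err
	}
	doc := map[string]interface{}{
		"type":               "external_account",
		"audience":           poolAudience,
		"subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
		"token_url":          "https://sts.googleapis.com/v1/token",
		// The federated token is exchanged for a short-lived GSA access token; no GSA key exists.
		"service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/" + gsaEmail + ":generateAccessToken",
		"credential_source": map[string]interface{}{
			"file":   tokenPath,
			"format": map[string]string{"type": "text"},
		},
	}
	return json.MarshalIndent(doc, "", "  ")
}

func main() {
	// Constructed sample values; no real project, pool or cluster is referenced.
	out, err := BuildCNCCCredentials("cloud-network@my-hosting-proj.iam.gserviceaccount.com",
		"my-hosting-proj", "//iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/hcp-pool/providers/hcp-provider",
		"/var/run/secrets/openshift/serviceaccount/token")
	if err != nil { panic(err) }
	fmt.Println(string(out))
}
```

The rendered document is what a controller would place into the cloud-network-config-controller-creds secret; a mismatched project is rejected before anything is written.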
@openshift-ci-robot

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Feb 27, 2026
@openshift-ci-robot
Copy link

openshift-ci-robot commented Feb 27, 2026

@apahim: This pull request references GCP-431 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai
Contributor

coderabbitai bot commented Feb 27, 2026

Walkthrough

These changes add Cloud Network Config Controller (CNCC) credential support to HyperShift's GCP platform integration. A new Network service account field with validations is introduced to the GCP configuration, corresponding IAM permissions are configured, CNO deployment environment setup is updated, and credential management logic is extended to handle CNCC credentials.

Changes

  • GCP Platform Configuration: api/hypershift/v1beta1/gcp.go
    Added Network field to GCPServiceAccountsEmails struct with kubebuilder pattern and length validations. Added validation rule to GCPPlatformSpec ensuring the network service account belongs to the same project.
  • GCP IAM Bindings: cmd/infra/gcp/iam-bindings.json
    Added cloud-network service account entry with permissions for network interface, subnet, and zone operations management. Maps to the cloud-network-config-controller Kubernetes service account.
  • CNO Deployment Configuration: control-plane-operator/controllers/hostedcontrolplane/v2/cno/deployment.go
    Added GCP-specific environment variable GCP_CNCC_CREDENTIALS_FILE pointing to application_default_credentials.json when the GCP platform is configured.
  • GCP Credential Management: hypershift-operator/controllers/hostedcluster/internal/platform/gcp/gcp.go
    Introduced CNCCCredsSecret function to create a Kubernetes Secret for CNCC credentials. Updated ReconcileCredentials to conditionally manage CNCC credentials when the Network service account is configured.

Sequence Diagram

sequenceDiagram
    participant HCP as GCP Controller
    participant Spec as Platform Spec
    participant Creds as Credential Manager
    participant Secret as Kubernetes Secret
    participant CNO as CNO Deployment

    HCP->>Spec: Read Network service account email
    alt Network service account configured
        HCP->>Creds: Call ReconcileCredentials()
        Creds->>Creds: Detect Network service account
        Creds->>Secret: Create CNCCCredsSecret<br/>(cloud-network-config-controller-creds)
        Secret-->>Creds: Secret created/reconciled
        Creds-->>HCP: Credentials ready
        HCP->>CNO: Set GCP_CNCC_CREDENTIALS_FILE<br/>environment variable
        CNO->>Secret: Mount credentials
    else No Network service account
        HCP->>CNO: Standard CNO deployment
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 66.67%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.
  • Test Structure And Quality: ❓ Inconclusive. No unit test files were found for the new CNCC credentials and Network field changes despite the PR checklist claiming tests are included. Resolution: verify that test files exist for the CNCCCredsSecret function, Network field validation, and ReconcileCredentials changes; provide test file locations if tests were added separately.

✅ Passed checks (3 passed)

  • Title check: ✅ Passed. The title 'GCP-431: feat: Add CNCC support for GCP WIF in HyperShift' accurately describes the main feature addition, implementing Cloud Network Config Controller support for GCP Workload Identity Federation, which is the core purpose of the changeset.
  • Stable And Deterministic Test Names: ✅ Passed. All test names in affected files use static descriptive names without dynamic values like timestamps or UUIDs.
  • Description Check: ✅ Passed. Check skipped; CodeRabbit's high-level summary is enabled.


@apahim
Contributor Author

apahim commented Feb 27, 2026

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 27, 2026
@openshift-ci openshift-ci bot requested review from muraee and patjlm February 27, 2026 14:20
@openshift-ci openshift-ci bot added area/api Indicates the PR includes changes for the API area/cli Indicates the PR includes changes for CLI labels Feb 27, 2026
@openshift-ci
Contributor

openshift-ci bot commented Feb 27, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: apahim
Once this PR has been reviewed and has the lgtm label, please assign devguyio for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release area/hypershift-operator Indicates the PR includes changes for the hypershift operator and API - outside an OCP release area/platform/gcp PR/issue for GCP (GCPPlatform) platform and removed do-not-merge/needs-area labels Feb 27, 2026
@apahim apahim marked this pull request as draft February 27, 2026 14:44
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 27, 2026
@openshift-ci
Contributor

openshift-ci bot commented Feb 27, 2026

@apahim: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

  • ci/prow/e2e-azure-self-managed (commit 58f6456, required: false): /test e2e-azure-self-managed
  • ci/prow/images (commit 58f6456, required: true): /test images
  • ci/prow/unit (commit 58f6456, required: true): /test unit
  • ci/prow/verify-deps (commit 58f6456, required: true): /test verify-deps
  • ci/prow/e2e-gke (commit 58f6456, required: false): /test e2e-gke

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
