28 changes: 24 additions & 4 deletions api/hypershift/v1beta1/gcp.go
Expand Up @@ -107,6 +107,7 @@ type GCPNetworkConfig struct {
// +kubebuilder:validation:XValidation:rule="self.workloadIdentity.serviceAccountsEmails.nodePool.contains('@') && self.workloadIdentity.serviceAccountsEmails.nodePool.endsWith('@' + self.project + '.iam.gserviceaccount.com')",message="nodePool service account must belong to the same project"
// +kubebuilder:validation:XValidation:rule="self.workloadIdentity.serviceAccountsEmails.cloudController.contains('@') && self.workloadIdentity.serviceAccountsEmails.cloudController.endsWith('@' + self.project + '.iam.gserviceaccount.com')",message="cloudController service account must belong to the same project"
// +kubebuilder:validation:XValidation:rule="self.workloadIdentity.serviceAccountsEmails.storage.contains('@') && self.workloadIdentity.serviceAccountsEmails.storage.endsWith('@' + self.project + '.iam.gserviceaccount.com')",message="storage service account must belong to the same project"
// +kubebuilder:validation:XValidation:rule="self.workloadIdentity.serviceAccountsEmails.imageRegistry.contains('@') && self.workloadIdentity.serviceAccountsEmails.imageRegistry.endsWith('@' + self.project + '.iam.gserviceaccount.com')",message="imageRegistry service account must belong to the same project"
type GCPPlatformSpec struct {
// project is the GCP project ID.
// A valid project ID must satisfy the following rules:
Expand Down Expand Up @@ -267,7 +268,7 @@ type GCPServiceAccountsEmails struct {
// +required
// +immutable
// +kubebuilder:validation:Pattern=`^[a-z][a-z0-9-]{4,28}[a-z0-9]@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$`
// +kubebuilder:validation:MinLength=38
// +kubebuilder:validation:MinLength=37
// +kubebuilder:validation:MaxLength=100
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="NodePool is immutable"
NodePool string `json:"nodePool,omitempty"`
Expand All @@ -288,7 +289,7 @@ type GCPServiceAccountsEmails struct {
// +required
// +immutable
// +kubebuilder:validation:Pattern=`^[a-z][a-z0-9-]{4,28}[a-z0-9]@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$`
// +kubebuilder:validation:MinLength=38
// +kubebuilder:validation:MinLength=37
// +kubebuilder:validation:MaxLength=100
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="ControlPlane is immutable"
ControlPlane string `json:"controlPlane,omitempty"`
Expand All @@ -309,7 +310,7 @@ type GCPServiceAccountsEmails struct {
// +required
// +immutable
// +kubebuilder:validation:Pattern=`^[a-z][a-z0-9-]{4,28}[a-z0-9]@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$`
// +kubebuilder:validation:MinLength=38
// +kubebuilder:validation:MinLength=37
// +kubebuilder:validation:MaxLength=100
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="CloudController is immutable"
CloudController string `json:"cloudController,omitempty"`
Expand All @@ -331,10 +332,29 @@ type GCPServiceAccountsEmails struct {
// +required
// +immutable
// +kubebuilder:validation:Pattern=`^[a-z][a-z0-9-]{4,28}[a-z0-9]@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$`
// +kubebuilder:validation:MinLength=38
// +kubebuilder:validation:MinLength=37
// +kubebuilder:validation:MaxLength=100
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Storage is immutable"
Storage string `json:"storage,omitempty"`

// imageRegistry is the Google Service Account email for the Image Registry Operator
// that manages GCS storage for the internal container image registry.
// This GSA requires the following IAM roles:
// - roles/storage.admin (Storage Admin - for creating and managing GCS buckets and objects)
// See cmd/infra/gcp/iam-bindings.json for the authoritative role definitions.
// Format: service-account-name@project-id.iam.gserviceaccount.com
//
// This is a user-provided value referencing a pre-created Google Service Account.
// Typically obtained from the output of `hypershift infra create gcp` which creates
// the required service accounts with appropriate IAM roles and WIF bindings.
//
// +required
// +immutable
// +kubebuilder:validation:Pattern=`^[a-z][a-z0-9-]{4,28}[a-z0-9]@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$`
// +kubebuilder:validation:MinLength=37
// +kubebuilder:validation:MaxLength=100
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="ImageRegistry is immutable"
ImageRegistry string `json:"imageRegistry,omitempty"`
}

// GCPOnHostMaintenance defines the behavior when a host maintenance event occurs.
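Review bot: Making `ImageRegistry` a `+required` member of `GCPServiceAccountsEmails` and dereferencing it unguarded in the new `GCPPlatformSpec` XValidation rule means a HostedCluster already stored without `imageRegistry` would fail validation on its next update, and the rule `self.workloadIdentity.serviceAccountsEmails.imageRegistry.contains('@')` would evaluate against an absent key rather than simply returning false; if objects created before this change can exist, the rule needs a `has(self.workloadIdentity.serviceAccountsEmails.imageRegistry)` guard or the PR should document the upgrade step. The new doc comment lists `roles/storage.admin` as the required role; because that role grants control of buckets and objects across the project, the comment should state whether the binding in cmd/infra/gcp/iam-bindings.json is scoped to the registry bucket or is project-wide, so operators understand the blast radius of this credential. The `GCPServiceAccountsEmails` declaration begins outside the hunk.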
Expand Up @@ -5139,7 +5139,7 @@ spec:
Typically obtained from the output of `hypershift infra create gcp` which creates
the required service accounts with appropriate IAM roles and WIF bindings.
maxLength: 100
minLength: 38
minLength: 37
pattern: ^[a-z][a-z0-9-]{4,28}[a-z0-9]@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$
type: string
x-kubernetes-validations:
Expand All @@ -5160,12 +5160,31 @@ spec:
Typically obtained from the output of `hypershift infra create gcp` which creates
the required service accounts with appropriate IAM roles and WIF bindings.
maxLength: 100
minLength: 38
minLength: 37
pattern: ^[a-z][a-z0-9-]{4,28}[a-z0-9]@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$
type: string
x-kubernetes-validations:
- message: ControlPlane is immutable
rule: self == oldSelf
imageRegistry:
description: |-
imageRegistry is the Google Service Account email for the Image Registry Operator
that manages GCS storage for the internal container image registry.
This GSA requires the following IAM roles:
- roles/storage.admin (Storage Admin - for creating and managing GCS buckets and objects)
See cmd/infra/gcp/iam-bindings.json for the authoritative role definitions.
Format: service-account-name@project-id.iam.gserviceaccount.com

This is a user-provided value referencing a pre-created Google Service Account.
Typically obtained from the output of `hypershift infra create gcp` which creates
the required service accounts with appropriate IAM roles and WIF bindings.
maxLength: 100
minLength: 37
pattern: ^[a-z][a-z0-9-]{4,28}[a-z0-9]@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$
type: string
x-kubernetes-validations:
- message: ImageRegistry is immutable
rule: self == oldSelf
nodePool:
description: |-
nodePool is the Google Service Account email for CAPG controllers
Expand All @@ -5181,7 +5200,7 @@ spec:
Typically obtained from the output of `hypershift infra create gcp` which creates
the required service accounts with appropriate IAM roles and WIF bindings.
maxLength: 100
minLength: 38
minLength: 37
pattern: ^[a-z][a-z0-9-]{4,28}[a-z0-9]@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$
type: string
x-kubernetes-validations:
Expand All @@ -5203,7 +5222,7 @@ spec:
Typically obtained from the output of `hypershift infra create gcp` which creates
the required service accounts with appropriate IAM roles and WIF bindings.
maxLength: 100
minLength: 38
minLength: 37
pattern: ^[a-z][a-z0-9-]{4,28}[a-z0-9]@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$
type: string
x-kubernetes-validations:
Expand All @@ -5212,6 +5231,7 @@ spec:
required:
- cloudController
- controlPlane
- imageRegistry
- nodePool
- storage
type: object
Expand Down Expand Up @@ -5249,6 +5269,11 @@ spec:
rule: self.workloadIdentity.serviceAccountsEmails.storage.contains('@')
&& self.workloadIdentity.serviceAccountsEmails.storage.endsWith('@'
+ self.project + '.iam.gserviceaccount.com')
- message: imageRegistry service account must belong to the same
project
rule: self.workloadIdentity.serviceAccountsEmails.imageRegistry.contains('@')
&& self.workloadIdentity.serviceAccountsEmails.imageRegistry.endsWith('@'
+ self.project + '.iam.gserviceaccount.com')
ibmcloud:
description: ibmcloud defines IBMCloud specific settings for components
properties:
Expand Up @@ -5031,7 +5031,7 @@ spec:
Typically obtained from the output of `hypershift infra create gcp` which creates
the required service accounts with appropriate IAM roles and WIF bindings.
maxLength: 100
minLength: 38
minLength: 37
pattern: ^[a-z][a-z0-9-]{4,28}[a-z0-9]@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$
type: string
x-kubernetes-validations:
Expand All @@ -5052,12 +5052,31 @@ spec:
Typically obtained from the output of `hypershift infra create gcp` which creates
the required service accounts with appropriate IAM roles and WIF bindings.
maxLength: 100
minLength: 38
minLength: 37
pattern: ^[a-z][a-z0-9-]{4,28}[a-z0-9]@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$
type: string
x-kubernetes-validations:
- message: ControlPlane is immutable
rule: self == oldSelf
imageRegistry:
description: |-
imageRegistry is the Google Service Account email for the Image Registry Operator
that manages GCS storage for the internal container image registry.
This GSA requires the following IAM roles:
- roles/storage.admin (Storage Admin - for creating and managing GCS buckets and objects)
See cmd/infra/gcp/iam-bindings.json for the authoritative role definitions.
Format: service-account-name@project-id.iam.gserviceaccount.com

This is a user-provided value referencing a pre-created Google Service Account.
Typically obtained from the output of `hypershift infra create gcp` which creates
the required service accounts with appropriate IAM roles and WIF bindings.
maxLength: 100
minLength: 37
pattern: ^[a-z][a-z0-9-]{4,28}[a-z0-9]@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$
type: string
x-kubernetes-validations:
- message: ImageRegistry is immutable
rule: self == oldSelf
nodePool:
description: |-
nodePool is the Google Service Account email for CAPG controllers
Expand All @@ -5073,7 +5092,7 @@ spec:
Typically obtained from the output of `hypershift infra create gcp` which creates
the required service accounts with appropriate IAM roles and WIF bindings.
maxLength: 100
minLength: 38
minLength: 37
pattern: ^[a-z][a-z0-9-]{4,28}[a-z0-9]@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$
type: string
x-kubernetes-validations:
Expand All @@ -5095,7 +5114,7 @@ spec:
Typically obtained from the output of `hypershift infra create gcp` which creates
the required service accounts with appropriate IAM roles and WIF bindings.
maxLength: 100
minLength: 38
minLength: 37
pattern: ^[a-z][a-z0-9-]{4,28}[a-z0-9]@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$
type: string
x-kubernetes-validations:
Expand All @@ -5104,6 +5123,7 @@ spec:
required:
- cloudController
- controlPlane
- imageRegistry
- nodePool
- storage
type: object
Expand Down Expand Up @@ -5141,6 +5161,11 @@ spec:
rule: self.workloadIdentity.serviceAccountsEmails.storage.contains('@')
&& self.workloadIdentity.serviceAccountsEmails.storage.endsWith('@'
+ self.project + '.iam.gserviceaccount.com')
- message: imageRegistry service account must belong to the same
project
rule: self.workloadIdentity.serviceAccountsEmails.imageRegistry.contains('@')
&& self.workloadIdentity.serviceAccountsEmails.imageRegistry.endsWith('@'
+ self.project + '.iam.gserviceaccount.com')
ibmcloud:
description: ibmcloud defines IBMCloud specific settings for components
properties:


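--- a/cmd/cluster/gcp/create.go
+++ b/cmd/cluster/gcp/create.go
@@ -35,6 +35,7 @@ const (
 flagControlPlaneServiceAccount = "control-plane-service-account"
 flagCloudControllerServiceAccount = "cloud-controller-service-account"
 flagStorageServiceAccount = "storage-service-account"
+flagImageRegistryServiceAccount = "image-registry-service-account"
 flagServiceAccountSigningKeyPath = "service-account-signing-key-path"
 flagEndpointAccess = "endpoint-access"
 flagIssuerURL = "oidc-issuer-url"
@@ -79,6 +80,9 @@ type RawCreateOptions struct {
 // StorageServiceAccount is the Google Service Account email for the GCP PD CSI Driver
 StorageServiceAccount string
 
+// ImageRegistryServiceAccount is the Google Service Account email for the Image Registry Operator
+ImageRegistryServiceAccount string
+
 // ServiceAccountSigningKeyPath is the path to the private key file for the service account token issuer
 ServiceAccountSigningKeyPath string
 
@@ -114,6 +118,7 @@ func BindOptions(opts *RawCreateOptions, flags *pflag.FlagSet) {
 flags.StringVar(&opts.ControlPlaneServiceAccount, flagControlPlaneServiceAccount, opts.ControlPlaneServiceAccount, "Google Service Account email for Control Plane Operator (from `hypershift create iam gcp` output)")
 flags.StringVar(&opts.CloudControllerServiceAccount, flagCloudControllerServiceAccount, opts.CloudControllerServiceAccount, "Google Service Account email for Cloud Controller Manager (from `hypershift create iam gcp` output)")
 flags.StringVar(&opts.StorageServiceAccount, flagStorageServiceAccount, opts.StorageServiceAccount, "Google Service Account email for GCP PD CSI Driver (from `hypershift create iam gcp` output)")
+flags.StringVar(&opts.ImageRegistryServiceAccount, flagImageRegistryServiceAccount, opts.ImageRegistryServiceAccount, "Google Service Account email for Image Registry Operator (from `hypershift create iam gcp` output)")
 flags.StringVar(&opts.ServiceAccountSigningKeyPath, flagServiceAccountSigningKeyPath, "", "The file to the private key for the service account token issuer")
 flags.StringVar(&opts.EndpointAccess, flagEndpointAccess, string(hyperv1.GCPEndpointAccessPrivate), "Endpoint access type (Private or PublicAndPrivate)")
 flags.StringVar(&opts.IssuerURL, flagIssuerURL, "", "The OIDC provider issuer URL")
@@ -170,6 +175,9 @@ func (o *RawCreateOptions) Validate(_ context.Context, _ *core.CreateOptions) (c
 if err := util.ValidateRequiredOption(flagStorageServiceAccount, o.StorageServiceAccount); err != nil {
 return nil, err
 }
+if err := util.ValidateRequiredOption(flagImageRegistryServiceAccount, o.ImageRegistryServiceAccount); err != nil {
+return nil, err
+}
 return &ValidatedCreateOptions{
 validatedCreateOptions: &validatedCreateOptions{
 RawCreateOptions: o,
@@ -274,6 +282,7 @@ func (o *CreateOptions) ApplyPlatformSpecifics(hostedCluster *hyperv1.HostedClus
 ControlPlane: o.ControlPlaneServiceAccount,
 CloudController: o.CloudControllerServiceAccount,
 Storage: o.StorageServiceAccount,
+ImageRegistry: o.ImageRegistryServiceAccount,
 },
 },
 EndpointAccess: hyperv1.GCPEndpointAccessType(o.EndpointAccess),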
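Review bot: The help text on the new `flagImageRegistryServiceAccount` StringVar in BindOptions tells users the value comes from `hypershift create iam gcp`, while the `ImageRegistry` field doc added to api/hypershift/v1beta1/gcp.go in this same PR says `hypershift infra create gcp`; the two should name the same command. The three neighbouring flags carry the identical wording, so if the API doc is the correct one all four help strings are stale, not just the added line. In Validate, the new check only asserts the option is non-empty and leaves format and project-membership enforcement to the CRD pattern and CEL rule; that mirrors the sibling options, but a local suffix check such as `strings.HasSuffix(o.ImageRegistryServiceAccount, ".iam.gserviceaccount.com")` (if `strings` is already imported here) would fail fast before the HostedCluster is submitted. BindOptions, Validate and ApplyPlatformSpecifics all begin and end outside their hunks.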