Add claude interactive google service account creation during cluster creation

[ngopalak-redhat]

What this PR does / why we need it:

Adds the recommended service account and roles to be created in GCP for cluster creation.

As mentioned earlier in the document this process of cluster creation is the last resort. ClusterBot and other methods are preferred. It help teams needing special hardware and visibility into the nodes on the cluster.

Which issue(s) this PR fixes:

Fixes

Special notes for your reviewer:

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.

[openshift-ci]

Hi @ngopalak-redhat. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[ngopalak-redhat]

/assign @stbenjam This is similar to the previous PR (#72) you reviewed

[stbenjam]

/ok-t-test

[stbenjam]

/ok-to-test

[stbenjam]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ngopalak-redhat, stbenjam

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [stbenjam]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

Documentation update to the OpenShift cluster creation guide that adds a comprehensive GCP Service Account Setup workflow (Step 5.2a) with interactive user prompts, creation commands, and configuration steps for new or existing service accounts, including IAM permissions and credential handling.

Changes

Cohort / File(s)

Change Summary

GCP Service Account Setup Documentation plugins/openshift/commands/create-cluster.md

Adds Step 5.2a with comprehensive GCP Service Account workflow: user prompts for choosing between existing or new service account, full creation flow with Kerberos-id-based naming, IAM permission grants, key generation, and GOOGLE_APPLICATION_CREDENTIALS export. Extends Step 5.1 prompts and mirrors GCP setup logic in prerequisites and install-config generation sections. Updates install-config.yaml context to accommodate newly captured project ID and credentials.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

• Verify the GCP service account creation commands (gcloud commands syntax and IAM role assignments)
• Confirm consistency of the GCP setup flow across multiple sections (prerequisites, interactive prompts, install-config generation)
• Check that environment variable naming and export patterns are correct (GOOGLE_APPLICATION_CREDENTIALS)
• Validate step numbering and cross-references within the documentation

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (1)

plugins/openshift/commands/create-cluster.md (1)

264-367: Add guidance on credential management and cleanup after cluster creation.

The GCP Service Account Setup section does not address credential cleanup, key rotation, or lifecycle management best practices.

Consider adding a subsection (e.g., "Credential Cleanup and Security") after Step 5.2a that covers:

**Credential Cleanup & Security**

After cluster creation is complete, consider:

1. **Rotate or delete the service account key** if it's no longer needed:
   ```bash
   gcloud iam service-accounts keys delete KEY_ID --iam-account="$SERVICE_ACCOUNT_EMAIL"

2. Secure the GOOGLE_APPLICATION_CREDENTIALS file:

   • Never commit to version control
   • Use .gitignore: Add ~/.gcp/ to prevent accidental commits
   • Set file permissions to 0600 (already done above)

3. Review and remove service account roles if using a temporary account:

   gcloud projects remove-iam-policy-binding "$PROJECT_ID" \
     --member="serviceAccount:$SERVICE_ACCOUNT_EMAIL" \
     --role="ROLE_NAME"

4. Delete the service account if no longer needed:

   gcloud iam service-accounts delete "$SERVICE_ACCOUNT_EMAIL"

</blockquote></details>

</blockquote></details>

<details>
<summary>📜 Review details</summary>

**Configuration used**: CodeRabbit UI

**Review profile**: CHILL

**Plan**: Pro

**Cache: Disabled due to data retention organization setting**

**Knowledge base: Disabled due to `Reviews -> Disable Knowledge Base` setting**

<details>
<summary>📥 Commits</summary>

Reviewing files that changed from the base of the PR and between 2157c1918b22a3408e063759e19a40d6d8287725 and 59008bc1beafb0b13bfc10377fbbd0f5f2a80153.

</details>

<details>
<summary>📒 Files selected for processing (1)</summary>

* `plugins/openshift/commands/create-cluster.md` (3 hunks)

</details>

<details>
<summary>🧰 Additional context used</summary>

<details>
<summary>🪛 markdownlint-cli2 (0.18.1)</summary>

<details>
<summary>plugins/openshift/commands/create-cluster.md</summary>

273-273: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

---

284-284: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

</details>

</details>

</details>

<details>
<summary>🔇 Additional comments (1)</summary><blockquote>

<details>
<summary>plugins/openshift/commands/create-cluster.md (1)</summary><blockquote>

`58-58`: **LGTM on GCP prerequisites update and Step 5.2a reference.**

The updated prerequisite language (line 58) and reference to Step 5.2a (line 245) correctly guide users to the new guided service account setup workflow. These integrations are clear and well-placed.





Also applies to: 245-245

</blockquote></details>

</blockquote></details>

</details>

<!-- This is an auto-generated comment by CodeRabbit for review status -->

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fix markdown linting violations: use headings instead of emphasis.

Lines 273 and 284 use bold emphasis (**text**) where markdown headings should be used, violating MD036.

Apply this diff to convert emphasis to proper markdown headings:

-**Ask the user**: "Do you want to use an existing service account JSON file or create a new one?"
+### Ask the user: "Do you want to use an existing service account JSON file or create a new one?"

-**Option 1: Use Existing Service Account**
+### Option 1: Use Existing Service Account

Also apply the same fix at line 284:

-**Option 2: Create New Service Account**
+### Option 2: Create New Service Account

Also applies to: 284-284

🧰 Tools

🪛 markdownlint-cli2 (0.18.1)

273-273: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

🤖 Prompt for AI Agents

In plugins/openshift/commands/create-cluster.md around lines 273 and 284, bold
emphasis is being used where markdown headings are required (MD036); replace the
bolded lines (e.g., "**Option 1: Use Existing Service Account**") with the
appropriate heading syntax (e.g., use "#" or "##" depending on document
structure) for each occurrence so they become proper headings, and ensure
heading level is consistent with surrounding sections.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Add error handling and validation after service account creation and role grants.

The service account creation (line 310) and IAM role grants (lines 328–344) lack error checking. If these commands fail, subsequent operations will fail silently or with confusing errors.

Add error checks and validation:

 4. **Create the service account**:
    ```bash
    echo "Creating service account: $SERVICE_ACCOUNT_NAME"
+   if gcloud iam service-accounts create "$SERVICE_ACCOUNT_NAME" --display-name="$SERVICE_ACCOUNT_NAME"; then
+       echo "Service account created successfully."
+   else
+       echo "Error: Failed to create service account. Exiting."
+       exit 1
+   fi
-   gcloud iam service-accounts create "$SERVICE_ACCOUNT_NAME" --display-name="$SERVICE_ACCOUNT_NAME"
    ```

Also add validation after granting roles (after line 346):

    echo "All roles granted successfully."
+   
+   # Verify roles were assigned
+   ASSIGNED_ROLES="$(gcloud projects get-iam-policy "$PROJECT_ID" --flatten='bindings[].members' --format='value(bindings.role)' --filter="bindings.members:serviceAccount:$SERVICE_ACCOUNT_EMAIL")"
+   if [ -z "$ASSIGNED_ROLES" ]; then
+       echo "Warning: Could not verify role assignment. Please check manually."
+   fi

🤖 Prompt for AI Agents

In plugins/openshift/commands/create-cluster.md around lines 307 to 347, the
service account creation and IAM role grant steps lack error handling and
validation; update the script so the gcloud iam service-accounts create call is
tested for success and exits with a clear error message on failure, verify
SERVICE_ACCOUNT_JSON, SERVICE_ACCOUNT_EMAIL and PROJECT_ID are non-empty after
extraction (exit with error if not), and wrap each gcloud projects
add-iam-policy-binding invocation to check its exit status (log failures, stop
and exit non-zero if any role grant fails, or accumulate failed roles and report
them before exiting); ensure all error messages are descriptive and return
non-zero status so downstream steps don't run on silent failure.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Fix jq filter syntax for extracting service account details.

The jq filter on line 316 uses incorrect syntax for environment variable interpolation: \(env.SERVICE_ACCOUNT_NAME) will not work as intended. The jq env object requires a different syntax, and this approach is fragile.

Simplify by extracting the account after storing the email address, or use a direct approach:

-   # Get service account information
-   SERVICE_ACCOUNT_JSON="$(gcloud iam service-accounts list --format json | jq -r '.[] | select(.name | match("/\(env.SERVICE_ACCOUNT_NAME)@"))')"
-   SERVICE_ACCOUNT_EMAIL="$(jq -r .email <<< "$SERVICE_ACCOUNT_JSON")"
-   PROJECT_ID="$(jq -r .projectId <<< "$SERVICE_ACCOUNT_JSON")"
+   # Get service account email directly using gcloud
+   SERVICE_ACCOUNT_EMAIL="$(gcloud iam service-accounts list --format='value(email)' --filter='displayName:*'"$SERVICE_ACCOUNT_NAME"'*')"
+   if [ -z "$SERVICE_ACCOUNT_EMAIL" ]; then
+       echo "Error: Failed to retrieve service account email. Exiting."
+       exit 1
+   fi
+   
+   # Get project ID from gcloud config
+   PROJECT_ID="$(gcloud config get-value project)"
+   if [ -z "$PROJECT_ID" ]; then
+       echo "Error: Project ID not set in gcloud config. Exiting."
+       exit 1
+   fi

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In plugins/openshift/commands/create-cluster.md around lines 316–322, the jq
filter currently attempts to interpolate the environment variable using
incorrect syntax; replace that fragile regex approach with a robust selection by
comparing the .email field to the SERVICE_ACCOUNT_NAME environment variable (or
better, use gcloud's --filter to return the specific service account), then
extract .email and .projectId from that selected object; ensure you set
SERVICE_ACCOUNT_EMAIL and PROJECT_ID from that selected JSON result so
interpolation is correct and reliable.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Add error handling for key file creation and secure permissions.

The service account key creation (lines 355–356) and environment variable setup lack error checking. Additionally, the generated key file should have restrictive permissions.

Add error handling and secure file permissions:

 7. **Create and download service account key**:
    ```bash
    KEY_FILE="${HOME}/.gcp/${SERVICE_ACCOUNT_NAME}-key.json"
    mkdir -p "$(dirname "$KEY_FILE")"
    
    echo "Creating service account key..."
+   if gcloud iam service-accounts keys create "$KEY_FILE" \
+      --iam-account="$SERVICE_ACCOUNT_EMAIL"; then
+       # Secure the key file with restrictive permissions
+       chmod 600 "$KEY_FILE"
+       echo "Service account key saved to: $KEY_FILE (permissions: 0600)"
+   else
+       echo "Error: Failed to create service account key. Exiting."
+       exit 1
+   fi
-   gcloud iam service-accounts keys create "$KEY_FILE" \
-      --iam-account="$SERVICE_ACCOUNT_EMAIL"
-
-   echo "Service account key saved to: $KEY_FILE"
    ```

🤖 Prompt for AI Agents

In plugins/openshift/commands/create-cluster.md around lines 349 to 366, the
gcloud service-account key creation and subsequent steps lack error handling and
do not secure the key file; update the snippet so the gcloud key creation is
executed inside a conditional that checks for success, on success run chmod 600
on the generated KEY_FILE and echo the saved path and permissions, on failure
print an error and exit with non-zero status; keep the export
GOOGLE_APPLICATION_CREDENTIALS step but only set it after verifying the key was
created and permissions set.