Add GCD cluster profile #80743

Open
rochacbruno wants to merge 4 commits into openshift:main from rochacbruno:CORS-4508/add-gcd-cluster-profile

rochacbruno commented Jun 18, 2026
Member

Summary

  • Add gcd (Google Cloud Dedicated) cluster profile with cluster_type: gcp, owned by openshift/installer
  • Add cluster-secrets-gcd to secret bootstrap config (distributed to non_app_ci clusters)
  • Add 3 Boskos quota slices for gcd-quota-slice (region europe-west3)

The installer CI job (e2e-gcd) will be added in a follow-up PR once the profile is registered.

Context

Part of CORS-4508: setting up Workload Identity Federation authentication for the OpenShift installer on Google Cloud Dedicated (Berlin environment).

Companion PRs

Test plan

  • ci-tools PR merges first
  • Vault secret cluster-secrets-gcd is populated with WIF credential config
  • WIF pool/provider setup completed in GCD (tracked separately)
  • Follow-up PR adds e2e-gcd installer job

Generated with Claude Code

Summary by CodeRabbit

This PR establishes infrastructure support for the GCD (Google Cloud Dedicated) cluster profile, enabling OpenShift installer testing on Google Cloud Dedicated's Berlin environment using Workload Identity Federation authentication.

Infrastructure Changes:

  1. Cluster Profile Registration (cluster-profiles-config.yaml): Added a new gcd cluster profile configured for GCP with ownership assigned to both the openshift/installer and csi-operator teams, making it available for CI jobs targeting this testing environment.

  2. Secret Distribution (ci-secret-bootstrap/_config.yaml): Integrated cluster-secrets-gcd into the secret bootstrap configuration to distribute credentials to non_app_ci clusters, ensuring proper credential management for the new profile.

  3. Resource Quotas (_boskos.yaml): Added three Boskos quota slices for gcd-quota-slice in the europe-west3 region to manage resource allocation for GCD cluster provisioning.

Scope: This PR focuses exclusively on cluster profile registration and infrastructure setup. The corresponding e2e-gcd installer CI job will be added in a follow-up PR once the profile becomes available in the system (dependent on openshift/ci-tools#5261).

Add the "gcd" (Google Cloud Dedicated) cluster profile for testing
OpenShift installations on Google Cloud Dedicated (Berlin environment)
using Workload Identity Federation.

- Register "gcd" cluster profile with cluster_type "gcp"
- Add cluster-secrets-gcd to secret bootstrap config
- Add 3 Boskos quota slices for gcd-quota-slice
- Add e2e-gcd test to installer config, pinned to build13

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

coderabbitai Bot commented Jun 18, 2026
Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: a1a998ac-e967-4660-b323-e35aaa449f62

📥 Commits

Reviewing files that changed from the base of the PR and between c36f6c2 and 151a11a.

📒 Files selected for processing (1)
  • ci-operator/step-registry/cluster-profiles/cluster-profiles-config.yaml
✅ Files skipped from review due to trivial changes (1)
  • ci-operator/step-registry/cluster-profiles/cluster-profiles-config.yaml

Walkthrough

A new gcd cluster profile is registered in three configuration files: the cluster profile registry (type gcp, owner openshift/installer), the secret bootstrap config (cluster-secrets-gcd targeting non_app_ci), and Boskos quota resources (three europe-west3 quota slices).

Changes

gcd Cluster Profile Registration

Layer / File(s) | Summary
gcd profile definition, secrets, and quota slices: ci-operator/step-registry/cluster-profiles/cluster-profiles-config.yaml, core-services/ci-secret-bootstrap/_config.yaml, core-services/prow/02_config/_boskos.yaml | Adds the gcd profile entry with cluster_type: gcp and openshift/installer ownership, a cluster-secrets-gcd secret destination targeting cluster_groups: [non_app_ci] in the ci namespace, and three europe-west3--gcd-quota-slice-{0,1,2} Boskos resources with state: free.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The PR title 'Add GCD cluster profile' directly and clearly summarizes the main change—the addition of a new GCD cluster profile entry across configuration files.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names | ✅ Passed | PR modifies only YAML configuration files (cluster profiles, secret bootstrap, and Boskos quotas); no Ginkgo test files or test names are present or modified.
Test Structure And Quality | ✅ Passed | Check is not applicable to this PR. The PR contains only YAML configuration file changes (cluster profiles, secret bootstrap, Boskos resources) with no Ginkgo test code to review.
Microshift Test Compatibility | ✅ Passed | No Ginkgo e2e tests are added in this PR. All changes are to infrastructure configuration files (cluster-profiles-config.yaml, _config.yaml, _boskos.yaml). The e2e-gcd installer job will be added i...
Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR only modifies YAML configuration files (cluster profiles, secret bootstrap, Boskos resources) and does not add any Ginkgo e2e tests. The SNO compatibility check is not applicable to infrast...
Topology-Aware Scheduling Compatibility | ✅ Passed | PR modifies only CI configuration files (cluster profiles, secret bootstrap, Boskos quota) with no deployment manifests, operator code, or pod scheduling constraints that could affect topology comp...
Ote Binary Stdout Contract | ✅ Passed | PR contains only YAML configuration changes (cluster profiles, secret bootstrap, boskos resources); no executable code or test modifications that could violate OTE stdout contract.
Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | PR adds cluster profile infrastructure (YAML config files only) with no Ginkgo e2e tests. E2e job will be added in a follow-up PR per the PR description.
No-Weak-Crypto | ✅ Passed | PR adds YAML configuration files only (cluster profile, secret distribution, Boskos quotas). No weak cryptographic algorithms, custom crypto implementations, or insecure token comparisons detected.
Container-Privileges | ✅ Passed | PR contains no Kubernetes/container manifests. Files modified are CI infrastructure configs (cluster profiles, secret bootstrap, Boskos quotas) with no container privilege settings.
No-Sensitive-Data-In-Logs | ✅ Passed | The PR adds only configuration entries (cluster profile, secret bootstrap mapping, and Boskos quotas) with no logging statements or exposed credentials. No sensitive data is logged.

openshift-ci Bot requested review from deepsm007 and neisw June 18, 2026 14:11
Comment thread ci-operator/config/openshift/installer/openshift-installer-main.yaml Outdated

@openshift-merge-bot
Contributor

@rochacbruno, pj-rehearse: unable to determine affected jobs. This could be due to a branch that needs to be rebased. ERROR:

could not load configuration from candidate revision of release repo: failed to load ci-operator configuration from release repo: invalid ci-operator config: invalid configuration: tests[28]: invalid cluster profile "gcd"
Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

The region prefix in Boskos slice names becomes LEASED_RESOURCE, which
install steps pass as the target region. Use europe-west3 to match the
valid GCD regions from the installer.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

@openshift-merge-bot
Contributor

@rochacbruno, pj-rehearse: unable to determine affected jobs. This could be due to a branch that needs to be rebased. ERROR:

could not load configuration from candidate revision of release repo: failed to load ci-operator configuration from release repo: invalid ci-operator config: invalid configuration: tests[28]: invalid cluster profile "gcd"

tthvo commented Jun 18, 2026
Member

I wonder if we should scope this PR to just adding the cluster-profile. We can add the installer CI job in a follow-up 🤔 WDYT?

@rochacbruno
Member Author

@tthvo Good point. The CI tests are failing because the ci-tools PR (openshift/ci-tools#5261) needs to merge first to register the gcd cluster profile - otherwise validation rejects it as invalid.

I'll split this into two PRs:

  1. This PR - scoped to just the cluster profile registration (cluster-profiles-config, boskos, secret bootstrap)
  2. Follow-up PR - adds the e2e-gcd installer CI job once the profile is available

Will push an update shortly.

Scope this PR to cluster profile registration only. The e2e-gcd
installer job will be added in a follow-up PR once the profile is
available.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

rochacbruno changed the title from "Add GCD cluster profile and installer CI job" to "Add GCD cluster profile" on Jun 22, 2026

openshift-ci Bot commented Jun 22, 2026
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rochacbruno
Once this PR has been reviewed and has the lgtm label, please assign hector-vido for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Storage team needs access for CSI operator testing on GCD, same as
the AWS EUSC pattern.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

openshift-merge-bot Bot added the rehearsals-ack label (Signifies that rehearsal jobs have been acknowledged) on Jun 22, 2026

openshift-ci Bot commented Jun 22, 2026
Contributor

@rochacbruno: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name | Commit | Details | Required | Rerun command
ci/prow/check-gh-automation | c36f6c2 | link | true | /test check-gh-automation
ci/prow/generated-config | c36f6c2 | link | true | /test generated-config
ci/prow/ci-operator-config-metadata | c36f6c2 | link | true | /test ci-operator-config-metadata
ci/prow/check-cluster-profiles-config | 151a11a | link | false | /test check-cluster-profiles-config
ci/prow/boskos-config-generation | 151a11a | link | true | /test boskos-config-generation

@openshift-merge-bot
Contributor

[REHEARSALNOTIFIER]
@rochacbruno: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.
