From 1cb89f2a51cd322450d23be552b946596fd558aa Mon Sep 17 00:00:00 2001
From: Khurram
Date: Thu, 29 Aug 2024 19:17:25 +0530
Subject: [PATCH] Add Projected volume configuration for Google's WIF

We have added configuration for the Projected volume needed for Google's Workload Identity federation. Here we have assumed that an OIDC is set up in OpenShift/kubernetes which project tokens at the specified path.
---
 README.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/README.md b/README.md
index 50f97c2eb..3779fd99b 100644
--- a/README.md
+++ b/README.md
@@ -102,6 +102,9 @@ spec:
 - name: source
 - name: google-credentials
 optional: true
+ - name: bound-sa-token
+ mountPath: /var/run/secrets/openshift/serviceaccount
+ optional: true
 steps:
 - # […] git clone, …
 - name: cache-fetch
@@ -127,7 +130,17 @@ spec:
 - name: google-credentials
 secret:
 secretName: gcs-secret
+ - name: bound-sa-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ audience: openshift
+ expirationSeconds: 3600
+ path: token
+ defaultMode: 420
 ```
+`bound-sa-token` workspace isn't required if Workload Identity federation isn't setup. Here we assumed an OIDC is configured in OpenShift.
+ ## License