openshift
diff --git a/‎api/observability/v1/output_types.go‎
Lines changed: 12 additions & 1 deletion b/‎api/observability/v1/output_types.go‎
Lines changed: 12 additions & 1 deletion
diff --git a/‎api/observability/v1/zz_generated.deepcopy.go‎
Lines changed: 5 additions & 0 deletions b/‎api/observability/v1/zz_generated.deepcopy.go‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎bundle/manifests/cluster-logging.clusterserviceversion.yaml‎
Lines changed: 28 additions & 2 deletions b/‎bundle/manifests/cluster-logging.clusterserviceversion.yaml‎
Lines changed: 28 additions & 2 deletions
diff --git a/‎bundle/manifests/observability.openshift.io_clusterlogforwarders.yaml‎
Lines changed: 40 additions & 2 deletions b/‎bundle/manifests/observability.openshift.io_clusterlogforwarders.yaml‎
Lines changed: 40 additions & 2 deletions
diff --git a/‎config/crd/bases/observability.openshift.io_clusterlogforwarders.yaml‎
Lines changed: 40 additions & 2 deletions b/‎config/crd/bases/observability.openshift.io_clusterlogforwarders.yaml‎
Lines changed: 40 additions & 2 deletions
diff --git a/‎config/manifests/bases/cluster-logging.clusterserviceversion.yaml‎
Lines changed: 27 additions & 1 deletion b/‎config/manifests/bases/cluster-logging.clusterserviceversion.yaml‎
Lines changed: 27 additions & 1 deletion
diff --git a/‎…utputs/aws-cross-account-forwarding.adoc‎ ‎…ts/aws/aws-cross-account-forwarding.adoc‎docs/features/logforwarding/outputs/aws-cross-account-forwarding.adoc renamed to docs/features/logforwarding/outputs/aws/aws-cross-account-forwarding.adoc b/‎…utputs/aws-cross-account-forwarding.adoc‎ ‎…ts/aws/aws-cross-account-forwarding.adoc‎docs/features/logforwarding/outputs/aws-cross-account-forwarding.adoc renamed to docs/features/logforwarding/outputs/aws/aws-cross-account-forwarding.adoc
diff --git a/‎…g/outputs/cloudwatch-sts-forwarding.adoc‎ ‎…tputs/aws/cloudwatch-sts-forwarding.adoc‎docs/features/logforwarding/outputs/cloudwatch-sts-forwarding.adoc renamed to docs/features/logforwarding/outputs/aws/cloudwatch-sts-forwarding.adoc b/‎…g/outputs/cloudwatch-sts-forwarding.adoc‎ ‎…tputs/aws/cloudwatch-sts-forwarding.adoc‎docs/features/logforwarding/outputs/cloudwatch-sts-forwarding.adoc renamed to docs/features/logforwarding/outputs/aws/cloudwatch-sts-forwarding.adoc
diff --git a/‎…logforwarding/outputs/s3-forwarding.adoc‎ ‎…orwarding/outputs/aws/s3-forwarding.adoc‎docs/features/logforwarding/outputs/s3-forwarding.adoc renamed to docs/features/logforwarding/outputs/aws/s3-forwarding.adoc b/‎…logforwarding/outputs/s3-forwarding.adoc‎ ‎…orwarding/outputs/aws/s3-forwarding.adoc‎docs/features/logforwarding/outputs/s3-forwarding.adoc renamed to docs/features/logforwarding/outputs/aws/s3-forwarding.adoc
diff --git a/‎…ing/outputs/google-cloud-forwarding.adoc‎ ‎…googlecloud/google-cloud-forwarding.adoc‎docs/features/logforwarding/outputs/google-cloud-forwarding.adoc renamed to docs/features/logforwarding/outputs/googlecloud/google-cloud-forwarding.adoc
Lines changed: 9 additions & 4 deletions b/‎…ing/outputs/google-cloud-forwarding.adoc‎ ‎…googlecloud/google-cloud-forwarding.adoc‎docs/features/logforwarding/outputs/google-cloud-forwarding.adoc renamed to docs/features/logforwarding/outputs/googlecloud/google-cloud-forwarding.adoc
Lines changed: 9 additions & 4 deletions
@@ -719,11 +719,22 @@ type Elasticsearch struct {
 
 // GoogleCloudLoggingAuthentication contains configuration for authenticating requests to a GoogleCloudLogging output.
 type GoogleCloudLoggingAuthentication struct {
-	// Credentials points to the secret containing the `google-application-credentials.json`.
+	// Credentials points to the secret containing the GCP credentials JSON file.
+	// For service account auth, this is a service_account key file.
+	// For Workload Identity Federation (WIF), this is an external_account configuration file.
 	//
 	// +kubebuilder:validation:Required
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Secret with Credentials File"
 	Credentials *SecretReference `json:"credentials"`
+
+	// Token specifies the source of the bearer token used as the subject token for
+	// GCP Workload Identity Federation token exchange. Only needed when the credentials
+	// file is an external_account type.
+	//
+	// +kubebuilder:validation:Optional
+	// +nullable
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Token"
+	Token *BearerToken `json:"token,omitempty"`
 }
 
 type GoogleCloudLoggingTuningSpec struct {
 
@@ -82,7 +82,7 @@ metadata:
     categories: OpenShift Optional, Logging & Tracing, Observability
     certified: "false"
     containerImage: quay.io/openshift-logging/cluster-logging-operator:latest
-    createdAt: "2026-04-24T14:35:45Z"
+    createdAt: "2026-04-30T19:37:39Z"
     description: The Red Hat OpenShift Logging Operator for OCP provides a means for
       configuring and managing log collection and forwarding.
     features.operators.openshift.io/cnf: "false"
@@ -965,7 +965,10 @@ spec:
       - description: Authentication sets credentials for authenticating the requests.
         displayName: Authentication Options
         path: outputs[0].googleCloudLogging.authentication
-      - description: Credentials points to the secret containing the `google-application-credentials.json`.
+      - description: |-
+          Credentials points to the secret containing the GCP credentials JSON file.
+          For service account auth, this is a service_account key file.
+          For Workload Identity Federation (WIF), this is an external_account configuration file.
         displayName: Secret with Credentials File
         path: outputs[0].googleCloudLogging.authentication.credentials
       - description: Key contains the name of the key inside the referenced Secret.
@@ -979,6 +982,29 @@ spec:
         path: outputs[0].googleCloudLogging.authentication.credentials.secretName
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
+      - description: |-
+          Token specifies the source of the bearer token used as the subject token for
+          GCP Workload Identity Federation token exchange. Only needed when the credentials
+          file is an external_account type.
+        displayName: Token
+        path: outputs[0].googleCloudLogging.authentication.token
+      - description: From is the source from where to find the token
+        displayName: Token Source
+        path: outputs[0].googleCloudLogging.authentication.token.from
+      - description: Use Secret if the value should be sourced from a Secret in the
+          same namespace.
+        displayName: Token Secret
+        path: outputs[0].googleCloudLogging.authentication.token.secret
+      - description: Name of the key used to get the value from the referenced Secret.
+        displayName: Key Name
+        path: outputs[0].googleCloudLogging.authentication.token.secret.key
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - description: Name of secret
+        displayName: Secret Name
+        path: outputs[0].googleCloudLogging.authentication.token.secret.name
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
       - description: ID must be one of the required ID fields for the output
         displayName: Logging ID
         path: outputs[0].googleCloudLogging.id
 
@@ -2527,8 +2527,10 @@ spec:
                             the requests.
                           properties:
                             credentials:
-                              description: Credentials points to the secret containing
-                                the `google-application-credentials.json`.
+                              description: |-
+                                Credentials points to the secret containing the GCP credentials JSON file.
+                                For service account auth, this is a service_account key file.
+                                For Workload Identity Federation (WIF), this is an external_account configuration file.
                               properties:
                                 key:
                                   description: Key contains the name of the key inside
@@ -2542,6 +2544,42 @@ spec:
                               - key
                               - secretName
                               type: object
+                            token:
+                              description: |-
+                                Token specifies the source of the bearer token used as the subject token for
+                                GCP Workload Identity Federation token exchange. Only needed when the credentials
+                                file is an external_account type.
+                              nullable: true
+                              properties:
+                                from:
+                                  description: From is the source from where to find
+                                    the token
+                                  enum:
+                                  - secret
+                                  - serviceAccount
+                                  type: string
+                                secret:
+                                  description: Use Secret if the value should be sourced
+                                    from a Secret in the same namespace.
+                                  properties:
+                                    key:
+                                      description: Name of the key used to get the
+                                        value from the referenced Secret.
+                                      type: string
+                                    name:
+                                      description: Name of secret
+                                      type: string
+                                  required:
+                                  - key
+                                  - name
+                                  type: object
+                              required:
+                              - from
+                              type: object
+                              x-kubernetes-validations:
+                              - message: Additional secret spec is required when bearer
+                                  token is sourced from a secret
+                                rule: self.from != 'secret' || has(self.secret)
                           required:
                           - credentials
                           type: object
 
@@ -2527,8 +2527,10 @@ spec:
                             the requests.
                           properties:
                             credentials:
-                              description: Credentials points to the secret containing
-                                the `google-application-credentials.json`.
+                              description: |-
+                                Credentials points to the secret containing the GCP credentials JSON file.
+                                For service account auth, this is a service_account key file.
+                                For Workload Identity Federation (WIF), this is an external_account configuration file.
                               properties:
                                 key:
                                   description: Key contains the name of the key inside
@@ -2542,6 +2544,42 @@ spec:
                               - key
                               - secretName
                               type: object
+                            token:
+                              description: |-
+                                Token specifies the source of the bearer token used as the subject token for
+                                GCP Workload Identity Federation token exchange. Only needed when the credentials
+                                file is an external_account type.
+                              nullable: true
+                              properties:
+                                from:
+                                  description: From is the source from where to find
+                                    the token
+                                  enum:
+                                  - secret
+                                  - serviceAccount
+                                  type: string
+                                secret:
+                                  description: Use Secret if the value should be sourced
+                                    from a Secret in the same namespace.
+                                  properties:
+                                    key:
+                                      description: Name of the key used to get the
+                                        value from the referenced Secret.
+                                      type: string
+                                    name:
+                                      description: Name of secret
+                                      type: string
+                                  required:
+                                  - key
+                                  - name
+                                  type: object
+                              required:
+                              - from
+                              type: object
+                              x-kubernetes-validations:
+                              - message: Additional secret spec is required when bearer
+                                  token is sourced from a secret
+                                rule: self.from != 'secret' || has(self.secret)
                           required:
                           - credentials
                           type: object
 
@@ -888,7 +888,10 @@ spec:
       - description: Authentication sets credentials for authenticating the requests.
         displayName: Authentication Options
         path: outputs[0].googleCloudLogging.authentication
-      - description: Credentials points to the secret containing the `google-application-credentials.json`.
+      - description: |-
+          Credentials points to the secret containing the GCP credentials JSON file.
+          For service account auth, this is a service_account key file.
+          For Workload Identity Federation (WIF), this is an external_account configuration file.
         displayName: Secret with Credentials File
         path: outputs[0].googleCloudLogging.authentication.credentials
       - description: Key contains the name of the key inside the referenced Secret.
@@ -902,6 +905,29 @@ spec:
         path: outputs[0].googleCloudLogging.authentication.credentials.secretName
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
+      - description: |-
+          Token specifies the source of the bearer token used as the subject token for
+          GCP Workload Identity Federation token exchange. Only needed when the credentials
+          file is an external_account type.
+        displayName: Token
+        path: outputs[0].googleCloudLogging.authentication.token
+      - description: From is the source from where to find the token
+        displayName: Token Source
+        path: outputs[0].googleCloudLogging.authentication.token.from
+      - description: Use Secret if the value should be sourced from a Secret in the
+          same namespace.
+        displayName: Token Secret
+        path: outputs[0].googleCloudLogging.authentication.token.secret
+      - description: Name of the key used to get the value from the referenced Secret.
+        displayName: Key Name
+        path: outputs[0].googleCloudLogging.authentication.token.secret.key
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - description: Name of secret
+        displayName: Secret Name
+        path: outputs[0].googleCloudLogging.authentication.token.secret.name
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
       - description: ID must be one of the required ID fields for the output
         displayName: Logging ID
         path: outputs[0].googleCloudLogging.id
 
@@ -1,7 +1,7 @@
 
-=== Steps to send logs to Google Cloud Logging
+=== Steps to send logs to Google Cloud Logging using a service account key
 
-. Create a secret which contains google application credentials (the credentials which will be used to send logs to Google Cloud Logging)
+. Create a secret which contains the GCP service account key JSON file (the credentials which will be used to send logs to Google Cloud Logging)
 +
 ----
     oc -n openshift-logging create secret generic gcp-secret --from-file=google-application-credentials.json
@@ -26,6 +26,8 @@
 +
 Replace `project_id` and `private_key` with real values.
 
+NOTE: The credentials file must have `"type": "service_account"`. The operator validates that the secret content matches the declared authentication type.
+
 . Create a Cluster Log Forwarder instance with following yaml.
 +
 ----
@@ -51,9 +53,9 @@ spec:
         id:
           type: project
           value: openshift-gce-devel
-        logId : app-gcp
+        logId: app-gcp
         authentication:
-          credentials:
+          credentials:  # <1>
             key: google-application-credentials.json
             secretName: gcp-secret
   pipelines:
@@ -65,6 +67,9 @@ spec:
       outputRefs:
         - gcp-1
 ----
+<1> Points to the secret containing the GCP service account key JSON file.
+
+For Workload Identity Federation (WIF) authentication, see link:google-cloud-workload-identity.adoc[Google Cloud Logging with Workload Identity Federation].
 
 . Login to google console and check logs
 +