
Conversation


@rh-amarin rh-amarin commented Dec 10, 2025

Document explaining how to use WIF in GKE to interact with customer cloud resources

Summary by CodeRabbit

  • Documentation
    • Added a comprehensive Workload Identity Federation (WIF) guide for Hyperfleet: problem context, TL;DR GKE approach, alternative approaches and operator considerations, Q&A, step‑by‑step exploration (namespace/service account, pod identity, token/pool notes), example commands for IAM bindings and conditions, caveats about identity/tag nuances, and links to relevant cloud references.



coderabbitai bot commented Dec 10, 2025

Walkthrough

Adds a new documentation file at hyperfleet/docs/wif-spike.md describing Workload Identity Federation (WIF) usage and considerations for GKE within Hyperfleet. The document contains problem statements, a TL;DR solution, Q&A scenarios, step-by-step exploration (namespace/KSA creation, pod identity, pool considerations, token usage), example gcloud IAM commands and condition snippets, caveats about identity sameness and tags/conditions, and references to Google Cloud docs. No code or runtime behavior changes are introduced.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

  • Review focus: correctness of technical statements and example commands
  • Verify gcloud IAM command syntax and policy binding examples
  • Check links/references to Google Cloud docs and clarify ambiguous phrasing (if any)
  • File to inspect: hyperfleet/docs/wif-spike.md

Suggested reviewers

  • xueli181114

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and specifically summarizes the main change: adding documentation about Workload Identity Federation (WIF) as a spike/exploration.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@rh-amarin rh-amarin changed the title from "Wif spike doc" to "Wif spike doc (WIP)" on Dec 10, 2025
@rh-amarin rh-amarin marked this pull request as ready for review December 10, 2025 17:42

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (12)
hyperfleet/docs/wif-spike.md (12)

61-61: Add hyphen to compound adjective.

Line 61 uses "customer generated" which should be hyphenated as "customer-generated" when modifying the noun.

-The current approach by GCP team for Hypershift Operator in their PoC is a temporal solution sharing customer generated credentials.
+The current approach by GCP team for Hypershift Operator in their PoC is a temporal solution sharing customer-generated credentials.

144-144: Add hyphen to compound adjective.

Line 144 uses "Google managed" which should be hyphenated as "Google-managed" when modifying the noun.

-All GKE cluster in a GCP project with Workload Identity enabled use the same Workload Identity Pool named `PROJECT_ID.svc.id.goog`. This is a Google managed Identity Pool that is not visible in the GCP console.
+All GKE cluster in a GCP project with Workload Identity enabled use the same Workload Identity Pool named `PROJECT_ID.svc.id.goog`. This is a Google-managed Identity Pool that is not visible in the GCP console.

22-28: Fix list indentation to 4 spaces.

Lines 24-25 use 5-space indentation for nested list items; markdown style requires 4 spaces.

  - A customer creates a HostedCluster with name `CLUSTER_NAME`
  - An adapter task runs wants to access customer infrastructure for the `CLUSTER_NAME` HostedCluster
    - It runs in a GKE cluster for the Regional setup
-     - In a GCP project with 
-        - GCP project name `HYPERFLEET_PROJECT_NAME`
-        - GCP project number `HYPERFLEET_PROJECT_NUMBER`
+   - In a GCP project with 
+     - GCP project name `HYPERFLEET_PROJECT_NAME`
+     - GCP project number `HYPERFLEET_PROJECT_NUMBER`

75-79: Fix list indentation to 4 spaces.

Lines 77-78 use 5-space indentation for nested list items; markdown style requires 4 spaces.

   - Customer's use a Hypershift provided CLI tool to:
     - Create a private_key/public_key credentials pair
     - Upload the public key to the customer's Workload Identity Pool 
-       - In the customer's GCP project that will host the worker nodes
-       - Grant permissions in the customer's GCP project to certain kubernetes service accounts in the customer HostedCluster to be created
+     - In the customer's GCP project that will host the worker nodes
+     - Grant permissions in the customer's GCP project to certain kubernetes service accounts in the customer HostedCluster to be created
       - This step only requires the name of the customer_k8s_sa (to be created later)

32-36: Specify language for code block.

The code block on lines 32-36 should include a language identifier for syntax highlighting.

-```
+```bash
 gcloud projects add-iam-policy-binding  projects/CUSTOMER_NAME_PROJECT \
   --role="roles/pubsub.admin" \
   --member="principal://iam.googleapis.com/projects/HYPERFLEET_PROJECT_NUMBER/locations/global/workloadIdentityPools/HYPERFLEET_PROJECT_NAME.svc.id.goog/subject/ns/CLUSTER_NAME/sa/CLUSTER_NAME" --condition=None 
-```
+```

123-128: Specify language for code block.

The code block on lines 123-128 should include a language identifier for syntax highlighting.

-```
+```bash
 gcloud projects add-iam-policy-binding  projects/CUSTOMER_PROJECT \
   --role="roles/pubsub.admin" \
   --member="principal://iam.googleapis.com/projects/12341234/locations/global/workloadIdentityPools/hcm-hyperfleet.svc.id.goog/subject/ns/hyperfleet/sa/hyperfleet-sa" --condition=None
-```
+```

148-153: Specify language for code block.

The code block on lines 148-153 (gcloud describe output) should include a language identifier for syntax highlighting.

-```
+```yaml
 gcloud iam workload-identity-pools describe hcm-hyperfleet.svc.id.goog  --location=global --project hcm-hyperfleet
 
 name: projects/275239757837/locations/global/workloadIdentityPools/hcm-hyperfleet.svc.id.goog
 state: ACTIVE
-```
+```

157-161: Specify language for code block.

The code block on lines 157-161 (gcloud list output) should include a language identifier for syntax highlighting.

-```
+```bash
 gcloud iam workload-identity-pools list  --location=global --project hcm-hyperfleet
 
 Listed 0 items.
-```
+```

136-136: Fix heading hierarchy.

Line 136 uses h4 (####) but should be h3 (###) to maintain proper heading hierarchy under the h2 section.

-#### caveat: Workload Identity sameness
+### caveat: Workload Identity sameness

138-138: Wrap bare URL in markdown link syntax.

Line 138 contains a bare URL that should be wrapped in markdown link format for better formatting and accessibility.

-GCP documentation: https://docs.cloud.google.com/kubernetes-engine/docs/concepts/workload-identity#identity_sameness
+GCP documentation: [Workload Identity Sameness](https://docs.cloud.google.com/kubernetes-engine/docs/concepts/workload-identity#identity_sameness)

166-166: Wrap bare URL in markdown link syntax.

Line 166 contains a bare URL that should be wrapped in markdown link format.

-https://container.googleapis.com/v1/projects/hcm-hyperfleet/locations/us-central1-a/clusters/hyperfleet-dev/.well-known/openid-configuration
+[OpenID Configuration](https://container.googleapis.com/v1/projects/hcm-hyperfleet/locations/us-central1-a/clusters/hyperfleet-dev/.well-known/openid-configuration)

171-172: Wrap bare URLs in markdown link syntax.

Lines 171-172 contain bare URLs that should be wrapped in markdown link format.

 References:
-- Workload Identity from GKE: https://docs.cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#authenticating_to
-- Workload Identity Sameness: https://medium.com/google-cloud/solving-the-workload-identity-sameness-with-iam-conditions-c02eba2b0c13
+- [Workload Identity from GKE](https://docs.cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#authenticating_to)
+- [Workload Identity Sameness](https://medium.com/google-cloud/solving-the-workload-identity-sameness-with-iam-conditions-c02eba2b0c13)
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c1d9d6d and 92dc741.

📒 Files selected for processing (1)
  • hyperfleet/docs/wif-spike.md (1 hunks)
🧰 Additional context used
🪛 LanguageTool
hyperfleet/docs/wif-spike.md

[grammar] ~61-~61: Use a hyphen to join words.
Context: ... is a temporal solution sharing customer generated credentials. - Customer's us...

(QB_NEW_EN_HYPHEN)


[grammar] ~144-~144: Use a hyphen to join words.
Context: ...ROJECT_ID.svc.id.goog`. This is a Google managed Identity Pool that is not visibl...

(QB_NEW_EN_HYPHEN)

🪛 markdownlint-cli2 (0.18.1)
hyperfleet/docs/wif-spike.md

24-24: Unordered list indentation
Expected: 4; Actual: 5

(MD007, ul-indent)


25-25: Unordered list indentation
Expected: 4; Actual: 5

(MD007, ul-indent)


32-32: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


77-77: Unordered list indentation
Expected: 4; Actual: 5

(MD007, ul-indent)


78-78: Unordered list indentation
Expected: 4; Actual: 5

(MD007, ul-indent)


123-123: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


136-136: Heading levels should only increment by one level at a time
Expected: h3; Actual: h4

(MD001, heading-increment)


138-138: Bare URL used

(MD034, no-bare-urls)


148-148: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


157-157: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


166-166: Bare URL used

(MD034, no-bare-urls)


171-171: Bare URL used

(MD034, no-bare-urls)


172-172: Bare URL used

(MD034, no-bare-urls)


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 14

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 92dc741 and c8a8718.

📒 Files selected for processing (1)
  • hyperfleet/docs/wif-spike.md (1 hunks)
🧰 Additional context used
🪛 LanguageTool
hyperfleet/docs/wif-spike.md

[grammar] ~49-~49: Use a hyphen to join words.
Context: ... can access be restricted in a more fine grained way?** First, we can use `add-i...

(QB_NEW_EN_HYPHEN)


[grammar] ~78-~78: Use a hyphen to join words.
Context: ... is a temporal solution sharing customer generated credentials. - Customer's us...

(QB_NEW_EN_HYPHEN)


[grammar] ~161-~161: Use a hyphen to join words.
Context: ...ROJECT_ID.svc.id.goog`. This is a Google managed Identity Pool that is not visibl...

(QB_NEW_EN_HYPHEN)

🪛 markdownlint-cli2 (0.18.1)
hyperfleet/docs/wif-spike.md

24-24: Unordered list indentation
Expected: 4; Actual: 5

(MD007, ul-indent)


25-25: Unordered list indentation
Expected: 4; Actual: 5

(MD007, ul-indent)


32-32: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


57-57: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


94-94: Unordered list indentation
Expected: 4; Actual: 5

(MD007, ul-indent)


95-95: Unordered list indentation
Expected: 4; Actual: 5

(MD007, ul-indent)


140-140: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


153-153: Heading levels should only increment by one level at a time
Expected: h3; Actual: h4

(MD001, heading-increment)


155-155: Bare URL used

(MD034, no-bare-urls)


165-165: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


174-174: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


183-183: Bare URL used

(MD034, no-bare-urls)


188-188: Bare URL used

(MD034, no-bare-urls)


189-189: Bare URL used

(MD034, no-bare-urls)

Comment on lines 23 to 26
- In a GCP project with
- GCP project name `HYPERFLEET_PROJECT_NAME`
- GCP project number `HYPERFLEET_PROJECT_NUMBER`
- In a namespace named `CLUSTER_NAME`


⚠️ Potential issue | 🟡 Minor

Fix unordered list indentation.

Lines 24–25 have inconsistent indentation (5 spaces instead of 4). As per markdownlint guidelines, use 4-space indentation for nested lists.

   - It runs in a GKE cluster for the Regional setup
-     - In a GCP project with 
-        - GCP project name `HYPERFLEET_PROJECT_NAME`
+   - In a GCP project with 
+     - GCP project name `HYPERFLEET_PROJECT_NAME`

Committable suggestion skipped: line range outside the PR's diff.

🧰 Tools
🪛 markdownlint-cli2 (0.18.1)

24-24: Unordered list indentation
Expected: 4; Actual: 5

(MD007, ul-indent)


25-25: Unordered list indentation
Expected: 4; Actual: 5

(MD007, ul-indent)

🤖 Prompt for AI Agents
In hyperfleet/docs/wif-spike.md around lines 23 to 26, the nested list items for
GCP project name/number and namespace use 5 spaces for indentation instead of
the required 4; adjust those lines to use exactly 4 spaces for the nested list
indentation so the markdown list is consistently formatted per markdownlint.

**Question: the name/Id of the Hyperfleet Regional cluster is not specified when granting permissions, why?**
All GKE clusters share the same Workload Identity Pool. Any cluster in `HYPERFLEET_PROJECT_NAME` with a workload running in a namespace+ksa named `CLUSTER_NAME` will have the granted permissions.

**Question: can access be restricted in a more fine grained way?**


⚠️ Potential issue | 🟡 Minor

Use hyphen in compound adjective.

Change "fine grained" to "fine-grained" for correct grammar.

-**Question: can access be restricted in a more fine grained way?**
+**Question: can access be restricted in a more fine-grained way?**
🧰 Tools
🪛 LanguageTool

[grammar] ~49-~49: Use a hyphen to join words.
Context: ... can access be restricted in a more fine grained way?** First, we can use `add-i...

(QB_NEW_EN_HYPHEN)

🤖 Prompt for AI Agents
hyperfleet/docs/wif-spike.md around line 49: the phrase "fine grained" is
missing a hyphen; replace it with the compound adjective "fine-grained" so the
sentence reads "Can access be restricted in a more fine-grained way?" (ensure
capitalization and punctuation remain consistent).


Some explanation:

All GKE cluster in a GCP project with Workload Identity enabled use the same Workload Identity Pool named `PROJECT_ID.svc.id.goog`. This is a Google managed Identity Pool that is not visible in the GCP console.


⚠️ Potential issue | 🟡 Minor

Use hyphen in compound adjective.

Change "Google managed" to "Google-managed" for correct grammar.

-All GKE cluster in a GCP project with Workload Identity enabled use the same Workload Identity Pool named `PROJECT_ID.svc.id.goog`. This is a Google managed Identity Pool that is not visible in the GCP console.
+All GKE cluster in a GCP project with Workload Identity enabled use the same Workload Identity Pool named `PROJECT_ID.svc.id.goog`. This is a Google-managed Identity Pool that is not visible in the GCP console.
🧰 Tools
🪛 LanguageTool

[grammar] ~161-~161: Use a hyphen to join words.
Context: ...ROJECT_ID.svc.id.goog`. This is a Google managed Identity Pool that is not visibl...

(QB_NEW_EN_HYPHEN)

🤖 Prompt for AI Agents
In hyperfleet/docs/wif-spike.md around line 161, the phrase "Google managed
Identity Pool" should use a hyphen for the compound adjective; change it to
"Google-managed Identity Pool" to correct the grammar.

@rh-amarin rh-amarin changed the title from "Wif spike doc (WIP)" to "Workload Identity Federation Spike" on Dec 11, 2025

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 5

♻️ Duplicate comments (16)
hyperfleet/docs/wif-spike.md (16)

26-30: Fix nested list indentation to use 4 spaces instead of 5.

Lines 27–28 have inconsistent indentation.

   - In a GCP project with 
-     - GCP project name `HYPERFLEET_PROJECT_NAME`
-     - GCP project number `HYPERFLEET_PROJECT_NUMBER`
+   - GCP project name `HYPERFLEET_PROJECT_NAME`
+   - GCP project number `HYPERFLEET_PROJECT_NUMBER`

35-39: Add language identifier to fenced code block.

Missing language specifier for syntax highlighting.

-```
+```bash
 gcloud projects add-iam-policy-binding  projects/CUSTOMER_PROJECT_NAME \
   --role="roles/pubsub.admin" \
   --member="principal://iam.googleapis.com/projects/HYPERFLEET_PROJECT_NUMBER/locations/global/workloadIdentityPools/HYPERFLEET_PROJECT_NAME.svc.id.goog/subject/ns/HOSTEDCLUSTER_NAME/sa/HOSTEDCLUSTER_NAME" --condition=None 
-```
+```

70-70: Use hyphen in compound adjective: "fine-grained".

Compound adjectives must be hyphenated.

-**Question: can access be restricted in a more fine grained way?**
+**Question: can access be restricted in a more fine-grained way?**

78-82: Add language identifier to fenced code block.

Missing language specifier for syntax highlighting.

-```
+```bash
 gcloud projects add-iam-policy-binding  projects/CUSTOMER_PROJECT_NAME \
   --role="roles/pubsub.admin" \
   --member="principal://iam.googleapis.com/projects/HYPERFLEET_PROJECT_NUMBER/locations/global/workloadIdentityPools/HYPERFLEET_PROJECT_NAME.svc.id.goog/subject/ns/HOSTEDCLUSTER_NAME/sa/HOSTEDCLUSTER_NAME"     --condition=^:^'expression=resource.matchTag("CUSTOMER_PROJECT_NAME/purpose", "hyperfleet"):title=hyperfleet-tag-condition:description=Grant access only for resources tagged as purpose hyperfleet'
-``` 
+```

103-108: Wrap bare URL in markdown link syntax.

Bare URLs should be formatted as proper markdown links.

-Yes, that is named "identity sameness", it is explained also in GCP documentation: https://docs.cloud.google.com/kubernetes-engine/docs/concepts/workload-identity#identity_sameness
+Yes, that is named "identity sameness", it is explained also in GCP documentation: [Workload Identity Identity Sameness](https://docs.cloud.google.com/kubernetes-engine/docs/concepts/workload-identity#identity_sameness)

114-117: Use hyphen in compound adjective: "customer-generated".

"Customer-generated" is a compound adjective modifying "credentials."

-The current approach by GCP team for Hypershift Operator in their PoC is a temporal solution sharing customer generated credentials.
+The current approach by GCP team for Hypershift Operator in their PoC is a temporal solution sharing customer-generated credentials.

125-128: Fix nested list indentation to use 4 spaces instead of 5.

Lines 126–127 have inconsistent indentation.

   - Transfer the private_key to the Hypershift Operator leveraging CLM
-     - CLM API accepts the private_key as part of the cluster.spec
-     - CLM will transfer the private_key to HO using the "maestro adapter"
+   - CLM API accepts the private_key as part of the cluster.spec
+   - CLM will transfer the private_key to HO using the "maestro adapter"

165-170: Add language identifier to fenced code block.

Code block at line 166 is missing language specifier.

 2. Create a Kubernetes Namespace and Service Account
-```
+```bash
 NAME=myname
 kubectl create namespace $NAME
 kubectl create serviceaccount $NAME -n $NAME
-```
+```

178-203: Add language identifier to fenced code block.

Code block at line 178 (YAML deployment) is missing language specifier.

-```
+```yaml
 cat <<EOF | kubectl apply -f -
 apiVersion: apps/v1
 kind: Deployment

208-214: Add language identifier to fenced code block.

Code block at line 208 (kubectl command) is missing language specifier.

-```
+```bash
 kubectl exec -ti $POD -- gcloud auth list
 
 Credentialed Accounts
 ACTIVE  ACCOUNT
 *       PROJECT_NAME.svc.id.goog
-```
+```

220-225: Add language identifier to fenced code block.

Code block at line 220 (gcloud command) is missing language specifier.

-```
+```bash
 gcloud iam workload-identity-pools describe hcm-hyperfleet.svc.id.goog  --location=global --project hcm-hyperfleet
 
 name: projects/275239757837/locations/global/workloadIdentityPools/hcm-hyperfleet.svc.id.goog
 state: ACTIVE
-```
+```

229-233: Add language identifier to fenced code block.

Code block at line 229 (gcloud list command) is missing language specifier.

-```
+```bash
 gcloud iam workload-identity-pools list  --location=global --project hcm-hyperfleet
 
 Listed 0 items.
-```
+```

241-244: Add language identifier to fenced code block.

Code block at line 241 (command with jwt-cli) is missing language specifier.

-```
+```bash
 kubectl exec -ti $POD -- cat /var/run/secrets/kubernetes.io/serviceaccount/token \
 xargs jwt decode
-```
+```

249-287: Add language identifier to fenced code block.

Code block at line 249 (JWT token structure) is missing language specifier. Should be json.

-```
+```json
 Token header
 -----------
 {

291-298: Wrap bare URLs in markdown link syntax.

Reference links should use markdown link formatting.

 References:
 
-A note of caution. The are multiple scattered references for Workload Identity, Workload Identity Federation and Workload Identity Federation for GKE. Each may have subtle differences
+A note of caution. There are multiple scattered references for Workload Identity, Workload Identity Federation and Workload Identity Federation for GKE. Each may have subtle differences
 
 
-- Workload Identity Federation for GKE: https://docs.cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#authenticating_to
-- Workload Identity Sameness: https://medium.com/google-cloud/solving-the-workload-identity-sameness-with-iam-conditions-c02eba2b0c13
+- [Workload Identity Federation for GKE](https://docs.cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#authenticating_to)
+- [Workload Identity Sameness](https://medium.com/google-cloud/solving-the-workload-identity-sameness-with-iam-conditions-c02eba2b0c13)

216-216: Use hyphen in compound adjective: "Google-managed".

"Google-managed" is a compound adjective modifying "Identity Pool."

-All GKE cluster in a GCP project with Workload Identity enabled use the same Workload Identity Pool named `PROJECT_NAME.svc.id.goog`. This is a Google managed Identity Pool that is not visible in the GCP console.
+All GKE cluster in a GCP project with Workload Identity enabled use the same Workload Identity Pool named `PROJECT_NAME.svc.id.goog`. This is a Google-managed Identity Pool that is not visible in the GCP console.
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c8a8718 and 718d5f2.

📒 Files selected for processing (1)
  • hyperfleet/docs/wif-spike.md (1 hunks)
🧰 Additional context used
🪛 LanguageTool
hyperfleet/docs/wif-spike.md

[grammar] ~5-~5: Ensure spelling is correct
Context: ...mer's cloud infrastructure from several Hyperfleeet components. There are different situat...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)


[uncategorized] ~48-~48: Do not mix variants of the same word (‘adaptor’ and ‘adapter’) within a single text.
Context: ... example This makes the assumption that Adaptor Tasks will run each in a namespace name...

(EN_WORD_COHERENCY)


[grammar] ~70-~70: Use a hyphen to join words.
Context: ... can access be restricted in a more fine grained way?** First, we can use `add-i...

(QB_NEW_EN_HYPHEN)


[style] ~96-~96: You have already used this phrasing in nearby sentences. Consider replacing it to add variety to your writing.
Context: ... with a GCP project. **Question: Do we need to annotate Kubernetes Service Accounts or...

(REP_NEED_TO_VB)


[grammar] ~107-~107: Use a hyphen to join words.
Context: ...an set conditions to make it more fine grained. **Do I need to configure the ...

(QB_NEW_EN_HYPHEN)


[grammar] ~116-~116: Use a hyphen to join words.
Context: ... is a temporal solution sharing customer generated credentials. - Customer's us...

(QB_NEW_EN_HYPHEN)


[grammar] ~216-~216: Use a hyphen to join words.
Context: ...JECT_NAME.svc.id.goog`. This is a Google managed Identity Pool that is not visibl...

(QB_NEW_EN_HYPHEN)


[style] ~227-~227: Unless you want to emphasize “not”, use “cannot” which is more common.
Context: ...t.svc.id.goog state: ACTIVE ``` But it can not be found when listing other Workload Id...

(CAN_NOT_PREMIUM)

🪛 markdownlint-cli2 (0.18.1)
hyperfleet/docs/wif-spike.md

27-27: Unordered list indentation
Expected: 4; Actual: 5

(MD007, ul-indent)


28-28: Unordered list indentation
Expected: 4; Actual: 5

(MD007, ul-indent)


35-35: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


78-78: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


105-105: Bare URL used

(MD034, no-bare-urls)


132-132: Unordered list indentation
Expected: 4; Actual: 5

(MD007, ul-indent)


133-133: Unordered list indentation
Expected: 4; Actual: 5

(MD007, ul-indent)


166-166: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


178-178: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


208-208: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


220-220: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


229-229: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


241-241: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


249-249: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


296-296: Bare URL used

(MD034, no-bare-urls)


297-297: Bare URL used

(MD034, no-bare-urls)
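The review above quotes the spike's three technical pieces: the `gcloud projects add-iam-policy-binding` call with a `principal://...workloadIdentityPools/PROJECT_ID.svc.id.goog/subject/ns/NS/sa/SA` member, the `resource.matchTag(...)` IAM condition, and decoding the projected service-account token with `jwt decode`. The following Python is an added example that ties them together; it is not code from the spike document or from the Hyperfleet project. The token is constructed with a junk signature and is only decoded, never verified (that is Google STS's job, against the cluster's OpenID discovery document); the project id `hcm-hyperfleet` and number `12341234` are the placeholder values the spike itself uses; the `allowed` function is a toy model of the IAM decision, not GCP's CEL evaluator. It shows the identity-sameness caveat concretely: tokens from two different clusters in the same project with the same namespace/service-account pair map to one principal, and only a resource-tag condition narrows what that principal can reach.

```python
import base64
import json
import re

# Placeholder values from the spike's examples, not a real project.
PROJECT_ID = "hcm-hyperfleet"
PROJECT_NUMBER = "12341234"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(location: str, cluster: str, namespace: str, sa: str) -> str:
    """Constructed token mimicking the shape of GKE's projected KSA token.
    The signature segment is junk: this is NOT a real token."""
    header = {"alg": "RS256", "kid": "constructed-kid", "typ": "JWT"}
    claims = {
        "iss": f"https://container.googleapis.com/v1/projects/{PROJECT_ID}"
               f"/locations/{location}/clusters/{cluster}",
        "aud": [f"{PROJECT_ID}.svc.id.goog"],
        "sub": f"system:serviceaccount:{namespace}:{sa}",
        "kubernetes.io": {"namespace": namespace, "serviceaccount": {"name": sa}},
    }
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()),
                     _b64url(b"not-a-real-signature")])


def decode_claims(token: str) -> dict:
    """Base64url-decode the payload, like `jwt decode`. No signature check:
    only Google's STS, using the cluster's OIDC discovery document, can
    decide whether these claims are trustworthy."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def principal_for(claims: dict) -> str:
    """Map a KSA token to the WIF-for-GKE principal identifier used in the
    gcloud examples. The issuer (the cluster) is deliberately NOT part of
    the identifier: that is the identity sameness caveat."""
    m = re.fullmatch(r"system:serviceaccount:([^:]+):([^:]+)", claims["sub"])
    if m is None:
        raise ValueError("subject is not a Kubernetes service account")
    ns, sa = m.groups()
    return (f"principal://iam.googleapis.com/projects/{PROJECT_NUMBER}"
            f"/locations/global/workloadIdentityPools/{PROJECT_ID}.svc.id.goog"
            f"/subject/ns/{ns}/sa/{sa}")


def tag_condition(customer_project: str, value: str = "hyperfleet") -> dict:
    """The spike's --condition flag, as a policy-binding condition object."""
    return {
        "title": "hyperfleet-tag-condition",
        "description": f"Grant access only for resources tagged as purpose {value}",
        "expression": f'resource.matchTag("{customer_project}/purpose", "{value}")',
    }


def binding(role: str, member: str, condition=None) -> dict:
    b = {"role": role, "members": [member]}
    if condition is not None:
        b["condition"] = condition
    return b


_MATCH_TAG = re.compile(r'resource\.matchTag\("([^"]+)", "([^"]+)"\)')


def allowed(b: dict, member: str, resource_tags: dict) -> bool:
    """Toy model of the IAM decision for one binding: the member must be
    listed and, if a condition exists, resource.matchTag must hold.
    Illustrates the policy semantics only; it is not GCP's CEL evaluator."""
    if member not in b["members"]:
        return False
    cond = b.get("condition")
    if cond is None:
        return True
    m = _MATCH_TAG.fullmatch(cond["expression"])
    if m is None:
        raise ValueError("only resource.matchTag conditions are modelled")
    key, value = m.groups()
    return resource_tags.get(key) == value


def sameness_demo() -> dict:
    """Two clusters in the same project, same ns/sa: one principal."""
    dev = decode_claims(make_sample_token("us-central1-a", "hyperfleet-dev", "hc1", "hc1"))
    eu = decode_claims(make_sample_token("europe-west1", "hyperfleet-eu", "hc1", "hc1"))
    p_dev, p_eu = principal_for(dev), principal_for(eu)
    unconditional = binding("roles/pubsub.admin", p_dev)
    tagged = binding("roles/pubsub.admin", p_dev, tag_condition("customer-proj"))
    return {
        "same_principal": p_dev == p_eu and dev["iss"] != eu["iss"],
        "eu_cluster_allowed": allowed(unconditional, p_eu, {}),
        "tagged_resource": allowed(tagged, p_eu, {"customer-proj/purpose": "hyperfleet"}),
        "untagged_resource": allowed(tagged, p_eu, {}),
    }
```

`sameness_demo()` returns `same_principal` and `eu_cluster_allowed` as `True`: the binding granted for the dev cluster's workload is equally honoured for any other cluster in the project that runs a pod under `ns/hc1/sa/hc1`. The tagged binding only admits the resource carrying the `purpose=hyperfleet` tag, which is the narrowing the spike proposes; restricting which cluster may present the token is not something the principal identifier alone can express.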


## Problem statement

We need to provide a secure way to access customer's cloud infrastructure from several Hyperfleeet components.


⚠️ Potential issue | 🟡 Minor

Fix spelling: "Hyperfleeet" should be "Hyperfleet".

Three 'e's instead of two.

-We need to provide a secure way to access customer's cloud infrastructure from several Hyperfleeet components.
+We need to provide a secure way to access customer's cloud infrastructure from several Hyperfleet components.
🧰 Tools
🪛 LanguageTool

[grammar] ~5-~5: Ensure spelling is correct
Context: ...mer's cloud infrastructure from several Hyperfleeet components. There are different situat...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

🤖 Prompt for AI Agents
In hyperfleet/docs/wif-spike.md around line 5, the project name is misspelled as
"Hyperfleeet" (three e's); update the text to "Hyperfleet" (two e's) so the
document consistently uses the correct product name. Ensure you search the file
for other occurrences of "Hyperfleeet" and correct them to "Hyperfleet" to avoid
remaining typos.

Comment on lines +46 to +49
**Question: Do the namespace and Kubernetes Service Account names have to be the same HOSTEDCLUSTER_NAME?**
No, this is TBD, we simplified this for the example
This makes the assumption that Adaptor Tasks will run each in a namespace named after `HOSTEDCLUSTER_NAME`



⚠️ Potential issue | 🟡 Minor

Use consistent terminology: "Adapter" instead of "Adaptor".

The document uses both "Adapter" and "Adaptor" inconsistently. Standardize on "Adapter" throughout.

-This makes the assumption that Adaptor Tasks will run each in a namespace named after `HOSTEDCLUSTER_NAME`
+This makes the assumption that Adapter Tasks will run each in a namespace named after `HOSTEDCLUSTER_NAME`
🧰 Tools
🪛 LanguageTool

[uncategorized] ~48-~48: Do not mix variants of the same word (‘adaptor’ and ‘adapter’) within a single text.
Context: ... example This makes the assumption that Adaptor Tasks will run each in a namespace name...

(EN_WORD_COHERENCY)

🤖 Prompt for AI Agents
In hyperfleet/docs/wif-spike.md around lines 46 to 49, the document uses both
"Adaptor" and "Adapter" inconsistently; update all occurrences of "Adaptor" to
"Adapter" to standardize terminology across the file (including headings, inline
text, and code samples or variable names if present) and run a quick
search/replace to ensure consistency and no leftover instances remain.


Yes, that is named "identity sameness", it is explained also in GCP documentation: https://docs.cloud.google.com/kubernetes-engine/docs/concepts/workload-identity#identity_sameness

As with the `HOSTEDCLUSTER_NAME` discussion before, there are other `principals` that can be used for identity, or we can set `conditions` to make it more fine grained.


⚠️ Potential issue | 🟡 Minor

Use hyphen in compound adjective: "fine-grained".

Compound adjectives must be hyphenated.

-As with the `HOSTEDCLUSTER_NAME` discussion before, there are other `principals` that can be used for identity, or we can set `conditions` to make it more fine grained.
+As with the `HOSTEDCLUSTER_NAME` discussion before, there are other `principals` that can be used for identity, or we can set `conditions` to make it more fine-grained.

🤖 Prompt for AI Agents
hyperfleet/docs/wif-spike.md around line 107: the phrase "fine grained" should
be corrected to the hyphenated compound adjective "fine-grained"; update the
text to read "make it more fine-grained" (or rephrase to "make it more
granular") to use the correct hyphenation for a compound adjective.

```
state: ACTIVE
```

But it can not be found when listing other Workload Identity pools that are usually used for external identity federation like AWS or Azure
Contributor

⚠️ Potential issue | 🟡 Minor

Use "cannot" instead of "can not".

"Cannot" is the standard, more common form.

-But it can not be found when listing other Workload Identity pools that are usually used for external identity federation like AWS or Azure
+But it cannot be found when listing other Workload Identity pools that are usually used for external identity federation like AWS or Azure

🤖 Prompt for AI Agents
In hyperfleet/docs/wif-spike.md around line 227, the phrase "can not" is used;
replace it with the single word "cannot" so the sentence reads "But it cannot be
found when listing other Workload Identity pools..." to follow standard English
usage.

Comment on lines +238 to +240

GKE automatically injects tokens in the file system at `/var/run/secrets/kubernetes.io/serviceaccount/token`, let's explore the contents with the (jwt-cliL[https://github.com/mike-engel/jwt-cli]) utility to decode the JWT

Contributor

⚠️ Potential issue | 🟡 Minor

Fix malformed link reference.

Line 239 contains a typo in the link reference: "jwt-cliL[...]" should be "jwt-cli".

-GKE automatically injects tokens in the file system at `/var/run/secrets/kubernetes.io/serviceaccount/token`, let's explore the contents with the (jwt-cliL[https://github.com/mike-engel/jwt-cli]) utility to decode the JWT 
+GKE automatically injects tokens in the file system at `/var/run/secrets/kubernetes.io/serviceaccount/token`, let's explore the contents with the [jwt-cli](https://github.com/mike-engel/jwt-cli) utility to decode the JWT
🤖 Prompt for AI Agents
In hyperfleet/docs/wif-spike.md around lines 238 to 240, the markdown link text
is malformed ("jwt-cliL[https://github.com/mike-engel/jwt-cli]"); correct it to
a proper markdown link by replacing the typo with
[jwt-cli](https://github.com/mike-engel/jwt-cli) so the link renders correctly.

```bash
gcloud projects add-iam-policy-binding projects/CUSTOMER_PROJECT_NAME \
  --role="roles/pubsub.admin" \
  --member="principal://iam.googleapis.com/projects/HYPERFLEET_PROJECT_NUMBER/locations/global/workloadIdentityPools/HYPERFLEET_PROJECT_NAME.svc.id.goog/subject/ns/HOSTEDCLUSTER_NAME/sa/HOSTEDCLUSTER_NAME" --condition=None
```
Contributor

I have a few concerns here.

  1. The user needs to know the namespace; at the moment the namespace is based on the user's cluster id, so we have a chicken-and-egg problem here.
  2. The customer would have to take action for every cluster in a specific region to do the policy binding.
  3. Just regions in general: I don't see in this document how this will scale with regions. I don't think it becomes complex, I think it is more poor UX.


- A customer has their infrastructure in `CUSTOMER_PROJECT_NAME` GCP project
- A customer creates a HostedCluster with name `HOSTEDCLUSTER_NAME`
- An adapter task runs wants to access customer infrastructure for the `HOSTEDCLUSTER_NAME` HostedCluster
Contributor

"An adapter task that wants"??

**Question: Why using `HOSTEDCLUSTER_NAME` instead of `HOSTEDCLUSTER_ID` ?**
The permission grant occurs before the creation of the HostedCluster, even before the `spec` is stored in our Hyperfleet API, and we need an id.

Implication -> **Hosted Cluster names have to be unique per Hyperfleet Region**
Contributor

As this is VERY IMPORTANT, I would try to somehow highlight it even more.

Collaborator Author

Yes, this is to be discussed and decided.
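As an added example (not code from the hyperfleet repository or the spike document), the following Python models the `--member` principal from the `gcloud projects add-iam-policy-binding` command quoted above, derives the same principal from the claims of the projected service account token GKE mounts in the pod, and flags the identity-sameness collision behind the "names have to be unique per Hyperfleet Region" implication; the project ids, project numbers, cluster ids and token claims are constructed placeholders.

```python
"""Model the Workload Identity Federation principal an adapter task presents
and check the identity-sameness implication discussed in this thread.

Added example, not code from the hyperfleet repository or the spike document.
Project ids, project numbers, cluster ids and names are constructed
placeholders standing in for HYPERFLEET_PROJECT_NAME / HYPERFLEET_PROJECT_NUMBER
and HOSTEDCLUSTER_NAME.
"""
from collections import defaultdict

KSA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
SUBJECT_PREFIX = "system:serviceaccount:"


def wif_principal(project_number: str, project_id: str, namespace: str, ksa: str) -> str:
    """Build the `--member` value the customer binds a role to.

    Every GKE cluster in one project shares the Google-managed pool
    `<project_id>.svc.id.goog`; a Kubernetes service account becomes the
    subject `ns/<namespace>/sa/<ksa>` in that pool.
    """
    return (
        f"principal://iam.googleapis.com/projects/{project_number}"
        f"/locations/global/workloadIdentityPools/{project_id}.svc.id.goog"
        f"/subject/ns/{namespace}/sa/{ksa}"
    )


def principal_from_token_claims(claims: dict, project_number: str, project_id: str) -> str:
    """Map the decoded claims of the projected token mounted at KSA_TOKEN_PATH
    to the IAM principal IAM will see.

    The `sub` claim of a Kubernetes service account token has the form
    `system:serviceaccount:<namespace>:<name>`; neither the GKE cluster nor
    the pod is part of the resulting principal, which is the root of
    identity sameness.
    """
    sub = claims.get("sub", "")
    if not sub.startswith(SUBJECT_PREFIX):
        raise ValueError(f"not a Kubernetes service account token subject: {sub!r}")
    namespace, ksa = sub[len(SUBJECT_PREFIX):].split(":", 1)
    return wif_principal(project_number, project_id, namespace, ksa)


def sameness_collisions(hosted_clusters: list[dict]) -> dict[str, list[str]]:
    """Group hosted clusters by the principal their adapter tasks would use.

    Following the spike's convention (namespace and KSA both named after
    HOSTEDCLUSTER_NAME), two clusters in the same regional project with the
    same name resolve to one principal, so a role bound for one is usable by
    the other. Returns only principals claimed by more than one cluster id.
    """
    by_principal: dict[str, list[str]] = defaultdict(list)
    for hc in hosted_clusters:
        member = wif_principal(hc["project_number"], hc["project_id"], hc["name"], hc["name"])
        by_principal[member].append(hc["id"])
    return {member: ids for member, ids in by_principal.items() if len(ids) > 1}


# Constructed sample: two Hyperfleet regional projects, three hosted clusters,
# two of which share a name inside the same regional project.
SAMPLE_CLUSTERS = [
    {"id": "hc-0001", "name": "prod", "project_id": "hyperfleet-eu", "project_number": "111111111111"},
    {"id": "hc-0002", "name": "prod", "project_id": "hyperfleet-eu", "project_number": "111111111111"},
    {"id": "hc-0003", "name": "prod", "project_id": "hyperfleet-us", "project_number": "222222222222"},
]

# Constructed payload in the shape of the projected token's decoded claims.
SAMPLE_CLAIMS = {
    "sub": "system:serviceaccount:prod:prod",
    "aud": ["hyperfleet-eu.svc.id.goog"],
}

if __name__ == "__main__":
    member = principal_from_token_claims(SAMPLE_CLAIMS, "111111111111", "hyperfleet-eu")
    print("principal presented by the pod:", member)
    for principal, ids in sameness_collisions(SAMPLE_CLUSTERS).items():
        print("one principal shared by clusters", ids, "->", principal)
```

Binding a role to a principal that `sameness_collisions` reports is the situation an IAM condition on resource tags (as in the `resource.matchTag` example elsewhere in this document) is meant to narrow.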

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (21)
hyperfleet/docs/wif-spike.md (21)

5-5: Fix spelling: "Hyperfleeet" should be "Hyperfleet".

Line 5 contains a typo with three e's. This was flagged in a past review but remains unfixed.

-We need to provide a secure way to access customer's cloud infrastructure from several Hyperfleeet components.
+We need to provide a secure way to access customer's cloud infrastructure from several Hyperfleet components.

26-28: Fix list indentation to use 4 spaces instead of 5.

The nested list items use 5-space indentation instead of the markdown standard of 4 spaces. This was flagged in a past review.

   - It runs in a GKE cluster for the Regional setup
-     - In a GCP project with 
-        - GCP project name `HYPERFLEET_PROJECT_NAME`
-        - GCP project number `HYPERFLEET_PROJECT_NUMBER`
+   - In a GCP project with 
+     - GCP project name `HYPERFLEET_PROJECT_NAME`
+     - GCP project number `HYPERFLEET_PROJECT_NUMBER`

35-39: Add bash language identifier to fenced code block.

The gcloud command block should specify bash for proper syntax highlighting. This was flagged in a past review.

-```
+```bash
 gcloud projects add-iam-policy-binding  projects/CUSTOMER_PROJECT_NAME \
   --role="roles/pubsub.admin" \
   --member="principal://iam.googleapis.com/projects/HYPERFLEET_PROJECT_NUMBER/locations/global/workloadIdentityPools/HYPERFLEET_PROJECT_NAME.svc.id.goog/subject/ns/HOSTEDCLUSTER_NAME/sa/HOSTEDCLUSTER_NAME" --condition=None 
-```
+```

46-48: Standardize terminology: use "Adapter" consistently, not "Adaptor".

Line 48 uses "Adaptor" but the document and codebase use "Adapter" elsewhere. Standardize on "Adapter" throughout.

-This makes the assumption that Adaptor Tasks will run each in a namespace named after `HOSTEDCLUSTER_NAME`
+This makes the assumption that Adapter Tasks will run each in a namespace named after `HOSTEDCLUSTER_NAME`

70-70: Hyphenate compound adjective "fine-grained".

-**Question: can access be restricted in a more fine grained way?**
+**Question: can access be restricted in a more fine-grained way?**

78-82: Add bash language identifier to fenced code block.

The gcloud command block with conditions should specify bash for syntax highlighting. This was flagged in a past review.

-```
+```bash
 gcloud projects add-iam-policy-binding  projects/CUSTOMER_PROJECT_NAME \
   --role="roles/pubsub.admin" \
   --member="principal://iam.googleapis.com/projects/HYPERFLEET_PROJECT_NUMBER/locations/global/workloadIdentityPools/HYPERFLEET_PROJECT_NAME.svc.id.goog/subject/ns/HOSTEDCLUSTER_NAME/sa/HOSTEDCLUSTER_NAME"     --condition=^:^'expression=resource.matchTag("CUSTOMER_PROJECT_NAME/purpose", "hyperfleet"):title=hyperfleet-tag-condition:description=Grant access only for resources tagged as purpose hyperfleet'
-``` 
+```

105-105: Wrap bare URL in markdown link syntax.

The GCP documentation URL should use proper markdown link formatting. This was flagged in a past review.

-Yes, that is named "identity sameness", it is explained also in GCP documentation: https://docs.cloud.google.com/kubernetes-engine/docs/concepts/workload-identity#identity_sameness
+Yes, that is named "identity sameness", it is explained also in [GCP documentation](https://docs.cloud.google.com/kubernetes-engine/docs/concepts/workload-identity#identity_sameness)

107-107: Hyphenate compound adjective "fine-grained".

-As with the `HOSTEDCLUSTER_NAME` discussion before, there are other `principals` that can be used for identity, or we can set `conditions` to make it more fine grained.
+As with the `HOSTEDCLUSTER_NAME` discussion before, there are other `principals` that can be used for identity, or we can set `conditions` to make it more fine-grained.

116-116: Hyphenate compound adjective "customer-generated".

-The current approach by GCP team for Hypershift Operator in their PoC is a temporal solution sharing customer generated credentials.
+The current approach by GCP team for Hypershift Operator in their PoC is a temporal solution sharing customer-generated credentials.

132-133: Fix list indentation to use 4 spaces instead of 5.

The nested list items use 5-space indentation instead of 4 spaces. This was flagged in a past review.

   - Transfer the private_key to the Hypershift Operator leveraging CLM
-     - CLM API accepts the private_key as part of the cluster.spec
-     - CLM will transfer the private_key to HO using the "maestro adapter"
+   - CLM API accepts the private_key as part of the cluster.spec
+   - CLM will transfer the private_key to HO using the "maestro adapter"

166-170: Add bash language identifier to fenced code block.

The shell command block should specify bash for syntax highlighting. This was flagged in a past review.

-```
+```bash
 gcloud projects add-iam-policy-binding  projects/CUSTOMER_PROJECT \
   --role="roles/pubsub.admin" \
   --member="principal://iam.googleapis.com/projects/12341234/locations/global/workloadIdentityPools/hcm-hyperfleet.svc.id.goog/subject/ns/hyperfleet/sa/hyperfleet-sa" --condition=None
-```
+```

178-179: Add bash or yaml language identifier to fenced code block.

The kubectl command block should specify a language identifier for syntax highlighting.

-```
+```bash
 cat <<EOF | kubectl apply -f -
 apiVersion: apps/v1
 kind: Deployment

208-209: Add bash language identifier to fenced code block.

The kubectl command should specify bash for syntax highlighting.

-```
+```bash
 kubectl exec -ti $POD -- gcloud auth list
 
 Credentialed Accounts
 ACTIVE  ACCOUNT
 *       PROJECT_NAME.svc.id.goog
-```
+```

216-216: Hyphenate compound adjective "Google-managed".

-All GKE cluster in a GCP project with Workload Identity enabled use the same Workload Identity Pool named `PROJECT_NAME.svc.id.goog`. This is a Google managed Identity Pool that is not visible in the GCP console.
+All GKE cluster in a GCP project with Workload Identity enabled use the same Workload Identity Pool named `PROJECT_ID.svc.id.goog`. This is a Google-managed Identity Pool that is not visible in the GCP console.
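Review bot: the `+` line also renames the pool from `PROJECT_NAME.svc.id.goog` to `PROJECT_ID.svc.id.goog`, which the comment (hyphenate "Google-managed") does not mention; if the placeholder change is intended, state it, since that suffix is the part of the `--member` principal the customer has to get right when binding the role.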

220-225: Add bash language identifier to fenced code block.

The gcloud command and output should specify bash for syntax highlighting. This was flagged in a past review.

-```
+```bash
 gcloud iam workload-identity-pools describe hcm-hyperfleet.svc.id.goog  --location=global --project hcm-hyperfleet
 
 name: projects/275239757837/locations/global/workloadIdentityPools/hcm-hyperfleet.svc.id.goog
 state: ACTIVE
-```
+```

227-227: Use "cannot" instead of "can not".

"Cannot" is the standard form in formal writing.

-But it can not be found when listing other Workload Identity pools that are usually used for external identity federation like AWS or Azure
+But it cannot be found when listing other Workload Identity pools that are usually used for external identity federation like AWS or Azure

229-233: Add bash language identifier to fenced code block.

The gcloud list command output should specify bash for syntax highlighting. This was flagged in a past review.

-```
+```bash
 gcloud iam workload-identity-pools list  --location=global --project hcm-hyperfleet
 
 Listed 0 items.
-```
+```

239-239: Fix malformed markdown link.

The jwt-cli link has incorrect syntax and should use proper markdown link formatting. This was flagged in a past review.

-GKE automatically injects tokens in the file system at `/var/run/secrets/kubernetes.io/serviceaccount/token`, let's explore the contents with the (jwt-cliL[https://github.com/mike-engel/jwt-cli]) utility to decode the JWT 
+GKE automatically injects tokens in the file system at `/var/run/secrets/kubernetes.io/serviceaccount/token`, let's explore the contents with the [jwt-cli](https://github.com/mike-engel/jwt-cli) utility to decode the JWT

241-244: Add bash language identifier to fenced code block.

The kubectl exec command should specify bash for syntax highlighting.

-```
+```bash
 kubectl exec -ti $POD -- cat /var/run/secrets/kubernetes.io/serviceaccount/token \
 xargs jwt decode
-```
+```

249-286: Add json language identifier to fenced code block.

The JWT token contents should specify json for syntax highlighting.

-```
+```json
 Token header
 ...
 }
-```
+```
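Review bot: tagging this block `json` does not match its content: it opens with jwt-cli's text label `Token header` before the decoded objects, so a JSON highlighter will mark the block as invalid; use `text`, or split the decoded header and payload into their own `json` fences and keep the jwt-cli labels outside them.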

296-297: Wrap bare URLs in markdown link syntax.

Both reference URLs should use proper markdown link formatting. This was flagged in a past review.

 References:
 
-A note of caution. The are multiple scattered references for Workload Identity, Workload Identity Federation and Workload Identity Federation for GKE. Each may have subtle differences
 
 
-- Workload Identity Federation for GKE: https://docs.cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#authenticating_to
-- Workload Identity Sameness: https://medium.com/google-cloud/solving-the-workload-identity-sameness-with-iam-conditions-c02eba2b0c13
+- [Workload Identity Federation for GKE](https://docs.cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#authenticating_to)
+- [Workload Identity Sameness](https://medium.com/google-cloud/solving-the-workload-identity-sameness-with-iam-conditions-c02eba2b0c13)
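Review bot: the `-A note of caution. ...` line has no `+` counterpart, so applying this suggestion as shown deletes the caveat that Workload Identity, Workload Identity Federation and Workload Identity Federation for GKE are documented separately with subtle differences; keep the sentence, for example `+A note of caution. There are multiple scattered references ...`, and only wrap the two URLs below it.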
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 718d5f2 and 5d4c8ba.

📒 Files selected for processing (1)
  • hyperfleet/docs/wif-spike.md (1 hunks)

- A customer has their infrastructure in `CUSTOMER_PROJECT_NAME` GCP project
- A customer creates a HostedCluster with name `HOSTEDCLUSTER_NAME`
- An adapter task runs wants to access customer infrastructure for the `HOSTEDCLUSTER_NAME` HostedCluster
Contributor

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed: `cat -n hyperfleet/docs/wif-spike.md | sed -n '20,30p'`

Repository: openshift-hyperfleet/architecture

Length of output: 889


Fix grammatical error: remove "runs" from "adapter task runs wants".

Line 24 contains the phrase "An adapter task runs wants to access" which is grammatically incorrect. Remove "runs" for clarity.

-An adapter task runs wants to access customer infrastructure for the `HOSTEDCLUSTER_NAME` HostedCluster
+An adapter task that wants to access customer infrastructure for the `HOSTEDCLUSTER_NAME` HostedCluster
🤖 Prompt for AI Agents
In hyperfleet/docs/wif-spike.md around line 24, the sentence reads "An adapter
task runs wants to access customer infrastructure for the `HOSTEDCLUSTER_NAME`
HostedCluster"; remove the extraneous word "runs" so the sentence reads "An
adapter task wants to access customer infrastructure for the
`HOSTEDCLUSTER_NAME` HostedCluster" to correct the grammar and improve clarity.

…s for accessing customer infrastructure. Added details on management clusters and their implications for security and autonomy.
Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (2)
hyperfleet/docs/wif-spike.md (2)

5-5: Fix spelling: "Hyperfleeet" should be "Hyperfleet".

Three e's instead of two in the product name.

-We need to provide a secure way to access customer's cloud infrastructure from several Hyperfleeet components.
+We need to provide a secure way to access customer's cloud infrastructure from several Hyperfleet components.

26-26: Fix grammatical error: remove "runs" from sentence.

The phrase "An adapter task runs wants to access" is incorrect; remove "runs".

-An adapter task runs wants to access customer infrastructure for the `HOSTEDCLUSTER_NAME` HostedCluster
+An adapter task that wants to access customer infrastructure for the `HOSTEDCLUSTER_NAME` HostedCluster
🧹 Nitpick comments (14)
hyperfleet/docs/wif-spike.md (14)

28-30: Fix markdown list indentation.

Lines 29–30 use 5 spaces instead of 4 for nested list items. Per markdownlint, use 4-space indentation.

   - It runs in a GKE cluster for the Regional setup
-     - In a GCP project with 
-        - GCP project name `HYPERFLEET_PROJECT_NAME`
+   - In a GCP project with 
+     - GCP project name `HYPERFLEET_PROJECT_NAME`

37-41: Add language identifier to fenced code block.

The gcloud command block needs a language specifier for proper syntax highlighting.

-```
+```bash
 gcloud projects add-iam-policy-binding  projects/CUSTOMER_PROJECT_NAME \
   --role="roles/pubsub.admin" \
   --member="principal://iam.googleapis.com/projects/HYPERFLEET_PROJECT_NUMBER/locations/global/workloadIdentityPools/HYPERFLEET_PROJECT_NAME.svc.id.goog/subject/ns/HOSTEDCLUSTER_NAME/sa/HOSTEDCLUSTER_NAME" --condition=None 
-```
+```

50-50: Standardize terminology: use "Adapter" consistently, not "Adaptor".

The document uses both "Adapter" and "Adaptor"; standardize on "Adapter" throughout.

-This makes the assumption that Adaptor Tasks will run each in a namespace named after `HOSTEDCLUSTER_NAME`
+This makes the assumption that Adapter Tasks will run each in a namespace named after `HOSTEDCLUSTER_NAME`

72-72: Use hyphen in compound adjective: "fine-grained".

-**Question: can access be restricted in a more fine grained way?**
+**Question: can access be restricted in a more fine-grained way?**

80-84: Add language identifier to fenced code block.

The gcloud condition example block needs a language specifier.

-```
+```bash
 gcloud projects add-iam-policy-binding  projects/CUSTOMER_PROJECT_NAME \
   --role="roles/pubsub.admin" \
   --member="principal://iam.googleapis.com/projects/HYPERFLEET_PROJECT_NUMBER/locations/global/workloadIdentityPools/HYPERFLEET_PROJECT_NAME.svc.id.goog/subject/ns/HOSTEDCLUSTER_NAME/sa/HOSTEDCLUSTER_NAME"     --condition=^:^'expression=resource.matchTag("CUSTOMER_PROJECT_NAME/purpose", "hyperfleet"):title=hyperfleet-tag-condition:description=Grant access only for resources tagged as purpose hyperfleet'
-```
+```

107-107: Wrap bare URL in markdown link syntax.

The GCP documentation URL should be formatted as a proper markdown link.

-Yes, that is named "identity sameness", it is explained also in GCP documentation: https://docs.cloud.google.com/kubernetes-engine/docs/concepts/workload-identity#identity_sameness
+Yes, that is named "identity sameness", it is explained also in GCP documentation: [Workload Identity](https://docs.cloud.google.com/kubernetes-engine/docs/concepts/workload-identity#identity_sameness)

109-109: Use hyphen in compound adjective: "fine-grained".

-As with the `HOSTEDCLUSTER_NAME` discussion before, there are other `principals` that can be used for identity, or we can set `conditions` to make it more fine grained.
+As with the `HOSTEDCLUSTER_NAME` discussion before, there are other `principals` that can be used for identity, or we can set `conditions` to make it more fine-grained.

118-118: Use hyphen in compound adjective: "customer-generated".

-The current approach by GCP team for Hypershift Operator in their PoC is a temporal solution sharing customer generated credentials.
+The current approach by GCP team for Hypershift Operator in their PoC is a temporal solution sharing customer-generated credentials.

134-135: Fix markdown list indentation.

Lines 134–135 use 5 spaces instead of 4 for nested list items. Per markdownlint, use 4-space indentation.

   - Transfer the private_key to the Hypershift Operator leveraging CLM
-     - CLM API accepts the private_key as part of the cluster.spec
-     - CLM will transfer the private_key to HO using the "maestro adapter"
+   - CLM API accepts the private_key as part of the cluster.spec
+   - CLM will transfer the private_key to HO using the "maestro adapter"

181-181: Add language identifiers to multiple fenced code blocks.

Several code blocks throughout the exploration section are missing language specifiers. Add appropriate language identifiers (e.g., bash, yaml, json, text) for proper syntax highlighting:

  • Line 181: kubectl command block → add bash
  • Line 193: kubectl/cat command block → add bash
  • Line 223: gcloud command block → add bash
  • Line 235: gcloud output block → add bash
  • Line 244: gcloud list output block → add bash
  • Line 256: jwt decode command block → add bash
  • Line 264: JWT token output block → add json

Also applies to: 193-193, 223-223, 235-235, 244-244, 256-256, 264-264


231-231: Use hyphen in compound adjective: "Google-managed".

-All GKE cluster in a GCP project with Workload Identity enabled use the same Workload Identity Pool named `PROJECT_ID.svc.id.goog`. This is a Google managed Identity Pool that is not visible in the GCP console.
+All GKE cluster in a GCP project with Workload Identity enabled use the same Workload Identity Pool named `PROJECT_ID.svc.id.goog`. This is a Google-managed Identity Pool that is not visible in the GCP console.

242-242: Use "cannot" instead of "can not".

"Cannot" is the standard, more common form.

-But it can not be found when listing other Workload Identity pools that are usually used for external identity federation like AWS or Azure
+But it cannot be found when listing other Workload Identity pools that are usually used for external identity federation like AWS or Azure

254-254: Fix malformed markdown link.

The jwt-cli link syntax is incorrect.

-GKE automatically injects tokens in the file system at `/var/run/secrets/kubernetes.io/serviceaccount/token`, let's explore the contents with the (jwt-cliL[https://github.com/mike-engel/jwt-cli]) utility to decode the JWT
+GKE automatically injects tokens in the file system at `/var/run/secrets/kubernetes.io/serviceaccount/token`, let's explore the contents with the [jwt-cli](https://github.com/mike-engel/jwt-cli) utility to decode the JWT

311-312: Wrap reference URLs in markdown link syntax.

The reference links should use markdown link formatting for proper rendering.

 References:
 
-A note of caution. The are multiple scattered references for Workload Identity, Workload Identity Federation and Workload Identity Federation for GKE. Each may have subtle differences
+A note of caution. There are multiple scattered references for Workload Identity, Workload Identity Federation and Workload Identity Federation for GKE. Each may have subtle differences
 
 
-- Workload Identity from GKE: https://docs.cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#authenticating_to
-- Workload Identity Sameness: https://medium.com/google-cloud/solving-the-workload-identity-sameness-with-iam-conditions-c02eba2b0c13
+- [Workload Identity from GKE](https://docs.cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#authenticating_to)
+- [Workload Identity Sameness](https://medium.com/google-cloud/solving-the-workload-identity-sameness-with-iam-conditions-c02eba2b0c13)

I also noticed a typo on line 308: "The are" should be "There are".

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5d4c8ba and c832ab4.

📒 Files selected for processing (1)
  • hyperfleet/docs/wif-spike.md (1 hunks)
Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 4

♻️ Duplicate comments (18)
hyperfleet/docs/wif-spike.md (18)

5-5: Fix spelling: "Hyperfleeet" should be "Hyperfleet".

The project name is misspelled with three e's instead of two.

-We need to provide a secure way to access customer's cloud infrastructure from several Hyperfleeet components.
+We need to provide a secure way to access customer's cloud infrastructure from several Hyperfleet components.

26-26: Fix grammatical error in adapter task description.

Remove the extraneous word "runs" from the sentence.

-An adapter task runs wants to access customer infrastructure for the `HOSTEDCLUSTER_NAME` HostedCluster
+An adapter task that wants to access customer infrastructure for the `HOSTEDCLUSTER_NAME` HostedCluster

29-30: Fix unordered list indentation.

Lines 29–30 use 5 spaces instead of the required 4 for nested list items.

   - In a GCP project with 
-     - GCP project name `HYPERFLEET_PROJECT_NAME`
-     - GCP project number `HYPERFLEET_PROJECT_NUMBER`
+   - GCP project name `HYPERFLEET_PROJECT_NAME`
+   - GCP project number `HYPERFLEET_PROJECT_NUMBER`

37-41: Add language identifier to fenced code block.

The gcloud command block lacks a language specifier for proper syntax highlighting.

-```
+```bash
 gcloud projects add-iam-policy-binding  projects/CUSTOMER_PROJECT_NAME \
   --role="roles/pubsub.admin" \
   --member="principal://iam.googleapis.com/projects/HYPERFLEET_PROJECT_NUMBER/locations/global/workloadIdentityPools/HYPERFLEET_PROJECT_NAME.svc.id.goog/subject/ns/HOSTEDCLUSTER_NAME/sa/HOSTEDCLUSTER_NAME" --condition=None 
-```
+```

50-50: Use consistent terminology: "Adapter" instead of "Adaptor".

The document uses both "Adapter" and "Adaptor" inconsistently. Standardize on "Adapter" throughout.

-This makes the assumption that Adaptor Tasks will run each in a namespace named after `HOSTEDCLUSTER_NAME`
+This makes the assumption that Adapter Tasks will run each in a namespace named after `HOSTEDCLUSTER_NAME`

72-72: Use hyphen in compound adjective: "fine-grained".

-**Question: can access be restricted in a more fine grained way?**
+**Question: can access be restricted in a more fine-grained way?**

80-84: Add language identifier to fenced code block.

The gcloud command with condition example needs a language specifier for syntax highlighting.

-```
+```bash
 gcloud projects add-iam-policy-binding  projects/CUSTOMER_PROJECT_NAME \
   --role="roles/pubsub.admin" \
   --member="principal://iam.googleapis.com/projects/HYPERFLEET_PROJECT_NUMBER/locations/global/workloadIdentityPools/HYPERFLEET_PROJECT_NAME.svc.id.goog/subject/ns/HOSTEDCLUSTER_NAME/sa/HOSTEDCLUSTER_NAME"     --condition=^:^'expression=resource.matchTag("CUSTOMER_PROJECT_NAME/purpose", "hyperfleet"):title=hyperfleet-tag-condition:description=Grant access only for resources tagged as purpose hyperfleet'
-``` 
+```

107-107: Wrap bare URL in markdown link syntax.

The GCP documentation URL should be formatted as a proper markdown link.

-Yes, that is named "identity sameness", it is explained also in GCP documentation: https://docs.cloud.google.com/kubernetes-engine/docs/concepts/workload-identity#identity_sameness
+Yes, that is named "identity sameness", it is explained also in GCP documentation: [Workload Identity Sameness](https://docs.cloud.google.com/kubernetes-engine/docs/concepts/workload-identity#identity_sameness)

109-109: Use hyphen in compound adjective: "fine-grained".

-As with the `HOSTEDCLUSTER_NAME` discussion before, there are other `principals` that can be used for identity, or we can set `conditions` to make it more fine grained.
+As with the `HOSTEDCLUSTER_NAME` discussion before, there are other `principals` that can be used for identity, or we can set `conditions` to make it more fine-grained.

118-118: Use hyphen in compound adjective: "customer-generated".

-The current approach by GCP team for Hypershift Operator in their PoC is a temporal solution sharing customer generated credentials.
+The current approach by GCP team for Hypershift Operator in their PoC is a temporal solution sharing customer-generated credentials.

134-135: Fix unordered list indentation.

Lines 134–135 use 5 spaces instead of the required 4 for nested list items.

   - Transfer the private_key to the Hypershift Operator leveraging CLM
-     - CLM API accepts the private_key as part of the cluster.spec
-     - CLM will transfer the private_key to HO using the "maestro adapter"
+   - CLM API accepts the private_key as part of the cluster.spec
+   - CLM will transfer the private_key to HO using the "maestro adapter"

181-185: Add language identifier to fenced code block.

The gcloud command example in the "Leverage Regional cluster" section needs a language specifier.

-```
+```bash
 gcloud projects add-iam-policy-binding  projects/CUSTOMER_PROJECT \
   --role="roles/pubsub.admin" \
   --member="principal://iam.googleapis.com/projects/12341234/locations/global/workloadIdentityPools/hcm-hyperfleet.svc.id.goog/subject/ns/hyperfleet/sa/hyperfleet-sa" --condition=None
-
-```
+```

231-231: Use hyphen in compound adjective: "Google-managed".

-All GKE cluster in a GCP project with Workload Identity enabled use the same Workload Identity Pool named `PROJECT_ID.svc.id.goog`. This is a Google managed Identity Pool that is not visible in the GCP console.
+All GKE cluster in a GCP project with Workload Identity enabled use the same Workload Identity Pool named `PROJECT_ID.svc.id.goog`. This is a Google-managed Identity Pool that is not visible in the GCP console.

235-240: Add language identifier to fenced code block.

The gcloud workload-identity-pools describe output block needs a language specifier.

-```
+```bash
 gcloud iam workload-identity-pools describe hcm-hyperfleet.svc.id.goog  --location=global --project hcm-hyperfleet
 
 name: projects/275239757837/locations/global/workloadIdentityPools/hcm-hyperfleet.svc.id.goog
 state: ACTIVE
-```
+```

242-242: Use "cannot" instead of "can not".

"Cannot" is the standard, more common form.

-But it can not be found when listing other Workload Identity pools that are usually used for external identity federation like AWS or Azure
+But it cannot be found when listing other Workload Identity pools that are usually used for external identity federation like AWS or Azure

244-248: Add language identifier to fenced code block.

The gcloud workload-identity-pools list output block needs a language specifier.

-```
+```bash
 gcloud iam workload-identity-pools list  --location=global --project hcm-hyperfleet
 
 Listed 0 items.
-```
+```

254-254: Fix malformed markdown link.

The jwt-cli link syntax is incorrect and needs proper markdown link formatting.

-GKE automatically injects tokens in the file system at `/var/run/secrets/kubernetes.io/serviceaccount/token`, let's explore the contents with the (jwt-cliL[https://github.com/mike-engel/jwt-cli]) utility to decode the JWT
+GKE automatically injects tokens in the file system at `/var/run/secrets/kubernetes.io/serviceaccount/token`, let's explore the contents with the [jwt-cli](https://github.com/mike-engel/jwt-cli) utility to decode the JWT

311-312: Wrap bare URLs in markdown link syntax.

The reference links should use markdown link formatting for proper rendering.

 References:
-
-A note of caution. The are multiple scattered references for Workload Identity, Workload Identity Federation and Workload Identity Federation for GKE. Each may have subtle differences
-
-
-- Workload Identity Federation for GKE: https://docs.cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#authenticating_to
-- Workload Identity Sameness: https://medium.com/google-cloud/solving-the-workload-identity-sameness-with-iam-conditions-c02eba2b0c13
+- [Workload Identity Federation for GKE](https://docs.cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#authenticating_to)
+- [Workload Identity Sameness](https://medium.com/google-cloud/solving-the-workload-identity-sameness-with-iam-conditions-c02eba2b0c13)
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c832ab4 and 48ab586.

📒 Files selected for processing (1)
  • hyperfleet/docs/wif-spike.md (1 hunks)
🧰 Additional context used
🪛 LanguageTool
hyperfleet/docs/wif-spike.md

[grammar] ~5-~5: Ensure spelling is correct
Context: ...mer's cloud infrastructure from several Hyperfleeet components. There are different use ca...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)


[uncategorized] ~50-~50: Do not mix variants of the same word (‘adaptor’ and ‘adapter’) within a single text.
Context: ... example This makes the assumption that Adaptor Tasks will run each in a namespace name...

(EN_WORD_COHERENCY)


[grammar] ~72-~72: Use a hyphen to join words.
Context: ... can access be restricted in a more fine grained way?** First, we can use `add-i...

(QB_NEW_EN_HYPHEN)


[style] ~98-~98: You have already used this phrasing in nearby sentences. Consider replacing it to add variety to your writing.
Context: ... with a GCP project. **Question: Do we need to annotate Kubernetes Service Accounts or...

(REP_NEED_TO_VB)


[grammar] ~109-~109: Use a hyphen to join words.
Context: ...an set conditions to make it more fine grained. **Do I need to configure the ...

(QB_NEW_EN_HYPHEN)


[grammar] ~118-~118: Use a hyphen to join words.
Context: ... is a temporal solution sharing customer generated credentials. - Customer's us...

(QB_NEW_EN_HYPHEN)


[grammar] ~231-~231: Use a hyphen to join words.
Context: ...JECT_NAME.svc.id.goog`. This is a Google managed Identity Pool that is not visibl...

(QB_NEW_EN_HYPHEN)


[style] ~242-~242: Unless you want to emphasize “not”, use “cannot” which is more common.
Context: ...t.svc.id.goog state: ACTIVE ``` But it can not be found when listing other Workload Id...

(CAN_NOT_PREMIUM)


Comment on lines +193 to +218
```
cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
name: gcloud
namespace: $NAME
spec:
replicas: 1
selector:
matchLabels:
app: gcloud
template:
metadata:
labels:
app: gcloud
spec:
serviceAccountName: $NAME
containers:
- name: gcloud
image: google/cloud-sdk:slim
command: ["/bin/sh", "-c", "--"]
args: ["while true; do sleep 30; done;"]

EOF
```
⚠️ Potential issue | 🟡 Minor

Add language identifier to fenced code block.

The deployment YAML example lacks a language specifier.

-```
+```yaml
 cat <<EOF | kubectl apply -f -
 apiVersion: apps/v1
 kind: Deployment
 ...
 EOF
-```
+```
🧰 Tools
🪛 markdownlint-cli2 (0.18.1)

193-193: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents
In hyperfleet/docs/wif-spike.md around lines 193 to 218 the fenced code block
containing the Kubernetes deployment YAML lacks a language identifier; update
the opening fence to include "yaml" (i.e., replace the initial ``` with ```yaml)
so the block is syntax-highlighted and leave the closing fence as is.

Comment on lines +223 to +229
```
kubectl exec -ti $POD -- gcloud auth list

Credentialed Accounts
ACTIVE ACCOUNT
* PROJECT_NAME.svc.id.goog
```
⚠️ Potential issue | 🟡 Minor

Add language identifier to fenced code block.

The kubectl auth list output block needs a language specifier.

-```
+```bash
 kubectl exec -ti $POD -- gcloud auth list
 
 Credentialed Accounts
 ACTIVE  ACCOUNT
 *       PROJECT_NAME.svc.id.goog
-```
+```
🧰 Tools
🪛 markdownlint-cli2 (0.18.1)

223-223: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents
In hyperfleet/docs/wif-spike.md around lines 223 to 229, the fenced code block
showing the kubectl/gcloud output is missing a language identifier; update the
opening fence from ``` to ```bash so the block starts with ```bash and leave the
closing fence as ``` to enable proper syntax/highlight rendering.

Comment on lines +256 to +259
```
kubectl exec -ti $POD -- cat /var/run/secrets/kubernetes.io/serviceaccount/token \
xargs jwt decode
```
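Review bot: the trailing backslash on `cat /var/run/secrets/kubernetes.io/serviceaccount/token \` continues the `cat` command onto the next line, so `xargs jwt decode` is parsed as three extra file arguments to `cat` rather than as a pipeline, and the command fails without ever decoding the token. Replace the `\` with `| \` (or start the second line with `|`) so the token is actually piped into `xargs jwt decode`.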
⚠️ Potential issue | 🟡 Minor

Add language identifier to fenced code block.

The kubectl exec command block needs a language specifier for syntax highlighting.

-```
+```bash
 kubectl exec -ti $POD -- cat /var/run/secrets/kubernetes.io/serviceaccount/token \
 xargs jwt decode
-```
+```
🧰 Tools
🪛 markdownlint-cli2 (0.18.1)

256-256: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents
In hyperfleet/docs/wif-spike.md around lines 256 to 259, the fenced code block
containing the kubectl exec command lacks a language identifier so it doesn't
get syntax highlighting; update the opening backticks to include the language
(bash) by changing the fence from ``` to ```bash and leave the content and
closing fence unchanged.

Comment on lines +264 to +301
```
Token header
------------
{
"alg": "RS256",
"kid": "wzQEgawE7XtHecI3Ob1Wy_ucMaUDmIdr6JUSueVqFYA"
}

Token claims
------------
{
"aud": [
"https://container.googleapis.com/v1/projects/hcm-hyperfleet/locations/us-central1-a/clusters/hyperfleet-dev"
],
"exp": 1796970676,
"iat": 1765434676,
"iss": "https://container.googleapis.com/v1/projects/hcm-hyperfleet/locations/us-central1-a/clusters/hyperfleet-dev",
"jti": "ff08f939-8e17-4ff0-8ebf-c0ed4012cc24",
"kubernetes.io": {
"namespace": "amarin",
"node": {
"name": "gke-hyperfleet-dev-default-pool-78e4bad4-882j",
"uid": "e85d0fce-d62c-46b8-87f7-6bca42909d26"
},
"pod": {
"name": "gcloud-66b75ff5dc-c8zqr",
"uid": "d4202860-0f9d-4c81-8a25-559de58b5c01"
},
"serviceaccount": {
"name": "gcloud-ksa",
"uid": "8c1869ef-b894-46ee-8b88-548cb1509cf1"
},
"warnafter": 1765438283
},
"nbf": 1765434676,
"sub": "system:serviceaccount:amarin:gcloud-ksa"
}
```
⚠️ Potential issue | 🟡 Minor

Add language identifier to fenced code block.

The JWT token structure example block needs a language specifier (JSON).

-```
+```json
 Token header
 ...
 }
-```
+```
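Review bot: tagging this block `json` mislabels it: the `Token header` / `Token claims` lines and the dashed rules are jwt-cli's plain-text framing, not JSON, so a JSON highlighter will render the block as malformed. Either tag the whole block `text`, or split it so that only the two `{ ... }` objects sit in `json` fences.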
🧰 Tools
🪛 markdownlint-cli2 (0.18.1)

264-264: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents
In hyperfleet/docs/wif-spike.md around lines 264 to 301 the fenced code block
showing the JWT token structure is missing a language identifier; change the
opening fence from ``` to ```json so the block is marked as JSON (i.e., add the
"json" language specifier immediately after the three backticks) and leave the
closing fence unchanged.
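As an added example (not part of the document under review or the project's code), the following Python maps the claims of a projected Kubernetes service-account token, shaped like the one shown above, to the IAM member string the document passes to `add-iam-policy-binding`, and shows identity sameness: two clusters in the same project with the same namespace and service account yield the same member. The token is constructed and unsigned, and `make_sample_token`, `decode_claims` and `wif_member` are hypothetical helper names.

```python
import base64
import json
import re

# Constructed sample: an unsigned GKE projected SA token shaped like the one in the document.
def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(project_id, cluster, namespace, ksa):
    """Build an unsigned look-alike of the document's token (constructed data, dummy signature)."""
    cluster_url = f"https://container.googleapis.com/v1/projects/{project_id}/locations/us-central1-a/clusters/{cluster}"
    claims = {
        "aud": [cluster_url],
        "iss": cluster_url,
        "kubernetes.io": {"namespace": namespace, "serviceaccount": {"name": ksa}},
        "sub": f"system:serviceaccount:{namespace}:{ksa}",
    }
    return ".".join([_b64url({"alg": "RS256", "kid": "constructed"}), _b64url(claims), "sig"])

ISS_RE = re.compile(
    r"^https://container\.googleapis\.com/v1/projects/(?P<project>[^/]+)/locations/[^/]+/clusters/[^/]+$"
)

def decode_claims(token):
    """Decode the claims segment only; no signature verification, this is inspection, not auth."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def wif_member(token, project_number):
    """Map a KSA token to the IAM member string used with add-iam-policy-binding."""
    claims = decode_claims(token)
    m = ISS_RE.match(claims.get("iss", ""))
    if not m:
        raise ValueError("issuer is not a GKE cluster endpoint")
    project_id = m.group("project")
    k8s = claims["kubernetes.io"]
    ns, sa = k8s["namespace"], k8s["serviceaccount"]["name"]
    # Cross-check: sub must agree with the structured kubernetes.io claims.
    if claims.get("sub") != f"system:serviceaccount:{ns}:{sa}":
        raise ValueError("sub claim does not match kubernetes.io namespace/serviceaccount")
    # The GKE-managed pool is PROJECT_ID.svc.id.goog; the subject carries only ns and sa,
    # so the cluster name in iss does not appear in the member (identity sameness).
    return (
        f"principal://iam.googleapis.com/projects/{project_number}/locations/global/"
        f"workloadIdentityPools/{project_id}.svc.id.goog/subject/ns/{ns}/sa/{sa}"
    )

if __name__ == "__main__":
    a = make_sample_token("hcm-hyperfleet", "hyperfleet-dev", "amarin", "gcloud-ksa")
    b = make_sample_token("hcm-hyperfleet", "hyperfleet-prod", "amarin", "gcloud-ksa")
    print(wif_member(a, "275239757837") == wif_member(b, "275239757837"))
```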

@ciaranRoche ciaranRoche left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Based on Slack, this enables us for CLM components; we need more discussion for customer account access.

@ciaranRoche ciaranRoche merged commit 8b817c2 into openshift-hyperfleet:main Dec 19, 2025
1 check passed