@ashu8912 ashu8912 commented Jul 7, 2025

This PR adds documentation for setting up a GKE cluster, enabling Identity Service on it, and setting up the OIDC configuration with Headlamp.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jul 7, 2025
@k8s-ci-robot (Contributor)

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ashu8912
Once this PR has been reviewed and has the lgtm label, please assign sniok for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot requested review from illume and skoeva July 7, 2025 09:44
@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jul 7, 2025
@joaquimrocha joaquimrocha requested a review from Copilot July 7, 2025 17:20
@Copilot Copilot AI (Contributor) left a comment

Pull Request Overview

This PR adds documentation for setting up a GKE cluster with OIDC authentication using Headlamp.

  • Adds a new “Cloud Provider Specific Guides” section linking to EKS, GKE, and AKS tutorials.
  • Introduces a comprehensive GKE tutorial covering Google Identity Platform configuration, cluster setup, RBAC, and Helm deployment.

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
|------|-------------|
| docs/installation/in-cluster/index.md | Added Cloud Provider Specific Guides section with links to OIDC guides |
| docs/installation/in-cluster/gke/index.md | New tutorial for Headlamp on GKE with Google Identity Platform |
Comments suppressed due to low confidence (3)

docs/installation/in-cluster/index.md:102

  • [nitpick] The link text “GKE with OIDC” may imply a generic OIDC setup, but this guide is specific to Google Identity Platform. Consider renaming it to “GKE with Google Identity Platform” for clarity.
- **[GKE with OIDC](./gke/)** - Google Kubernetes Engine with OIDC providers

docs/installation/in-cluster/gke/index.md:70

  • The --zone flag in the existing cluster update command is missing the closing > bracket; it should be --zone=<YOUR_ZONE>.
  --zone=<YOUR_ZONE \

docs/installation/in-cluster/gke/index.md:88

  • In the ClientConfig YAML example, the sequence item - name: oidc must be indented under the authentication: key (e.g., two spaces deeper) to produce valid YAML.
  - name: oidc

@illume illume (Contributor) left a comment

I was working through this and noticed the warning:

Caution: Starting on July 1, 2025, new Google Cloud organizations that you create won't support Identity Service for GKE.

https://cloud.google.com/kubernetes-engine/docs/how-to/oidc

It looks like they are moving folks to "Workforce Identity Federation".

Should we still have this tutorial? I guess for some time existing users of the identity service might want to use it. If we keep this tutorial, we should add a warning to the top that Identity service is being phased out.

If we're going to keep it, I'll continue the review. Let me know, @ashu8912?


```bash
gcloud container clusters update ashu-headlamp \
--zone=<YOUR_ZONE \
```

Needs a closing ">"

```yaml
name: your-cluster-name
server: https://your-cluster-ip:443
```


I think adding references or further reading could help.

Maybe link to the appropriate section of this doc here? https://cloud.google.com/kubernetes-engine/docs/how-to/oidc

```yaml
name: oidc-admin-binding
subjects:
- kind: User
  name: [email protected]
```

example.com should be used for example domains generally.

What about? [email protected]

```yaml
issuerURI: "https://accounts.google.com"
kubectlRedirectURI: "http://localhost:8080/oidc-callback"
scopes: "openid,email,profile"
userClaim: email
```

I think this should match the RBAC config?

```yaml
kubectlRedirectURI: "http://localhost:8080/oidc-callback"
scopes: "openid,email,profile"
userClaim: email
userPrefix: 'oidc:'
```

This is so you don't need to write? name: oidc:[email protected]
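The two review comments above (the RBAC subject matching the ClientConfig, and what `userPrefix` does) come down to one rule: the API server sees `userPrefix` prepended to the value of `userClaim`, and a binding whose subject omits the prefix never applies, while the prefix keeps OIDC users from colliding with names issued by other authenticators. The following is an added example, not code from the PR or from GKE; the identity, claims and bindings are constructed and the `OidcMethod` helper is hypothetical.

```python
# Added example, not part of the PR under review: checks that a (Cluster)RoleBinding
# subject lines up with the username GKE Identity Service derives from an ID token,
# i.e. userPrefix + value of userClaim. All identities and claims are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class OidcMethod:
    """The ClientConfig 'oidc' fields that decide the Kubernetes username (hypothetical helper)."""
    user_claim: str
    user_prefix: str = ""


def effective_username(method: OidcMethod, claims: dict) -> str:
    """Username the API server sees: the prefix prepended to the configured claim value."""
    value = claims.get(method.user_claim)
    if not isinstance(value, str) or not value:
        raise ValueError(f"ID token lacks a usable '{method.user_claim}' claim")
    return method.user_prefix + value


def binding_grants(binding: dict, method: OidcMethod, claims: dict) -> bool:
    """True only if the binding has a User subject equal to the derived username."""
    username = effective_username(method, claims)
    return any(s.get("kind") == "User" and s.get("name") == username
               for s in binding.get("subjects", []))


# Settings from the reviewed ClientConfig fragment: userClaim email, userPrefix 'oidc:'.
METHOD = OidcMethod(user_claim="email", user_prefix="oidc:")
# Constructed ID token claims for a test identity.
CLAIMS = {"sub": "1234567890", "email": "alice@example.com", "email_verified": True}

# A binding written without the prefix silently grants nothing to this identity ...
BINDING_NO_PREFIX = {"kind": "ClusterRoleBinding",
                     "subjects": [{"kind": "User", "name": "alice@example.com"}]}
# ... while the prefixed subject matches what the API server actually sees.
BINDING_WITH_PREFIX = {"kind": "ClusterRoleBinding",
                       "subjects": [{"kind": "User", "name": "oidc:alice@example.com"}]}

if __name__ == "__main__":
    print(effective_username(METHOD, CLAIMS))                   # oidc:alice@example.com
    print(binding_grants(BINDING_NO_PREFIX, METHOD, CLAIMS))    # False
    print(binding_grants(BINDING_WITH_PREFIX, METHOD, CLAIMS))  # True
```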

```markdown
|---------|-------|
| Issuer URL | `https://accounts.google.com` |
| Username Claim | `email` |
| Groups Claim | `groups` (if using Google Workspace) |
```

I tried to find docs for a groups claim, but couldn't. Do you have a pointer for documentation for this?

It's only available for Google Workspace? Can you please add some detail here?

```markdown
- [kubectl](https://kubernetes.io/docs/tasks/tools/) installed
- [Helm](https://helm.sh/docs/intro/install/) installed

## Step 1: Configure Google Identity Platform
```

Based on https://cloud.google.com/kubernetes-engine/docs/how-to/oidc#external-idp-authentication-methods, Identity Service is not recommended. They prefer Workforce Identity Federation.

@illume illume marked this pull request as draft September 29, 2025 20:10
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 29, 2025