Uploaded image for project: 'OpenShift Cloud Credential Operator'
  1. OpenShift Cloud Credential Operator
  2. CCO-187

Azure Managed Identity (Workload Identity) Support

    XMLWordPrintable

Details

    • Azure Managed Identity (Workload Identity) Support
    • False
    • False
    • To Do
    • OCPSTRAT-506 - ARO Managed Identity
    • OCPSTRAT-506ARO Managed Identity
    • 100
    • 100% 100%
    • L
    • Approved

    Description

      Epic Overview

      • Enable customers to create and manage OpenShift clusters using managed identities for Azure resources for authentication.
      • A customer using ARO wants to spin up an OpenShift cluster with "az aro create" without needing additional input, i.e. without the need for an AD account or service principal credentials, and the identity used is never visible to the customer and cannot appear in the cluster.

      Epic Goal

      • A customer creates an OpenShift cluster ("az aro create") using Azure managed identity.
      • Azure managed identities must work for installation with all install methods including IPI and UPI, work with upgrades, and day-to-day cluster lifecycle operations.
      • After Azure failed to implement workable golang API changes after deprecation of their old API, we have removed mint mode and work entirely in passthrough mode. Azure has plans to implement pod/workload identity similar to how they have been implemented in AWS and GCP, and when this feature is available, we should implement permissions similar to AWS/GCP
      • This work cannot start until Azure have implemented this feature - as such, this Epic is a placeholder to track the effort when available.

      Why is this important?

      • Microsoft and the customer would prefer that we use Managed Identities vs. Service Principal (which requires putting the Service Principal and principal password in clear text within the azure.conf file).

      Scenarios

      1. ...

      Acceptance Criteria

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.
      • ...

      Dependencies (internal and external)

      1. ...

      Previous Work (Optional):

      1. …

      Open questions::

      1. …

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

       

       

      Attachments

        Issue Links

          blocks

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. CCO-371 Azure Workload Identity Management for layered products (OLM operators)

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-8665 cert-manager does not work with "Managed Identity Using AAD Pod Identities"

          • Minor - To be worked after urgent, high, and medium priorities are resolved. This term is chosen when the severity of the issue is low, or the complexity or effort to correct it may be higher, relatively speaking. For low priority issues, known workarounds exist or are not needed due to the trivial effort needed to address the issue.
          • Closed
          depends on

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. CORS-1888 Support for Azure Managed Identities for new OpenShift deployments

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Release Pending

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. CCO-232 Implement ccoctl command to create infrastructure required for Azure workload identity

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. CCO-233 Document Azure workload identity usage within CCO repo documentation

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. CCO-234 Azure workload identity e2e testing

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. CCO-235 Update OpenShift operators to consume Azure workload identity tokens

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. CCO-363 Azure pod identity webhook

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is depended on by

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPSTRAT-506 ARO Managed Identity

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPSTRAT-513 Azure managed identity with Azure AD workload identity for self-managed OpenShift

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPSTRAT-909 ARO Managed Identity Phase II

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is related to

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. IR-364 Azure Managed [Workload] Identity Support

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Release Pending

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. CORS-1872 Azure: Handle Deprecation of AD Graph & ADAL API

          • Critical - To be worked on immediately following BLOCKER issues.
          • Release Pending

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. CCO-189 Microsoft Graph support for granular access

          • Undefined - Priority not specified.
          • Closed
          relates to

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. HIVE-1876 Azure managed identity (workload identity) Hive support

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. STOR-1072 Azure Disk support for managed identities

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. STOR-1073 Azure File support for managed identities

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. CCO-422 ARO Workload identity 4.15 items (CAPI)

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. NE-1256 test

          • Undefined - Priority not specified.
          • Closed
          links to

          Web Link Azure Workload Identity Repo

          GitHub openshift/api#1436: config/v1: Add AzureWorkloadIdentity to TechPreviewNoUpgrade

          GitHub openshift/cloud-credential-operator#502: WIP: azure move away from ADAL and AD Graph

          Web Link Private preview API

          Activity

            People

              jstuever@redhat.com Jeremiah Stuever
              mworthin@redhat.com Mike Worthington
              Mingxia Huang Mingxia Huang
              Votes:
              1 Vote for this issue
              Watchers:
              29 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: