Uploaded image for project: 'OpenShift Cloud Credential Operator'
  1. OpenShift Cloud Credential Operator
  2. CCO-187

Azure Managed Identity (Workload Identity) Support


    • Azure Managed Identity (Workload Identity) Support
    • False
    • False
    • To Do
    • OCPSTRAT-506 - ARO Managed Identity
    • OCPSTRAT-506ARO Managed Identity
    • 0% To Do, 0% In Progress, 100% Done
    • L
    • Approved

      Epic Overview

      • Enable customers to create and manage OpenShift clusters using managed identities for Azure resources for authentication.
      • A customer using ARO wants to spin up an OpenShift cluster with "az aro create" without needing additional input, i.e. without the need for an AD account or service principal credentials, and the identity used is never visible to the customer and cannot appear in the cluster.

      Epic Goal

      • A customer creates an OpenShift cluster ("az aro create") using Azure managed identity.
      • Azure managed identities must work for installation with all install methods including IPI and UPI, work with upgrades, and day-to-day cluster lifecycle operations.
      • After Azure failed to implement workable golang API changes after deprecation of their old API, we have removed mint mode and work entirely in passthrough mode. Azure has plans to implement pod/workload identity similar to how they have been implemented in AWS and GCP, and when this feature is available, we should implement permissions similar to AWS/GCP
      • This work cannot start until Azure have implemented this feature - as such, this Epic is a placeholder to track the effort when available.

      Why is this important?

      • Microsoft and the customer would prefer that we use Managed Identities vs. Service Principal (which requires putting the Service Principal and principal password in clear text within the azure.conf file).


      1. ...

      Acceptance Criteria

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.
      • ...

      Dependencies (internal and external)

      1. ...

      Previous Work (Optional):

      Open questions::

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>



            jstuever@redhat.com Jeremiah Stuever
            mworthin@redhat.com Mike Worthington
            Mingxia Huang Mingxia Huang
            1 Vote for this issue
            29 Start watching this issue