Uploaded image for project: 'OpenShift Cloud Credential Operator'
  1. OpenShift Cloud Credential Operator
  2. CCO-232

Implement ccoctl command to create infrastructure required for Azure workload identity


      Implement ccoctl command to create the infrastructure necessary for Azure workload identity:

      • Create key pair
      • Azure blob storage container OIDC Issuer
        • OIDC discovery document
        • jkws document
      • User assigned managed identities
      • Federated identity credentials for user assigned managed identities

      From the enhancement proposal,

      The Cloud Credential Operator's command-line utility (ccoctl) will be extended with subcommands for Azure which provide methods for,

      • Generating a key pair to be used for ServiceAccount token signing for a fresh OpenShift cluster.
      • Creating an Azure blob storage container to serve as the OIDC Issuer in which to publish OIDC discovery and JWKS documents needed to establish trust at a publicly available address. This sub-command will output a modified cluster Authentication CR, containing a serviceAccountIssuer pointing to the Azure blob storage container's URL to be provided as a manifest for installation.
      • Creating Managed Identity infrastructure with federated credentials for OpenShift operator ServiceAccounts (identified by namespace & name) and to output secrets containing the clientID of the Managed Identity to be provided as manifests for the installer. This command will process CredentialsRequest custom resources to identify service accounts that will be associated with Managed Identities in Azure as federated credentials. For self-managed installation, CredentialsRequests will be extracted from the release image.
      ➜  ccoctl azure -h
      Creating/updating/deleting cloud credentials objects for Azure
        ccoctl azure [command]
      Available Commands:
        create-all                Create OIDC issuer and managed identities
        create-key-pair           Create a key pair
        create-managed-identities Create Azure Managed Identities
        create-oidc-issuer        Create OIDC Issuer
        delete                    Delete OIDC issuer and managed identities
        -h, --help   help for azure
      Use "ccoctl azure [command] --help" for more information about a command.

      Azure workload identity documentation: https://azure.github.io/azure-workload-identity/docs/introduction.html

      Pull request: https://github.com/openshift/cloud-credential-operator/pull/523

            mihuang@redhat.com Mingxia Huang
            abutcher@redhat.com Andrew Butcher
            Mingxia Huang Mingxia Huang
            0 Vote for this issue
            8 Start watching this issue