Uploaded image for project: 'OpenShift Cloud Credential Operator'
  1. OpenShift Cloud Credential Operator
  2. CCO-232

Implement ccoctl command to create infrastructure required for Azure workload identity

    XMLWordPrintable

Details

    Description

      Implement ccoctl command to create the infrastructure necessary for Azure workload identity:

      • Create key pair
      • Azure blob storage container OIDC Issuer
        • OIDC discovery document
        • jkws document
      • User assigned managed identities
      • Federated identity credentials for user assigned managed identities

      From the enhancement proposal,

      The Cloud Credential Operator's command-line utility (ccoctl) will be extended with subcommands for Azure which provide methods for,

      • Generating a key pair to be used for ServiceAccount token signing for a fresh OpenShift cluster.
      • Creating an Azure blob storage container to serve as the OIDC Issuer in which to publish OIDC discovery and JWKS documents needed to establish trust at a publicly available address. This sub-command will output a modified cluster Authentication CR, containing a serviceAccountIssuer pointing to the Azure blob storage container's URL to be provided as a manifest for installation.
      • Creating Managed Identity infrastructure with federated credentials for OpenShift operator ServiceAccounts (identified by namespace & name) and to output secrets containing the clientID of the Managed Identity to be provided as manifests for the installer. This command will process CredentialsRequest custom resources to identify service accounts that will be associated with Managed Identities in Azure as federated credentials. For self-managed installation, CredentialsRequests will be extracted from the release image.
      ➜  ccoctl azure -h
Creating/updating/deleting cloud credentials objects for Azure

Usage:
  ccoctl azure [command]

Available Commands:
  create-all                Create OIDC issuer and managed identities
  create-key-pair           Create a key pair
  create-managed-identities Create Azure Managed Identities
  create-oidc-issuer        Create OIDC Issuer
  delete                    Delete OIDC issuer and managed identities

Flags:
  -h, --help   help for azure

Use "ccoctl azure [command] --help" for more information about a command.

      Azure workload identity documentation: https://azure.github.io/azure-workload-identity/docs/introduction.html

      Pull request: https://github.com/openshift/cloud-credential-operator/pull/523

      Attachments

        Issue Links

          blocks

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. CCO-233 Document Azure workload identity usage within CCO repo documentation

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. CCO-234 Azure workload identity e2e testing

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. NE-1244 Update Azure Credentials Request manifest of the Cluster Ingress Operator to use new API field for requesting permissions

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-8665 cert-manager does not work with "Managed Identity Using AAD Pod Identities"

          • Minor - To be worked after urgent, high, and medium priorities are resolved. This term is chosen when the severity of the issue is low, or the complexity or effort to correct it may be higher, relatively speaking. For low priority issues, known workarounds exist or are not needed due to the trivial effort needed to address the issue.
          • Closed
          is depended on by

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. CCO-187 Azure Managed Identity (Workload Identity) Support

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          is related to

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-15907 ccoctl azure delete leaks role assignments

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          relates to

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-16228 ccoctl azure --dry-run does not output either bash script or template for the resources to be created

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • POST
          links to

          Web Link Azure workload identity enhancement proposal

          Web Link https://github.com/openshift/cloud-credential-operator/pull/523

          GitHub openshift/cloud-credential-operator#523: Implement ccoctl command to create infrastructure required for Azure workload identity

          GitHub openshift/cluster-ingress-operator#929: NE-1244: Use fine-grained roles in Azure CredentialsRequest

          Activity

            People

              mihuang@redhat.com Mingxia Huang
              abutcher@redhat.com Andrew Butcher
              Mingxia Huang Mingxia Huang
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: