Uploaded image for project: 'OpenShift Cloud Credential Operator'
  1. OpenShift Cloud Credential Operator
  2. CCO-232

Implement ccoctl command to create infrastructure required for Azure workload identity

XMLWordPrintable

      Implement ccoctl command to create the infrastructure necessary for Azure workload identity:

      • Create key pair
      • Azure blob storage container OIDC Issuer
        • OIDC discovery document
        • jkws document
      • User assigned managed identities
      • Federated identity credentials for user assigned managed identities

      From the enhancement proposal,

      The Cloud Credential Operator's command-line utility (ccoctl) will be extended with subcommands for Azure which provide methods for,

      • Generating a key pair to be used for ServiceAccount token signing for a fresh OpenShift cluster.
      • Creating an Azure blob storage container to serve as the OIDC Issuer in which to publish OIDC discovery and JWKS documents needed to establish trust at a publicly available address. This sub-command will output a modified cluster Authentication CR, containing a serviceAccountIssuer pointing to the Azure blob storage container's URL to be provided as a manifest for installation.
      • Creating Managed Identity infrastructure with federated credentials for OpenShift operator ServiceAccounts (identified by namespace & name) and to output secrets containing the clientID of the Managed Identity to be provided as manifests for the installer. This command will process CredentialsRequest custom resources to identify service accounts that will be associated with Managed Identities in Azure as federated credentials. For self-managed installation, CredentialsRequests will be extracted from the release image.
      ➜  ccoctl azure -h
Creating/updating/deleting cloud credentials objects for Azure

Usage:
  ccoctl azure [command]

Available Commands:
  create-all                Create OIDC issuer and managed identities
  create-key-pair           Create a key pair
  create-managed-identities Create Azure Managed Identities
  create-oidc-issuer        Create OIDC Issuer
  delete                    Delete OIDC issuer and managed identities

Flags:
  -h, --help   help for azure

Use "ccoctl azure [command] --help" for more information about a command.

      Azure workload identity documentation: https://azure.github.io/azure-workload-identity/docs/introduction.html

      Pull request: https://github.com/openshift/cloud-credential-operator/pull/523

        1. CCO-232-install.log
          222 kB
        2. create-managed-identities-identity-tags.png
          create-managed-identities-identity-tags.png
          77 kB
        3. create-managed-identities-rolebindings-1.png
          create-managed-identities-rolebindings-1.png
          68 kB
        4. create-managed-identities-roles-2.png
          create-managed-identities-roles-2.png
          78 kB
        5. create-oidc-issuer-resource-group-tags.png
          create-oidc-issuer-resource-group-tags.png
          68 kB
        6. create-oidc-issuer-storage-account-tags.png
          create-oidc-issuer-storage-account-tags.png
          71 kB
        7. Screenshot from 2023-07-06 16-34-24.png
          Screenshot from 2023-07-06 16-34-24.png
          14 kB
        8. 截图 2023-06-29 15-26-55.png
          截图 2023-06-29 15-26-55.png
          241 kB
        9. 截图 2023-06-29 15-35-40.png
          截图 2023-06-29 15-35-40.png
          243 kB

              mihuang@redhat.com Mingxia Huang
              abutcher@redhat.com Andrew Butcher
              Mingxia Huang Mingxia Huang
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: