OpenShift Cloud Credential Operator: CCO-232

Implement ccoctl command to create infrastructure required for Azure workload identity


      Implement ccoctl command to create the infrastructure necessary for Azure workload identity:

      • Create key pair
      • Azure blob storage container serving as the OIDC issuer
        • OIDC discovery document
        • JWKS document
      • User-assigned managed identities
      • Federated identity credentials for user-assigned managed identities

      From the enhancement proposal:

      The Cloud Credential Operator's command-line utility (ccoctl) will be extended with subcommands for Azure which provide methods for:

      • Generating a key pair to be used for ServiceAccount token signing for a fresh OpenShift cluster.
      • Creating an Azure blob storage container to serve as the OIDC issuer, in which the OIDC discovery and JWKS documents needed to establish trust are published at a publicly available address. This subcommand will output a modified cluster Authentication CR, containing a serviceAccountIssuer pointing to the Azure blob storage container's URL, to be provided as a manifest for installation.
      • Creating Managed Identity infrastructure with federated credentials for OpenShift operator ServiceAccounts (identified by namespace and name) and outputting secrets containing the clientID of the Managed Identity, to be provided as manifests for the installer. This command will process CredentialsRequest custom resources to identify the service accounts that will be associated with Managed Identities in Azure as federated credentials. For self-managed installation, CredentialsRequests will be extracted from the release image.
      ➜  ccoctl azure -h
      Creating/updating/deleting cloud credentials objects for Azure
      
      Usage:
        ccoctl azure [command]
      
      Available Commands:
        create-all                Create OIDC issuer and managed identities
        create-key-pair           Create a key pair
        create-managed-identities Create Azure Managed Identities
        create-oidc-issuer        Create OIDC Issuer
        delete                    Delete OIDC issuer and managed identities
      
      Flags:
        -h, --help   help for azure
      
      Use "ccoctl azure [command] --help" for more information about a command.
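The following is an added example, not code from the ccoctl project or from the pull request linked below. It shows what the trust-establishing artifacts described above consist of: an RSA key pair whose private half signs ServiceAccount tokens, the OIDC discovery document and JWKS document that publish only the public half at the issuer URL, and the issuer/subject/audience triple that a federated identity credential binds to one ServiceAccount. The issuer URL, namespace and ServiceAccount name are constructed sample values; the kid derivation (base64url of SHA-256 over the PKIX DER public key) matches what kube-apiserver places in the token header, and `api://AzureADTokenExchange` is the audience Azure workload identity expects. ccoctl's real output layout is not reproduced here.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
)

// DiscoveryDocument holds the OIDC provider metadata a relying party (Azure AD,
// when it validates a projected ServiceAccount token) needs to find the signing keys.
type DiscoveryDocument struct {
	Issuer                           string   `json:"issuer"`
	JWKSURI                          string   `json:"jwks_uri"`
	ResponseTypesSupported           []string `json:"response_types_supported"`
	SubjectTypesSupported            []string `json:"subject_types_supported"`
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported"`
}

// JSONWebKey is an RSA public key in JWK form (RFC 7517 / RFC 7518).
type JSONWebKey struct {
	Use string `json:"use"`
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	Alg string `json:"alg"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// JSONWebKeySet is the document served at jwks_uri.
type JSONWebKeySet struct {
	Keys []JSONWebKey `json:"keys"`
}

// FederatedCredential carries the three values Azure checks before trusting a token.
type FederatedCredential struct {
	Issuer    string   `json:"issuer"`
	Subject   string   `json:"subject"`
	Audiences []string `json:"audiences"`
}

// GenerateKeyPair creates the RSA key used to sign ServiceAccount tokens.
func GenerateKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// PrivateKeyPEM serialises the private half (PKCS#1 PEM). It is handed to the
// cluster's token signer and must never be published next to the JWKS.
func PrivateKeyPEM(key *rsa.PrivateKey) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
}

// KeyID derives the kid the same way kube-apiserver does, so the JWKS entry
// matches the kid in issued token headers.
func KeyID(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return base64.RawURLEncoding.EncodeToString(sum[:]), nil
}

// BuildJWKS publishes only the public half, base64url-encoded without padding.
func BuildJWKS(pub *rsa.PublicKey) (*JSONWebKeySet, error) {
	kid, err := KeyID(pub)
	if err != nil {
		return nil, err
	}
	return &JSONWebKeySet{Keys: []JSONWebKey{{
		Use: "sig", Kty: "RSA", Kid: kid, Alg: "RS256",
		N:   base64.RawURLEncoding.EncodeToString(pub.N.Bytes()),
		E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(pub.E)).Bytes()),
	}}}, nil
}

// PublicKeyFromJWK is the relying-party side: rebuild the RSA key from n and e
// and reject exponents that do not fit the int field.
func PublicKeyFromJWK(jwk JSONWebKey) (*rsa.PublicKey, error) {
	if jwk.Kty != "RSA" {
		return nil, fmt.Errorf("unsupported kty %q", jwk.Kty)
	}
	n, err := base64.RawURLEncoding.DecodeString(jwk.N)
	if err != nil {
		return nil, err
	}
	e, err := base64.RawURLEncoding.DecodeString(jwk.E)
	if err != nil {
		return nil, err
	}
	exp := new(big.Int).SetBytes(e)
	if !exp.IsInt64() || exp.Int64() > 1<<31-1 {
		return nil, fmt.Errorf("exponent out of range")
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(exp.Int64())}, nil
}

// BuildDiscoveryDocument points jwks_uri at the Kubernetes well-known path under the issuer URL.
func BuildDiscoveryDocument(issuerURL string) DiscoveryDocument {
	return DiscoveryDocument{
		Issuer:                           issuerURL,
		JWKSURI:                          issuerURL + "/openid/v1/jwks",
		ResponseTypesSupported:           []string{"id_token"},
		SubjectTypesSupported:            []string{"public"},
		IDTokenSigningAlgValuesSupported: []string{"RS256"},
	}
}

// FederatedCredentialFor binds one ServiceAccount to the issuer: the subject is the
// standard Kubernetes SA token subject, the audience the Azure workload identity one.
func FederatedCredentialFor(issuerURL, namespace, name string) FederatedCredential {
	return FederatedCredential{
		Issuer:    issuerURL,
		Subject:   fmt.Sprintf("system:serviceaccount:%s:%s", namespace, name),
		Audiences: []string{"api://AzureADTokenExchange"},
	}
}

func main() {
	key, err := GenerateKeyPair(2048)
	if err != nil {
		panic(err)
	}
	issuer := "https://example.blob.core.windows.net/oidc" // constructed sample issuer URL
	jwks, err := BuildJWKS(&key.PublicKey)
	if err != nil {
		panic(err)
	}
	fc := FederatedCredentialFor(issuer, "openshift-image-registry", "cluster-image-registry-operator") // sample SA
	for _, v := range []interface{}{BuildDiscoveryDocument(issuer), jwks, fc} {
		out, _ := json.MarshalIndent(v, "", "  ")
		fmt.Println(string(out))
	}
	_ = PrivateKeyPEM(key) // written to the key output directory in practice, never to the blob container
}
```

The check worth carrying into any tooling around this: after publishing, fetch `<issuer>/.well-known/openid-configuration` and the `jwks_uri` it names, rebuild the public key from the JWK as `PublicKeyFromJWK` does, and confirm the kid matches the `kid` header of a token projected into a pod; a mismatch in either the issuer URL or the kid is the usual reason a federated credential fails to exchange.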

      Azure workload identity documentation: https://azure.github.io/azure-workload-identity/docs/introduction.html

      Pull request: https://github.com/openshift/cloud-credential-operator/pull/523

        1. CCO-232-install.log
          222 kB
          Mingxia Huang
        2. create-managed-identities-identity-tags.png
          77 kB
          Andrew Butcher
        3. create-managed-identities-rolebindings-1.png
          68 kB
          Andrew Butcher
        4. create-managed-identities-roles-2.png
          78 kB
          Andrew Butcher
        5. create-oidc-issuer-resource-group-tags.png
          68 kB
          Andrew Butcher
        6. create-oidc-issuer-storage-account-tags.png
          71 kB
          Andrew Butcher
        7. Screenshot from 2023-07-06 16-34-24.png
          14 kB
          Andrew Butcher
        8. 截图 2023-06-29 15-26-55.png
          241 kB
          Mingxia Huang
        9. 截图 2023-06-29 15-35-40.png
          243 kB
          Mingxia Huang

              mihuang@redhat.com Mingxia Huang
              abutcher@redhat.com Andrew Butcher
              Mingxia Huang Mingxia Huang