Uploaded image for project: 'OpenShift Cloud Credential Operator'
  1. OpenShift Cloud Credential Operator
  2. CCO-372

Implement Azure Workload Identity

XMLWordPrintable

    • Icon: Story Story
    • Resolution: Done
    • Icon: Critical Critical
    • openshift-4.15
    • openshift-4.13, openshift-4.14
    • None
    • Strategic Product Work
    • False
    • None
    • False
    • OCPSTRAT-517 - CloudCredentialOperator-based flow for OLM-managed operators and Azure Identity

      Summary:

      Similar to work done for AWS STS (https://issues.redhat.com/browse/CCO-286), enable in CCO a new workflow (see EP PR [here|https://github.com/openshift/enhancements/pull/1339)] to detect when temporary authentication tokens (TAT) (workload identity credential) are in use on a cluster. {{}}

      Important details:

      Detection that workload identity credentials (TAT) are in use will mean CCO is in Manual mode and the Service Account has a non-empty Service Account Issuer field.

      This workflow will be triggered by additions to the CredentialsRequest for an operator:

      spec.cloudTokenString
      spec.cloudTokenPath

      Acceptance Criteria:

      When OCP is running on an Azure platform with temporary authentication tokens enabled, CCO will detect this and on the presence of properly annotated CredentialsRequest create a Secret to allow Azure SDK calls for Azure resources to succeed.

              lgallett Lance Galletti
              btofelrh Brett Tofel
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: