OpenShift Cloud Credential Operator
CCO-372

Implement Azure Workload Identity


Details

    • Story
    • Resolution: Done
    • Critical
    • openshift-4.15
    • openshift-4.13, openshift-4.14
    • None
    • False
    • None
    • False
    • OCPSTRAT-517 - CloudCredentialOperator-based flow for OLM-managed operators and Azure Identity

    Description

      Summary:

      Similar to the work done for AWS STS (https://issues.redhat.com/browse/CCO-286), enable a new workflow in CCO (see the enhancement proposal PR [here|https://github.com/openshift/enhancements/pull/1339]) that detects when temporary authentication tokens (TAT), i.e. workload identity credentials, are in use on a cluster.

      Important details:

      Workload identity credentials (TAT) are detected as in use when CCO is in Manual mode and the Service Account has a non-empty Service Account Issuer field.

      This workflow will be triggered by additions to the CredentialsRequest for an operator:

      spec.cloudTokenString
      spec.cloudTokenPath

      Acceptance Criteria:

      When OCP is running on an Azure platform with temporary authentication tokens enabled, CCO will detect this and, when a properly annotated CredentialsRequest is present, create a Secret that allows Azure SDK calls against Azure resources to succeed.

            People

              lgallett Lance Galletti
              btofelrh Brett Tofel