  1. OpenShift Cloud Credential Operator
  2. CCO-456

Support migration to Azure Managed Identity

    • [Spike] Support migration to Azure Managed Identity
    • BU Product Work
    • To Do
    • OCPSTRAT-1185 - In-place migration to Microsoft Entra Workload ID for self-managed OpenShift on Azure
    • 0% To Do, 0% In Progress, 100% Done
      May 6: Waiting for OCPBUGS-32948.

      Goal

      Spike to evaluate whether we can provide an automated way to support migration to Azure Managed Identity (preferred), a documented and supported manual method for customers to perform the migration themselves (second option), or no migration support at all.

      This spike will evaluate the options, scope the level of effort (sizing), and make a recommendation on next steps.

      Feature request

      Support migration to Azure Managed Identity

      Feature description

      Many customers would like to migrate to Azure Managed Identity but have numerous existing clusters and an aversion to supporting two concurrent operational requirements. They would therefore like to migrate existing Azure clusters to Managed Identity in a safe manner after those clusters have been upgraded to a version of OCP that supports the feature (4.14+).

      Why?

      Provide a uniform operational experience for all clusters running versions that support Azure Managed Identity, without having to decommission long-running clusters.

      Other considerations

      • Disruption to the customer's workload.
      • Has to be closely coordinated with the update effort to minimize disruption.
      • Tokenized operators and other layered products: the work is not yet done (OCP 4.15/4.16 plans), has to be done manually for now, and may not cover the full set.
      • If we grant this for Azure MI/WI, we will likely need to also do this for STS and GCP WIF.
      • If we grant this, would we do this for self-managed and managed OpenShift (ARO)?

              Mark Old (rh-ee-mold)
              Ju Lim (julim)
              Mingxia Huang
              Jeana Routh
              Scott Dodson
              Scott Dodson
              Ju Lim
              Eric Rich