-
Story
-
Resolution: Done
-
Critical
-
openshift-4.13, openshift-4.14
-
None
-
False
-
None
-
False
-
OCPSTRAT-517 - CloudCredentialOperator-based flow for OLM-managed operators and Azure Identity
-
-
This is a clone of issue CCO-372. The following is the description of the original issue:
—
Summary:
Similar to work done for AWS STS (https://issues.redhat.com/browse/CCO-286), enable in CCO a new workflow (see EP PR [here|https://github.com/openshift/enhancements/pull/1339)] to detect when temporary authentication tokens (TAT) (workload identity credential) are in use on a cluster. {{}}
Important details:
Detection that workload identity credentials (TAT) are in use will mean CCO is in Manual mode and the Service Account has a non-empty Service Account Issuer field.
This workflow will be triggered by additions to the CredentialsRequest for an operator:
spec.cloudTokenString
spec.cloudTokenPath
Acceptance Criteria:
When OCP is running on an Azure platform with temporary authentication tokens enabled, CCO will detect this and on the presence of properly annotated CredentialsRequest create a Secret to allow Azure SDK calls for Azure resources to succeed.
- clones
-
-
- Closed
-
- is blocked by
-
-
- Closed
-
- is duplicated by
-
OCPBUGS-25275 [release 4.14] Azure Workload Identity Management for layered products (OLM operators)
-
- Closed
-
- links to
