-
Epic
-
Resolution: Done
-
Major
-
None
-
None
-
Enable GCP Workload Identity Webhook
-
BU Product Work
-
False
-
None
-
False
-
Not Selected
-
To Do
-
OCPSTRAT-1367 - GCP Workload Identity Webhook
-
OCPSTRAT-1367GCP Workload Identity Webhook
-
0% To Do, 0% In Progress, 100% Done
-
M
Will require following
- fork webhook
- make part of build process + OCP build dockerfile receival
- write CCO controller which deploys the webhook
- see https://github.com/pfnet-research/gcp-workload-identity-federation-webhook
Background
- For AWS, we deploy the AWS STS pod identity webhook as a customer convenience for configuring their applications to utilize service account tokens minted by a cluster that supports STS. When you create a pod that references a service account, the webhook looks for annotations on that service account and if found, the webhook mutates the deployment in order to set environment variables + mounts the service account token on that deployment so that the pod has everything it needs to make an API client.
- Our temporary access token (using TAT in place of STS because STS is AWS specific) enablement for (select) third party operators does not rely on the webhook and is instead using CCO to create a secret containing the variables based on the credentials requests. The service account token is also explicitly mounted for those operators. Pod identity webhooks were considered as an alternative to this approach but weren't chosen.
- Basically, if we deploy this webhook it will be for customer convenience and will enable us to potentially use the Azure pod identity webhook in the future if we so chose. Note that AKS provides this webhook and other clouds like Google offer a webhook solution for configuring customer applications.
- This is about providing parity with other solutions but not required for anything directly related to the product.
If we don't provide this Azure pod identity webhook method, customer would need to get the details via some other way like a secret or set explicitly as environment variables. With the webhook, you just annotate your service account. - For Azure pod identity webhook, see
CCO-363and https://azure.github.io/azure-workload-identity/docs/installation/mutating-admission-webhook.html.
- is related to
-
CCO-426 e2e test AWS pod identity webhook
- To Do
-
CCO-427 e2e test Azure workload identity webhook
- To Do
-
CCO-363 Azure pod identity webhook
- Closed
-
CCO-401 Integrate Azure AD pod identity webhook into ART build process
- Closed
-
CCO-402 ccoctl: Create Azure AD pod identity webhook config secret
- Closed
- relates to
-
CCO-607 CI tests to ensure pod-identity-webhooks function properly
- New
- links to
(1 relates to, 2 links to)