  1. OpenShift Installer
  2. CORS-1888

Support for Azure Managed Identities for new OpenShift deployments

    • Strategic Product Work
    • False
    • False
    • Green
    • Done
    • OCPSTRAT-506 - ARO Managed Identity
    • 0% To Do, 0% In Progress, 100% Done

      09/8/23

      Docs awaiting review by devs.

      22/6/23
      Code has merged - QE testing and docs remaining

      5/6/23

      We decided that requiring user IDs is not a problem (see https://issues.redhat.com/browse/CORS-2611). Work is complete and awaiting dev review.

      5/5/23
      Rafael Fonseca dos Santos is going to be creating a further story to capture the step 2 implementation of this work (CORS-2372 to cover step 1) since we do not know if it is possible to implement this without the requirement for the user to add IDs manually due to Terraform. Step 1 will be to implement based on user input required and is almost complete. Step 2 is to investigate removing the need for users to add IDs manually.

    • Approved

      Epic Goal

      • Enable the OpenShift Installer to authenticate using authentication methods supported by both the Azure SDK for Go and the Terraform Azure provider
      • Future-proof the installer so that Terraform support for workload identity authentication can be enabled once it is available upstream

      Why is this important?

      • This ties in to the larger OpenShift goal of: as an infrastructure owner, I want to deploy OpenShift on Azure using Azure Managed Identities (vs. using Azure Service Principal) for authentication and authorization.
      • Customers want support for using Azure managed identities in lieu of using an Azure service principal. In the OpenShift documentation, we are directed to use an Azure Service Principal - "Azure offers the ability to create service accounts, which access, manage, or create components within Azure. The service account grants API access to specific services". However, Microsoft and the customer would prefer that we use User Managed Identities to keep from putting the Service Principal and principal password in clear text within the azure.conf file. 
      • See https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation for additional information.

      Scenarios

      1. ...

      Acceptance Criteria

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.
      • ...

      Dependencies (internal and external)

      1. ...

      Previous Work (Optional):

      1. ...

      Open questions:

      1. ...

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

            rdossant Rafael Fonseca dos Santos
            julim Ju Lim
            Jinyun Ma Jinyun Ma