Uploaded image for project: 'OpenShift Installer'
  1. OpenShift Installer
  2. CORS-1888

Support for Azure Managed Identities for new OpenShift deployments

    XMLWordPrintable

Details

    • Support for Azure Managed Identities for new OpenShift deployments
    • False
    • False
    • Green
    • To Do
    • OCPSTRAT-506 - ARO Managed Identity
    • OCPSTRAT-506ARO Managed Identity
    • 100
    • 100% 100%
    • Hide

      09/8/23

      Docs awaiting review by devs.

      22/6/23
      Code has merged - QE testing and docs remaining

      5/6/23

      We decided that requiring user IDs is not a problem (see https://issues.redhat.com/browse/CORS-2611). Work is complete and awaiting dev review.

      5/5/23
      Rafael Fonseca dos Santos is going to be creating a further story to capture the step 2 implementation of this work (CORS-2372 to cover step 1) since we do not know if it is possible to implement this without the requirement for the user to add IDs manually due to terraform. Step 1 will be to implement based on user input required and is almost complete. Step 2 to investigate removing the need for users to add IDs manually.

      Show
      09/8/23 Docs awaiting review by devs. 22/6/23 Code has merged - QE testing and docs remaining 5/6/23 We decided that requiring user IDs is not a problem (see https://issues.redhat.com/browse/CORS-2611 ). Work is complete and awaiting dev review. 5/5/23 Rafael Fonseca dos Santos is going to be creating a further story to capture the step 2 implementation of this work ( CORS-2372 to cover step 1) since we do not know if it is possible to implement this without the requirement for the user to add IDs manually due to terraform. Step 1 will be to implement based on user input required and is almost complete. Step 2 to investigate removing the need for users to add IDs manually.
    • Approved

    Description

      Epic Goal

      • Enable the OpenShift Installer to authenticate using authentication methods supported by both the azure sdk for go and the terraform azure provider
      • Future proofing to enable Terraform support for workload identity authentication when it is enabled upstream

      Why is this important?

      • This ties in to the larger OpenShift goal of: as an infrastructure owner, I want to deploy OpenShift on Azure using Azure Managed Identities (vs. using Azure Service Principal) for authentication and authorization.
      • Customers want support for using Azure managed identities in lieu of using an Azure service principal. In the OpenShift documentation, we are directed to use an Azure Service Principal - "Azure offers the ability to create service accounts, which access, manage, or create components within Azure. The service account grants API access to specific services". However, Microsoft and the customer would prefer that we use User Managed Identities to keep from putting the Service Principal and principal password in clear text within the azure.conf file. 
      • See https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation for additional information.

      Scenarios

      1. ...

      Acceptance Criteria

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.
      • ...

      Dependencies (internal and external)

      1. ...

      Previous Work (Optional):

      1. ...

      Open questions::

      1. ...

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

      Attachments

        Issue Links

          is depended on by

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. CCO-187 Azure Managed Identity (Workload Identity) Support

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. HIVE-1876 Azure managed identity (workload identity) Hive support

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Outcome - Organizational objective focused on a measurable outcome. May be in support of larger strategic goals. XCMSTRAT-5 Azure Security

          • Undefined - Priority not specified.
          • New
          relates to

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. STOR-1072 Azure Disk support for managed identities

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. STOR-1073 Azure File support for managed identities

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Activity

            People

              rdossant Rafael Fonseca dos Santos
              julim Ju Lim
              Jinyun Ma Jinyun Ma
              Votes:
              0 Vote for this issue
              Watchers:
              13 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: