[HIVE-1794] Azure first party service principal support (OpenShift Hive)


For SDE-1447 we need Hive (and the installer as a result) to support first party service principals. First party apps are a special kind of app which must be used by resource providers (RPs) to access resources in customer tenants.

Currently Hive and the installer only support cluster provisioning and management using a service principal provided by a customer. This is the service principal specified in ClusterDeployment: spec.platform.azure.credentialsSecretRef. It is the same service principal which ends up inside the provisioned cluster for further in-cluster operations such as machine set scaling, etc.

      Now that we are adding Hive into Azure Red Hat OpenShift RP this has to change to meet the requirements for the first party resource providers. We need to split responsibilities between two service principals:

• The first party service principal must be used for cluster provisioning, deprovisioning and any other operations which require a call from the RP (Hive/installer) to the Azure API to manage resources in a customer subscription.
• The "regular" service principal provided by the customer must be used for in-cluster operations (machine set scaling, etc.).


Eric Fried added a comment -

Yes, as far as I'm concerned. We can always reopen it.

Mike Worthington added a comment -

efried.openshift jaharrin shall we close as won't do given we believe HIVE-1989 is what we need?

Eric Fried added a comment -

Tracking the above via HIVE-1989, setting this card back to TODO (though I'm not sure what it'll be used for).

Eric Fried added a comment -

Scoping this card to enable adding/overriding installer manifests via a Secret rather than a ConfigMap.

Patrick Dillon added a comment -

jaharrin the installer card is CORS-2027. This would cover enabling installer and terraform auth with first party service principals.

If you want to use different creds for the installer and the cluster, the manifest `openshift/99_cloud-creds-secret.yaml` can be edited before install to use a different credential. So if the goal is to use a first party service principal for install but not the cluster, you can add a new service principal to that manifest and the first party service principal would never be in the cluster.
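The split of responsibilities from the description (first party service principal for provisioning, customer service principal inside the cluster) and the manifest edit Patrick describes above, as an added example that is not part of this ticket, of Hive, or of the installer. It rewrites a stand-in for `openshift/99_cloud-creds-secret.yaml` so the in-cluster credential is the customer's service principal, then checks that neither the plain nor the base64-encoded form of the first party credential survives in the manifest. The manifest layout, the `azure_*` data keys and every credential value are assumptions constructed for the example, not values from the page.

```python
# Added example: swap the credential embedded in the installer's Azure
# cloud-credentials Secret manifest and verify the installer's own (first
# party) service principal is not left behind. Manifest layout and data keys
# are assumed; all identifiers and secrets below are constructed samples.
import base64
import re


def b64(value: str) -> str:
    """Encode a string the way Kubernetes Secret 'data' fields are stored."""
    return base64.b64encode(value.encode()).decode()


# Constructed sample values; none are real identifiers.
FIRST_PARTY_CLIENT_ID = "11111111-aaaa-4bbb-8ccc-000000000001"
FIRST_PARTY_CLIENT_SECRET = "first-party-secret-CONSTRUCTED"
CUSTOMER_CLIENT_ID = "22222222-dddd-4eee-9fff-000000000002"
CUSTOMER_CLIENT_SECRET = "customer-secret-CONSTRUCTED"

# Constructed stand-in for openshift/99_cloud-creds-secret.yaml as the installer
# would generate it when it is authenticated with the first party principal.
SAMPLE_MANIFEST = f"""apiVersion: v1
kind: Secret
metadata:
  name: azure-credentials
  namespace: kube-system
type: Opaque
data:
  azure_client_id: {b64(FIRST_PARTY_CLIENT_ID)}
  azure_client_secret: {b64(FIRST_PARTY_CLIENT_SECRET)}
  azure_subscription_id: {b64("33333333-0000-4000-8000-000000000003")}
  azure_tenant_id: {b64("44444444-0000-4000-8000-000000000004")}
  azure_region: {b64("eastus")}
"""

# One indented "key: value" line, as found under a Secret's data: block.
_DATA_LINE = re.compile(r"^(\s+)([A-Za-z0-9_.-]+):\s*(\S+)\s*$")


def parse_secret_data(manifest: str) -> dict:
    """Return the decoded key/value pairs under the manifest's data: block.

    A deliberately small line-oriented reader: enough for the flat Secret the
    installer writes, so the example needs no YAML library.
    """
    decoded = {}
    in_data = False
    for line in manifest.splitlines():
        if line.strip() == "data:":
            in_data = True
            continue
        if in_data:
            m = _DATA_LINE.match(line)
            if not m:  # first non-indented line ends the data: block
                break
            decoded[m.group(2)] = base64.b64decode(m.group(3)).decode()
    return decoded


def replace_credentials(manifest: str, client_id: str, client_secret: str) -> str:
    """Swap only the client id/secret lines; every other data key is kept."""
    out = []
    for line in manifest.splitlines():
        m = _DATA_LINE.match(line)
        if m and m.group(2) == "azure_client_id":
            line = f"{m.group(1)}azure_client_id: {b64(client_id)}"
        elif m and m.group(2) == "azure_client_secret":
            line = f"{m.group(1)}azure_client_secret: {b64(client_secret)}"
        out.append(line)
    return "\n".join(out) + "\n"


def principal_absent(manifest: str, client_id: str, client_secret: str) -> bool:
    """True when neither the plain nor the base64 form of the given
    credential appears anywhere in the manifest text."""
    needles = (client_id, client_secret, b64(client_id), b64(client_secret))
    return not any(n in manifest for n in needles)


if __name__ == "__main__":
    rewritten = replace_credentials(
        SAMPLE_MANIFEST, CUSTOMER_CLIENT_ID, CUSTOMER_CLIENT_SECRET
    )
    data = parse_secret_data(rewritten)
    print("in-cluster client id:", data["azure_client_id"])
    print(
        "first party principal absent:",
        principal_absent(rewritten, FIRST_PARTY_CLIENT_ID, FIRST_PARTY_CLIENT_SECRET),
    )
```

The check in `principal_absent` is the part worth keeping in any real pipeline: the manifest is base64-encoded, so a grep for the raw client id alone would miss an unedited line.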

Mike Worthington added a comment -

jaharrin is investigating alternate config to work around

              efried.openshift Eric Fried
              mradchuk@redhat.com Mikalai Radchuk (Inactive)