Uploaded image for project: 'OpenShift Image Registry'
  1. OpenShift Image Registry
  2. IR-370

Update image-registry to consume Azure workload identity tokens

    XMLWordPrintable

Details

    • Story
    • Resolution: Done
    • Blocker
    • openshift-4.14
    • None
    • None
    • Sprint 237, Sprint 238

    Description

      This effort is dependent on the completion of work for CCO-187, and effort in dependent modules is planned to be worked on by the CCO team unless individual repo owners can help. Operators owners/teams will be expected to review merge requests and complete appropriate QE effort for an openshift release.

      • azure-sdk-for-go module dependency updated to support workload identity federation.
      • Mount the OIDC token in the operator pod. This needs to go in the deployment. See example from addition to the cluster-image-registry-operator here

       

      ACCEPTANCE CRITERIA

      • image-registry uses latest openshift/docker-distribution
      • CIRO can detect when the creds it gets from CCO are for federated workload identity (the credentials secret will contain a "azure_federated_token_file")
      • when using federated workload identity, CIRO adds the "AZURE_FEDERATED_TOKEN_FILE" env var to the image-registry deployment
      • when using federated workload identity, CIRO does not add the "REGISTRY_STORAGE_AZURE_ACCOUNTKEY" env var to the image-registry deployment
      • the image-registry operates normally when using federated workload identity

      Attachments

        Issue Links

          blocks

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. IR-344 Review: Update image-registry to consume Azure workload identity tokens

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          is depended on by

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. CCO-235 Update OpenShift operators to consume Azure workload identity tokens

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          links to

          GitHub openshift/cluster-image-registry-operator#857: IR-369,IR-370: support Azure workload identity

          Activity

            People

              fmissi Flavian Missi
              mworthin@redhat.com Mike Worthington
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: