Uploaded image for project: 'OpenShift Image Registry'
  1. OpenShift Image Registry
  2. IR-371

Update docker-distribution to consume Azure workload identity tokens


    • Icon: Story Story
    • Resolution: Done
    • Icon: Blocker Blocker
    • openshift-4.14
    • None
    • None
    • Sprint 236, Sprint 237, Sprint 238

      This effort is dependent on the completion of work for CCO-187, and effort in dependent modules is planned to be worked on by the CCO team unless individual repo owners can help. Operators owners/teams will be expected to review merge requests and complete appropriate QE effort for an openshift release.

      • azure-sdk-for-go module dependency updated to support workload identity federation.
      • Mount the OIDC token in the operator pod. This needs to go in the deployment. See example from addition to the cluster-image-registry-operator here



      • Upstream distribution/distribution uses azure identity sdk 1.3.0
      • openshift/docker-distribution uses the latest upstream distribution/distribution (after the above has merged)
      • Green CI
      • Every storage driver passes regression tests


      • Can DefaultAzureCredential be relied on to transparently use workload identities? (in this case the operator would need to export environment varialbes that DefaultAzureCredential expects for workload identities)
        • I have tested manually exporting the required env vars and DefaultAzureCredential correctly detects and attempts to authenticate using federated workload identity, so it works as expected.

            fmissi Flavian Missi
            mworthin@redhat.com Mike Worthington
            0 Vote for this issue
            4 Start watching this issue