Details
-
Story
-
Resolution: Done
-
Blocker
-
None
-
None
Description
This effort is dependent on the completion of work for CCO-187, and effort in dependent modules is planned to be worked on by the CCO team unless individual repo owners can help. Operators owners/teams will be expected to review merge requests and complete appropriate QE effort for an openshift release.
- azure-sdk-for-go module dependency updated to support workload identity federation.
- Support for workload identity federation is not yet complete for azure-sdk-for-go. Support is being tracked in the following issues,
- Mount the OIDC token in the operator pod. This needs to go in the deployment. See example from addition to the cluster-image-registry-operator here
ACCEPTANCE CRITERIA
- Upstream distribution/distribution uses azure identity sdk 1.3.0
- openshift/docker-distribution uses the latest upstream distribution/distribution (after the above has merged)
- Green CI
- Every storage driver passes regression tests
OPEN QUESTIONS
- Can DefaultAzureCredential be relied on to transparently use workload identities? (in this case the operator would need to export environment varialbes that DefaultAzureCredential expects for workload identities)
- I have tested manually exporting the required env vars and DefaultAzureCredential correctly detects and attempts to authenticate using federated workload identity, so it works as expected.
Attachments
Issue Links
- blocks
-
-
- Closed
-
- is blocked by
-
IR-387 Investigate necessary changes to distribution
-
- Closed
-
- is depended on by
-
-
- Closed
-
- relates to
-
-
- Closed
-
- links to
