Feature
Resolution: Done
Undefined
Logging 5.9
1. Proposed title of this feature request
OpenShift Loki Operator WIF Support
2. What is the nature and description of the request?
The OpenShift Loki Operator does not support WIF out of the box, unlike some of the other Red Hat Operators.
When a customer passes in a JSON credential file to use WIF with an External Account (instead of a service account key), the Operator does not project a Secret containing a service account token with the openshift audience.
Example JSON:
{
  "audience": "//iam.googleapis.com/projects/locations/global/workloadIdentityPools/sb105-g8c5z/providers/sb105-g8c5z",
  "credential_source": {
    "file": "/var/run/secrets/openshift/serviceaccount/token",
    "format": {
      "type": "text"
    }
  },
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/xxxx.iam.gserviceaccount.com:generateAccessToken",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "type": "external_account"
}
An example of projecting the Secret (refer to system operators for other examples):
volumeMounts:
  - name: bound-sa-token
    mountPath: /var/run/secrets/openshift/serviceaccount
    readOnly: true
volumes:
  - name: bound-sa-token
    projected:
      sources:
        - serviceAccountToken:
            audience: openshift
            expirationSeconds: 3600
            path: token
      defaultMode: 420
Their workaround: set the CR to Unmanaged after it stands up, and modify the Deployments/StatefulSets by hand.
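An added check, not part of this request or of the Loki Operator, that validates an external_account credential file against the projected token it points at: it confirms the file type, that no long-lived service account key is embedded, that credential_source.file is the projected token path, and that the token's aud claim is openshift (the GCP STS audience in the JSON is a different value and is not compared). The JSON and the unsigned sample JWT are constructed; project, pool, provider and service account names are placeholders.

```python
import base64
import json

# Constructed credential file shaped like the request's example (placeholder ids).
EXTERNAL_ACCOUNT_JSON = json.dumps({
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/000/locations/global/workloadIdentityPools/example-pool/providers/example-provider",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/example@example.iam.gserviceaccount.com:generateAccessToken",
    "credential_source": {"file": "/var/run/secrets/openshift/serviceaccount/token", "format": {"type": "text"}},
})

EXPECTED_TOKEN_PATH = "/var/run/secrets/openshift/serviceaccount/token"
EXPECTED_AUDIENCE = "openshift"  # audience set on the projected serviceAccountToken volume


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_sample_token(audience):
    """Constructed, unsigned JWT shaped like a projected SA token; the signature is a dummy."""
    header = _b64url({"alg": "RS256", "kid": "example"})
    claims = _b64url({"aud": [audience], "sub": "system:serviceaccount:openshift-logging:example", "exp": 0})
    return f"{header}.{claims}.dummysig"


def jwt_claims(token):
    """Decode the claims segment only; this inspects aud and does not verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_wif_config(cred_json, token):
    """Return a list of findings; an empty list means credential file and projected token line up."""
    findings = []
    cred = json.loads(cred_json)
    if cred.get("type") != "external_account":
        findings.append("credential type is not external_account")
    if "private_key" in cred:
        findings.append("credential embeds a long-lived service account key")
    src = cred.get("credential_source", {})
    if src.get("file") != EXPECTED_TOKEN_PATH:
        findings.append(f"credential_source.file {src.get('file')!r} is not the projected token path")
    if src.get("format", {}).get("type") != "text":
        findings.append("credential_source.format.type should be text for a raw JWT file")
    aud = jwt_claims(token).get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if EXPECTED_AUDIENCE not in aud:
        findings.append(f"projected token audience {aud} does not include {EXPECTED_AUDIENCE!r}")
    return findings
```

In a real pod the token would be read from EXPECTED_TOKEN_PATH rather than constructed.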
3. Why does the customer need this? (List the business requirements here)
This is needed to achieve Zero Trust.
4. List any affected packages or components.
OpenShift Loki Operator Custom Resource
Customer is Ford Motor Company.
is depended on by: OCPSTRAT-1377 GCP WIF enablement for critical OLM-managed operators (In Progress)
is incorporated by: OBSDA-527 Enable Grafana support for cloud providers in Loki (Closed)