  1. Observability and Data Analysis Program
  2. OBSDA-319

OpenShift Loki Operator WIF Support Missing.


      1. Proposed title of this feature request
      OpenShift Loki Operator WIF Support

      2. What is the nature and description of the request?
      OpenShift Loki Operator does not support WIF (Workload Identity Federation) out of the box, unlike some of the other Red Hat Operators.

      When a customer passes in a JSON to use WIF with External Accounts (instead of a service account key), the Operator does not project a secret with the openshift audience token.

      Example JSON:

      {
        "audience": "//iam.googleapis.com/projects/locations/global/workloadIdentityPools/sb105-g8c5z/providers/sb105-g8c5z",
        "credential_source": {
          "file": "/var/run/secrets/openshift/serviceaccount/token",
          "format": {
            "type": "text"
          }
        },
        "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/xxxx.iam.gserviceaccount.com:generateAccessToken",
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "token_url": "https://sts.googleapis.com/v1/token",
        "type": "external_account"
      }
      

      An example of projecting the Secret (refer to system operators for other examples):

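      # Container level (under spec.containers[]): mount the projected token
      volumeMounts:
        - name: bound-sa-token
          mountPath: /var/run/secrets/openshift/serviceaccount
          readOnly: true
      # Pod level (under spec): project a bound service account token
      # with the "openshift" audience at <mountPath>/token
      volumes:
        - name: bound-sa-token
          projected:
            sources:
              - serviceAccountToken:
                  audience: openshift
                  expirationSeconds: 3600
                  path: token
            defaultMode: 420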
      

      Their workaround: set the CR to Unmanaged after it stands up, and modify the Deployments/StatefulSets.

      3. Why does the customer need this? (List the business requirements here)
      This is needed to achieve Zero Trust.

      4. List any affected packages or components.
      OpenShift Loki Operator Custom Resource

      Customer is Ford Motor Company.
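
      A way to detect the gap described in this request, as an added example that is not part of the original ticket or the Loki Operator's code: it checks whether each container in a pod spec can actually read the file named in `credential_source.file` from a projected service account token with the expected audience. The function name, the container name `loki` and both sample dictionaries are constructed for illustration.

```python
import posixpath

# Constructed sample: credential configuration shaped like the one in this request.
CRED = {
    "type": "external_account",
    "credential_source": {
        "file": "/var/run/secrets/openshift/serviceaccount/token",
        "format": {"type": "text"},
    },
}

# Constructed sample: pod spec fragment carrying the projection from this request.
POD_OK = {
    "containers": [{
        "name": "loki",  # hypothetical container name
        "volumeMounts": [{"name": "bound-sa-token", "readOnly": True,
                          "mountPath": "/var/run/secrets/openshift/serviceaccount"}],
    }],
    "volumes": [{
        "name": "bound-sa-token",
        "projected": {"sources": [{"serviceAccountToken": {
            "audience": "openshift", "expirationSeconds": 3600, "path": "token"}}]},
    }],
}

def token_projection_gaps(cred, pod_spec, audience="openshift"):
    """Return names of containers that cannot read credential_source.file."""
    if cred.get("type") != "external_account":
        raise ValueError("not an external_account credential configuration")
    token_file = posixpath.normpath(cred["credential_source"]["file"])
    # Map volume name -> token paths projected with the expected audience.
    projected = {}
    for vol in pod_spec.get("volumes", []):
        for src in vol.get("projected", {}).get("sources", []):
            sat = src.get("serviceAccountToken")
            if sat and sat.get("audience") == audience:
                projected.setdefault(vol["name"], []).append(sat["path"])
    gaps = []
    for c in pod_spec.get("containers", []):
        # Absolute paths at which this container sees a matching token.
        files = {
            posixpath.normpath(posixpath.join(m["mountPath"], p))
            for m in c.get("volumeMounts", [])
            for p in projected.get(m["name"], [])
        }
        if token_file not in files:
            gaps.append(c["name"])
    return gaps
```

      An empty result means every container has the token file the credential configuration points at; a non-empty result lists the containers where the token exchange would fail for lack of the projected file.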

            jamparke@redhat.com Jamie Parker
            rhn-support-sparpate Silvia Parpatekar