Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-17209

CCM Azure Credentials Injector AzureWorkloadIdentity featuregate logic will fail when feature is promoted to the default featureset

XMLWordPrintable

    • No
    • Proposed
    • False
    • Hide

      None

      Show
      None

      Description of problem:

      The Azure credentials injector within CCCMO enforces a single authentication method as either being client secret or workload identity. This enforcement includes logic which is based on the AzureWorkloadIdentity feature gate having been enabled or disabled.

If the AzureWorkloadIdentity feature gate were to be promoted to the default featureset, logic in the Azure credentials injector would fail as configured by azure-{file,disk}-csi-driver-operator(s) because the injector would recognize that AzureWorkloadIdentity had been requested in non-AzureWorkloadIdentity based clusters but require that Azure AD Workload Identity fields have been provided in the credentials secret provided by CCO.

Azure file and disk csi drivers provide an argument "--enable-azure-workload-identity" to the Azure credentials injector when the AzureWorkloadIdentity feature gate is enabled. This argument would be set in all installation scenarios, including clusters which do not utilize Azure AD Workload Identity.

      Version-Release number of selected component (if applicable):

      4.14.0

      How reproducible:

      100% with "--enable-azure-workload-identity" argument set to "true" on non Azure AD Workload Identity Clusters.

      Steps to Reproduce:

      1. Modify Azure Disk or File CSI driver operators to always enable Azure Workload Identity for the CCCMO Azure Credentials Injector. https://github.com/openshift/azure-disk-csi-driver-operator/blob/b8411e15cee397732f0d8e10c11840fe78221b98/pkg/operator/starter.go#L288-L292
2. Install an Azure OpenShift cluster which uses passthrough credentials rather than using Azure AD Workload Identity.
3. Observe CCCMO Azure credentials injector require that Azure AD Workload Identity configuration has been provided via CCO created secrets.

2023-07-28T18:57:28.962679214Z Error: workload identity method failed: AZURE_FEDERATED_TOKEN_FILE environment variable not found or empty

      Actual results:

      AzureWorkloadIdentity cannot be promoted to the default featureset without causing failure for non-Azure AD Workload Identity Azure clusters.

      Expected results:

      AzureWorkloadIdentity can be promoted to the default featureset without causing failure for non-Azure AD Workload Identity Azure clusters.

      Additional info:

      Discovered while testing conversion from MSI (system-assigned identity) to CCO provided credentials in CCM and Node manager. https://github.com/openshift/cluster-cloud-controller-manager-operator/pull/268#issuecomment-1656341358

       

            jstuever@redhat.com Jeremiah Stuever
            abutcher@redhat.com Andrew Butcher
            Mingxia Huang Mingxia Huang
            Votes:
            0 Vote for this issue
            Watchers:
            10 Start watching this issue

              Created:
              Updated:
              Resolved: