Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-18246

Azure AD Workload Identity does not work with bring your own vnet

    XMLWordPrintable

Details

    • Moderate
    • No
    • Rejected
    • False
    • Hide

      None

      Show
      None

    Description

      Description of problem:

      Role assignment for Azure AD Workload Identity performed by ccoctl does not provide an option to scope role assignments to a resource group containing customer vnet in a byo vnet installation workflow.

https://docs.openshift.com/container-platform/4.13/installing/installing_azure/installing-azure-vnet.html

      Version-Release number of selected component (if applicable):

      4.14.0

      How reproducible:

      100%

      Steps to Reproduce:

      1. Create Azure resource group and vnet for OpenShift within that resource group.
2. Create Azure AD Workload Identity infrastructure with ccoctl.
3. Follow steps to configure existing vnet for installation setting networkResourceGroupName within the install config.
4. Attempt cluster installation.

      Actual results:

      Cluster installation fails.

      Expected results:

      Cluster installation succeeds.

      Additional info:

      ccoctl must be extended to accept a parameter specifying the network resource group name and scope relevant component role assignments to the network resource group in addition to the installation resource group.

      Attachments

        Issue Links

          blocks

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-19865 Azure AD Workload Identity does not work with bring your own vnet

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed

          Task - Represents a small unit of work that is not end-user facing. CCO-380 CI Integration-Azure Managed Identity (Workload Identity) Support

          • Undefined - Priority not specified.
          • Closed
          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-19865 Azure AD Workload Identity does not work with bring your own vnet

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed
          is duplicated by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-19047 When creating an Azure Workload Identity cluster on an existing vnet, the creation failed due to permission errors.

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          links to

          GitHub openshift/cloud-credential-operator#597: OCPBUGS-18246: Add networkResourceGroupName parameter for Azure

          Web Link RHEA-2023:7198 rpm

          Activity

            People

              rh-ee-mold Mark Old
              abutcher@redhat.com Andrew Butcher
              Mingxia Huang Mingxia Huang
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: