- Bug
- Resolution: Done
- Major
- None
- 4.13
- Critical
- No
- CFE Sprint 234, CFE Sprint 235, CFE Sprint 236
- 3
- Rejected
- False
Description of problem:
Upstream cert-manager supports Google Workload Identity in GKE clusters; the documentation is at https://cert-manager.io/docs/configuration/acme/dns01/google/#gke-workload-identity , and the procedure described there is specific to GKE clusters.
OCP also supports Google Workload Identity, documented at https://docs.openshift.com/container-platform/4.12/authentication/managing_cloud_provider_credentials/cco-mode-gcp-workload-identity.html , so that OpenShift Container Platform cluster components can impersonate IAM service accounts using short-term, limited-privilege credentials to call Google APIs, as GKE does. For more details, see https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers and https://cloud.google.com/iam/docs/workload-identity-federation .
Nevertheless, on OCP there is no way for the RH cert-manager operand to use Google Workload Identity together with "Ambient Credential Usage" ( https://cert-manager.io/docs/configuration/acme/dns01/google/#enable-ambient-credential-usage ).
Version-Release number of selected component (if applicable):
cert-manager operator bundle 1.10.2-18
How reproducible:
Always
Steps to Reproduce:
1. Install the cert-manager operator.
2. Investigate https://docs.openshift.com/container-platform/4.12/authentication/managing_cloud_provider_credentials/cco-mode-gcp-workload-identity.html#cco-ccoctl-upgrading_wif-mode-upgrading and follow its steps:

    [xxia@2023-03-12 22:26:04 CST cert-manager-test]$ ccoctl gcp create-service-accounts --credentials-requests-dir=credentialsrequest-dir --name=xxia-cert-manager-gsa --project=openshift-qe --workload-identity-pool=xxia-10g-31561 --workload-identity-provider=xxia-10g-31561 --output-dir credentialsrequest-ccoctl-output-2
    ...
    2023/03/12 22:26:39 IAM service account xxia-cert-manager-gsa-cert-manager-gcp created
    2023/03/12 22:26:42 Updated policy bindings for IAM service account xxia-cert-manager-gsa-cert-manager-gcp
    2023/03/12 22:26:42 Saved credentials configuration to: credentialsrequest-ccoctl-output-2/manifests/cert-manager-cloud-credentials-credentials.yaml
    [xxia@2023-03-12 22:27:14 CST cert-manager-test]$ ls credentialsrequest-ccoctl-output-2/manifests/*-credentials.yaml | xargs -I{} oc apply -f {}
    secret/cloud-credentials created
    [xxia@2023-03-12 22:29:32 CST cert-manager-test]$ oc extract secret/cloud-credentials -n cert-manager
    service_account.json   # <- this is the output
    [xxia@2023-03-12 22:34:39 CST cert-manager-test]$ cat service_account.json
    {
      "type": "external_account",
      "audience": "//iam.googleapis.com/projects/<snipped>/locations/global/workloadIdentityPools/xxia-10g-31561/providers/xxia-10g-31561",
      "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
      "token_url": "https://sts.googleapis.com/v1/token",
      "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/xxia-cert-ma-cert-manage-mpsxq@openshift-qe.iam.gserviceaccount.com:generateAccessToken",
      "credential_source": {
        "file": "/var/run/secrets/openshift/serviceaccount/token",
        "format": {
          "type": "text"
        }
      }
    }

3. However, there is no way to make the cert-manager pod mount /var/run/secrets/openshift/serviceaccount/token, the subject token file that this credential configuration points at, so the pod cannot use it to call Google APIs. Users will expect some way to do this, given that OCP announces GCP Workload Identity support: https://docs.openshift.com/container-platform/4.12/authentication/managing_cloud_provider_credentials/cco-mode-gcp-workload-identity.html .
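The credential file above only works if the pod actually has the projected service account token at the path named in credential_source.file. The following added check (not part of this report, and not cert-manager or ccoctl code) loads an external_account credential of that shape, looks for the referenced token file under a given filesystem root, and inspects the token's audience and expiry so the failure mode in step 3 (token file never mounted) is reported explicitly rather than as an opaque auth error. The sample credential is constructed with placeholder identifiers, and the expected token audience "openshift" is an assumption about how OCP projects the token; the JWT is decoded without signature verification because the check is for inspection only (Google STS does the real validation).

```python
import base64
import json
import os
import tempfile
import time

# Constructed sample with the same shape as the service_account.json ccoctl wrote
# in the report; every identifier here is a placeholder, not a real project or pool.
SAMPLE_CREDENTIAL = {
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/"
                "workloadIdentityPools/POOL_ID/providers/PROVIDER_ID",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "service_account_impersonation_url": (
        "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
        "GSA_NAME@PROJECT_ID.iam.gserviceaccount.com:generateAccessToken"
    ),
    "credential_source": {
        "file": "/var/run/secrets/openshift/serviceaccount/token",
        "format": {"type": "text"},
    },
}

TOKEN_PATH = SAMPLE_CREDENTIAL["credential_source"]["file"]


def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def jwt_claims(token: str):
    """Return the payload of a JWT without verifying it (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        return json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None


def check_credential(cred, root="/", expected_audience="openshift", now=None):
    """Return the problems that would stop a pod from exchanging this credential
    for a Google access token; an empty list means it looks usable.
    expected_audience="openshift" is an assumption about the projected token."""
    problems = []
    for field in ("type", "audience", "subject_token_type", "token_url", "credential_source"):
        if field not in cred:
            problems.append(f"missing field: {field}")
    if problems:
        return problems
    if cred["type"] != "external_account":
        problems.append(f"unexpected type {cred['type']!r}, expected external_account")
        return problems
    path = cred["credential_source"].get("file")
    if not path:
        problems.append("credential_source.file is not set (only file sources are handled here)")
        return problems
    full = os.path.join(root, path.lstrip("/"))
    if not os.path.isfile(full):
        # This is the situation the report describes: nothing projects the token into the pod.
        problems.append(f"subject token file {path} is not mounted in this pod")
        return problems
    with open(full, encoding="utf-8") as fh:
        token = fh.read().strip()
    claims = jwt_claims(token)
    if claims is None:
        problems.append(f"{path} does not contain a JWT")
        return problems
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_audience not in auds:
        problems.append(f"token audience {auds} does not include {expected_audience!r}")
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or has no exp claim")
    return problems


def unsigned_test_jwt(claims) -> str:
    """Build a structurally valid JWT with an empty signature, for local testing only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def simulate_pod(token):
    """Run the check against a throwaway filesystem root, with or without the token mounted."""
    with tempfile.TemporaryDirectory() as root:
        if token is not None:
            full = os.path.join(root, TOKEN_PATH.lstrip("/"))
            os.makedirs(os.path.dirname(full))
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(token)
        return check_credential(SAMPLE_CREDENTIAL, root=root)


if __name__ == "__main__":
    print("no token mounted:", simulate_pod(None))
    good = unsigned_test_jwt({"aud": ["openshift"], "exp": int(time.time()) + 3600})
    print("token mounted:   ", simulate_pod(good))
    wrong = unsigned_test_jwt({"aud": ["other"], "exp": int(time.time()) + 3600})
    print("wrong audience:  ", simulate_pod(wrong))
```

Inside a real pod you would call check_credential with the parsed contents of the mounted service_account.json and the default root; the first case printed above is exactly what the report hits, because no volume projects the token to the path the credential names.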
Actual results:
As the steps above show, the RH cert-manager operator has no way to use Ambient Credential Usage with Google CloudDNS ( https://cert-manager.io/docs/configuration/acme/dns01/google/#enable-ambient-credential-usage ).
Expected results:
The RH cert-manager operator should provide a way to use Ambient Credential Usage with Google CloudDNS ( https://cert-manager.io/docs/configuration/acme/dns01/google/#enable-ambient-credential-usage ).