OpenShift Bugs / OCPBUGS-9998

RH cert-manager operator does not work with Google Workload Identity when certmanager/cluster is "managementState: Managed"

    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Affects Version: 4.13
    • Component: cert-manager
    • Critical
    • Sprints: CFE Sprint 234, CFE Sprint 235, CFE Sprint 236
    • 3
    • Rejected

      Description of problem:
      Upstream cert-manager supports Google Workload Identity in GKE clusters; the documentation is https://cert-manager.io/docs/configuration/acme/dns01/google/#gke-workload-identity , and the method described there is for GKE clusters.

      OCP has supported Google Workload Identity (documented at https://docs.openshift.com/container-platform/4.12/authentication/managing_cloud_provider_credentials/cco-mode-gcp-workload-identity.html ), so that OpenShift Container Platform cluster components can impersonate IAM service accounts using short-term, limited-privilege credentials to call Google APIs, like GKE does. For more details, see https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers and https://cloud.google.com/iam/docs/workload-identity-federation .

      Nevertheless, on OCP there is no way for the RH cert-manager operand to use Google Workload Identity with "Ambient Credential Usage" ( https://cert-manager.io/docs/configuration/acme/dns01/google/#enable-ambient-credential-usage ).

      Version-Release number of selected component (if applicable):

      cert-manager operator bundle 1.10.2-18

      How reproducible:

      Always

      Steps to Reproduce:

      1. Install cert-manager operator
      2. Follow the steps in https://docs.openshift.com/container-platform/4.12/authentication/managing_cloud_provider_credentials/cco-mode-gcp-workload-identity.html#cco-ccoctl-upgrading_wif-mode-upgrading :
      
      [xxia@2023-03-12 22:26:04 CST cert-manager-test]$ ccoctl gcp create-service-accounts --credentials-requests-dir=credentialsrequest-dir --name=xxia-cert-manager-gsa --project=openshift-qe --workload-identity-pool=xxia-10g-31561 --workload-identity-provider=xxia-10g-31561 --output-dir credentialsrequest-ccoctl-output-2
      ...
      2023/03/12 22:26:39 IAM service account xxia-cert-manager-gsa-cert-manager-gcp created
      2023/03/12 22:26:42 Updated policy bindings for IAM service account xxia-cert-manager-gsa-cert-manager-gcp
      2023/03/12 22:26:42 Saved credentials configuration to: credentialsrequest-ccoctl-output-2/manifests/cert-manager-cloud-credentials-credentials.yaml
      
      [xxia@2023-03-12 22:27:14 CST cert-manager-test]$ ls credentialsrequest-ccoctl-output-2/manifests/*-credentials.yaml | xargs -I{} oc apply -f {}
      secret/cloud-credentials created
      
      [xxia@2023-03-12 22:29:32 CST cert-manager-test]$ oc extract secret/cloud-credentials -n cert-manager
      service_account.json  # <- this is the output
      
      [xxia@2023-03-12 22:34:39 CST cert-manager-test]$ cat service_account.json
      {
            "type": "external_account",
            "audience": "//iam.googleapis.com/projects/<snipped>/locations/global/workloadIdentityPools/xxia-10g-31561/providers/xxia-10g-31561",
            "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
            "token_url": "https://sts.googleapis.com/v1/token",
            "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/xxia-cert-ma-cert-manage-mpsxq@openshift-qe.iam.gserviceaccount.com:generateAccessToken",
            "credential_source": {
              "file": "/var/run/secrets/openshift/serviceaccount/token",
              "format": {
                    "type": "text"
              }
          }
      }
      
      3. However, there is no way to have the /var/run/secrets/openshift/serviceaccount/token injected into the cert-manager pod so that it can call Google APIs. Users will expect some way to do this, given that OCP announces GCP Workload Identity support: https://docs.openshift.com/container-platform/4.12/authentication/managing_cloud_provider_credentials/cco-mode-gcp-workload-identity.html .

      Actual results:

      As shown in the steps above, the RH cert-manager operator has no way to use Ambient Credential Usage with Google Cloud DNS ( https://cert-manager.io/docs/configuration/acme/dns01/google/#enable-ambient-credential-usage ).

      Expected results:

      The RH cert-manager operator should provide a way to use Ambient Credential Usage with Google Cloud DNS ( https://cert-manager.io/docs/configuration/acme/dns01/google/#enable-ambient-credential-usage ).
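The steps above stop at the point where the `external_account` credential file exists but nothing puts the token it names inside the operand pod. The script below is an added example, not part of this bug report and not code from the cert-manager operator or OpenShift: it checks whether a pod spec is actually wired up for such a credential (env var set, credential file under a mount, and the token path served by a projected ServiceAccount token with the expected audience) and builds the volume/mount/env patch that wiring needs. Assumptions not on the page: the token audience "openshift", a one-hour token lifetime, the Secret mount directory, and the volume and container names; the Secret name `cloud-credentials` and its `service_account.json` key come from step 2.

```python
"""Check and build the pod wiring a GCP Workload Identity (external_account) credential
file needs. Added example for this bug report, not operator or OpenShift code.
Assumptions (not stated on the page): token audience "openshift" (what OCP's Cloud
Credential Operator projects for its operands), 1 h token lifetime, and the
volume, mount and env names chosen below."""
import json
import os

# Constructed credential file, shaped like the one `oc extract` produced in step 2
# (project number and service-account e-mail are placeholders).
CREDENTIALS_JSON = json.dumps({
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/123456789012/locations/global/"
                "workloadIdentityPools/xxia-10g-31561/providers/xxia-10g-31561",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/"
        "serviceAccounts/cert-manager@example.iam.gserviceaccount.com:generateAccessToken",
    "credential_source": {
        "file": "/var/run/secrets/openshift/serviceaccount/token",
        "format": {"type": "text"},
    },
})

TOKEN_AUDIENCE = "openshift"               # assumption, see module docstring
CREDENTIALS_MOUNT_DIR = "/.config/gcloud"  # assumption: where the Secret gets mounted


def parse_credentials(raw):
    """Parse an external_account credential file; return (config, token file path)."""
    cfg = json.loads(raw)
    if cfg.get("type") != "external_account":
        raise ValueError("not a workload identity credential: type=%r" % cfg.get("type"))
    src = cfg.get("credential_source", {})
    if "file" not in src or src.get("format", {}).get("type") != "text":
        raise ValueError("credential_source must be a text-format file source")
    return cfg, src["file"]


def projected_token_volume(token_path, name="bound-sa-token", expiration=3600):
    """Projected ServiceAccount token volume + mount that makes token_path exist in the
    container, signed for the audience the workload identity provider trusts."""
    mount_dir, file_name = os.path.split(token_path)
    volume = {"name": name, "projected": {"sources": [{"serviceAccountToken": {
        "audience": TOKEN_AUDIENCE, "expirationSeconds": expiration, "path": file_name}}]}}
    mount = {"name": name, "mountPath": mount_dir, "readOnly": True}
    return volume, mount


def find_problems(pod_spec, raw_credentials):
    """Reasons why containers in pod_spec cannot use the credential; [] means wired up."""
    _, token_path = parse_credentials(raw_credentials)
    token_dir, token_file = os.path.split(token_path)
    volumes = {v["name"]: v for v in pod_spec.get("volumes", [])}
    problems = []
    for c in pod_spec.get("containers", []):
        env = {e["name"]: e.get("value") for e in c.get("env", [])}
        mounts = {m["name"]: m["mountPath"] for m in c.get("volumeMounts", [])}
        gac = env.get("GOOGLE_APPLICATION_CREDENTIALS")
        if not gac:
            problems.append("%s: GOOGLE_APPLICATION_CREDENTIALS not set" % c["name"])
        elif not any(gac.startswith(p.rstrip("/") + "/") for p in mounts.values()):
            problems.append("%s: %s is not under any volume mount" % (c["name"], gac))
        # The file named by credential_source.file must come from a projected
        # serviceAccountToken source with the right audience, not from any random volume.
        token_ok = False
        for name, path in mounts.items():
            if path.rstrip("/") != token_dir:
                continue
            for s in volumes.get(name, {}).get("projected", {}).get("sources", []):
                sat = s.get("serviceAccountToken", {})
                if sat.get("path") == token_file and sat.get("audience") == TOKEN_AUDIENCE:
                    token_ok = True
        if not token_ok:
            problems.append("%s: no projected token with audience %r at %s"
                            % (c["name"], TOKEN_AUDIENCE, token_path))
    return problems


def wire_up(pod_spec, raw_credentials, secret_name="cloud-credentials"):
    """Copy of pod_spec with the credentials Secret and the projected token mounted and
    GOOGLE_APPLICATION_CREDENTIALS pointing at the Secret's service_account.json key."""
    _, token_path = parse_credentials(raw_credentials)
    spec = json.loads(json.dumps(pod_spec))  # deep copy; leave the input untouched
    tok_vol, tok_mount = projected_token_volume(token_path)
    cred_vol = {"name": "cloud-credentials", "secret": {"secretName": secret_name}}
    cred_mount = {"name": "cloud-credentials", "mountPath": CREDENTIALS_MOUNT_DIR,
                  "readOnly": True}
    spec.setdefault("volumes", []).extend([tok_vol, cred_vol])
    for c in spec["containers"]:
        c.setdefault("volumeMounts", []).extend([tok_mount, cred_mount])
        c.setdefault("env", []).append({"name": "GOOGLE_APPLICATION_CREDENTIALS",
                                        "value": CREDENTIALS_MOUNT_DIR + "/service_account.json"})
    return spec


# The operand pod as the operator reconciles it in this report: no token, no credentials.
MANAGED_POD_SPEC = {"containers": [{"name": "cert-manager-controller"}]}

if __name__ == "__main__":
    print(find_problems(MANAGED_POD_SPEC, CREDENTIALS_JSON))
    fixed = wire_up(MANAGED_POD_SPEC, CREDENTIALS_JSON)
    print(find_problems(fixed, CREDENTIALS_JSON))
    print(json.dumps(fixed, indent=2))
```

Run stand-alone, the first `find_problems` call reports both gaps for the bare operand pod and the second returns an empty list for the patched spec. Because the operator reconciles the operand Deployment while `certmanager/cluster` is `managementState: Managed`, the output of `wire_up` is what the operator itself would have to inject, not something to apply by hand; the check also rejects a token that is merely present on disk but not projected for the expected audience, which is the failure mode an STS exchange against the provider would otherwise surface only at runtime.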

            Assignee: Swarup Ghosh (swghosh@redhat.com)
            Reporter: Xingxing Xia (xxia-1)
            Participants: Anjali Telang, Swarup Ghosh, Thejas N (Inactive)