Uploaded image for project: 'OpenShift Container Platform (OCP) Strategy'
  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-1232

Enable Azure managed identity with Azure AD workload identity for self-managed OpenShift for Azure Stack Hub

    XMLWordPrintable

Details

    • False
    • Hide

      None

      Show
      None
    • False
    • OCPSTRAT-10Install and update OpenShift on Infrastructure Providers
    • 0
    • 0% 0%
    • 0
    • 0
    • Program Call

    Description

      Feature Overview

      • As a self-managed OpenShift on Azure administrator, I want to be create and manage OpenShift clusters using Azure managed identities for Azure resources for authentication, in conjunction with Azure AD workload identities to access Azure cloud resources securely in Azure Stack Hub.

      Goals

      • As an administrator, I want to deploy OpenShift 4 and run Operators on Azure using access controls (IAM roles) with temporary, limited privilege credentials in Microsoft Azure Government regions.
      • Note: The Azure MI/WI feature was introduced in OpenShift 4.14 for self-managed OpenShift (OCPSTRAT-513) and is available in all Azure regions where Azure MI/WI is available.
      • This does not yet work in Microsoft Azure Government regions and Azure Stack Hub, and this feature aims to address adding support for Azure Stack Hub..

      Requirements

      • Azure managed identities and workload identities must work for installation with all install methods including IPI and UPI, work with upgrades, and day-to-day cluster lifecycle operations.
      • Support HyperShift and non-HyperShift clusters.
      • Support use of Operators with Azure managed identities.
      • Support in all Azure regions where Azure managed identity and Azure AD workload identity is available. Note: Federated credentials is associated with Azure Managed Identity, and federated credentials is not available in all Azure regions.

       

      This Section: A list of specific needs or objectives that a Feature must deliver to satisfy the Feature.. Some requirements will be flagged as MVP. If an MVP gets shifted, the feature shifts. If a non MVP requirement slips, it does not shift the feature.

      Requirement Notes isMvp?
      CI - MUST be running successfully with test automation This is a requirement for ALL features. YES
      Release Technical Enablement Provide necessary release enablement details and documents. YES

      (Optional) Use Cases

      This Section:

      • Main success scenarios - high-level user stories
      • Alternate flow/scenarios - high-level user stories
      • ...

      Questions to answer…

      • ...

      Out of Scope

      Background, and strategic fit

      This Section: What does the person writing code, testing, documenting need to know? What context can be provided to frame this feature.

      Assumptions

      • ...

      Customer Considerations

      • ...

      Documentation Considerations

      Questions to be addressed:

      • What educational or reference material (docs) is required to support this product feature? For users/admins? Other functions (security officers, etc)?
      • Does this feature have doc impact?
      • New Content, Updates to existing content, Release Note, or No Doc Impact
      • If unsure and no Technical Writer is available, please contact Content Strategy.
      • What concepts do customers need to understand to be successful in [action]?
      • How do we expect customers will use the feature? For what purpose(s)?
      • What reference material might a customer want/need to complete [action]?
      • Is there source material that can be used as reference for the Technical Writer in writing the content? If yes, please link if available.
      • What is the doc impact (New Content, Updates to existing content, or Release Note)?

      References

      Attachments

        Issue Links

          clones

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPSTRAT-1231 Enable Azure managed identity with Azure AD workload identity for self-managed OpenShift for Microsoft Azure Government regions

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • New
          relates to

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. CCO-456 Support migration to Azure Managed Identity

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Testing

          Activity

            People

              julim Ju Lim
              julim Ju Lim
              Antoni Segura Puimedon, Ju Lim, Marcos Entenza Garcia, Mike Worthington, Patrick Dillon
              Jianping Shu Jianping Shu
              Stephanie Stout Stephanie Stout
              Scott Dodson Scott Dodson
              Jeremiah Stuever Jeremiah Stuever
              Dave Mulford Dave Mulford
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated: