OpenShift Container Platform (OCP) Strategy
OCPSTRAT-2173

Allow hosted cluster that uses external OIDC providers to be created with empty client secret


      Color Status: Green
      Status summary: Dev complete, pending QE verification.
      Overview

      For XCMSTRAT-574, to support an external auth IdP in ARO, Microsoft requires that all secrets be managed by the customer. Unlike the ROSA implementation of the external auth IdP, where users hand the client secret to Cluster Service, which persists it, users in ARO will create the client secret manually in the guest cluster.

      The current HyperShift implementation requires spec.oidcProviders.oidcClients.clientSecret to be set in the HostedCluster resource. Since Cluster Service will not handle the client secret in ARO, it must be able to create a HostedCluster without providing the clientSecret.

      If the client secret is not specified, HyperShift will use a default name for the secret, where it will expect a secret with that name to be manually created on the hosted cluster.

      See the ARO DDR for additional details: https://docs.google.com/document/d/1XOqs_JUlcXq0C2P6WEbmgmAurhgQEWkXQPmAyheneM8/edit?tab=t.0

      Updates (26.06.2025)

      The following is the new approach for supporting day-2 OIDC client secrets (see the comment below for the background).

      1. HyperShift will support day-2 client secrets by allowing HyperShift operators (i.e. ARO-HCP) to provide a client secret name that refers to an empty Secret resource in the HostedCluster's namespace carrying a special annotation that designates it as a day-2 secret.
      2. For those day-2 secrets, HCCO will not reconcile them onto the hosted cluster.
      3. Once the end user creates the expected secret on the hosted cluster in the openshift-config namespace, HCCO will update the Authentication resource with the full client details (this prevents components from breaking before the secret exists).
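The decision logic described in the three steps above, together with the default-name fallback from the Overview, as an added worked example. This is a simplified stand-alone model written for this issue page, not HyperShift's or HCCO's own code: the annotation key, the `clientSecret` data key, the default secret naming scheme and the `Secret`/`OIDCClient` structs are all assumptions, and plain maps stand in for the two Kubernetes namespaces. What it shows is the control-plane invariant the design relies on: a day-2 Secret in the HostedCluster namespace must stay empty, and the Authentication resource is only updated once the customer-created secret is present on the hosted cluster.

```go
package main

import "fmt"

// Placeholder annotation key: the page says a "special annotation" marks a
// day-2 secret but does not name it, so this value is assumed, not HyperShift's.
const day2Annotation = "example.invalid/day2-oidc-client-secret"

// clientSecretKey is the Secret data key assumed to hold the OIDC client secret.
const clientSecretKey = "clientSecret"

// Secret is a minimal stand-in for a Kubernetes Secret (no client-go needed).
type Secret struct {
	Name        string
	Annotations map[string]string
	Data        map[string][]byte
}

// OIDCClient mirrors the page's spec.oidcProviders.oidcClients entry.
type OIDCClient struct {
	ClientID         string
	ClientSecretName string // empty: HyperShift falls back to a default name
}

// Action is what HCCO should do for one client on a reconcile pass.
type Action int

const (
	CopyToHostedCluster  Action = iota // day-1: secret is in the HostedCluster namespace and is reconciled to the guest
	WaitForUserSecret                  // day-2: expected guest secret not created yet; leave Authentication untouched
	PublishClientDetails               // day-2: guest secret present; write full client details to Authentication
)

func (a Action) String() string {
	return [...]string{"CopyToHostedCluster", "WaitForUserSecret", "PublishClientDetails"}[a]
}

// defaultClientSecretName models the fallback used when clientSecret is omitted.
// The naming scheme is an assumption; the page only says a default name exists.
func defaultClientSecretName(c OIDCClient) string {
	return c.ClientID + "-client-secret"
}

// decide returns the action for one client plus the secret name it resolved to.
// hcNamespace holds secrets in the HostedCluster's namespace (management side);
// guestOpenshiftConfig holds secrets in openshift-config on the hosted cluster.
func decide(c OIDCClient, hcNamespace, guestOpenshiftConfig map[string]Secret) (Action, string, error) {
	name := c.ClientSecretName
	day2 := false

	if name == "" {
		// Overview rule: no clientSecret given -> default name, expected on the hosted cluster.
		name = defaultClientSecretName(c)
		day2 = true
	} else {
		src, ok := hcNamespace[name]
		if !ok {
			return 0, name, fmt.Errorf("client %q: secret %q not found in HostedCluster namespace", c.ClientID, name)
		}
		if src.Annotations[day2Annotation] == "true" {
			// Day-2 marker: the management-side object must stay empty so the
			// control plane never holds the customer's secret material.
			if len(src.Data) != 0 {
				return 0, name, fmt.Errorf("client %q: day-2 secret %q must be empty", c.ClientID, name)
			}
			day2 = true
		} else if len(src.Data[clientSecretKey]) == 0 {
			return 0, name, fmt.Errorf("client %q: secret %q has no %q key", c.ClientID, name, clientSecretKey)
		}
	}

	if !day2 {
		return CopyToHostedCluster, name, nil
	}
	guest, ok := guestOpenshiftConfig[name]
	if !ok || len(guest.Data[clientSecretKey]) == 0 {
		return WaitForUserSecret, name, nil
	}
	return PublishClientDetails, name, nil
}

func main() {
	// Constructed sample state: one annotated day-2 secret, one day-1 secret.
	hc := map[string]Secret{
		"console-secret": {Name: "console-secret", Annotations: map[string]string{day2Annotation: "true"}},
		"cli-secret":     {Name: "cli-secret", Data: map[string][]byte{clientSecretKey: []byte("constructed-day1-value")}},
	}
	// Constructed: the customer has already created the console secret on the guest.
	guest := map[string]Secret{
		"console-secret": {Name: "console-secret", Data: map[string][]byte{clientSecretKey: []byte("constructed-user-value")}},
	}
	clients := []OIDCClient{
		{ClientID: "console", ClientSecretName: "console-secret"},
		{ClientID: "cli", ClientSecretName: "cli-secret"},
		{ClientID: "kube-apiserver"}, // clientSecret omitted: default-name path
	}
	for _, c := range clients {
		a, name, err := decide(c, hc, guest)
		fmt.Printf("%-15s secret=%-28s action=%v err=%v\n", c.ClientID, name, a, err)
	}
}
```

The empty-data check on the annotated secret is the piece a reviewer would want to see enforced: if a populated secret were accepted under the day-2 annotation, the control plane would end up holding customer secret material that the ARO requirement says it must never persist.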

              People: Ahmed Abdalla Abdelrehim (rh-ee-aabdelre), Philip Wu (phwu@redhat.com), Seth Jennings, Martin Gencur, Andrew Jones, Senthamilarasu S
              Votes: 0
              Watchers: 13