  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-2948

Support Azure Pod Identity Webhook in ARO HCP

      Acceptance Criteria

      ARO HCP has a component that deploys the azure-pod-identity webhook for Azure clusters, similar to the ROSA/AWS one, so that customers can annotate their service accounts and label their pods to have the environment variables needed for Azure login via workload identity injected.

      https://azure.github.io/azure-workload-identity/docs/quick-start.html
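A way to check the acceptance criterion above on an admitted pod, as an added example that is not part of the original ticket or the HyperShift code base. The label, annotation, environment variable and audience names are the ones I understand the upstream Azure Workload Identity documentation to use (confirm them against the deployed webhook version); the function name and sample objects are constructed for illustration.

```python
# Added example: verify that a pod was mutated for Azure workload identity.
# Names follow the upstream Azure Workload Identity docs (assumption: defaults unchanged).
USE_LABEL = "azure.workload.identity/use"
CLIENT_ID_ANNOTATION = "azure.workload.identity/client-id"
REQUIRED_ENV = {"AZURE_CLIENT_ID", "AZURE_TENANT_ID",
                "AZURE_FEDERATED_TOKEN_FILE", "AZURE_AUTHORITY_HOST"}
TOKEN_AUDIENCE = "api://AzureADTokenExchange"


def check_injection(pod, service_account):
    """Return a list of problems; an empty list means the pod looks correctly mutated."""
    problems = []
    labels = pod.get("metadata", {}).get("labels", {})
    if labels.get(USE_LABEL) != "true":
        problems.append(f"pod lacks label {USE_LABEL}=true")
    annotations = service_account.get("metadata", {}).get("annotations", {})
    if not annotations.get(CLIENT_ID_ANNOTATION):
        problems.append(f"service account lacks annotation {CLIENT_ID_ANNOTATION}")
    spec = pod.get("spec", {})
    for c in spec.get("containers", []):
        missing = sorted(REQUIRED_ENV - {e["name"] for e in c.get("env", [])})
        if missing:
            problems.append(f"container {c['name']} missing env {missing}")
    # The federated token must come from a projected service account token
    # volume scoped to the token-exchange audience, not the default API audience.
    audiences = {
        src["serviceAccountToken"].get("audience")
        for v in spec.get("volumes", [])
        for src in v.get("projected", {}).get("sources", [])
        if "serviceAccountToken" in src
    }
    if TOKEN_AUDIENCE not in audiences:
        problems.append(f"no projected token volume with audience {TOKEN_AUDIENCE}")
    return problems


# Constructed sample objects (not taken from a real cluster).
SA = {"metadata": {"annotations": {CLIENT_ID_ANNOTATION: "00000000-0000-0000-0000-000000000000"}}}
MUTATED_POD = {
    "metadata": {"labels": {USE_LABEL: "true"}},
    "spec": {
        "containers": [{"name": "app", "env": [{"name": n, "value": "x"} for n in sorted(REQUIRED_ENV)]}],
        "volumes": [{"name": "token", "projected": {"sources": [
            {"serviceAccountToken": {"audience": TOKEN_AUDIENCE, "path": "token"}}]}}],
    },
}
UNMUTATED_POD = {"metadata": {"labels": {}}, "spec": {"containers": [{"name": "app"}]}}
```

Feed it the pod and service account objects as returned by the API server after admission; a non-empty result on a labelled pod indicates the webhook did not run or is misconfigured.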

      ROSA HCP:

      For ROSA, it looks like the pod identity webhook is maintained by the CPO and the pod identity container is deployed alongside the kube-apiserver.

      KAS container: https://github.com/openshift/hypershift/blob/59ec1a8e60f4bbbeeeb4e2801e1ad9d9114b5dd5/control-plane-operator/controllers/hostedcontrolplane/v2/kas/deployment.go#L89-L91
      webhook, cluster role, cluster role binding: https://github.com/openshift/hypershift/blob/59ec1a8e60f4bbbeeeb4e2801e1ad9d9114b5dd5/control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go#L731-L737

              asegurap1@redhat.com Antoni Segura Puimedon
              jboutaud@redhat.com Jerome Boutaud
              Cesar Wong