- Feature
- Resolution: Done
- Critical
- openshift-4.14
- Strategic Product Work
- False
- False
- 0% To Do, 0% In Progress, 100% Done
- 0
- Program Call
- Approved
Feature Overview
- Customers want to create and manage OpenShift clusters using managed identities for Azure resources for authentication.
Goals
- A customer using ARO wants to spin up an OpenShift cluster with "az aro create" without needing additional input, i.e. without an AD account or service principal credentials; the identity used is never visible to the customer and cannot appear in the cluster.
- As an administrator, I want to deploy OpenShift 4 and run Operators on Azure using access controls (IAM roles) with temporary, limited privilege credentials.
Requirements
- Azure managed identities must work for installation with all install methods including IPI and UPI, work with upgrades, and day-to-day cluster lifecycle operations.
- Support HyperShift and non-HyperShift clusters.
- Support use of Operators with Azure managed identities.
- Support in all Azure regions where Azure managed identity is available. Note: federated credentials are associated with Azure Managed Identity, and federated credentials are not available in all Azure regions.
More details at ARO managed identity scope and impact.
This Section: A list of specific needs or objectives that a Feature must deliver to satisfy the Feature. Some requirements will be flagged as MVP. If an MVP requirement gets shifted, the feature shifts. If a non-MVP requirement slips, it does not shift the feature.
Requirement | Notes | isMvp? |
---|---|---|
CI - MUST be running successfully with test automation | This is a requirement for ALL features. | YES |
Release Technical Enablement | Provide necessary release enablement details and documents. | YES |
(Optional) Use Cases
This Section:
- Main success scenarios - high-level user stories
- Alternate flow/scenarios - high-level user stories
- ...
Questions to answer…
- ...
Out of Scope
- …
Background and strategic fit
This Section: What does the person writing code, testing, documenting need to know? What context can be provided to frame this feature.
Assumptions
- ...
Customer Considerations
- ...
Documentation Considerations
Questions to be addressed:
- What educational or reference material (docs) is required to support this product feature? For users/admins? Other functions (security officers, etc)?
- Does this feature have doc impact?
  - New Content, Updates to existing content, Release Note, or No Doc Impact
  - If unsure and no Technical Writer is available, please contact Content Strategy.
- What concepts do customers need to understand to be successful in [action]?
- How do we expect customers will use the feature? For what purpose(s)?
- What reference material might a customer want/need to complete [action]?
- Is there source material that can be used as reference for the Technical Writer in writing the content? If yes, please link if available.
- What is the doc impact (New Content, Updates to existing content, or Release Note)?
References
- https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
- https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation
- https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identities-overview
- https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview
- blocks
  - RFE-1773 Support for managed identity in Azure to fetch protected assets from Azure Storage (Accepted)
  - OCPSTRAT-517 CloudCredentialOperator-based flow for OLM-managed operators and Azure Identity (Closed)
- causes
  - OCPSTRAT-1185 In-place migration to Microsoft Entra Workload ID for self-managed OpenShift on Azure (Closed)
- depends on
  - CCO-282 Azure OpenShift role granularity for Azure managed identity (Release Pending)
  - CCO-187 Azure Managed Identity (Workload Identity) Support (Closed)
  - OCPSTRAT-513 Azure managed identity with Azure AD workload identity for self-managed OpenShift (Closed)
- is cloned by
  - OCPSTRAT-513 Azure managed identity with Azure AD workload identity for self-managed OpenShift (Closed)
- is related to
  - HOSTEDCP-432 Lifecycle Hosted Clusters in HyperShift via Managed Identities (In Progress)
  - RFE-3157 Azure Workload Identity Federation (Accepted)
  - OCPSTRAT-1448 Eliminate installer-aro fork of OpenShift Installer (Phase I) (In Progress)
- split to
  - CCO-422 ARO Workload identity 4.15 items (CAPI) (Closed)
  - OCPSTRAT-909 ARO Managed Identity Phase II (Closed)
- links to
- mentioned on