Uploaded image for project: 'OpenShift Container Platform (OCP) Strategy'
  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-961

OCP Console support for short-lived token enablement of OLM-managed operators using Azure Identity


    • False
    • Hide


    • False
    • OCPSTRAT-6Tokenized Auth Enablement for OLM-managed Operators on Cloud Providers
    • 0% To Do, 0% In Progress, 100% Done
    • 0
    • Program Call

      Feature Overview

      Users of the OpenShift Console leverage a streamlined, visual experience when discovering and installing OLM-managed operators in clusters that run on cloud providers with support for short-lived token authentication enabled. Users are intuitively becoming aware when this is the case and are put on the happy path to configure OLM-managed operators with the necessary information to support Azure Identity.



      Customers do not need to re-learn how to enable Azure Managed Identity authentication support for each and every OLM-managed operator that supports it. The experience is standardized and repeatable so customers spend less time with initial configuration and more team implementing business value. The process is so easy that OpenShift is perceived as enabler for an increased security posture.



      • based on OCPSTRAT-517, the installation and configuration experience for any OLM-managed operator using short-lived token authentication is streamlined using the OCP console in the form of a guided process that avoids misconfiguration or unexpected behavior of the operators in question
      • the OCP Console helps in detecting when the cluster itself is already using Azure Identity for core functionality
      • the OCP Console helps discover operators capable of Azure Identity authentication and their IAM permission requirements
      • the OCP Console drives the collection of the required information for Azure Identity authentication at the right stages of the installation process and stops the process when the information is not provided
      • the OCP Console implements this process with minimal differences across different cloud providers and is capable of adjusting the terminology depending on the cloud provider that the cluster is running on


      Use Cases:

      • A cluster admin browses the OperatorHub catalog and looks at the details view of a particular operator, there they discover that the cluster is configured for Azure Identity
      • A cluster admin browsing the OperatorHub catalog content can filter for operators that support the Azure Identity flow described in OCPSTRAT-517
      • A cluster admin reviewing the details of a particular operator in the OperatorHub view can discover that this operator supports Azure Identity authentication
      • A cluster admin installing a particular operator can get information about the Azure IAM permission requirements the operator has
      • A cluster admin installing a particular operator is asked to provide Azure Service Principal that is required for Azure Identity prior to the actual installation step and is prevented from continuing without this information
      • A cluster admin reviewing an installed operators with support for Azure Identity can discover the related CredentialRequest object that the operator created in an intuitive way (not generically via related objects that have an ownership reference or as part of the InstallPlan)

      Out of Scope

      • update handling and blocking in case of increased permission requirements in the next / new version of the operator
      • more complex scenarios with multiple service principals resulting in multiple CredentialRequest objects used by a single operator



      The OpenShift Console today provides little to no support for configuring OLM-managed operators for short-lived token authentication. Users are generally unaware if their cluster runs on a cloud provider and is set up to use short-lived tokens for its core functionality and users are not aware which operators have support for that by implementing the respective flows defined in OCPSTRAT-517.

      Customer Considerations

      Customers may or may not be aware about short-lived token authentication support. They need to proper context and pointers to follow-up documentation to explain the general concept and the specific configuration flow the Console supports. It needs to become clear that the Console cannot 100% automate the overall process and some steps need to be run outside of the cluster/Console using Cloud-provider specific tooling.

            DanielMesser Daniel Messer
            DanielMesser Daniel Messer
            Jakub Hadvig, Lance Galletti
            Yanping Zhang Yanping Zhang
            Ashley Hardin Ashley Hardin
            Samuel Padgett Samuel Padgett
            Ali Mobrem Ali Mobrem
            Senthamilarasu S Senthamilarasu S
            0 Vote for this issue
            6 Start watching this issue