OpenShift Request For Enhancement: RFE-2784

Allow the definition of jwks_uri using Authentication Operator


Details

    • Type: Feature Request
    • Resolution: Done
    • Priority: Major
    • Component: Auth

    Description

      1. Proposed title of this feature request

      Allow the definition of jwks_uri using Authentication Operator

      2. What is the nature and description of the request?

      Customer needs to enable the Workload Identity with Azure. This means that the OIDC discovery documents of the OpenShift cluster should expose publicly available URLs.

      • The service account issuer exposed by the kube-apiserver can be modified via the spec.serviceAccountIssuer field of the Authentication object, as described in our documentation [1].
      • After changing serviceAccountIssuer, the OIDC discovery document still uses the control plane IP address in the jwks_uri field, and it is not possible to change it.

      The request is to expose a spec field in the Authentication object to define the jwks_uri (which should be reflected in the --service-account-jwks-uri flag of the kube-apiserver).

      Documentation from MS: https://azure.github.io/azure-workload-identity/docs/introduction.html
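      The symptom above can be checked directly against the discovery document the kube-apiserver serves at <issuer>/.well-known/openid-configuration. The following is an added example, not part of this RFE or of OpenShift: it flags a jwks_uri that an external verifier such as Azure Workload Identity could not reach (a non-routable IP literal) or that lives on a different host than the issuer. The two sample documents and their hosts are constructed placeholders.

```python
import ipaddress
import json
from urllib.parse import urlparse

# Constructed sample discovery documents (not from any real cluster). The first models
# the symptom in the RFE: the issuer was changed, but jwks_uri still carries the
# control-plane address. The second models the desired state. Hosts are placeholders.
DISCOVERY_WITH_CONTROL_PLANE_IP = json.dumps({
    "issuer": "https://oidc.example.com/cluster-a",
    "jwks_uri": "https://10.0.0.5:6443/openid/v1/jwks",
    "response_types_supported": ["id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})
DISCOVERY_PUBLIC = json.dumps({
    "issuer": "https://oidc.example.com/cluster-a",
    "jwks_uri": "https://oidc.example.com/cluster-a/openid/v1/jwks",
    "response_types_supported": ["id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def is_non_global_host(host: str) -> bool:
    """True when host is an IP literal that is not globally routable (RFC 1918, loopback, link-local)."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # a DNS name: public reachability must be checked separately


def check_discovery(doc_json: str, expected_issuer: str) -> list:
    """Return findings that stop an external verifier from fetching the signing keys; empty means usable."""
    doc = json.loads(doc_json)
    findings = []
    issuer = doc.get("issuer", "")
    jwks_uri = doc.get("jwks_uri", "")
    if issuer != expected_issuer:
        findings.append(f"issuer is {issuer!r}, expected {expected_issuer!r}")
    if not jwks_uri:
        findings.append("jwks_uri missing from discovery document")
        return findings
    parsed = urlparse(jwks_uri)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        findings.append(f"jwks_uri scheme is {parsed.scheme!r}, expected https")
    if is_non_global_host(host):
        findings.append(f"jwks_uri host {host} is not globally routable")
    if host != (urlparse(issuer).hostname or ""):
        findings.append(f"jwks_uri host {host} differs from issuer host; confirm the external verifier can reach it")
    return findings
```

Against a live cluster, fetch the document with a token that may read the well-known endpoint and pass the serviceAccountIssuer value from the Authentication object as expected_issuer.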

      3. Why does the customer need this? (List the business requirements here)

      Integration of their cluster with Azure applications

      4. List any affected packages or components.

      Authentication

      [1] https://docs.openshift.com/container-platform/4.9/authentication/bound-service-account-tokens.html#bound-sa-tokens-about_bound-service-account-tokens

      People

        Anjali Telang (atelang@redhat.com)
        Gianluca Villani (rhn-support-gvillani, Inactive)
        Votes: 1
        Watchers: 8