-
Notifications
You must be signed in to change notification settings - Fork 474
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ARO HCP MSI Enablement Enhancement #1659
Conversation
553fe13
to
8bf76be
Compare
LGTM from the image registry side. This EP doesn't cover implementation. For the record, I left an overview of my investigation for MSI support in the registry in IR-460 |
@flavianmissi - I think there would be minor changes to image registry, please see this discussion |
For ARO HCP, we need to override the authentication type to be MSI. For more information please see openshift/enhancements#1659.
For ARO HCP, we be able to override the authentication type to be MSI. For more information please see openshift/enhancements#1659.
The overall idea LGTM from storage side. Passing env. var from control-plane-operator to cluster-storage-operator and from cluster-storage-operator to azure-disk / azure-file-csi-driver-operator is straightforward. It gets quite blurry in the azure-*-csi-driver-operator - it needs to generate the right secret + env vars + whatnot for the driver and we don't have much experience and test env. there. We (storage) expect hypershift to do that. |
/lgtm |
New changes are detected. LGTM label has been removed. |
The proposal LGTM from the Network Edge (ingress) side. |
For ARO HCP, we be able to override the authentication type to be MSI. For more information please see openshift/enhancements#1659.
For ARO HCP, we need to be able to override the authentication type to be MSI. For more information please see openshift/enhancements#1659.
For ARO HCP, we be able to override the authentication type to be MSI. For more information please see openshift/enhancements#1659.
For ARO HCP, we need to be able to override the authentication type to be MSI. For more information please see openshift/enhancements#1659.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are we missing MSI support for other HCP management components?
- KMS pod, capi provider, etc?
### API Extensions | ||
|
||
N/A |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This does not correspond to https://github.com/openshift/hypershift/pull/4484/files#diff-4189d32544d44da5947597ddd941129f67cf3ca329f8fa8abf5da86490ece944R1616
How are operators supposed to read StorageMSIClientID
? That looks like an API extension to me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We will pass in the client ID through an env var to the operator deployments.
Inactive enhancement proposals go stale after 28d of inactivity. See https://github.com/openshift/enhancements#life-cycle for details. Mark the proposal as fresh by commenting If this proposal is safe to close now please do so with /lifecycle stale |
Stale enhancement proposals rot after 7d of inactivity. See https://github.com/openshift/enhancements#life-cycle for details. Mark the proposal as fresh by commenting If this proposal is safe to close now please do so with /lifecycle rotten |
We received the sidecar containers last week and have started integrating them. I updated the enhancement to rename the override variable. Originally, we thought we did not need to set a client ID when creating a new managed identity credential due to the code documentation here - https://github.com/Azure/azure-sdk-for-go/blob/bd891cb0615f6148f9884be97bff7a3e2598bcc6/sdk/azidentity/managed_identity_credential.go#L128. This is not the case and a valid client ID will need to be passed to the operators. |
/remove-lifecycle rotten. |
We (HyperShift) fully control the deployments for CPO, CAPZ, KMS, and Azure CCM so we don't need to pass an env var to those deployments like we do with the other operators mentioned in the enhancement. |
Rotten enhancement proposals close after 7d of inactivity. See https://github.com/openshift/enhancements#life-cycle for details. Reopen the proposal by commenting /close |
@openshift-bot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
/reopen |
@bryan-cox: Reopened this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Rotten enhancement proposals close after 7d of inactivity. See https://github.com/openshift/enhancements#life-cycle for details. Reopen the proposal by commenting /close |
@openshift-bot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
/reopen |
@bryan-cox: Reopened this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Originally, we thought we did not need to set a client ID when creating a new managed identity credential due to the code documentation here - https://github.com/Azure/azure-sdk-for-go/blob/bd891cb0615f6148f9884be97bff7a3e2598bcc6/sdk/azidentity/managed_identity_credential.go#L128. This is not the case and a valid client ID will need to be passed to the operators. Signed-off-by: Bryan Cox <[email protected]>
0e1d9c5
to
e050c0d
Compare
/close Superseded by #1694 |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@bryan-cox: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
This enhancement proposes introducing an environment variable in the image registry, ingress, cloud network config,
and storage operators. This variable would allow overriding the Azure authentication strategy used by these operators to
leverage Azure managed service identity (MSI), regardless of the underlying cloud configuration.
In Azure Red Hat OpenShift (ARO) Hosted Control Plane (HCP), operators running in the control plane need to
authenticate using Azure managed service identities to communicate with cloud services.