Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable Authenticating with Azure with Certificates using Azure SDK for Go's Generic NewDefaultAzureCredential #1694

Open
wants to merge 6 commits into
base: master
Choose a base branch
from

Conversation

bryan-cox
Copy link
Member

@bryan-cox bryan-cox commented Oct 7, 2024

This enhancement proposes enabling image registry, ingress, cloud network config, and storage operators(azure-file and azure-disk) to accept authenticating with Azure with certificates using Azure SDK for Go's generic function NewDefaultAzureCredential.

  1. Ingress - Refactor to use Azure SDK default cred chain
  2. Image Registry - Refactor to use Azure SDK default cred chain
  3. Cluster Network Operator PR
  4. Cloud Network Config - Refactor to use Azure SDK default cred chain
  5. Cluster Storage Operator PR
  6. CSI Operator - Separate Azure Authentication for Azure File and Disk - TBD adding the secrets CSI volume and volume mount for Azure file and disk

Copy link
Contributor

openshift-ci bot commented Oct 7, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign enxebre for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Signed-off-by: Bryan Cox <[email protected]>
Copy link

@bennerv bennerv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also should capture AZURE_CLIENT_SEND_CERTIFICATE_CHAIN but you said there's be followup.

Otherwise lgtm

enhancements/hypershift/enable-azure-creds-via-cert.md Outdated Show resolved Hide resolved
bryan-cox and others added 2 commits October 7, 2024 16:34
Signed-off-by: Bryan Cox <[email protected]>
Co-authored-by: Ben Vesel <[email protected]>
Copy link
Member

@flavianmissi flavianmissi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left a question about the image registry (operand). Looks good otherwise!

HyperShift would pass the following environment variables - AZURE_CLIENT_ID, AZURE_TENANT_ID, and
AZURE_CLIENT_CERTIFICATE_PATH - to its deployments of image registry, ingress, cloud network config, and storage
operators (azure-file and azure-disk) on the hosted control plane. Each of these components would then pass these
variables along to NewDefaultAzureCredential.
Copy link
Member

@flavianmissi flavianmissi Oct 8, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When configured with workload identity, the image registry operator will configure the image registry in a similar fashion to what's described in this EP (source).
Do we need to consider this when changing the operator code to use these env vars? In other words, do we also want the image registry (operand!) to authenticate using this proposed mechanism?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah probably so. On ARO HCP, on the HCP side image registry will authenticate with the cert method, while the operand would use workload identity.

Copy link
Contributor

openshift-ci bot commented Oct 23, 2024

@bryan-cox: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/markdownlint c1e875c link true /test markdownlint

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-bot
Copy link

Inactive enhancement proposals go stale after 28d of inactivity.

See https://github.com/openshift/enhancements#life-cycle for details.

Mark the proposal as fresh by commenting /remove-lifecycle stale.
Stale proposals rot after an additional 7d of inactivity and eventually close.
Exclude this proposal from closing by commenting /lifecycle frozen.

If this proposal is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants