-
Notifications
You must be signed in to change notification settings - Fork 296
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HOSTEDCP-1542: hcco: expose Azure federated token files #4010
base: main
Are you sure you want to change the base?
HOSTEDCP-1542: hcco: expose Azure federated token files #4010
Conversation
Expect components to use Azure workload identity, propagate those secrets from the HyperShift Operator to each individual HostedCluster namespace, then to the guest clusters themselves. Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
@stevekuznetsov: This pull request references HOSTEDCP-1542 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: stevekuznetsov The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
// +required | ||
Credentials corev1.LocalObjectReference `json:"credentials"` | ||
TenantID string `json:"tenantID,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FWIW a quick review of the forums, etc, shows that this (and the subscription ID) are not secret values.
func AzureFederatedTokenCredentialSecretData(name, infraID string, config *hyperv1.AzurePlatformSpec) map[string][]byte { | ||
return map[string][]byte{ | ||
"azure_region": []byte(config.Location), | ||
"azure_resource_prefix": []byte(name + "-" + infraID), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The conversation here does not explicitly list the resource prefix and resource-group, but I can't imagine it will hurt?
// +kubebuilder:validation:Required | ||
// +immutable | ||
// +required | ||
IngressClientID string `json:"ingressClientID"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All of these we should be able to get super easily by using ccoctl
from the release payload, but the node-pool management and CPO are going to be something we need to figure out and encode into CredentialsRequests
ourselves.
@stevekuznetsov: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
/hold We should just use |
hcco: expose Azure federated token files
Expect components to use Azure workload identity, propagate those
secrets from the HyperShift Operator to each individual HostedCluster
namespace, then to the guest clusters themselves.
Signed-off-by: Steve Kuznetsov skuznets@redhat.com