Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

HOSTEDCP-1542: hcco: expose Azure federated token files #4010

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

stevekuznetsov
Copy link
Contributor

hcco: expose Azure federated token files

Expect components to use Azure workload identity, propagate those
secrets from the HyperShift Operator to each individual HostedCluster
namespace, then to the guest clusters themselves.

Signed-off-by: Steve Kuznetsov skuznets@redhat.com


Expect components to use Azure workload identity, propagate those
secrets from the HyperShift Operator to each individual HostedCluster
namespace, then to the guest clusters themselves.

Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 9, 2024
@openshift-ci-robot
Copy link

openshift-ci-robot commented May 9, 2024

@stevekuznetsov: This pull request references HOSTEDCP-1542 which is a valid jira issue.

In response to this:

hcco: expose Azure federated token files

Expect components to use Azure workload identity, propagate those
secrets from the HyperShift Operator to each individual HostedCluster
namespace, then to the guest clusters themselves.

Signed-off-by: Steve Kuznetsov skuznets@redhat.com


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from enxebre and sjenning May 9, 2024 17:43
@openshift-ci openshift-ci bot added area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release area/hypershift-operator Indicates the PR includes changes for the hypershift operator and API - outside an OCP release and removed do-not-merge/needs-area labels May 9, 2024
Copy link
Contributor

openshift-ci bot commented May 9, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: stevekuznetsov
Once this PR has been reviewed and has the lgtm label, please assign enxebre for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

// +required
Credentials corev1.LocalObjectReference `json:"credentials"`
TenantID string `json:"tenantID,omitempty"`
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FWIW a quick review of the forums, etc, shows that this (and the subscription ID) are not secret values.

func AzureFederatedTokenCredentialSecretData(name, infraID string, config *hyperv1.AzurePlatformSpec) map[string][]byte {
return map[string][]byte{
"azure_region": []byte(config.Location),
"azure_resource_prefix": []byte(name + "-" + infraID),
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The conversation here does not explicitly list the resource prefix and resource-group, but I can't imagine it will hurt?

// +kubebuilder:validation:Required
// +immutable
// +required
IngressClientID string `json:"ingressClientID"`
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All of these we should be able to get super easily by using ccoctl from the release payload, but the node-pool management and CPO are going to be something we need to figure out and encode into CredentialsRequests ourselves.

Copy link
Contributor

openshift-ci bot commented May 9, 2024

@stevekuznetsov: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-azure 1efdba4 link false /test e2e-azure
ci/prow/unit 1efdba4 link true /test unit
ci/prow/verify 1efdba4 link true /test verify
ci/prow/e2e-ibmcloud-roks 1efdba4 link false /test e2e-ibmcloud-roks
ci/prow/e2e-ibmcloud-iks 1efdba4 link false /test e2e-ibmcloud-iks
ci/prow/e2e-aws 1efdba4 link true /test e2e-aws
ci/prow/e2e-kubevirt-aws-ovn 1efdba4 link true /test e2e-kubevirt-aws-ovn
ci/prow/images 1efdba4 link true /test images

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@stevekuznetsov
Copy link
Contributor Author

/hold

We should just use ccoctl and not do this.

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release area/hypershift-operator Indicates the PR includes changes for the hypershift operator and API - outside an OCP release do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants