cert-manager-operator
CM-262: Updates for Azure ambient credentials
- Update `docs/cloud_credentials.md` for adding Azure Workload Identity steps.
- Add ambient credentials support for Azure clusters without Workload Identity - allows cluster administrators to inject a specific (explicit) cloud credential secret for Azure clusters, similar to what we already do for AWS non-STS and GCP non-Workload Identity.
@swghosh: This pull request explicitly references no jira issue.
In response to this:
Update `docs/cloud_credentials.md` for adding Azure Workload Identity steps.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
/cc @snarayan-redhat
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: swghosh. Once this PR has been reviewed and has the lgtm label, please assign stlaz for approval. For more information see the Kubernetes Code Review Process.
The full list of commands accepted by this bot can be found here.
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
/cc @xingxingxia @lunarwhite
@swghosh I had thought about non-workload-identity ambient support after testing an Azure workload identity cluster and thus I created a "Test"-only Jira CM-262. But later I thought it might not yet be supported by our code, so we moved it to To Do. I'm glad to see you also thought of it and added support for it. Therefore, let's retitle:
/retitle CM-262: Updates for Azure ambient credentials
@swghosh: This pull request references CM-262 which is a valid jira issue.
Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.
In response to this:
- Update `docs/cloud_credentials.md` for adding Azure Workload Identity steps.
- Add ambient credentials support for Azure clusters without Workload Identity - allows cluster administrators to inject a specific (explicit) cloud credential secret for Azure clusters, similar to what we already do for AWS non-STS and GCP non-Workload Identity.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
/hold for now, I've a security concern regarding exposing the Client Secret in an environment variable directly in the deployment. This would mean that for a non-Workload Identity Azure cluster, if someone gets access to the Deployment yaml, they'll get access to the cloud-credentials secret values, and as they're long-lived credentials it might not be a good idea to do it this way.
I'll try looking for alternatives to instead use a secret mounted as a file, and still make it work, similar to what we do for AWS and GCP.
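The two patterns contrasted in the hold comment above, env-var injection of the Azure client secret versus mounting the Secret as a file, can be checked mechanically on any Deployment a cluster administrator can read. The following is an added example, not code from cert-manager-operator: it parses a Deployment in the JSON shape `kubectl get deploy -o json` prints, flags every place a Secret is copied into a container's environment (or pasted inline as a literal), and lists Secret-backed file mounts, which is the shape the comment prefers. The Deployment embedded below is constructed; its names, image and mount path are hypothetical.

```python
"""Flag long-lived cloud credentials that a Deployment exposes through
container environment variables, and list the file-mount alternative.

Added example; not code from cert-manager-operator. Only standard
Deployment/PodSpec field names are used; the sample object is constructed.
"""
import json
import re

# Env var names that usually carry a credential when given as an inline literal.
SENSITIVE_NAME = re.compile(r"(SECRET|PASSWORD|PASSWD|TOKEN|PRIVATE_KEY|ACCESS_KEY)", re.I)

# Constructed sample Deployment (trimmed to the fields the checks need).
# Names, image and mount path are hypothetical.
SAMPLE_DEPLOYMENT_JSON = json.dumps({
    "kind": "Deployment",
    "metadata": {"name": "cert-manager-controller", "namespace": "cert-manager"},
    "spec": {"template": {"spec": {
        "volumes": [
            {"name": "cloud-credentials",
             "secret": {"secretName": "azure-cloud-credentials"}},
        ],
        "containers": [{
            "name": "controller",
            "image": "example.invalid/cert-manager-controller:placeholder",
            "env": [
                # Weak pattern: the long-lived client secret is copied into the
                # process environment, readable by anything that can inspect the
                # pod (exec, /proc/<pid>/environ, crash dumps, debug tooling).
                {"name": "AZURE_CLIENT_SECRET",
                 "valueFrom": {"secretKeyRef": {"name": "azure-cloud-credentials",
                                                "key": "azure_client_secret"}}},
                {"name": "AZURE_CLIENT_ID",
                 "value": "00000000-0000-0000-0000-000000000000"},
            ],
            # Preferred pattern: the Secret is mounted as files; the manifest
            # names only a path, never a value.
            "volumeMounts": [
                {"name": "cloud-credentials", "mountPath": "/var/run/secrets/azure",
                 "readOnly": True},
            ],
        }],
    }}},
})


def _containers(deployment):
    """Yield every init container and container of the pod template."""
    pod = deployment.get("spec", {}).get("template", {}).get("spec", {})
    for field in ("initContainers", "containers"):
        for c in pod.get(field, []):
            yield c


def find_env_credential_exposure(deployment_json):
    """Return findings for credentials that end up in a container's environment.

    Flagged shapes:
      env[].valueFrom.secretKeyRef          one Secret key copied into the environment
      envFrom[].secretRef                   every key of a Secret copied into the environment
      env[].value with a credential-like name  plaintext in the manifest itself
    """
    deployment = json.loads(deployment_json)
    findings = []
    for c in _containers(deployment):
        for e in c.get("env", []):
            ref = e.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                findings.append({"container": c["name"], "env": e["name"],
                                 "kind": "secretKeyRef", "secret": ref.get("name")})
            elif "value" in e and SENSITIVE_NAME.search(e["name"]):
                findings.append({"container": c["name"], "env": e["name"],
                                 "kind": "inline-literal", "secret": None})
        for ef in c.get("envFrom", []):
            ref = ef.get("secretRef")
            if ref:
                findings.append({"container": c["name"], "env": "*",
                                 "kind": "envFrom-secretRef", "secret": ref.get("name")})
    return findings


def secret_file_mounts(deployment_json):
    """Return (container, mountPath, secretName) for Secrets mounted as files."""
    deployment = json.loads(deployment_json)
    pod = deployment.get("spec", {}).get("template", {}).get("spec", {})
    secret_volumes = {v["name"]: v["secret"]["secretName"]
                      for v in pod.get("volumes", []) if "secret" in v}
    mounts = []
    for c in _containers(deployment):
        for m in c.get("volumeMounts", []):
            if m["name"] in secret_volumes:
                mounts.append((c["name"], m["mountPath"], secret_volumes[m["name"]]))
    return mounts


if __name__ == "__main__":
    for f in find_env_credential_exposure(SAMPLE_DEPLOYMENT_JSON):
        print("exposed via env:", f)
    for m in secret_file_mounts(SAMPLE_DEPLOYMENT_JSON):
        print("mounted as file:", m)
```

Run against a live cluster with `kubectl get deploy -n <ns> <name> -o json` piped into `find_env_credential_exposure`; a Deployment that returns no findings and at least one Secret-backed mount matches the AWS/GCP file-based layout the comment wants to mirror. The inline-literal check is name-based and therefore heuristic; the `secretKeyRef` and `envFrom` checks are exact.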
/test fips-image-scan
@swghosh: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:
| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/fips-image-scan | b2d8bb04aa2b2a4e33062e3cb50bc472c616d1f7 | link | true | /test fips-image-scan |
Full PR test history. Your PR dashboard.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
Issues go stale after 90d of inactivity.
Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.
If this issue is safe to close now please do so with /close.
/lifecycle stale