diff --git a/enhancements/hypershift/enable-azure-creds-via-cert.md b/enhancements/hypershift/enable-azure-creds-via-cert.md index e992d193ca..5afaaaa93f 100644 --- a/enhancements/hypershift/enable-azure-creds-via-cert.md +++ b/enhancements/hypershift/enable-azure-creds-via-cert.md 
@@ -32,45 +32,46 @@ superseded-by: ## Summary -This enhancement proposes introducing an environment variable in the image registry, ingress, cloud network config, -and storage operators. This variable would allow overriding the Azure authentication strategy used by these operators to -leverage Azure managed service identity (MSI), regardless of the underlying cloud configuration. +This enhancement proposes enabling image registry, ingress, cloud network config, and storage operators(azure-file and +azure-disk) to accept authenticating with Azure with certificates using Azure SDK for Go's generic function +[NewDefaultAzureCredential](https://github.com/Azure/azure-sdk-for-go/blob/4ebe2fa68c8f9f0a0737d4569810525b4ac45834/sdk/azidentity/default_azure_credential.go#L63). ## Motivation -In Azure Red Hat OpenShift (ARO) Hosted Control Plane (HCP), operators running in the control plane need to -authenticate using Azure managed service identities to communicate with cloud services. In contrast, the same operators -running on the data plane/guest cluster side use workload identity authentication. +In production, Azure Red Hat OpenShift (ARO) Hosted Control Plane (HCP), operators running in the control plane need to +authenticate using Azure managed identities, backed by certificates, to communicate with cloud services. In the +meantime, ARO HCP will use Service Principal, backed by certificates, for development and testing. + +In contrast, the same operators running on the data plane/guest cluster side use workload identity authentication. 
### User Stories -* [Support MSI authentication in cluster-ingress-operator](https://issues.redhat.com/browse/NE-1504) -* [Support MSI authentication in cloud-network-config-controller](https://issues.redhat.com/browse/SDN-4450) -* [Support MSI authentication in cluster-storage-operator](https://issues.redhat.com/browse/STOR-1748) -* [Support MSI authentication in image-registry](https://issues.redhat.com/browse/IR-460) +* [Explore enable getting AzureCreds via cert using generic NewDefaultAzureCredential](https://issues.redhat.com/browse/HOSTEDCP-1994) ### Goals -* Agreement from ingress, image registry, network, and storage representatives on a standard approach to authenticate with MSI for ARO HCP. +* Agreement from ingress, image registry, network, and storage representatives on a standard approach to authenticate with Azure for ARO HCP. ### Non-Goals -* Implementing MSI for image registry, ingress, cloud network config, and storage operators outside the override. +N/A ## Proposal -We propose setting an environment variable, ARO_HCP_MI_CLIENT_ID, upon deployment of image registry, ingress, cloud -network config, and storage operators in the control plane of an ARO HCP cluster. This variable will be checked by each -operator; if set, it will override the default authentication mechanism, using a managed identity to authenticate with -Azure cloud services instead. ARO_HCP_MI_CLIENT_ID will contain the client ID to create the new managed identity. +We propose updating the Azure API authentication methods in image registry, ingress, cloud network config, and storage +operators to use the using Azure SDK for Go's generic function [NewDefaultAzureCredential](https://github.com/Azure/azure-sdk-for-go/blob/4ebe2fa68c8f9f0a0737d4569810525b4ac45834/sdk/azidentity/default_azure_credential.go#L63). +This function walks through creating a valid Azure credential chain used to authenticate with Azure API based on what +environment variables are set up. 
-For operators with operands that they manage in the control plane, the operator would be responsible for propagating the -environment variable to those operands (if the operands need cloud access). +HyperShift would pass the following environment variables - AZURE_CLIENT_ID, AZURE_TENANT_ID, and +AZURE_CLIENT_CERTIFICATE_PATH - to its deployments of image registry, ingress, cloud network config, and storage +operators (azure-file and azure-disk) on the hosted control plane. Each of these components would then pass these +variables along to NewDefaultAzureCredential. ### Workflow Description -* HostedCluster control plane operator will set ARO_HCP_MI_CLIENT_ID on deployment of image registry, ingress, cluster network operator (which will pass the value to cloud network config), and storage operators -* When each operator is configuring the Azure authentication type, if the ARO_HCP_MI_CLIENT_ID is set, the operator will ignore any other Azure cloud configuration and use Managed Identity with the client ID being set to the value in ARO_HCP_MI_CLIENT_ID +* HostedCluster control plane operator will set AZURE_CLIENT_ID, AZURE_TENANT_ID, and AZURE_CLIENT_CERTIFICATE_PATH on deployment of image registry, ingress, cluster network operator (which will pass the value to cloud network config), and storage operators (which will pass the values to azure-file and azure disk) +* When each operator is configuring the Azure authentication type, it will call Azure SDK for Go's generic function NewDefaultAzureCredential ### API Extensions
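Review bot: The Proposal paragraph says NewDefaultAzureCredential builds its chain "based on what environment variables are set up", but azidentity's DefaultAzureCredential also tries sources that those variables do not control (workload identity, managed identity via IMDS, Azure CLI), so if AZURE_CLIENT_ID, AZURE_TENANT_ID or AZURE_CLIENT_CERTIFICATE_PATH is missing or the certificate file is unreadable, an operator on the hosted control plane can silently fall through to whatever ambient identity the node or pod exposes instead of failing. The enhancement should state whether that fallback is intended; if not, the Workflow Description should say each component builds the certificate credential directly (azidentity.NewClientCertificateCredential or NewEnvironmentCredential) or at least fails closed when any of the three variables is unset. Related gap: the Motivation says production uses "Azure managed identities, backed by certificates", while the three variables named in the Proposal are the ones EnvironmentCredential reads for a service-principal client certificate; say how the managed-identity case maps onto those same variables. The rewritten Workflow bullet also dropped the old statement that the override "will ignore any other Azure cloud configuration"; the new text should say what happens to existing cloud-config credentials when the variables are set, since two credential sources for one operator is exactly the ambiguity this chain creates. Small fixes while here: "to use the using Azure SDK" has a duplicated word, "storage operators(azure-file" needs a space, "azure disk" should match "azure-disk", and replacing the Non-Goals list with "N/A" removes the scope statement without saying what is now in scope.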