Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable Authenticating with Azure with Certificates using Azure SDK for Go's Generic NewDefaultAzureCredential #1694

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

Enable Authenticating with Azure with Certificates using Azure SDK for Go's Generic NewDefaultAzureCredential #1694

wants to merge 6 commits into from

Conversation

bryan-cox
Copy link
Member

@bryan-cox bryan-cox commented Oct 7, 2024
edited
Loading

This enhancement proposes enabling image registry, ingress, cloud network config, and storage operators(azure-file and azure-disk) to accept authenticating with Azure with certificates using Azure SDK for Go's generic function NewDefaultAzureCredential.

  1. Ingress - Refactor to use Azure SDK default cred chain
  2. Image Registry - Refactor to use Azure SDK default cred chain
  3. Cluster Network Operator PR
  4. Cloud Network Config - Refactor to use Azure SDK default cred chain
  5. Cluster Storage Operator PR
  6. CSI Operator - Separate Azure Authentication for Azure File and Disk - TBD adding the secrets CSI volume and volume mount for Azure file and disk

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Oct 7, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign enxebre for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@bryan-cox bryan-cox mentioned this pull request Oct 7, 2024
Closed
@bryan-cox
Initial enhancement
ed18676 
Signed-off-by: Bryan Cox <[email protected]>
bennerv
bennerv reviewed Oct 7, 2024
View reviewed changes
Copy link

@bennerv bennerv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also should capture AZURE_CLIENT_SEND_CERTIFICATE_CHAIN but you said there's be followup.

Otherwise lgtm

enhancements/hypershift/enable-azure-creds-via-cert.md Outdated Show resolved Hide resolved
bryan-cox and others added 2 commits October 7, 2024 16:34
@bryan-cox
Add note about SNI
facc698 
Signed-off-by: Bryan Cox <[email protected]>
@bryan-cox @bennerv
Commit Ben's suggestion
a5ef2d8 
Co-authored-by: Ben Vesel <[email protected]>
flavianmissi
flavianmissi reviewed Oct 8, 2024
View reviewed changes
Copy link
Member

@flavianmissi flavianmissi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left a question about the image registry (operand). Looks good otherwise!

enhancements/hypershift/enable-azure-creds-via-cert.md Outdated
HyperShift would pass the following environment variables - AZURE_CLIENT_ID, AZURE_TENANT_ID, and
AZURE_CLIENT_CERTIFICATE_PATH - to its deployments of image registry, ingress, cloud network config, and storage
operators (azure-file and azure-disk) on the hosted control plane. Each of these components would then pass these
variables along to NewDefaultAzureCredential.
Copy link
Member

@flavianmissi flavianmissi Oct 8, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When configured with workload identity, the image registry operator will configure the image registry in a similar fashion to what's described in this EP (source).
Do we need to consider this when changing the operator code to use these env vars? In other words, do we also want the image registry (operand!) to authenticate using this proposed mechanism?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah probably so. On ARO HCP, on the HCP side image registry will authenticate with the cert method, while the operand would use workload identity.

@jsafrane jsafrane mentioned this pull request Oct 8, 2024
Merged
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Oct 23, 2024

@bryan-cox: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/markdownlint c1e875c link true /test markdownlint

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bennerv bennerv bennerv left review comments

@flavianmissi flavianmissi flavianmissi left review comments

@enxebre enxebre Awaiting requested review from enxebre

@sjenning sjenning Awaiting requested review from sjenning

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@bryan-cox @flavianmissi @bennerv