CCO-318: Enable Azure Workload Identity authentication. #906
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
jstuever
force-pushed
the
CCO-318
branch
3 times, most recently
from
8c1e78d to
97d0dbd
Compare
jstuever
changed the title
|
@jstuever: This pull request references CCO-318 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
added
the
jira/valid-reference
|
@jstuever: This pull request references CCO-318 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@jstuever: This pull request references CCO-318 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-merge-robot
added
the
needs-rebase
openshift-merge-robot
removed
the
needs-rebase
|
@jstuever: This pull request references CCO-318 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
jstuever
changed the title
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
pkg/dns/azure/client/auth.go
Outdated
| var ( | ||
| cred azcore.TokenCredential | ||
| err error | ||
| ) | ||
| if config.AzureWorkloadIdentityEnabled && strings.TrimSpace(config.ClientSecret) == "" { | ||
| options := azidentity.WorkloadIdentityCredentialOptions{ | ||
| ClientOptions: azcore.ClientOptions{ | ||
| Cloud: cloudConfig, | ||
| }, | ||
| ClientID: config.ClientID, | ||
| TenantID: config.TenantID, | ||
| TokenFilePath: config.FederatedTokenFile, | ||
| } | ||
| cred, err = azidentity.NewWorkloadIdentityCredential(&options) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
| } else { | ||
| options := azidentity.ClientSecretCredentialOptions{ | ||
| ClientOptions: azcore.ClientOptions{ | ||
| Cloud: cloudConfig, | ||
| }, | ||
| } | ||
| cred, err = azidentity.NewClientSecretCredential(config.TenantID, config.ClientID, config.ClientSecret, &options) |
There was a problem hiding this comment.
Is there a reason to declare err in the outer scope?
| var ( | |
| cred azcore.TokenCredential | |
| err error | |
| ) | |
| if config.AzureWorkloadIdentityEnabled && strings.TrimSpace(config.ClientSecret) == "" { | |
| options := azidentity.WorkloadIdentityCredentialOptions{ | |
| ClientOptions: azcore.ClientOptions{ | |
| Cloud: cloudConfig, | |
| }, | |
| ClientID: config.ClientID, | |
| TenantID: config.TenantID, | |
| TokenFilePath: config.FederatedTokenFile, | |
| } | |
| cred, err = azidentity.NewWorkloadIdentityCredential(&options) | |
| if err != nil { | |
| return nil, err | |
| } | |
| } else { | |
| options := azidentity.ClientSecretCredentialOptions{ | |
| ClientOptions: azcore.ClientOptions{ | |
| Cloud: cloudConfig, | |
| }, | |
| } | |
| cred, err = azidentity.NewClientSecretCredential(config.TenantID, config.ClientID, config.ClientSecret, &options) | |
| var cred azcore.TokenCredential | |
| if config.AzureWorkloadIdentityEnabled && strings.TrimSpace(config.ClientSecret) == "" { | |
| options := azidentity.WorkloadIdentityCredentialOptions{ | |
| ClientOptions: azcore.ClientOptions{ | |
| Cloud: cloudConfig, | |
| }, | |
| ClientID: config.ClientID, | |
| TenantID: config.TenantID, | |
| TokenFilePath: config.FederatedTokenFile, | |
| } | |
| var err error | |
| cred, err = azidentity.NewWorkloadIdentityCredential(&options) | |
| if err != nil { | |
| return nil, err | |
| } | |
| } else { | |
| options := azidentity.ClientSecretCredentialOptions{ | |
| ClientOptions: azcore.ClientOptions{ | |
| Cloud: cloudConfig, | |
| }, | |
| } | |
| var err error | |
| cred, err = azidentity.NewClientSecretCredential(config.TenantID, config.ClientID, config.ClientSecret, &options) |
There was a problem hiding this comment.
No reason, was just blindly following the enhancement.
Updated.
There was a problem hiding this comment.
Did you mean to delete config.AzureWorkloadIdentityEnabled && in https://github.com/openshift/cluster-ingress-operator/compare/02a3c1434367c4ce82e84f3a42b393de92765541..d8c1cafad42eff9f781248a166e6e591a203ff24?
There was a problem hiding this comment.
No, I did not. I must have fumbled it during a rebase. Fixed. Thanks!
pkg/dns/azure/client/client.go
Outdated
| Environment azure.Environment | ||
| SubscriptionID string | ||
| ClientID string | ||
| ClientSecret string | ||
| FederatedTokenFile string | ||
| TenantID string | ||
| AzureWorkloadIdentityEnabled bool |
There was a problem hiding this comment.
Would you mind adding godoc for these fields? In particular, it's getting confusing which fields are used in what situations. Looks like SubscriptionID, ClientID, and TenantID are always required; FederatedTokenFile is required when using workload identity; and ClientSecret is required when not using workload identity. Is that correct? Following is my attempt at describing these fields—please check for errors and discard or modify as necessary:
| Environment azure.Environment | |
| SubscriptionID string | |
| ClientID string | |
| ClientSecret string | |
| FederatedTokenFile string | |
| TenantID string | |
| AzureWorkloadIdentityEnabled bool | |
| // Environment describes the Azure environment: ChinaCloud, | |
| // USGovernmentCloud, PublicCloud, or AzureStackCloud. If empty, | |
| // AzureStackCloud is assumed. | |
| Environment azure.Environment | |
| // SubscriptionID is the subscription id for the Azure identity. | |
| SubscriptionID string | |
| // ClientID is an Azure application client id. | |
| ClientID string | |
| // ClientSecret is an Azure application client secret. It is required | |
| // if Azure workload identity is not used. | |
| ClientSecret string | |
| // FederatedTokenFile is the path to a file containing a workload | |
| // identity token. If FederatedTokenFile is specified and | |
| // AzureWorkloadIdentityEnabled is true, then Azure workload identity is | |
| // used instead of using a client secret. | |
| FederatedTokenFile string | |
| // TenantID is the Azure tenant ID. | |
| TenantID string | |
| // AzureWorkloadIdentityEnabled indicates whether the | |
| // "AzureWorkloadIdentity" feature gate is enabled. | |
| AzureWorkloadIdentityEnabled bool |
pkg/operator/operator.go
Outdated
| // example of future featuregate read and usage to set a variable to pass to a controller | ||
| AzureWorkloadIdentityEnabled := featureGates.Enabled(configv1.FeatureGateAzureWorkloadIdentity) |
There was a problem hiding this comment.
The comment can be removed (I missed that 3d26626 removed the _ = sets.New[configv1.FeatureGateName](enabled...).Has("AzureWorkloadIdentity") line that the comment described). Uppercase AzureWorkloadIdentityEnabled looks funny for a function-local variable.
| // example of future featuregate read and usage to set a variable to pass to a controller | |
| AzureWorkloadIdentityEnabled := featureGates.Enabled(configv1.FeatureGateAzureWorkloadIdentity) | |
| azureWorkloadIdentityEnabled := featureGates.Enabled(configv1.FeatureGateAzureWorkloadIdentity) |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Miciah The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
/retest-required |
|
/retest |
1 similar comment
|
/retest |
|
/label docs-approved |
openshift-ci
bot
added
the
docs-approved
|
/label qe-approved |
openshift-ci
bot
added
the
qe-approved
|
Adding px-approved per a conversation with cfields. /label px-approved |
openshift-ci
bot
added
the
px-approved
Authenticate with an Azure Workload Identity (AZWI) serviceaccount token when client secret is absent from auth config.
|
Rebased to resolve merge conflicts in go.mod and related module files. |
|
/lgtm |
|
/retest |
|
/hold |
openshift-ci
bot
added
the
do-not-merge/hold
|
/hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
|
e2e-gcp-operator failed because |
|
@Miciah: Overrode contexts on behalf of Miciah: ci/prow/e2e-gcp-operator In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@jstuever: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/label jira/valid-bug |
openshift-ci
bot
added
the
jira/valid-bug
Authenticate with an Azure Workload Identity (AZWI) serviceaccount token when client secret is absent from auth config.
https://issues.redhat.com/browse/CCO-318