-
Notifications
You must be signed in to change notification settings - Fork 170
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MI/WI - Generate secrets for platform identities #3802
MI/WI - Generate secrets for platform identities #3802
Conversation
3874a34
to
49d7921
Compare
/azp run ci |
Azure Pipelines successfully started running 1 pipeline(s). |
/azp run ci |
Azure Pipelines successfully started running 1 pipeline(s). |
/azp run e2e |
Azure Pipelines successfully started running 1 pipeline(s). |
/azp run ci,e2e |
Azure Pipelines successfully started running 2 pipeline(s). |
LGTM, just a comment on additional manifests needed.
Can/Should we handle these two at the RP side and in the same PR? |
For the Authentication resource, if it's a static, single resource as it appears to be, I think it can be done with a similar pattern to what's done here. It doesn't need to happen directly in this PR, but I can include it if it helps move our dependent work items along. Do we need to update this resource during cluster update as well (can the OIDC issuer URL change)? For the CCO secret - I thought |
No OIDC issuer URL update is not in scope currently, but the ensure function for the same can help here?
Tried executing |
/azp run ci,e2e |
Azure Pipelines successfully started running 2 pipeline(s). |
/azp run ci,e2e |
LGTM, since it is dependent on #3619, whenever it is merged this can be rebased and unblocked. |
/azp run ci,e2e |
Azure Pipelines successfully started running 2 pipeline(s). |
/azp run ci,e2e |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Asked for changes related to TypeMeta when returning manifests.
This is needed in order to easily serialize these resources to YAML, e.g. when setting them as string values in a Secret map for Hive to use as an install manifest. Not setting these values will result in them being omitted from the resulting JSON/YAML.
/azp run ci,e2e |
Azure Pipelines successfully started running 2 pipeline(s). |
* Add secret location to PlatformWorkloadIdentityRoleSet * Add generatePlatformWorkloadIdentitySecrets function * Add mutable:true validate:required struct tags to SecretLocation fields on admin api * Add functions for other required WI resources * Remove redundant UsesWorkloadIdentity check from generatePlatformWorkloadIdentitySecrets * Fix coordinates for static CCO secret; move static coordinate strings to const values * Return resources as map (w/ filename as key) instead of list * Explicitly set TypeMeta on workload identity resources This is needed in order to easily serialize these resources to YAML, e.g. when setting them as string values in a Secret map for Hive to use as an install manifest. Not setting these values will result in them being omitted from the resulting JSON/YAML.
Which issue this PR addresses:
Fixes ARO-9924
What this PR does / why we need it:
SecretLocation
coordinate toPlatformWorkloadIdentityRole
, that holds a NamespacedName reference to the default Secret location for each platform workload identity. These coordinates are intended for use internally, and will not be exposed on the public ARO API.generatePlatformWorkloadIdentitySecrets
to the cluster manager for eventual use during ARO cluster installation (to generate secrets to pass to the installer) and during ARO updates (to directly update secrets on-cluster). Note that the current implementation as-is is unused anywhere within the codebase, and will be used in eventual work items ARO-4518 (create) and ARO-4371 (update).Test plan for issue:
Is there any documentation that needs to be updated for this PR?
No
How do you know this will function as expected in production?
This implementation as-is goes unused in any production contexts. It will eventually be utilized in MIWI cluster installation and update flows (see above).