MI/WI - Generate secrets for platform identities #3802
Conversation
tsatam
changed the title
tsatam
added
chainsaw
tsatam
force-pushed
the
tsatam/hotfix-miwi-generate-secrets-for-platform-identities
branch
3 times, most recently
from
3874a34
to
49d7921
Compare
|
/azp run ci |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/azp run ci |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/azp run e2e |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/azp run ci,e2e |
|
Azure Pipelines successfully started running 2 pipeline(s). |
|
LGTM, just a comment on additional manifests needed. Can/Should we handle these two at the RP side and in the same PR? |
For the Authentication resource, if it's a static, single resource as it appears to be, I think it can be done with a similar pattern to what's done here. It doesn't need to happen directly in this PR, but I can include it if it helps move our dependent work items along. Do we need to update this resource during cluster update as well (can the OIDC issuer URL change)? For the CCO secret - I thought |
No OIDC issuer URL update is not in scope currently, but the ensure function for the same can help here?
Tried executing |
|
/azp run ci,e2e |
|
Azure Pipelines successfully started running 2 pipeline(s). |
|
/azp run ci,e2e |
|
LGTM, since it is dependent on #3619, whenever it is merged this can be rebased and unblocked. |
|
/azp run ci,e2e |
|
Azure Pipelines successfully started running 2 pipeline(s). |
|
/azp run ci,e2e |
tsatam
requested review from
jharrington22,
cblecker,
UlrichSchlueter,
yjst2012,
jaitaiwan,
anshulvermapatel,
hlipsig,
tiguelu,
SrinivasAtmakuri,
mociarain,
kimorris27 and
bitoku
as code owners
This is needed in order to easily serialize these resources to YAML, e.g. when setting them as string values in a Secret map for Hive to use as an install manifest. Not setting these values will result in them being omitted from the resulting JSON/YAML.
|
/azp run ci,e2e |
|
Azure Pipelines successfully started running 2 pipeline(s). |
tsatam
deleted the
tsatam/hotfix-miwi-generate-secrets-for-platform-identities
branch
* Add secret location to PlatformWorkloadIdentityRoleSet * Add generatePlatformWorkloadIdentitySecrets function * Add mutable:true validate:required struct tags to SecretLocation fields on admin api * Add functions for other required WI resources * Remove redundant UsesWorkloadIdentity check from generatePlatformWorkloadIdentitySecrets * Fix coordinates for static CCO secret; move static coordinate strings to const values * Return resources as map (w/ filename as key) instead of list * Explicitly set TypeMeta on workload identity resources This is needed in order to easily serialize these resources to YAML, e.g. when setting them as string values in a Secret map for Hive to use as an install manifest. Not setting these values will result in them being omitted from the resulting JSON/YAML.
Which issue this PR addresses:
Fixes ARO-9924
What this PR does / why we need it:
SecretLocationcoordinate toPlatformWorkloadIdentityRole, that holds a NamespacedName reference to the default Secret location for each platform workload identity. These coordinates are intended for use internally, and will not be exposed on the public ARO API.generatePlatformWorkloadIdentitySecretsto the cluster manager for eventual use during ARO cluster installation (to generate secrets to pass to the installer) and during ARO updates (to directly update secrets on-cluster). Note that the current implementation as-is is unused anywhere within the codebase, and will be used in eventual work items ARO-4518 (create) and ARO-4371 (update).Test plan for issue:
Is there any documentation that needs to be updated for this PR?
No
How do you know this will function as expected in production?
This implementation as-is goes unused in any production contexts. It will eventually be utilized in MIWI cluster installation and update flows (see above).