CCO-372: Azure Workload Identity info in CredsRequests creates a Secret #587
Conversation
@bentito: This pull request references CCO-372 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Skipping CI for Draft Pull Request.
Codecov Report
@@ Coverage Diff @@
##           master     #587      +/-   ##
==========================================
+ Coverage   47.90%   47.96%   +0.06%
==========================================
  Files          96       96
  Lines       11680    11737      +57
==========================================
+ Hits         5595     5630      +35
- Misses       5465     5483      +18
- Partials      620      624       +4
/retest e2e-hypershift
@bentito: The
The following commands are available to trigger optional jobs:
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/test e2e-hypershift
/test e2e-hypershift
/test e2e-azure-manual-oidc
/test e2e-azure-manual-oidc
@abutcher we're running into trouble here with Azure that we didn't see on AWS: cloud-credential-operator/pkg/operator/credentialsrequest/credentialsrequest_controller.go, line 683 in 973abf9.
With the error at runtime looking like:
There is certainly more logic in the non-STSDetected flow after the
833a769 to b5372ca
/test e2e-upgrade
/test e2e-aws-ovn
cred-req-secret-creationdeletion.webm
@jstuever here is a demo of the secret being created and deleted
/test e2e-azure e2e-azure-upgrade
c39d244 to 1465460
cred-req-workload-identity.webm
Update based on our convo @jstuever
69854e3 to 32cc88b
Some notes for reviewers
return err | ||
} | ||
if credentialsMode == operatorv1.CloudCredentialsModeManual { | ||
logger.Debug("running delete in manual mode") | ||
return nil |
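Review bot: the early `return nil` in the Manual branch means this function does no Secret cleanup at all in manual mode, and the only trace of that is a Debug-level log line. Add a code comment next to the branch saying where the Secret's deletion actually happens (the annotation-based path), and consider `logger.Info` instead of `logger.Debug` so a skipped cleanup is visible in normal logs.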
Note to reviewers: the delete works because of the annotation on the secret
return true, err | ||
} | ||
if credentialsMode == operatorv1.CloudCredentialsModeManual { | ||
return true, nil |
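Review bot: `return true, nil` unconditionally in the Manual branch forces an update on every reconcile, so the Secret is rewritten even when it already matches the CredentialsRequest; compare the existing Secret's data with the desired content and return true only on a difference. The line above it, `return true, err`, also hands back the "needs update" flag together with an error, so document whether callers may rely on the bool when err is non-nil.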
Note to reviewers: what's in the credReq should be the source of truth propagated down to the secret.
} | ||
// Check for old Manual Mode where all 4 fields are empty - defaulting to old behavior | ||
// where CCO exists and the secret is created manually | ||
if azureProviderSpec.AzureClientID == "" && azureProviderSpec.AzureTenantID == "" && azureProviderSpec.AzureSubscriptionID == "" && azureProviderSpec.AzureRegion == "" { |
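Review bot: the all-four-fields-empty check silently selects between two very different behaviours (legacy manual mode where CCO does nothing, versus CCO creating the Secret), so a CredentialsRequest that accidentally omits every field looks like a successful no-op instead of a misconfiguration. Factor the condition into a named helper and log which mode was chosen for the CredentialsRequest, and keep the "all 4 fields" wording in the comment in sync with the condition if more fields are added later.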
Note to reviewers: if none of the fields are provided, we assume the creator of the credReq is intending to use the old manual mode where the secrets are created by the ccoctl tool and CCO doesn't do anything (as is the case with openshift operators today).
if azureProviderSpec.AzureClientID == "" && azureProviderSpec.AzureTenantID == "" && azureProviderSpec.AzureSubscriptionID == "" && azureProviderSpec.AzureRegion == "" { | ||
return nil | ||
} | ||
err = validateAzureProviderSpec(*azureProviderSpec) |
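Review bot: the hunk ends at `err = validateAzureProviderSpec(*azureProviderSpec)`; make sure the lines that follow return that error (wrapped with the CredentialsRequest name) rather than only logging it, and have the validator name which of the four fields are missing so a partially filled spec can be diagnosed from the error text alone.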
Note to reviewers: if some but not all fields required for this new manual mode workload identity workflow are set then we should error
@@ -391,16 +460,24 @@ func (a *Actuator) syncCredentialSecrets(ctx context.Context, cr *minterv1.Crede | |||
secret.Annotations = map[string]string{} | |||
} | |||
secret.Annotations[minterv1.AnnotationCredentialsRequest] = fmt.Sprintf("%s/%s", cr.Namespace, cr.Name) | |||
if desiredSecret.Data == nil { |
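Review bot: `if desiredSecret.Data == nil` as the marker for the workload identity flow is fragile: an empty but non-nil map (for example `map[string][]byte{}`) produced by another path takes the other branch, and nothing in the type ties nil-ness to the credentials mode. Prefer an explicit signal such as the mode already determined earlier in the sync, or at least `len(desiredSecret.Data) == 0 && len(desiredSecret.StringData) > 0`, and add a comment explaining why the branch exists.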
Note to reviewers: this if statement checks that the desiredSecret is from the new manual mode workload identity workflow since it does not set the Data field
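The decision the notes above describe (all four fields empty means legacy manual mode, all four set means CCO creates the Secret, anything in between is an error) together with the `Data == nil` discriminator, as an added Go example that is not code from this PR or from cloud-credential-operator. It uses a trimmed-down hypothetical AzureProviderSpec and a stand-in DesiredSecret type instead of the CCO API and Kubernetes types; the subscription, tenant and federated-token-file key names are the ones shown in the hunks, while the annotation value, the client-id and region key names, and the token file path are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// AzureProviderSpec is a hypothetical, trimmed-down copy of the four fields
// the PR inspects; the real type lives in the CCO API package.
type AzureProviderSpec struct {
	AzureClientID       string
	AzureTenantID       string
	AzureSubscriptionID string
	AzureRegion         string
}

// SecretMode is the flow a CredentialsRequest asks the actuator to follow.
type SecretMode int

const (
	LegacyManual     SecretMode = iota // all fields empty: Secret made out of band (e.g. ccoctl), CCO does nothing
	WorkloadIdentity                   // all fields set: CCO creates the Secret itself
)

// ErrPartialSpec wraps the "some but not all fields set" case so callers can
// match it with errors.Is instead of comparing message strings.
var ErrPartialSpec = errors.New("azure workload identity: incomplete provider spec")

// ClassifyAzureSpec makes the decision the review notes describe: none set
// means legacy manual mode, all set means workload identity, and anything in
// between is an error that names the missing fields.
func ClassifyAzureSpec(spec AzureProviderSpec) (SecretMode, error) {
	fields := []struct{ name, value string }{
		{"azureClientID", spec.AzureClientID},
		{"azureTenantID", spec.AzureTenantID},
		{"azureSubscriptionID", spec.AzureSubscriptionID},
		{"azureRegion", spec.AzureRegion},
	}
	var missing []string
	for _, f := range fields {
		if f.value == "" { // same test as the PR: exact empty string
			missing = append(missing, f.name)
		}
	}
	switch len(missing) {
	case len(fields):
		return LegacyManual, nil
	case 0:
		return WorkloadIdentity, nil
	default:
		return 0, fmt.Errorf("%w: missing %s", ErrPartialSpec, strings.Join(missing, ", "))
	}
}

// DesiredSecret is a hypothetical stand-in for corev1.Secret so the example
// runs without the Kubernetes client packages.
type DesiredSecret struct {
	Annotations map[string]string
	StringData  map[string]string
	Data        map[string][]byte
}

// Key names: subscription, tenant and federated-token-file come from the PR;
// the annotation value and the client-id and region keys are assumed.
const (
	AnnotationCredentialsRequest = "cloudcredential.openshift.io/credentials-request"
	AzureClientIDKey             = "azure_client_id"
	AzureTenantIDKey             = "azure_tenant_id"
	AzureSubscriptionIDKey       = "azure_subscription_id"
	AzureRegionKey               = "azure_region"
	AzureFederatedTokenFileKey   = "azure_federated_token_file"
)

// BuildWorkloadIdentitySecret renders the Secret for the workload identity
// flow. Nothing in it is a long-lived credential: the token file entry is the
// path of the projected service account token the workload will present.
func BuildWorkloadIdentitySecret(crNamespace, crName string, spec AzureProviderSpec, tokenFile string) (*DesiredSecret, error) {
	mode, err := ClassifyAzureSpec(spec)
	if err != nil {
		return nil, err
	}
	if mode != WorkloadIdentity {
		return nil, errors.New("legacy manual mode: secret is managed outside CCO")
	}
	return &DesiredSecret{
		// The annotation ties the Secret to its CredentialsRequest; the delete path relies on it.
		Annotations: map[string]string{AnnotationCredentialsRequest: crNamespace + "/" + crName},
		StringData: map[string]string{
			AzureClientIDKey:           spec.AzureClientID,
			AzureTenantIDKey:           spec.AzureTenantID,
			AzureSubscriptionIDKey:     spec.AzureSubscriptionID,
			AzureRegionKey:             spec.AzureRegion,
			AzureFederatedTokenFileKey: tokenFile,
		},
	}, nil
}

// IsWorkloadIdentitySecret is the discriminator the PR writes as
// `desiredSecret.Data == nil`; checking populated StringData and empty Data
// also classifies an empty-but-non-nil Data map correctly.
func IsWorkloadIdentitySecret(s *DesiredSecret) bool {
	return len(s.StringData) > 0 && len(s.Data) == 0
}

func main() {
	// Constructed sample values, not taken from any real cluster.
	spec := AzureProviderSpec{AzureClientID: "client-id", AzureTenantID: "tenant-id", AzureSubscriptionID: "subscription-id", AzureRegion: "eastus"}
	s, err := BuildWorkloadIdentitySecret("openshift-ingress-operator", "openshift-ingress-azure", spec, "/var/run/secrets/openshift/serviceaccount/token")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(s.Annotations[AnnotationCredentialsRequest], IsWorkloadIdentitySecret(s))
	_, err = ClassifyAzureSpec(AzureProviderSpec{AzureClientID: "client-id"})
	fmt.Println("partial spec:", err)
}
```

ClassifyAzureSpec is the only place that decides the mode, so the "create" and "needs update" paths cannot drift apart on what counts as a legacy request, and the partial-spec error lists the missing field names so the failure is diagnosable from the CredentialsRequest status alone.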
@@ -463,9 +509,31 @@ func TestActuator(t *testing.T) { | |||
}, | |||
{ | |||
name: "Mint annotation", | |||
expectedErr: fmt.Errorf("error determining whether a credentials update is needed"), | |||
expectedErr: fmt.Errorf("unexpected value or missing cloudcredential.openshift.io/mode annotation on admin credentials Secret"), |
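Review bot: the test now asserts on the full text "unexpected value or missing cloudcredential.openshift.io/mode annotation on admin credentials Secret"; a sentinel error checked with errors.Is would keep the test stable when that wording changes. The case is still named "Mint annotation" although the expected error says the mode annotation is missing or has an unexpected value, so rename the case to describe what the test actually sets up.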
Note to reviewers: this change is a result of erroring earlier in the process as a result of checking for the cloudcredentials mode.
AzureResourcePrefix = "azure_resource_prefix" | ||
AzureSubscriptionID = "azure_subscription_id" | ||
AzureTenantID = "azure_tenant_id" | ||
AzureFederatedTokenFile = "azure_federated_token_file" |
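Review bot: `AzureFederatedTokenFile = "azure_federated_token_file"` is added without a doc comment; state what the value holds (a path to the projected token file rather than token material, if that is the intent the name suggests) so consumers of the Secret do not treat the key as a credential, and note that it is only present in the workload identity flow.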
Note to reviewers: just adding the AzureFederatedTokenFile
/test e2e-azure e2e-azure-upgrade
pkg/azure/actuator.go
Outdated
return true, nil | ||
} | ||
if credentialsMode == operatorv1.CloudCredentialsModeMint { | ||
return true, errors.New("mint mode is invalid") |
Should this return false?
return true, err | ||
} | ||
if credentialsMode == operatorv1.CloudCredentialsModeManual { | ||
return true, nil |
Ideally, we would actually check if the secret differs from the source of truth similar to AWS mint mode. However, this can be taken away as tech debt.
32cc88b to 7c970c7
/test e2e-azure
/test e2e-hypershift
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: bentito, jstuever. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@bentito: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
[ART PR BUILD NOTIFIER] This PR has been included in build ose-cloud-credential-operator-container-v4.15.0-202311300249.p0.ge295bb2.assembly.stream for distgit ose-cloud-credential-operator.
/cherry-pick release-4.14
@gallettilance: new pull request created: #643 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Adds Azure Workload Identity (Timed Access Token) support and e2e test and unit tests.

pkg/azure/actuator_test.go should get a review for changes that were needed to pre-existing unit tests. The changes were needed because of the requirements of the new detection for the Workload Identity in-use flow.

Known issues:
* Still need to verify OCPBUGS filed against the AWS STS work, particularly around properly setting status, conditions and lastSync times that were fixed for AWS STS, are not brought back here for Azure.
* Reviewed the several bug fix PRs against the AWS STS work; most fixes were in credentialsrequest_controller so they're all present for this Azure branch as well, just OCPBUGS-16684 had an actuator change that seemed to be needed here.
* release, which actually calls the new Make target test-e2e-azident with the e2e-azure-manual-oidc workflow
* PR to add calling make target to azure e2e is here: Add cmd make test-e2e-azident to e2e-azure-manual-oidc release#42126