Console-3733: Add support for Azure Workload Identity / Federated Identity based installs in OperatorHub #13082
@gallettilance: This pull request references Console-3733 which is a valid jira issue. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
QE Approver Docs Approver: PX Approver:
929b6e4 to e88912d
/label px-approved
/lgtm
{isAzureWIFCluster(cloudCredentials, infrastructure, authentication) && | ||
showWarn && | ||
infraFeatures?.find((i) => i === InfraFeatures[shortLivedTokenAuth]) && ( |
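Review bot: `InfraFeatures[shortLivedTokenAuth]` on the last line is a computed lookup, so if `shortLivedTokenAuth` does not name a member of `InfraFeatures` the comparison is against `undefined`, `find` matches nothing, and the warning is silently never rendered. A direct member reference makes a wrong key easier to catch, and `infraFeatures?.includes(...)` states the membership test more directly than `find` with an equality callback.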
Is it possible for both the AWS and Azure warnings to be shown side by side or are they mutually exclusive? If they can, then each needs its own "show/hide" state or else dismissing one will dismiss both.
Also, the `infraFeatures` check is not necessary for either of these warnings. The `isAzureWIFCluster` check is a prerequisite for the `shortLivedTokenAuth` infra feature to be included. Seen here
@TheRealJon the warnings are mutually exclusive - an operator can support both AWS and Azure but the platform will only be one or the other.
`shortLivedTokenAuth` is set to true when the operator supports the platform-specific short lived tokenized auth and the cluster is in that mode. So if anything it's the `isAzureWIFCluster` or `isAWSSTSCluster` that isn't required (I think) but I would like to display a warning custom to the platform (and `shortLivedTokenAuth` doesn't tell me the platform type) so I need a way to detect the platform type which is why `isAzure...` and `isAWS...` were added.
currentItem.infrastructure, | ||
currentItem.authentication, | ||
) && | ||
currentItem.infraFeatures?.find((i) => i === InfraFeatures[shortLivedTokenAuth]) |
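Review bot: the final operand, `currentItem.infraFeatures?.find(...)`, makes the whole `&&` chain evaluate to the matched string or `undefined` rather than a boolean. If this expression is used as a flag, `currentItem.infraFeatures?.includes(...)` with a `?? false` fallback, or wrapping the chain in `Boolean(...)`, keeps the result a boolean.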
currentItem.infraFeatures?.find((i) => i === InfraFeatures[shortLivedTokenAuth]) |
not sure I understand why - I need to know the operator claims support for the platform's specific short term auth method
The comments I made are just nits. You can address them or not. Just let me know if you make changes and I'll review again.
/label docs-approved
/hold until openshift/cloud-credential-operator#587 merges
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale
cc: @jcaianirh
@gallettilance I launched a cluster against the pr, simulated an azure WI/FI configuration:
And prepared an operator with annotation: features.operators.openshift.io/token-auth-azure: 'true'
54af6c4 to f00b196
@yanpzhan thanks for catching that! You were right there was an issue with the new infraFeatures that I've fixed and it should all be working now
/lgtm
@gallettilance Thanks for your update, I could see the warning info on new cluster launched against the pr now.
Related bug: https://issues.redhat.com/browse/ocpbugs-24252
f00b196 to 37248d3
waiting on #13416 to merge first
37248d3 to 4393c3d
const featuresAnnotationsObjects = [ | ||
{ key: InfraFeatures.Disconnected, value: disconnected }, | ||
{ key: InfraFeatures.FipsMode, value: fipsCompliant }, | ||
{ key: InfraFeatures.Proxy, value: proxyAware }, | ||
{ key: InfraFeatures.cnf, value: cnf }, | ||
{ key: InfraFeatures.cni, value: cni }, | ||
{ key: InfraFeatures.csi, value: csi }, | ||
{ key: InfraFeatures.TokenAuth, value: tokenAuthSupport }, |
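Review bot: the member names in this array mix casings: `InfraFeatures.cnf`, `InfraFeatures.cni` and `InfraFeatures.csi` are lower-case while `InfraFeatures.Disconnected`, `InfraFeatures.FipsMode`, `InfraFeatures.Proxy` and `InfraFeatures.TokenAuth` are PascalCase, which makes a mistyped member harder to spot. The array also carries no comment saying what belongs in it; a one-line comment on its purpose would make it clear whether an entry such as `TokenAuth` should be listed here at all.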
My memory on this is fuzzy as it has been a while and this has changed a bit. `featuresAnnotationsObjects` really only exists in order to override legacy labels. Since `tokenAuth*`s are new, I would not include them here. I would preserve the existing functionality where you push the value on to `infrastructureFeatures`.
…stalls in OperatorHub
4393c3d to fef7451
/lgtm /hold for @gallettilance to finish testing
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: gallettilance, rhamilto, TheRealJon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@gallettilance: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
/hold cancel Adding these labels since QE will not be able to add them before branch date and this needs to be in before then and extensive testing has been done prior to today.
/label qe-approved
@gallettilance: This pull request references Console-3733 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target either version "4.15." or "openshift-4.15.", but it targets "openshift-4.14" instead. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/jira refresh
@gallettilance: This pull request references Console-3733 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Retested on cluster launched against the pr, the warning info shows correctly and operator could be installed successfully.
This PR adds the following:
/var/run/secrets/openshift/serviceaccount/token
and region is not a required configuration)Screencast.from.2023-08-08.11-52-54.webm