Generate Federated Identity Credentials for MIWI Cluster #3847
Conversation
Please rebase pull request.
Thanks for the PR!!
Performed a quick review of the PR, added some comments for the federated credentials creation/deletion and RBAC part.
The review would be easier to do after the MSI PR is merged.
Please rebase pull request.
821562f to 89ef266
I pushed a few small changes after trying this out locally, since @gouthamMN's still blocked from running a local dev RP. The main change I pushed was moving fed cred deletion to be before cluster MSI cert deletion because we need to use the MSI to delete the fed creds.
I think we need to revisit the discussion about whether to error out on fed cred deletion failures though. I went back and looked at @cadenmarchese 's comment here, and I think you all may have misunderstood what I said earlier in the conversation.
I wasn't suggesting we log the error and continue for any error that occurs during the process of trying to delete the federated credentials; I was only suggesting we do that in the case where we can't initialize the federated credentials client because the cx deleted their MSI. In other cases where the error is the service's fault (ex: the MI RP returns an internal server error while we're trying to delete a fed cred), I think we should still error out.
I left my thoughts here rather than directly making the changes so that others can confirm that that's the route we want to go. Once we have a consensus, I'm happy to make the changes and test out locally if needed.
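The error-handling policy described in the comment above (tolerate only the "customer already deleted the MSI" case; surface every other failure) can be expressed as a small cleanup routine. This is an added illustration, not the ARO RP's own code: the `FedCredClient` interface, the `NewClientFunc` constructor, the `ErrClusterMSINotFound` sentinel and the `fakeClient` are all hypothetical stand-ins for the real managed identity / federated credential clients.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"log"
)

// ErrClusterMSINotFound is a constructed sentinel error: the cluster managed
// identity that the RP needs in order to call the federated credential API
// no longer exists (for example, the customer deleted it before the cluster).
var ErrClusterMSINotFound = errors.New("cluster MSI not found")

// FedCredClient is a hypothetical interface standing in for the real
// federated identity credential client.
type FedCredClient interface {
	Delete(ctx context.Context, identityResourceID, credName string) error
}

// NewClientFunc is a hypothetical constructor for FedCredClient. It is
// expected to return ErrClusterMSINotFound when the cluster MSI is gone.
type NewClientFunc func(ctx context.Context) (FedCredClient, error)

// DeleteFederatedCredentials applies the policy from the review comment:
//   - if the client cannot be created because the MSI was deleted, log it and
//     return nil so that cluster deletion can proceed;
//   - any other failure (client creation, or the MI RP failing a delete) is
//     returned so that the caller errors out instead of silently continuing.
func DeleteFederatedCredentials(ctx context.Context, newClient NewClientFunc, identityResourceID string, credNames []string, logf func(string, ...any)) error {
	client, err := newClient(ctx)
	if err != nil {
		if errors.Is(err, ErrClusterMSINotFound) {
			logf("cluster MSI no longer exists; skipping federated credential deletion: %v", err)
			return nil
		}
		return fmt.Errorf("creating federated credential client: %w", err)
	}
	for _, name := range credNames {
		logf("deleting federated credential %q on %s", name, identityResourceID)
		if err := client.Delete(ctx, identityResourceID, name); err != nil {
			// A service-side failure is not the customer's doing: fail the operation.
			return fmt.Errorf("deleting federated credential %q: %w", name, err)
		}
	}
	return nil
}

// fakeClient is a constructed in-memory client used to exercise the policy.
// It records successful deletions and fails on one chosen credential name.
type fakeClient struct {
	deleted []string
	failOn  string
}

func (f *fakeClient) Delete(_ context.Context, _ string, name string) error {
	if name == f.failOn {
		return errors.New("MI RP returned an internal server error")
	}
	f.deleted = append(f.deleted, name)
	return nil
}

func main() {
	ctx := context.Background()
	const msiID = "example-cluster-msi-resource-id" // constructed placeholder

	// Scenario 1: the MSI is gone, so deletion is skipped rather than failed.
	gone := func(context.Context) (FedCredClient, error) { return nil, ErrClusterMSINotFound }
	fmt.Println("MSI deleted ->", DeleteFederatedCredentials(ctx, gone, msiID, []string{"cred-1"}, log.Printf))

	// Scenario 2: the MI RP fails on the second credential; this surfaces as an error.
	fc := &fakeClient{failOn: "cred-2"}
	have := func(context.Context) (FedCredClient, error) { return fc, nil }
	fmt.Println("MI RP failure ->", DeleteFederatedCredentials(ctx, have, msiID, []string{"cred-1", "cred-2"}, log.Printf))
}
```

The distinction rests on the constructor returning a sentinel that callers can match with `errors.Is`; a generic string check would also swallow unrelated client-initialization failures such as token acquisition errors, which the comment argues should still fail the deletion.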
This PR should be rebased on latest master, as the merge of this PR will introduce some duplicated resources into pkg/cluster/deploybaseresources.go that will need to be manually removed.
bring in more changes from master
typos
add len check for federated Identity naming
don't return cluster ID when OIDC issuer is nil
skip RBAC on CSP for WI cluster
check for invalid object ID before RBAC template creation
single quote when passing resource Name
check for nil clusterMsiFederatedIdentityCredentials
remove unused controller
ensure the case folding of cluster MSI resourceID
Fed Cred name logic
update calls to fetch fed cred name
No RBAC for Cluster MSI
update getPlatformWorkloadIdentityFederatedCredName
fix WI RG RBAC
define constants to improve readability
correct the call to resourceGroupRoleAssignmentWithDetails
Move fed cred deletion to be before cluster MSI cert deletion and add a log statement for fed cred deletion
Rename function for clarity and to match name of unit test function
Nitpick test case names for clarity and test data for correctness
7396b81 to 820270c
rebased
…yment; should be resolved in #3847 before it merges
/azp run
Azure Pipelines successfully started running 2 pipeline(s).
One last quick question before we merge with the understanding that some of the other outstanding feedback can be addressed in a follow-up PR.
/azp run ci
Azure Pipelines successfully started running 1 pipeline(s).
Yup, I think once we come to a conclusion about how the Fed Cred Deletion should work, we should work that under a new JIRA item.
LGTM with the understanding that we can finalize the mock client issue and the fed cred deletion issue in a follow-up conversation/PR.
/azp run ci
Azure Pipelines successfully started running 1 pipeline(s).
Which issue this PR addresses:
Fixes: https://issues.redhat.com/browse/ARO-4375
What this PR does / why we need it:
This PR performs the following:
PlatformWorkloadIdentityRoleSetProperties.PlatformWorkloadIdentityRole.RoleDefinitionID
.FederatedIdentityCredentials for each customer provided Platform Workload Identities during cluster install/create, for each Service accounts in PlatformWorkloadIdentityRoleSetProperties.PlatformWorkloadIdentityRole.ServiceAccounts
.FederatedIdentityCredentials for each customer provided Platform Workload Identities that were created, during cluster delete.
Test plan for issue:
Is there any documentation that needs to be updated for this PR?
No
How do you know this will function as expected in production?