Create and populate OIDC blob store for the cluster

[rajdeepc2792]

Which issue this PR addresses:

Jira issue :- ARO-4373
Related Docs:-
https://msazure.visualstudio.com/AzureRedHatOpenShift/_wiki/wikis/AzureRedHatOpenShift.wiki/603739/OIDC-Traffic-Flow
Similar Implementation:-
https://gitlab.cee.redhat.com/service/uhc-clusters-service/-/tree/master/pkg/aws/cloudcredentialbuilder

What this PR does / why we need it:

• The RP needs to generate a keypair
• The private key needs to be stored in cosmos, It needs to be encrypted if it's stored in cosmos
• The private key will be passed to the installer-aro-wrapper via a secret as part of the existing cluster document in CosmosDB(Not implemented here)
• Set / populate OIDC issuerURL in the internal API
• The RP should generate OIDC docs
• Should populate them in regional storage accounts
• The OIDC doc needs to be resolvable through the regional AFD instances and should follow a hashing pattern

Test plan for issue:

• Unit Tests
• CI
• CI e2e
• Local cluster installation
• INT Deployment / e2e

Is there any documentation that needs to be updated for this PR?

• Doc for setting up the full RP. (Part of the PR)

How do you know this will function as expected in production?

Testing the implementation in all the environments.

[rajdeepc2792]

/azp run ci,e2e

[azure-pipelines]

Azure Pipelines successfully started running 2 pipeline(s).

[cadenmarchese]

not a full review, just a few questions as you're working through the draft and testing. looks great!

[github-actions]

Please rebase pull request.

[rajdeepc2792]

/azp run e2e

[azure-pipelines]

Pull request contains merge conflicts.

[bennerv]

we're not going to populate this on older clusters, correct? So this field should only be set on WI clusters?

[rajdeepc2792]

Yes this value will only be generated and populated for MIWI clusters as part of OIDC blob creations for the clusters.

[bennerv]

Do you want to make it a pointer then?

[rajdeepc2792]

Changed it SecureBytes now.

[bennerv]

is this the bit size & recommendation of OpenShift for SA private keys?

[rajdeepc2792]

Creation of jwks is mostly copied from Cloud-credential-operator same as ROSA STS

[niontive]

4096 should be ok for FIPS compliance as well: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Br2.pdf

[niontive]

Also - would it be possible to have the cloud credential operator folks publish functions for generating key pairs, so that way ROSA and ARO can consume those directly instead of repeating the same code?

[cadenmarchese]

@niontive they do actually: https://github.com/openshift/cloud-credential-operator/blob/master/docs/ccoctl.md#creating-rsa-keys-1 It's a CLI tool though, it's a bit different for us since we own the OIDC stuff.

[github-actions]

Please rebase pull request.

[rajdeepc2792]

/azp run ci

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[niontive]

My main concern is we'll have to maintain the storage account name in two separate places. Ex: https://msazure.visualstudio.com/AzureRedHatOpenShift/_git/ARO-Pipelines?path=/rp/oidc/Region/Templates/modules/storage.bicep

Would you be good if we:

• Define the storage account names in rp-config
• Have ARO-Pipelines and ARO-RP consume that name from rp-config

[niontive]

cc @gouthamMN

[rajdeepc2792]

Thanks Nic for raising this, I agree and back your idea for the consistency. It was hard anyways to get the container naming using the assumption present in the function.
Although I would like to get the consensus on the this.
cc: @cadenmarchese

[rajdeepc2792]

As per discussion, this is going to be handle as a separate issue after the PR is merged. I will post the Jira story for the same here when created.

[niontive]

Looks like Square deprecated this and it's maintained here now: https://github.com/go-jose/go-jose/blob/main/go.mod

[rajdeepc2792]

Avoided the direct dependency on square but the github.com/coreos/go-oidc still uses it indirectly.

[rajdeepc2792]

/azp run e2e

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[bennerv]

why pass sub & _env if they're both part of env?

[rajdeepc2792]

Changed it to rpBlob, err := azblob.NewManager(_env.Environment(), _env.SubscriptionID(), msiCredential)
Haven't passed _env directly as there can be a use case where different SubscriptionID is needed.

[github-actions]

Please rebase pull request.

[rajdeepc2792]

/azp run ci,e2e

[azure-pipelines]

Azure Pipelines successfully started running 2 pipeline(s).

[kimorris27]

Nice work! I just made some small suggestions here and there.

[kimorris27]

Super nitpicky: avaialbility -> availability

[kimorris27]

I think you can simplify this by removing needToCreateBlobContainer and returning nil on this line.

[kimorris27]

Is this being used? I couldn't find any references to it. Could it be removed?

[kimorris27]

You could consider adding two more test cases:

• Fail to create OIDCBuilder
• OIDCBuilder fails to populate OIDC blob

[kimorris27]

I would reword this comment for clarity's sake. IIUC what's happening here is that the keypair has already been generated and you are simply putting the public key data into a byte array.

Suggested change

	// Generate public key from private keypair
	// Serialize public key into a byte array to prepare to store it in the OIDC storage blob

[kimorris27]

Suggested change

	return nil, nil, errors.Wrapf(err, "failed to generate public key from private")
	return nil, nil, errors.Wrapf(err, "failed to serialize public key")

See my comment a few lines above this for the reasoning behind this suggestion.

[kimorris27]

You could consider adding a few more test cases here to cover some other ways in which the code could fail:

• Public key is not of type RSA (the default case in the switch)
• Failed to fetch key ID from public key
• JSON encoding of web key set failed (if you can - I'm not sure if you can easily test this)