Enable workload identity on workload clusters #4462

Open
CecileRobertMichon opened this issue Jan 16, 2024 · 2 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.

Comments

@CecileRobertMichon
Contributor

/kind feature

Describe the solution you'd like
[A clear and concise description of what you want to happen.]

Today we allow users to configure workload identity on management clusters to be used by CAPZ to authenticate to Azure. The next step would be to automate configuring workload identity on workload clusters so it can be used by critical cluster components such as cloud-provider-azure.

Steps:

  • Enable cluster for workload identity
    • Create a storage account
    • Upload 2 documents: discovery doc and JWKS (public signing key) to storage account
    • Configure issuer URL in apiserver flags (need to figure out how to do this; maybe make it deterministic, or read the URL from the user-defined URL)
  • Add the right FIC for cloud-provider to use (and storage drivers?)
  • Configure cloud-provider-azure to use Workload Identity

Notes:

  • If the issuer URL changes it might cause some pain to application developers
  • There should be a way to rotate the secret in the storage account
  • Users should use their own identity for workloads deployed to the cluster, NOT the cluster wide identity CAPZ creates for critical components

Environment:

  • cluster-api-provider-azure version:
  • Kubernetes version: (use kubectl version):
  • OS (e.g. from /etc/os-release):
@k8s-ci-robot k8s-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Jan 16, 2024
@dtzar dtzar added priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Mar 9, 2024
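The "enable cluster for workload identity" steps above come down to publishing two documents that match what kube-apiserver signs with. The Go program below is an added illustration, not CAPZ code or anything from this issue: it builds the OIDC discovery document and the JWKS for an issuer URL, derives the JWK `kid` the way kube-apiserver does for service account keys (unpadded base64url of SHA-256 over the DER-encoded public key), and lists the matching `--service-account-issuer` / `--service-account-jwks-uri` flags. It also takes more than one public key, which is what the "rotate the secret" note needs: publishing the old and new signing keys side by side until tokens signed by the old key have expired. The issuer URL, the storage account name and the freshly generated key are constructed placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// DiscoveryDoc is the OpenID Provider configuration served at
// <issuer>/.well-known/openid-configuration; Azure AD reads it to find the JWKS.
type DiscoveryDoc struct {
	Issuer                           string   `json:"issuer"`
	JWKSURI                          string   `json:"jwks_uri"`
	ResponseTypesSupported           []string `json:"response_types_supported"`
	SubjectTypesSupported            []string `json:"subject_types_supported"`
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported"`
}

// JWK is one RSA public signing key; only public material is ever published.
type JWK struct {
	Use string `json:"use"`
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	Alg string `json:"alg"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// JWKS is the key set served at <issuer>/openid/v1/jwks.
type JWKS struct {
	Keys []JWK `json:"keys"`
}

// KeyID derives the "kid" the way kube-apiserver does for service account signing
// keys: unpadded base64url of SHA-256 over the DER SubjectPublicKeyInfo. A JWKS
// entry whose kid differs from the token header's kid is never selected.
func KeyID(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return base64.RawURLEncoding.EncodeToString(sum[:]), nil
}

// NewDiscoveryDoc builds the discovery document for the issuer URL that is also
// passed to kube-apiserver as --service-account-issuer.
func NewDiscoveryDoc(issuer string) DiscoveryDoc {
	return DiscoveryDoc{
		Issuer:                           issuer,
		JWKSURI:                          issuer + "/openid/v1/jwks",
		ResponseTypesSupported:           []string{"id_token"},
		SubjectTypesSupported:            []string{"public"},
		IDTokenSigningAlgValuesSupported: []string{"RS256"},
	}
}

// NewJWKS publishes every given public key. During a rotation the set carries
// both the old and the new key so tokens signed by either still verify.
func NewJWKS(pubs ...*rsa.PublicKey) (JWKS, error) {
	set := JWKS{Keys: []JWK{}}
	for _, pub := range pubs {
		kid, err := KeyID(pub)
		if err != nil {
			return JWKS{}, err
		}
		set.Keys = append(set.Keys, JWK{
			Use: "sig", Kty: "RSA", Kid: kid, Alg: "RS256",
			N: base64.RawURLEncoding.EncodeToString(pub.N.Bytes()),
			E: base64.RawURLEncoding.EncodeToString(big.NewInt(int64(pub.E)).Bytes()),
		})
	}
	return set, nil
}

// APIServerFlags returns the kube-apiserver flags that make issued tokens
// match the published issuer and key set.
func APIServerFlags(issuer string) []string {
	return []string{
		"--service-account-issuer=" + issuer,
		"--service-account-jwks-uri=" + issuer + "/openid/v1/jwks",
	}
}

func main() {
	// Constructed: a fresh key stands in for the cluster's signing key, and the
	// issuer is a placeholder blob-storage URL of the kind the issue describes.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	issuer := "https://examplestorageacct.blob.core.windows.net/oidc"
	doc, _ := json.MarshalIndent(NewDiscoveryDoc(issuer), "", "  ")
	set, _ := NewJWKS(&key.PublicKey)
	keys, _ := json.MarshalIndent(set, "", "  ")
	fmt.Println(string(doc), "\n", string(keys), "\n", APIServerFlags(issuer))
}
```

The two JSON documents are what would be uploaded to the storage account at the `.well-known/openid-configuration` and `openid/v1/jwks` paths under the issuer URL; the issuer in the discovery document must be byte-for-byte identical to the `--service-account-issuer` value, which is the part of the note about changing the issuer URL that bites application developers.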
@dtzar
Contributor

dtzar commented May 30, 2024

Recommend we close this with some reference comment with #4763

@jackfrancis
Contributor

I think the part about configuring cloud-provider-azure is still TODO. We could change the title to reflect that specific need and put this on the backlog.
