
#!/usr/bin/env python
import json
import pandas as pd
import sys
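# The first (and only) CLI argument is the path to the activity JSON log.
# Fail with a usage message instead of an IndexError traceback when it is
# missing.
if len(sys.argv) < 2:
    sys.exit("usage: %s <activity-json-log>" % sys.argv[0])

# A context manager closes the handle even if json.load() raises; the
# original open()/close() pair leaked the descriptor on a parse error.
# Note: json.load() reads the whole file into memory, so a very large log
# will be held entirely in RAM.
with open(sys.argv[1]) as f:
    data = json.load(f)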

Proof of Concept: Azure Managed Identity && Federated Credentials for OpenShift Operators

In this proof of concept, we will configure an Azure-based OpenShift cluster to generate bound service account tokens that can be trusted by, and used to authenticate to, Azure API services.

To begin, we need an existing Azure-based OpenShift cluster.

We will then:

  • Extract the public half of the cluster's ServiceAccount signing keypair, which will be used to generate the OIDC discovery and JSON Web Key Set (JWKS) documents. Only the public key leaves the cluster; the private signing key stays where it is.
  • Create an Azure blob storage container and upload the OIDC discovery and JWKS documents. Because this container is served publicly, restrict write access to it tightly: whoever can replace the JWKS document controls which tokens Azure will trust.
  • Configure cluster authentication with a serviceAccountIssuer set to the publicly available Azure blob container endpoint URL.
  • Create a User-Assigned Managed Identity (MI) for the cluster-ingress-operator.
apiVersion: apps/v1
kind: Deployment
metadata:
name: ingress-operator
namespace: openshift-ingress-operator
annotations:
config.openshift.io/inject-proxy: ingress-operator
include.release.openshift.io/self-managed-high-availability: "true"
include.release.openshift.io/single-node-developer: "true"
spec:
apiVersion: machine.openshift.io/v1beta1
kind: MachineSet
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"machine.openshift.io/v1beta1","kind":"MachineSet","metadata":{"annotations":{},"name":"team-czcpt-worker-us-east-1a-2","namespace":"openshift-machine-api"},"spec":{"replicas":1,"selector":{"matchLabels":{"machine.openshift.io/cluster-api-cluster":"team-czcpt","machine.openshift.io/cluster-api-machineset":"team-czcpt-worker-us-east-1a-2"}},"template":{"metadata":{"labels":{"machine.openshift.io/cluster-api-cluster":"team-czcpt","machine.openshift.io/cluster-api-machine-role":"worker","machine.openshift.io/cluster-api-machine-type":"worker","machine.openshift.io/cluster-api-machineset":"team-czcpt-worker-us-east-1a-2"}},"spec":{"metadata":{},"providerSpec":{"value":{"ami":{"id":"ami-03d1c2cba04df838c"},"apiVersion":"machineapi.openshift.io/v1beta1","blockDevices":[{"ebs":{"encrypted":true,"iops":0,"kmsKey":{"arn":""},"volumeSize":120,"volumeType":"gp2"}}
time="2021-04-06T15:38:24.042Z" level=info msg="reconciling ClusterDeployment" clusterDeployment=default/abutcher controller=clustersync reconcileID=dm7tqk2s
time="2021-04-06T15:38:24.043Z" level=debug msg="Getting statefulset" clusterDeployment=default/abutcher controller=clustersync reconcileID=dm7tqk2s
time="2021-04-06T15:38:24.043Z" level=debug msg="Ensuring replicas is set" clusterDeployment=default/abutcher controller=clustersync reconcileID=dm7tqk2s
time="2021-04-06T15:38:24.043Z" level=debug msg="Getting uid for hashing" clusterDeployment=default/abutcher controller=clustersync reconcileID=dm7tqk2s
time="2021-04-06T15:38:24.043Z" level=debug msg="hexUID: 56db3ef7f5464778a0f642d5dd4ab79d" clusterDeployment=default/abutcher controller=clustersync reconcileID=dm7tqk2s
time="2021-04-06T15:38:24.043Z" level=debug msg="calculating replicas" clusterDeployment=default/abutcher controller=clustersync reconcileID=dm7tqk2s
time="2021-04-06T15:38:24.043Z" level=debug msg="determining who is assigned to sync this
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"name":"hive-admin","ownerReferences":[{"apiVersion":"hive.openshift.io/v1","blockOwnerDeletion":true,"kind":"HiveConfig","name":"hive","uid":"026966f0-4da1-428a-a96c-5bc1da082e7d"}]},"rules":[{"apiGroups":["batch"],"resources":["jobs"],"verbs":["get","list","watch"]},{"apiGroups":[""],"resources":["pods","pods/log"],"verbs":["get","list","watch"]},{"apiGroups":["hive.openshift.io"],"resources":["clusterdeployments","clusterprovisions","dnszones","machinepools","machinepoolnameleases","selectorsyncidentityproviders","syncidentityproviders","syncsets","syncsetinstances","clusterdeprovisions","clusterdeprovisionrequests","clusterstates"],"verbs":["get","list","watch"]},{"apiGroups":["hive.openshift.io"],"resources":["clusterimagesets","hiveconfigs","selectorsyncsets","select
func TestAllSyncSetsAppliedDuration(t *testing.T) {
apis.AddToScheme(scheme.Scheme)
now := metav1.Now()
cd := testClusterDeployment()
cdInstalledTimestamp := metav1.NewTime(now.Add(-time.Hour * 1))
cd.Status.InstalledTimestamp = &cdInstalledTimestamp
ss := testMatchingSyncSet
diff --git pkg/clusterresource/ovirt.go pkg/clusterresource/ovirt.go
index f73ea05c..e4604d09 100644
--- pkg/clusterresource/ovirt.go
+++ pkg/clusterresource/ovirt.go
@@ -90,7 +90,17 @@ func (p *OvirtCloudBuilder) addClusterDeploymentPlatform(o *Builder, cd *hivev1.
}
func (p *OvirtCloudBuilder) addMachinePoolPlatform(o *Builder, mp *hivev1.MachinePool) {
- mp.Spec.Platform.Ovirt = &hivev1ovirt.MachinePool{}
+ mp.Spec.Platform.Ovirt = &hivev1ovirt.MachinePool{
hive (master)  make
gofmt -w -s pkg contrib
go vet -mod=vendor ./pkg/... ./cmd/... ./contrib/...
cd v1alpha1apiserver && go vet -mod=vendor ./cmd/... ./pkg/...
/home/abutcher/go/src/github.com/openshift/hive/v1alpha1apiserver
go install -mod=vendor k8s.io/code-generator/cmd/deepcopy-gen
go install -mod=vendor k8s.io/code-generator/cmd/conversion-gen
go install -mod=vendor k8s.io/code-generator/cmd/defaulter-gen
go install -mod=vendor k8s.io/code-generator/cmd/client-gen
go install -mod=vendor sigs.k8s.io/controller-tools/cmd/controller-gen
1a0d293a - (HEAD -> syncset-errors) vendor tmp (17 hours ago) <Andrew Butcher>
diff --git go.sum go.sum
index 104f1381..f1c9433b 100644
--- go.sum
+++ go.sum
@@ -71,7 +71,6 @@ github.com/Azure/go-autorest/autorest/date v0.2.0 h1:yW+Zlqf26583pE43KhfnhFcdmSW
github.com/Azure/go-autorest/autorest/date v0.2.0/go.mod h1:vcORJHLJEh643/Ioh9+vPmf1Ij9AEBM5FuBIXLmIy0g=
github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
-github.com/Azure/go-autorest/autorest/mocks v0.3.0 h1:qJumjCaCudz+OcqE9/XtEPfvtOjOmKaui4EOpFI6zZc=