Andrew Butcher abutcher

  • Red Hat
  • Raleigh, NC
View azure-managed-identity-poc.md

Proof of Concept: Azure Managed Identity && Federated Credentials for OpenShift Operators

In this proof of concept, we will configure an Azure-based OpenShift cluster to generate bound service account tokens that can be trusted by, and used to authenticate to, Azure API services.

To begin, we need an existing Azure based OpenShift cluster.

We will then,

  • Extract the cluster's ServiceAccount public signing key which will be used to generate OIDC discovery and JSON Web Key Set (JWKS) documents.
  • Create an Azure blob storage container and upload the OIDC discovery and JWKS documents.
  • Configure cluster authentication with a serviceAccountIssuer set to the publicly available Azure blob container endpoint URL.
  • Create a User-Assigned Managed Identity (MI) for the cluster-ingress-operator.
View 02-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: ingress-operator
namespace: openshift-ingress-operator
annotations:
config.openshift.io/inject-proxy: ingress-operator
include.release.openshift.io/self-managed-high-availability: "true"
include.release.openshift.io/single-node-developer: "true"
spec:
View team-czcpt-worker-us-east-1a-2 with machineapi.openshift.io v1beta1
apiVersion: machine.openshift.io/v1beta1
kind: MachineSet
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"machine.openshift.io/v1beta1","kind":"MachineSet","metadata":{"annotations":{},"name":"team-czcpt-worker-us-east-1a-2","namespace":"openshift-machine-api"},"spec":{"replicas":1,"selector":{"matchLabels":{"machine.openshift.io/cluster-api-cluster":"team-czcpt","machine.openshift.io/cluster-api-machineset":"team-czcpt-worker-us-east-1a-2"}},"template":{"metadata":{"labels":{"machine.openshift.io/cluster-api-cluster":"team-czcpt","machine.openshift.io/cluster-api-machine-role":"worker","machine.openshift.io/cluster-api-machine-type":"worker","machine.openshift.io/cluster-api-machineset":"team-czcpt-worker-us-east-1a-2"}},"spec":{"metadata":{},"providerSpec":{"value":{"ami":{"id":"ami-03d1c2cba04df838c"},"apiVersion":"machineapi.openshift.io/v1beta1","blockDevices":[{"ebs":{"encrypted":true,"iops":0,"kmsKey":{"arn":""},"volumeSize":120,"volumeType":"gp2"}}
View clustersync.log
time="2021-04-06T15:38:24.042Z" level=info msg="reconciling ClusterDeployment" clusterDeployment=default/abutcher controller=clustersync reconcileID=dm7tqk2s
time="2021-04-06T15:38:24.043Z" level=debug msg="Getting statefulset" clusterDeployment=default/abutcher controller=clustersync reconcileID=dm7tqk2s
time="2021-04-06T15:38:24.043Z" level=debug msg="Ensuring replicas is set" clusterDeployment=default/abutcher controller=clustersync reconcileID=dm7tqk2s
time="2021-04-06T15:38:24.043Z" level=debug msg="Getting uid for hashing" clusterDeployment=default/abutcher controller=clustersync reconcileID=dm7tqk2s
time="2021-04-06T15:38:24.043Z" level=debug msg="hexUID: 56db3ef7f5464778a0f642d5dd4ab79d" clusterDeployment=default/abutcher controller=clustersync reconcileID=dm7tqk2s
time="2021-04-06T15:38:24.043Z" level=debug msg="calculating replicas" clusterDeployment=default/abutcher controller=clustersync reconcileID=dm7tqk2s
time="2021-04-06T15:38:24.043Z" level=debug msg="determining who is assigned to sync this
View gist:955c0bfb9d0617a81daf1e05bb416337
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"name":"hive-admin","ownerReferences":[{"apiVersion":"hive.openshift.io/v1","blockOwnerDeletion":true,"kind":"HiveConfig","name":"hive","uid":"026966f0-4da1-428a-a96c-5bc1da082e7d"}]},"rules":[{"apiGroups":["batch"],"resources":["jobs"],"verbs":["get","list","watch"]},{"apiGroups":[""],"resources":["pods","pods/log"],"verbs":["get","list","watch"]},{"apiGroups":["hive.openshift.io"],"resources":["clusterdeployments","clusterprovisions","dnszones","machinepools","machinepoolnameleases","selectorsyncidentityproviders","syncidentityproviders","syncsets","syncsetinstances","clusterdeprovisions","clusterdeprovisionrequests","clusterstates"],"verbs":["get","list","watch"]},{"apiGroups":["hive.openshift.io"],"resources":["clusterimagesets","hiveconfigs","selectorsyncsets","select
View test.go
func TestAllSyncSetsAppliedDuration(t *testing.T) {
apis.AddToScheme(scheme.Scheme)
now := metav1.Now()
cd := testClusterDeployment()
cdInstalledTimestamp := metav1.NewTime(now.Add(-time.Hour * 1))
cd.Status.InstalledTimestamp = &cdInstalledTimestamp
ss := testMatchingSyncSet
View ovirt.diff
diff --git pkg/clusterresource/ovirt.go pkg/clusterresource/ovirt.go
index f73ea05c..e4604d09 100644
--- pkg/clusterresource/ovirt.go
+++ pkg/clusterresource/ovirt.go
@@ -90,7 +90,17 @@ func (p *OvirtCloudBuilder) addClusterDeploymentPlatform(o *Builder, cd *hivev1.
}
func (p *OvirtCloudBuilder) addMachinePoolPlatform(o *Builder, mp *hivev1.MachinePool) {
- mp.Spec.Platform.Ovirt = &hivev1ovirt.MachinePool{}
+ mp.Spec.Platform.Ovirt = &hivev1ovirt.MachinePool{
View make
hive (master)  make
gofmt -w -s pkg contrib
go vet -mod=vendor ./pkg/... ./cmd/... ./contrib/...
cd v1alpha1apiserver && go vet -mod=vendor ./cmd/... ./pkg/...
/home/abutcher/go/src/github.com/openshift/hive/v1alpha1apiserver
go install -mod=vendor k8s.io/code-generator/cmd/deepcopy-gen
go install -mod=vendor k8s.io/code-generator/cmd/conversion-gen
go install -mod=vendor k8s.io/code-generator/cmd/defaulter-gen
go install -mod=vendor k8s.io/code-generator/cmd/client-gen
go install -mod=vendor sigs.k8s.io/controller-tools/cmd/controller-gen
View nonsense.diff
1a0d293a - (HEAD -> syncset-errors) vendor tmp (17 hours ago) <Andrew Butcher>
diff --git go.sum go.sum
index 104f1381..f1c9433b 100644
--- go.sum
+++ go.sum
@@ -71,7 +71,6 @@ github.com/Azure/go-autorest/autorest/date v0.2.0 h1:yW+Zlqf26583pE43KhfnhFcdmSW
github.com/Azure/go-autorest/autorest/date v0.2.0/go.mod h1:vcORJHLJEh643/Ioh9+vPmf1Ij9AEBM5FuBIXLmIy0g=
github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
-github.com/Azure/go-autorest/autorest/mocks v0.3.0 h1:qJumjCaCudz+OcqE9/XtEPfvtOjOmKaui4EOpFI6zZc=
View gist:387ed348524a1576449bd35fa3895b06
➜ hive (syncset-errors) ✗ make test
go install -mod=vendor k8s.io/code-generator/cmd/deepcopy-gen
go install -mod=vendor k8s.io/code-generator/cmd/conversion-gen
go install -mod=vendor k8s.io/code-generator/cmd/defaulter-gen
go install -mod=vendor k8s.io/code-generator/cmd/client-gen
go install -mod=vendor sigs.k8s.io/controller-tools/cmd/controller-gen
go install -mod=vendor github.com/jteeuwen/go-bindata/go-bindata
go install -mod=vendor github.com/golang/mock/mockgen
go install -mod=vendor golang.org/x/lint/golint
go install -mod=vendor github.com/golangci/golangci-lint/cmd/golangci-lint