In this proof of concept, we will configure an Azure-based OpenShift cluster to generate bound service account tokens that Azure API services can trust and that workloads can use to authenticate to them.
To begin, we need an existing Azure-based OpenShift cluster.
We will then:
- Extract the cluster's ServiceAccount public signing key which will be used to generate OIDC discovery and JSON Web Key Set (JWKS) documents.
- Create an Azure blob storage container and upload the OIDC discovery and JWKS documents.
- Configure cluster authentication with a `serviceAccountIssuer` set to the publicly available Azure blob container endpoint URL.
- Create a User-Assigned Managed Identity (MI) for the cluster-ingress-operator.
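The first two steps above produce two static documents that Azure will fetch from the blob container: the OIDC discovery document at `.well-known/openid-configuration` and the JWKS it points to. The following is an added example (not code from the original page or from OpenShift/Azure) showing how those documents are derived from the cluster's ServiceAccount public signing key using only the Python standard library. It parses the PEM `SubjectPublicKeyInfo` with a small DER reader, derives the `kid` as base64url(SHA-256(DER)) (the derivation Kubernetes itself uses for its service-account JWKS), and emits the two JSON documents. Only the public half of the signing key ever leaves the cluster, which is why the container can be world-readable. The issuer URL, the `openid/v1/jwks` upload path and the sample key are assumptions constructed for the example; in practice you would read the PEM the cluster exports instead of calling `make_sample_pem`.

```python
"""Derive OIDC discovery + JWKS documents from a ServiceAccount public signing key."""
import base64
import hashlib
import json
import re

# OID 1.2.840.113549.1.1.1 (rsaEncryption), DER-encoded content octets
RSA_OID = bytes.fromhex("2a864886f70d010101")
# Assumed issuer: the public blob container URL used as serviceAccountIssuer
ISSUER = "https://example.blob.core.windows.net/oidc"


def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and whitespace, return the DER bytes."""
    return base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(der: bytes):
    """Extract (n, e) from a DER SubjectPublicKeyInfo carrying an RSA key."""
    tag, spki, _ = _read_tlv(der, 0)
    assert tag == 0x30, "expected SubjectPublicKeyInfo SEQUENCE"
    tag, alg, pos = _read_tlv(spki, 0)           # AlgorithmIdentifier
    oid_tag, oid, _ = _read_tlv(alg, 0)
    assert tag == 0x30 and oid_tag == 0x06 and oid == RSA_OID, "not rsaEncryption"
    tag, bitstr, _ = _read_tlv(spki, pos)        # subjectPublicKey BIT STRING
    assert tag == 0x03 and bitstr[0] == 0, "unexpected unused bits"
    _, rsapub, _ = _read_tlv(bitstr, 1)          # RSAPublicKey SEQUENCE
    tag, n_bytes, pos = _read_tlv(rsapub, 0)
    assert tag == 0x02
    tag, e_bytes, _ = _read_tlv(rsapub, pos)
    assert tag == 0x02
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _int_to_b64url(i: int) -> str:
    return b64url(i.to_bytes((i.bit_length() + 7) // 8, "big"))


def key_id(der: bytes) -> str:
    """kid = base64url(SHA-256(DER SPKI)), as Kubernetes derives it."""
    return b64url(hashlib.sha256(der).digest())


def build_jwks(pem: str) -> dict:
    der = pem_to_der(pem)
    n, e = parse_rsa_spki(der)
    return {"keys": [{"use": "sig", "kty": "RSA", "kid": key_id(der),
                      "alg": "RS256", "n": _int_to_b64url(n), "e": _int_to_b64url(e)}]}


def build_discovery(issuer: str) -> dict:
    """Discovery document; jwks_uri must match where the JWKS is uploaded (assumed path)."""
    return {"issuer": issuer,
            "jwks_uri": issuer.rstrip("/") + "/openid/v1/jwks",
            "response_types_supported": ["id_token"],
            "subject_types_supported": ["public"],
            "id_token_signing_alg_values_supported": ["RS256"]}


# --- constructed sample input (not a real key); a cluster export replaces this ---
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_int(i: int) -> bytes:
    b = i.to_bytes((i.bit_length() + 7) // 8, "big")
    return _der(0x02, (b"\x00" + b) if b[0] & 0x80 else b)  # keep positive


def make_sample_pem(n: int, e: int) -> str:
    rsapub = _der(0x30, _der_int(n) + _der_int(e))
    alg = _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00")
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsapub))
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


SAMPLE_N = int("E5" * 256, 16)  # arbitrary 2048-bit value, not a real modulus
SAMPLE_E = 65537

if __name__ == "__main__":
    pem = make_sample_pem(SAMPLE_N, SAMPLE_E)   # e.g. open("serviceaccount-signer.public").read()
    print(json.dumps(build_discovery(ISSUER), indent=2))  # -> .well-known/openid-configuration
    print(json.dumps(build_jwks(pem), indent=2))          # -> openid/v1/jwks
```

Upload the discovery output as `.well-known/openid-configuration` and the JWKS at exactly the path named in `jwks_uri`; after rotating the signing key, regenerate and re-upload the JWKS before tokens signed with the new key are presented to Azure, or they will fail validation.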