Azure passthrough docs #435
Conversation
openshift-ci
bot
added
the
approved
|
wait for #433 to merge |
openshift-ci
bot
added
the
do-not-merge/hold
|
LGTM! /label docs-approved |
|
oops I think my approval might need to be on a new line? |
openshift-ci
bot
added
the
docs-approved
docs/azure-mint-mod-removal.md
Outdated
|
|
||
| For a cluster previously installed/running in Mint mode, CCO will update existing Secrets containing the credentials of previously minted App Registrations/Service Principals with the contents of the Secret kube-system/azure-credentials (normally containing the credentials used during installation). It is required that the permissions associated with the credentials in this Secret be sufficient to be used by all in-cluster components needing to interact with Azure APIs. | ||
|
|
||
| CCO will also try to clean up previously minted App Registrations/Service Principals while the Azure AD Graph API is still functional. If the cluster is upgraded to a version of OpenShift that no longer supports Mint mode after the Azure AD Graph API is sunset, CCO will set a condition on the associated CredentialsRequest and will not treat the error as fatal. Cleanup after the Azure AD Graph API is sunset will require manual intervention to remove the App Registrations/Service Principals that are no longer necessary. |
There was a problem hiding this comment.
Do we want to mention the name of the condition that CCO will set?
There was a problem hiding this comment.
That would be nice esp. if it could help troubleshoot/manual clean up if needed (not sure if that's the case)
There was a problem hiding this comment.
I put the name of the condition and an example of the kind of message that would be associated with that condition.
docs/azure-mint-mod-removal.md
Outdated
|
|
||
| ## Future | ||
|
|
||
| Rather than re-implement support for Mint mode using the new [Microsoft Graph API](https://docs.microsoft.com/en-us/graph/sdks/create-requests?tabs=Go), the intention is to support Azure federated OpenID identities along with pod/workload identity as the prefered in-cluster credentials/authentication mode if/when Azure releases support for this feature. |
There was a problem hiding this comment.
| Rather than re-implement support for Mint mode using the new [Microsoft Graph API](https://docs.microsoft.com/en-us/graph/sdks/create-requests?tabs=Go), the intention is to support Azure federated OpenID identities along with pod/workload identity as the prefered in-cluster credentials/authentication mode if/when Azure releases support for this feature. | |
| Rather than re-implement support for Mint mode using the new [Microsoft Graph API](https://docs.microsoft.com/en-us/graph/sdks/create-requests?tabs=Go), the intention is to support Azure federated OpenID identities along with pod/workload identity as the preferred in-cluster credentials/authentication mode if/when Azure releases support for this feature. |
joelddiaz
force-pushed
the
azure-passthrough-docs
branch
from
0979707 to
081cc80
Compare
Codecov Report
@@ Coverage Diff @@
## master #435 +/- ##
=======================================
Coverage 46.17% 46.17%
=======================================
Files 91 91
Lines 9236 9236
=======================================
Hits 4265 4265
Misses 4455 4455
Partials 516 516 |
|
#433 merged |
openshift-ci
bot
removed
the
do-not-merge/hold
joelddiaz
force-pushed
the
azure-passthrough-docs
branch
from
081cc80 to
5eebd6d
Compare
|
/label qe-approved |
openshift-ci
bot
added
the
qe-approved
joelddiaz
force-pushed
the
azure-passthrough-docs
branch
from
5eebd6d to
78b398f
Compare
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: akhil-rane, joelddiaz The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
4 similar comments
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
19 similar comments
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/override e2e-azure-upgrade |
|
@joelddiaz: /override requires a failed status context or a job name to operate on.
Only the following contexts were expected:
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/override ci/prow/e2e-azure-upgrade |
|
@joelddiaz: Overrode contexts on behalf of joelddiaz: ci/prow/e2e-azure-upgrade DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@joelddiaz: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/label px-approved |
openshift-ci
bot
added
the
px-approved
Azure passthrough docs
7 participants
Update docs to reflect removed support for Azure Mint mode
xref: https://issues.redhat.com/browse/CCO-173