6 changes: 4 additions & 2 deletions README.md
Expand Up @@ -141,7 +141,7 @@ Pros:
Cons:
* Requires admin credential storage in a cluster kube-system secret. (however if a user has access to all secrets in your cluster, you are severely compromised regardless)

Supported clouds: AWS, GCP, Azure
Supported clouds: AWS, GCP

### 1.1 Mint Mode With Removal/Rotation Of Admin Credential
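Review bot: the "Supported clouds" line silently drops Azure without saying why; readers of this section will not see the table footnote further down. Suggest linking the explanation here as well, e.g. "Supported clouds: AWS, GCP (Azure Mint mode support has been [removed](./docs/azure-mint-mode-removal.md))", so the Cons bullet about admin credential storage and the removal rationale sit together.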

Expand Down Expand Up @@ -210,14 +210,16 @@ Future supported clouds: AWS
Cloud | Mint | Mint + Remove Admin Cred | Passthrough | Manual | Token
--- | --- | --- | --- | --- | ---
AWS | Y | 4.4+ | Y | 4.3+ | 4.6+ (expected)
Azure | Y | N | Y | Y | N
Azure | N<sup>1</sup> | N | Y | Y | N
GCP | Y | 4.7+ | Y | Y | N
IBMCloud | N | N | N | Y | N
KubeVirt | N | N | Y | N | N
OpenStack | N | N | Y | N | N
oVirt | N | N | Y | N | N
VMWare | N | N | Y | N | N

1 - Mint mode was previously supported, but with the sunsetting of the Azure Active Directory Graph API, Mint mode support on Azure has since been [removed](./docs/azure-mint-mode-removal.md).

# Short lived Credentials with AWS Security Token Service

OpenShift can be configured to use short lived credentials for different components with AWS Security Token Service. It also eliminates the need to have root credentials inside the cluster. This feature is still in development. For more information please refer [here](./docs/sts.md).
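Review bot: the footnote explains that Azure Mint mode was removed but not what happens to clusters already running in it, which is the operationally relevant part for an admin reading the README. Suggest adding one sentence that existing Mint-mode clusters are pivoted to Passthrough mode on upgrade and that the credential in kube-system/azure-credentials must therefore carry permissions sufficient for every in-cluster component, as the linked doc describes.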
28 changes: 28 additions & 0 deletions docs/azure-mint-mode-removal.md
@@ -0,0 +1,28 @@
# Azure Mint Mode removal

## Summary

Azure is [removing support](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/update-your-applications-to-use-microsoft-authentication-library/ba-p/1257363) for the Azure Active Directory Graph API that is used to create App Registrations, Service Principals, role assignments, and credentials for supporting Mint mode in Azure. CCO will pivot existing clusters to switch away from Mint mode to Passthrough mode.

## New installations

For new cluster installations, Passthrough and Manual modes will be the only supported modes of operation.

## Upgrades

For a cluster previously installed/running in Mint mode, CCO will update existing Secrets containing the credentials of previously minted App Registrations/Service Principals with the contents of the Secret kube-system/azure-credentials (normally containing the credentials used during installation). It is required that the permissions associated with the credentials in this Secret be sufficient to be used by all in-cluster components needing to interact with Azure APIs.

CCO will also try to clean up previously minted App Registrations/Service Principals while the Azure AD Graph API is still functional. If the cluster is upgraded to a version of OpenShift that no longer supports Mint mode after the Azure AD Graph API is sunset, CCO will set a condition (type "OrphanedCloudResource" with a message like "unable to clean up App Registration / Service Principal: APP-REGISTRATION-NAME-HERE") on the associated CredentialsRequest and will not treat the error as fatal. Cleanup after the Azure AD Graph API is sunset will require manual intervention using the Azure CLI tool or the Azure web console to remove the App Registrations/Service Principals that were unable to be cleaned up. Note that even after cleaning up the resource(s) manually, the condition will persist as CCO would no longer be able to verify that the cleanup has been performed.

Example of finding and removing an orphaned App Registration:
```bash
$ az ad app list --filter "displayname eq 'APP-REGISTRATION-NAME-HERE'" --query '[].objectId'
[
"038c2538-7c40-49f5-abe5-f59c59c29244"
]
$ az ad app delete --id 038c2538-7c40-49f5-abe5-f59c59c29244
```

## Future

Rather than re-implement support for Mint mode using the new [Microsoft Graph API](https://docs.microsoft.com/en-us/graph/sdks/create-requests?tabs=Go), the intention is to support Azure federated OpenID identities along with pod/workload identity as the preferred in-cluster credentials/authentication mode if/when Azure releases support for this feature.
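Review bot: the cleanup example only handles the App Registration, while the Upgrades section says both App Registrations and Service Principals may be orphaned; either add the matching `az ad sp list` / `az ad sp delete` step or state that deleting the App Registration also removes its Service Principal. Two further points worth a sentence each: the "OrphanedCloudResource" condition is documented as persisting after manual cleanup, so say whether it is purely informational or whether an admin can clear it; and because the installer credential from kube-system/azure-credentials is copied into every component Secret, a compromise of any single component namespace now exposes that credential, so recommend scoping it to the union of permissions the components actually need rather than leaving an over-privileged installer credential in place.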
15 changes: 6 additions & 9 deletions go.mod
Expand Up @@ -4,19 +4,16 @@ go 1.16

require (
cloud.google.com/go v0.65.0
github.com/Azure/azure-sdk-for-go v31.1.0+incompatible
github.com/Azure/go-autorest/autorest v0.10.0
github.com/Azure/go-autorest/autorest/adal v0.8.3
github.com/Azure/go-autorest/autorest/azure/auth v0.4.2
github.com/Azure/go-autorest/autorest/date v0.2.0
github.com/Azure/go-autorest/autorest/to v0.3.0
github.com/Azure/azure-sdk-for-go v59.4.0+incompatible
github.com/Azure/go-autorest/autorest v0.11.22
github.com/Azure/go-autorest/autorest/adal v0.9.17 // indirect
github.com/Azure/go-autorest/autorest/azure/auth v0.5.9
github.com/Azure/go-autorest/autorest/to v0.4.0
github.com/Azure/go-autorest/autorest/validation v0.2.0 // indirect
github.com/aws/aws-sdk-go v1.37.14
github.com/dgrijalva/jwt-go v3.2.0+incompatible
github.com/go-bindata/go-bindata v3.1.2+incompatible
github.com/go-logr/logr v0.2.1-0.20200730175230-ee2de8da5be6 // indirect
github.com/go-logr/zapr v0.2.0 // indirect
github.com/gofrs/uuid v4.0.0+incompatible
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
github.com/golang/mock v1.4.4
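Review bot: github.com/dgrijalva/jwt-go v3.2.0+incompatible is left untouched while the surrounding Azure auth stack is bumped; that repository is archived and no longer receives fixes, with github.com/golang-jwt/jwt as the maintained fork. Since the azure-sdk-for-go jump (v31 to v59) and the adal bump already change which JWT library the Azure path pulls in, worth running `go mod why github.com/dgrijalva/jwt-go` to confirm it is still a direct dependency and, if so, migrating it in this or a follow-up PR. Also note the removal of github.com/Azure/go-autorest/autorest/date in the PR description, as that is a visible API change for anyone vendoring this module.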
Expand All @@ -25,7 +22,7 @@ require (
github.com/imdario/mergo v0.3.10 // indirect
github.com/onsi/ginkgo v1.14.0 // indirect
github.com/openshift/api v0.0.0-20201103184615-27004eede929
github.com/openshift/build-machinery-go v0.0.0-20210702090207-9c7b89e8633a
github.com/openshift/build-machinery-go v0.0.0-20211213093930-7e33a7eb4ce3
github.com/openshift/library-go v0.0.0-20200911100307-610c6e9e90b8
github.com/pkg/errors v0.9.1
github.com/prometheus/client_golang v1.7.1
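Review bot: the github.com/openshift/build-machinery-go bump is unrelated to the Azure Mint mode removal; either mention it in the PR description or split it into its own commit so the change history stays attributable.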