Closed vsawant1608 closed 4 months ago
I believe for ARO the documentation is here.
Specifically:
export SERVICE_ACCOUNT_ISSUER=$(oc get authentication cluster -o jsonpath --template='{ .spec.serviceAccountIssuer }')
@matthchr
export SERVICE_ACCOUNT_ISSUER=$(oc get authentication cluster -o jsonpath --template='{ .spec.serviceAccountIssuer }')
This didn't return any output. Is there any additional information needed for the command to work, or perhaps a different approach to retrieve the OIDC URL of an ARO cluster?
I checked with an ARO expert internally and it sounds like there isn't yet ARO support for OIDC-issuer + WorkloadIdentity via ARO, so you may need to wait a bit until that feature is implemented (they are working on it).
In the meantime it sounds like you might need to use SP-based authentication on ARO clusters until such time as they support Workload Identity.
Thanks for the confirmation @matthchr. We will proceed with the SP approach on ARO.
Looks like they are tracking this here: https://github.com/Azure/OpenShift/projects/1, specifically this issue: https://github.com/Azure/OpenShift/issues/249
As per the steps below, we need SERVICE_ACCOUNT_ISSUER:
https://azure.github.io/azure-service-operator/guide/authentication/credential-format/#azure-workload-identity
The document only mentions steps for an AKS cluster. Any help with an Azure Red Hat OpenShift cluster would be appreciated.