search

openshift / cloud-credential-operator

Manage cloud provider credentials as Kubernetes CRDs
Apache License 2.0
62 stars 143 forks source link

OCPBUGS-32948: Update documentation to restart pods when enabling workload identity #701

Closed dlom closed 4 months ago

dlom commented 4 months ago

xref: OCPBUGS-32948 /assign @jstuever

openshift-ci-robot commented 4 months ago

@dlom: This pull request references Jira Issue OCPBUGS-32948, which is invalid:

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to [this](https://github.com/openshift/cloud-credential-operator/pull/701): >xref: OCPBUGS-32948 >/assign @jstuever Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Fcloud-credential-operator). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
dlom commented 4 months ago

/jira refresh

openshift-ci-robot commented 4 months ago

@dlom: This pull request references Jira Issue OCPBUGS-32948, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug * bug is open, matching expected state (open) * bug target version (4.16.0) matches configured target version for branch (4.16.0) * bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact: /cc @huangmingxia

In response to [this](https://github.com/openshift/cloud-credential-operator/pull/701#issuecomment-2108217261): >/jira refresh Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Fcloud-credential-operator). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
openshift-ci[bot] commented 4 months ago

@dlom: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository. I understand the commands that are listed [here](https://go.k8s.io/bot-commands).
huangmingxia commented 4 months ago

LGTM.

Verified pass, that pod identity webhook is created and in running status.

[hmx@fedora Azure-arm]$ oc get po -n openshift-cloud-credential-operator
NAME                                         READY   STATUS    RESTARTS   AGE
cloud-credential-operator-7d5785958f-gbs75   2/2     Running   0          175m
pod-identity-webhook-7c774cb54b-gbq2l        1/1     Running   0          175m
pod-identity-webhook-7c774cb54b-m2x2f        1/1     Running   0          175m

After migration to Azure AD Workload Identity, verify that the OpenShift cluster does not have root credentials.

$ oc get secrets -n kube-system azure-credentials
Error from server (NotFound): secrets "azure-credentials" not found

Verify that components are assuming the azure_client_id specified in the secret manifests, instead of credentials passed through by the Cloud Credential Operator. 

[hmx@fedora Azure-arm]$ oc get secrets -n openshift-image-registry installer-cloud-credentials -o jsonpath='{.data}' | jq
{
  "azure_client_id": "YTcwMTE5YzQtMDNiMS00Mj",
  "azure_federated_token_file": "L3Zhci9ydW4vc2VjcmV0",
  "azure_region": "ZdHVz",
  "azure_subscription_id": "NTNiOGY1NTEtZjBmY",
  "azure_tenant_id": "NjA0N2M3ZTkMzZjZiZTZhN2Vl"
}

[hmx@fedora Azure-arm]$ oc get secrets -n openshift-image-registry installer-cloud-credentials -o jsonpath='{.data.azure_client_secret}'
jstuever commented 4 months ago

/label acknowledge-critical-fixes-only

openshift-ci[bot] commented 4 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dlom, jstuever

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[OWNERS](https://github.com/openshift/cloud-credential-operator/blob/master/OWNERS)~~ [dlom,jstuever] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment
openshift-ci-robot commented 4 months ago

@dlom: Jira Issue OCPBUGS-32948: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-32948 has been moved to the MODIFIED state.

In response to [this](https://github.com/openshift/cloud-credential-operator/pull/701): >xref: OCPBUGS-32948 >/assign @jstuever Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Fcloud-credential-operator). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
openshift-bot commented 4 months ago

[ART PR BUILD NOTIFIER]

This PR has been included in build ose-cloud-credential-operator-container-v4.17.0-202405151441.p0.g48b287d.assembly.stream.el9 for distgit ose-cloud-credential-operator. All builds following this will include this PR.