[release-4.19] OCPBUGS-56567: default Azure to create VM user-assigned identities #9731
openshift#9538 switched the installer to not create user-assigned identities for VMs, and exposed an API for users to bring-their-own identities and attach them to nodes. OCPBUGS-56008 shows that the kubelet still depends on the node identity to pull images from Azure Container Registry (ACR). To resolve this issue, this commit sets the default back to using an installer-generated identity attached to the node. The API is still exposed in the install config, so users who do not utilize ACR can set the identity type to None and install with less privileged credentials. When upstream work lands to allow these credentials to be managed via credentialsrequests, we can go set the default identity to None and remove the logic for creating identities. The upstream work is tracked here and looks like it should be available in the next release: kubernetes/enhancements#4412
This restores code removed in c26d2bb for creating a user-assigned identity to attach to nodes. The code has been moved to its own file and is wrapped in a conditional so that the identity is only created when needed.
This commit conditionally sets fields in the cloud provider config to indicate that the VM identity should be used to authenticate the ACR credential provider. If the installer is creating the identity then we set the cloud config to use that attached identity. This has been the behavior for openshift in all previous releases.
This revendors the azure packages that are needed to create a user-assigned identity.
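The description above spells out a conditional: when the installer creates and attaches a user-assigned identity, the cloud provider config must tell the ACR credential provider to use that identity; when the identity type is None, it must not. The following is an added illustration written for this page, not code from the installer or from this PR, of how that decision maps onto the two azure.json fields the upstream cloud-provider-azure config uses for managed identity (`useManagedIdentityExtension` and `userAssignedIdentityID`). The identity type values `UserAssigned` and `None`, the `CloudConfig` subset, and the sample azure.json are assumptions constructed for the example; the real installer's field names and code structure may differ.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// IdentityType models the install-config choice described in the PR:
// either the installer creates a user-assigned identity and attaches it to
// nodes, or it attaches none. The two string values are an assumption for
// this example, not the installer's actual install-config schema.
type IdentityType string

const (
	IdentityUserAssigned IdentityType = "UserAssigned"
	IdentityNone         IdentityType = "None"
)

// CloudConfig is the subset of the Azure cloud-provider config (azure.json)
// that matters for node-identity authentication. The JSON keys follow the
// upstream cloud-provider-azure config; the struct itself is example-only.
type CloudConfig struct {
	Cloud                       string `json:"cloud"`
	TenantID                    string `json:"tenantId"`
	SubscriptionID              string `json:"subscriptionId"`
	UseManagedIdentityExtension bool   `json:"useManagedIdentityExtension"`
	UserAssignedIdentityID      string `json:"userAssignedIdentityID,omitempty"`
}

// BuildCloudConfig applies the PR's conditional: with a user-assigned
// identity the cloud config points at that identity's client ID; with None
// the managed-identity fields are cleared so nothing on the node expects an
// identity that was never attached.
func BuildCloudConfig(base CloudConfig, idType IdentityType, clientID string) (CloudConfig, error) {
	switch idType {
	case IdentityUserAssigned:
		if clientID == "" {
			// Attaching an identity but not telling the cloud provider which
			// one reproduces the symptom in OCPBUGS-56008: ACR pulls fail.
			return CloudConfig{}, errors.New("UserAssigned identity requires the identity's client ID")
		}
		base.UseManagedIdentityExtension = true
		base.UserAssignedIdentityID = clientID
	case IdentityNone:
		base.UseManagedIdentityExtension = false
		base.UserAssignedIdentityID = ""
	default:
		return CloudConfig{}, fmt.Errorf("unknown identity type %q", idType)
	}
	return base, nil
}

// ManagedIdentityConfigured reports whether a node using this config will
// try to obtain ACR credentials through its attached managed identity.
// A user-assigned identity additionally needs the client ID; a
// system-assigned identity (not used by the installer) would not.
func ManagedIdentityConfigured(cfg CloudConfig) bool {
	return cfg.UseManagedIdentityExtension
}

// CheckAzureJSON is the practitioner's check: parse an azure.json taken
// from a node and report whether it is set up for managed-identity ACR auth.
func CheckAzureJSON(data []byte) (bool, error) {
	var cfg CloudConfig
	if err := json.Unmarshal(data, &cfg); err != nil {
		return false, fmt.Errorf("parse azure.json: %w", err)
	}
	return ManagedIdentityConfigured(cfg), nil
}

// SampleAzureJSON is a constructed azure.json fragment, not captured from a
// real cluster; the GUIDs are placeholders.
const SampleAzureJSON = `{
  "cloud": "AzurePublicCloud",
  "tenantId": "00000000-0000-0000-0000-000000000001",
  "subscriptionId": "00000000-0000-0000-0000-000000000002",
  "useManagedIdentityExtension": true,
  "userAssignedIdentityID": "11111111-2222-3333-4444-555555555555"
}`

func main() {
	base := CloudConfig{Cloud: "AzurePublicCloud", TenantID: "t", SubscriptionID: "s"}
	for _, idType := range []IdentityType{IdentityUserAssigned, IdentityNone} {
		cfg, err := BuildCloudConfig(base, idType, "11111111-2222-3333-4444-555555555555")
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		out, _ := json.MarshalIndent(cfg, "", "  ")
		fmt.Printf("identity=%s managedIdentityForACR=%v\n%s\n", idType, ManagedIdentityConfigured(cfg), out)
	}
}
```

The useful property is the failure mode the PR is fixing: a node with `useManagedIdentityExtension` false (or with no identity attached at all) cannot fetch an ACR token through the credential provider, so choosing `None` in the install config only makes sense for clusters that do not pull from ACR, exactly the caveat the description gives.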
@openshift-cherrypick-robot: Jira Issue OCPBUGS-56008 has been cloned as Jira Issue OCPBUGS-56567. Will retitle bug to link to clone. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
@openshift-cherrypick-robot: This pull request references Jira Issue OCPBUGS-56567, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
/hold This has issues with azurestack
/close in favor of #9735
@patrickdillon: Closed this PR. In response to this:
@openshift-cherrypick-robot: This pull request references Jira Issue OCPBUGS-56567. The bug has been updated to no longer refer to the pull request using the external bug tracker. In response to this:
@openshift-cherrypick-robot: The following tests failed, say
This is an automated cherry-pick of #9718
/assign patrickdillon