SDN-4773: Add support for Azure Managed Service Identity authentication #149

Closed
kyrtapz wants to merge 1 commit into openshift:master from kyrtapz:azure_msi

kyrtapz commented Jun 11, 2024

Add support for Azure Managed Service Identity authentication.
The PR also reorganizes the requirements around the Azure credentials fields.

TODO:
The federated token file is no longer defaulted to the hardcoded path, allowing the fallback to MSI.
Need to figure out whether that default value was ever used; if so, we need to add a different mechanism to distinguish between workload identity and managed identity.
One option would be to set the AZURE_FEDERATED_TOKEN_FILE env in the CNO for self-hosted clusters only. It would mean that self-hosted clusters default to workload identity and hypershift clusters default to managed identity.
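
The fallback discussed in the TODO above, as an added Go example (not code from this PR or its repository): it shows how a defaulted token-file path keeps the managed identity branch from ever being reached, and how an explicit `AZURE_FEDERATED_TOKEN_FILE` separates the two modes. `SelectAuth`, `Creds`, `AuthMode` and the placeholder path are hypothetical, and the tenant/client ID requirement for workload identity is an assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// All names below are hypothetical; none come from the PR or its repository.
type AuthMode string

const (
	WorkloadIdentity AuthMode = "workload-identity"
	ManagedIdentity  AuthMode = "managed-identity"
)

// Creds is an assumed shape for the Azure credential fields.
type Creds struct{ TenantID, ClientID, FederatedTokenFile string }

// Placeholder for the hard-coded default path, which the PR text does not give.
const placeholderDefault = "/PLACEHOLDER/federated-token"

// SelectAuth resolves the auth mode. A non-empty defaultTokenFile models the
// old defaulting: the token path is never empty, so MSI is never reached.
func SelectAuth(c Creds, getenv func(string) string, defaultTokenFile string) (AuthMode, error) {
	tokenFile := c.FederatedTokenFile
	if tokenFile == "" {
		tokenFile = getenv("AZURE_FEDERATED_TOKEN_FILE")
	}
	if tokenFile == "" {
		tokenFile = defaultTokenFile
	}
	if tokenFile == "" {
		return ManagedIdentity, nil // nothing points at a token file: fall back to MSI
	}
	if c.TenantID == "" || c.ClientID == "" {
		return "", errors.New("workload identity needs tenant ID and client ID")
	}
	return WorkloadIdentity, nil
}

func main() {
	noEnv := func(string) string { return "" }
	hosted := Creds{} // constructed input: a hosted cluster with no token settings
	old, errOld := SelectAuth(hosted, noEnv, placeholderDefault)
	cur, errCur := SelectAuth(hosted, noEnv, "")
	fmt.Printf("with default: %q (%v)\nwithout default: %q (%v)\n", old, errOld, cur, errCur)
}
```

Logging the resolved mode at startup makes it visible when a cluster authenticates with a different identity type than intended.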

openshift-ci Bot added the do-not-merge/work-in-progress label (Indicates that a PR should not merge because it is a work in progress.) Jun 11, 2024

openshift-ci Bot commented Jun 11, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all


openshift-ci Bot commented Jun 11, 2024

@kyrtapz: GitHub didn't allow me to request PR reviews from the following users: kyrtapz.

Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

/cc

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.


openshift-ci Bot commented Jun 11, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kyrtapz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci Bot added the approved label (Indicates a PR has been approved by an approver from all required OWNERS files.) Jun 11, 2024
Signed-off-by: Patryk Diak <pdiak@redhat.com>
kyrtapz marked this pull request as ready for review June 13, 2024 10:36
openshift-ci Bot removed the do-not-merge/work-in-progress label (Indicates that a PR should not merge because it is a work in progress.) Jun 13, 2024

openshift-ci Bot commented Jun 13, 2024

@kyrtapz: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name | Commit | Details | Required | Rerun command
ci/prow/security | ba986f0 | link | false | /test security

Full PR test history. Your PR dashboard.

kyrtapz changed the title from "Add support for Azure Managed Service Identity authentication" to "SDN-4773: Add support for Azure Managed Service Identity authentication" Jun 13, 2024

openshift-ci-robot commented Jun 13, 2024

@kyrtapz: This pull request references SDN-4773 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.17.0" version, but no target version was set.

In response to this:

Add support for Azure Managed Service Identity authentication.
The PR also reorganizes the requirements around the Azure credentials fields.

TODO:
The federated token file is no longer defaulted to the hardcoded path, allowing the fallback to MSI.
Need to figure out whether that default value was ever used; if so, we need to add a different mechanism to distinguish between workload identity and managed identity.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot added the jira/valid-reference label (Indicates that this PR references a valid Jira ticket of any type.) Jun 13, 2024

openshift-ci-robot commented Jun 13, 2024

@kyrtapz: This pull request references SDN-4773 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.17.0" version, but no target version was set.

In response to this:

Add support for Azure Managed Service Identity authentication.
The PR also reorganizes the requirements around the Azure credentials fields.

TODO:
The federated token file is no longer defaulted to the hardcoded path, allowing the fallback to MSI.
Need to figure out whether that default value was ever used; if so, we need to add a different mechanism to distinguish between workload identity and managed identity.
One option would be to set the AZURE_FEDERATED_TOKEN_FILE env in the CNO for self-hosted clusters only. It would mean that self-hosted clusters default to workload identity and hypershift clusters default to managed identity.

kyrtapz commented Aug 8, 2024

/close
done in #151

openshift-ci Bot closed this Aug 8, 2024

openshift-ci Bot commented Aug 8, 2024

@kyrtapz: Closed this PR.

In response to this:

/close
done in #151
