[DNM] [ARO-22664] use RP managed identity instead of local fp service principal for az clients in cluster creation #4510
Which issue this PR addresses:
Fixes ARO-22664
What this PR does / why we need it:
This PR modifies the cluster Keyvault and Certificate clients to use the RP's managed identity instead of the first party credentials. This is needed as part of the epic to bring our INT environment back.
The INT RP needs to use "fake" FP credentials, meaning we'll create an Azure application to fill the same role. Due to security restrictions, however, those "fake" credentials can't be used across multiple subscriptions. And because the new INT setup will have the RP live in a different subscription than the clusters it creates, we can't use the same "fake" FP credential in both the cluster subscription and the RP subscription.
But we don't need to anyway, as we can just remove any usage of the FP credential in the RP subscription and use the RP's managed identity for that.
There's an accompanying RP in sdp-pipelines to give RP MSI the missing permissions: https://msazure.visualstudio.com/AzureRedHatOpenShift/_git/sdp-pipelines/pullrequest/14222081
Test plan for issue: