OSDOCS#5126: Using an Azure managed identity as an alternative to a s…#62875
OSDOCS#5126: Using an Azure managed identity as an alternative to a s…#62875mjpytlak merged 1 commit intoopenshift:mainfrom
Conversation
|
🤖 Updated build preview is available at: Build log: https://circleci.com/gh/ocpdocs-previewbot/openshift-docs/22675 |
openshift-ci
Bot
added
the
size/L
There was a problem hiding this comment.
@r4f4 We have two installation use cases where the guidance is to create the install-config.yaml file manually [1] . A private cluster and a cluster being installed into a government region. in these cases, I am wondering if we always had a doc gap from the perspective of how an admin would define a service principal, and with the introduction of managed identities, the client ID of a user-assigned managed identity. In these cases, would be explicitly have to tell users to make sure that an osServicePrincipal.json file was present on the machine where the installation program is being run? Or in these cases, when a user runs ./openshift-install create cluster -- dir <location of manually configured install config file> will the installer prompt for the missing service principal information?
Or by the very nature of these use cases, is a service principal not required?
| } | ||
| ---- | ||
|
|
||
| . Record the `tenantId` and `id` parameter values from the output. You need these values during the {product-title} installation. |
There was a problem hiding this comment.
As part of our demo this week @r4f4 , let's use part of the time to revisit this procedure. I am presently reusing existing content from the published docs [1], but even without access to an account and the Azure CLI, something does not feel correct about it. For example, steps 2a and 2b in the published output seem identical.
If possible, it would be good to tighten this writing up while we are here.
There was a problem hiding this comment.
I guess they are the same in this case because there is only one account/subscription involved. Here is an example output where 2a would return more than one result:
$ az account list
[
{
"cloudName": "WWT",
"id": "<Redacted Id1>",
"isDefault": true,
"name": "Redhat-2",
"state": "Enabled",
"tenantId": "<Redacted T1>",
"user": {
"name": "XXX@wwtatc.com",
"type": "user"
}
},
{
"cloudName": "WWT",
"id": "<Redacted Id2>",
"isDefault": false,
"name": "Redhat",
"state": "Enabled",
"tenantId": "<Redacted T1>",
"user": {
"name": "XXX@wwtatc.com",
"type": "user"
}
}
]
But 2b shows:
$ az account show
{
"environmentName": "WWT",
"id": "<Redacted Id1>",
"isDefault": true,
"name": "Redhat-2",
"state": "Enabled",
"tenantId": "<Redacted T1>",
"user": {
"name": "XXX@wwtatc.com",
"type": "user"
}
}
| ... Depending on the Azure identity you are using to deploy the cluster, do one of the following when prompted for the *azure service principal client secret*: | ||
| **** If you are using a service principal, enter its password. | ||
| **** If you are using a system-assigned managed identity, leave this value blank. | ||
| **** If you are using a user-assigned managed identity,leave this value blank. |
There was a problem hiding this comment.
Upon a closer look, I am not as concerned about the user experience as I was when I first reached out to you @r4f4 , but let's take a look at this to make sure I have it correct.
Those cases are not a problem since the Installer will always ask for authentication info if it cannot find |
mjpytlak
force-pushed
the
osdocs-5126
branch
2 times, most recently
from
1d71899 to
6a5ff5a
Compare
| .. Select the AWS region to deploy the cluster to. | ||
| .. Select the base domain for the Route 53 service that you configured for your cluster. | ||
| endif::aws[] | ||
| ifdef::azure,ash[] |
There was a problem hiding this comment.
Worth noting that I removed the ash attribute from this content as I incorrectly introduced it when documenting the ASH installation procedures [1]. ASH does not have an install use case where the installation program is being run without an install-config.yaml file. This specific set of content is used for use cases (typically default installation) where an admin runs the installation program without an install-config.yaml file.
[1] e12ad15#diff-86f98220fbab62878a702dcf4ce45ed0c5cd235192d0a79bd889cff480811d2eR244
| * If you are installing the cluster using a user-assigned managed identity, you have met these prerequisites: | ||
| ** You have its client ID. | ||
| ** You have assigned it to the virtual machine that you will run the installation program from. | ||
| endif::azure[] |
There was a problem hiding this comment.
Worth noting that #37275 previously added the service principal req specifically for Azure, but did not add the azure attribute. As a result, the req appeared in all install use cases using this module. I removed the nutanix attribute, as I incorrectly added it (instead of azure) when I wrote the Nutanix doc [1] Correcting this oversight now.
mjpytlak
force-pushed
the
osdocs-5126
branch
4 times, most recently
from
e7c14f1 to
da0abd5
Compare
|
@r4f4 Appreciate the help earlier this week. Docs are ready for SME review. |
r4f4
left a comment
r4f4
left a comment
There was a problem hiding this comment.
/lgtm
Thoroughly documented. I've just left a couple of nitpick comments.
| { | ||
| "cloudName": "AzureCloud", | ||
| "id": "9xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", | ||
| "isDefault": true, |
There was a problem hiding this comment.
Nit: I think only one can be the default.
| ... Depending on the Azure identity you are using to deploy the cluster, do one of the following when prompted for the *azure service principal client secret*: | ||
| **** If you are using a service principal, enter its password. | ||
| **** If you are using a system-assigned managed identity, leave this value blank. | ||
| **** If you are using a user-assigned managed identity,leave this value blank. |
There was a problem hiding this comment.
| **** If you are using a user-assigned managed identity,leave this value blank. | |
| **** If you are using a user-assigned managed identity, leave this value blank. |
|
@jinyunma Docs are ready for QE review. PTAL. Please keep in mind:
|
I don't think that installer with managed identity can be added in doc And this setting seems also not mentioned in other docs? |
You are absolutely right @jinyunma. Looks like I got carried away. Great catch. I am off today, but will update the docs on Monday. I will reach out when the update is ready to review.
Setting |
|
New changes are detected. LGTM label has been removed. |
|
@jinyunma I updated Installing a cluster quickly on Azure > Deploying the cluster to reflect that only a service principal can be used when deploying a cluster with the default configuration setting. PTAL. |
mjpytlak
added
the
peer-review-needed
bscott-rh
added
peer-review-in-progress
bscott-rh
left a comment
bscott-rh
left a comment
There was a problem hiding this comment.
Looks great. Left a few small comments for your consideration.
| The installation program requires an Azure identity to complete the installation. You can use a service principal. | ||
|
|
||
| Alternatively, you can use a managed identity. |
There was a problem hiding this comment.
| The installation program requires an Azure identity to complete the installation. You can use a service principal. | |
| Alternatively, you can use a managed identity. | |
| The installation program requires an Azure identity to complete the installation. You can use a service principal or a managed identity. |
minimalism suggestion
There was a problem hiding this comment.
@bscott-rh I struggled with this abstract a bit. Given these steps are for creating the service principal, I was going to go with your suggestion originally, but thought it odd to "directly" mention a managed identity. Maybe something along the lines of the following?
If you are unable to use a service principal, you can use a managed identity.
The goal here is to simply alert users to the other option if they land in this part of the docs, without reading Supported identities to access Azure resources.
There was a problem hiding this comment.
I think that's a great middle ground if we're "preferring" the service principal route.
| The installation program requires an Azure identity to complete the installation. You can use either a system-assigned or user-assigned managed identity. | ||
|
|
||
| Alternatively, you can use a service principal. |
There was a problem hiding this comment.
| The installation program requires an Azure identity to complete the installation. You can use either a system-assigned or user-assigned managed identity. | |
| Alternatively, you can use a service principal. | |
| The installation program requires an Azure identity to complete the installation. You can use a system-assigned managed identity, a user-assigned managed identity, or a service principal. |
minimalism suggestion
| = Required Azure permissions for installer-provisioned infrastructure | ||
|
|
||
| When you assign `Contributor` and `User Access Administrator` roles to the service principal, you automatically grant all the required permissions. | ||
| The installation program requires access to an Azure service principal or managed identity with the necessary permissions to deploy the the cluster and to maintain the daily operation of it. These permissions must be granted on the Azure subscription that is associated with the identity. |
There was a problem hiding this comment.
| The installation program requires access to an Azure service principal or managed identity with the necessary permissions to deploy the the cluster and to maintain the daily operation of it. These permissions must be granted on the Azure subscription that is associated with the identity. | |
| The installation program requires access to an Azure service principal or managed identity with the necessary permissions to deploy the the cluster and to maintain its daily operation. These permissions must be granted to the Azure subscription that is associated with the identity. |
Rewording suggestion
There was a problem hiding this comment.
Thanks and while I was here, I removed the repeated instance of the that shockingly your eagle-eye missed. 😄
| = Required Azure permissions for user-provisioned infrastructure | ||
|
|
||
| When you assign `Contributor` and `User Access Administrator` roles to the service principal, you automatically grant all the required permissions. | ||
| The installation program requires access to an Azure service principal or managed identity with the necessary permissions to deploy the the cluster and to maintain the daily operation of it. These permissions must be granted on the Azure subscription that is associated with the identity. |
There was a problem hiding this comment.
| The installation program requires access to an Azure service principal or managed identity with the necessary permissions to deploy the the cluster and to maintain the daily operation of it. These permissions must be granted on the Azure subscription that is associated with the identity. | |
| The installation program requires access to an Azure service principal or managed identity with the necessary permissions to deploy the the cluster and to maintain its daily operation. These permissions must be granted to the Azure subscription that is associated with the identity. |
Rewording suggestion
There was a problem hiding this comment.
Thanks. Took care of this one.
From OSDOCS-5128, seems it mostly talks about how to use ccoctl to generate workload managed identity for operators.
|
@jinyunma I should have provided additional details, and I referenced the wrong Jira issue (osdocs-5128) . @jeana-redhat and I have been working closely together on the docs strategy for this feature because it involves updates to both the installer-specific docs (me) and using the CCO utility to create the required manifests (Jeana). We determined that the logical point to break the installer-specific content was what is included in this PR. As detailed in https://issues.redhat.com/browse/OSDOCS-6135, the plan is to include all of the additional CCO steps, including that of setting With the latter in mind, Jeana is going to tag you as part of QE review for their work. |
|
@jinyunma With the latter in mind, did you have any additional feedback or are the draft docs good to go? I would like to get this merged, so Jeana can pick up my work. |
|
@mjpytlak thanks for your detailed explanation. |
mjpytlak
force-pushed
the
osdocs-5126
branch
2 times, most recently
from
539cef4 to
f09f2de
Compare
bscott-rh
added
peer-review-done
|
/cherrypick enterprise-4.14 |
|
@mjpytlak: new pull request created: #63910 DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
6 participants
Version(s):
4.14+
Issue:
This issues addresses osdocs-5126.
Link to docs preview:
IPI
UPI
QE review:
Additional information:
This is is 1 of 2 doc PRs covering how to deploy an Azure cluster using a managed identity. This PR addresses the concepts and procedures associated with meeting the minimum required Azure permissions to install the cluster, the ability to use either a service principal or managed identity to complete the installation, and how to interact with the installation program survey when using a system-assigned managed identity or a user-assigned managed identity.
The concepts and procedures associated with using the CCO to install a cluster using a managed identity will be addressed by the second PR. @jeana-redhat is covering the latter work.
[1] This section of the documentation represents a default installation. In this use case, an admin can use the installation program to deploy a cluster using the default values -- without explicitly creating an
install-config.yamlfile. It is at this point of the installation that an admin must account for a service principal or managed identity.[2] This section of the documentation appears in 3 other installation use cases (assemblies). In this use case, an admin can use the installation program to create the
install-config.yamlfile. It is at this point in the installation that an admin must account for a service principal or managed identity.[3] This section of the documentation appears in 1 other installation use case (assembly). In this use case, an admin must manually create the
install-config.yamlfile and reference it when running the installation program. Because the installation configuration file was manually created, it is at this point during the installation process that an admin must account for a service principal or managed identity.