Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

disable storage account shared key access for miwi and use sas policy for cluster storage account #3894

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

disable storage account shared key access for miwi and use sas policy for cluster storage account #3894

wants to merge 3 commits into from
+70 −5

Conversation

rajdeepc2792
Copy link
Collaborator

@rajdeepc2792 rajdeepc2792 commented Oct 9, 2024
edited
Loading

Which issue this PR addresses:

Fixes https://issues.redhat.com/browse/ARO-9712 in combination with installer-wrapper PR:- openshift/installer-aro-wrapper#186

What this PR does / why we need it:

For MIWI:

  • The storage accounts(Cluster and ImageRegistry) should have the shared access keys disabled

For MIWI + Cluster Storage Account:

  • Set SAS policy such that all the SAS tokens on the Storage Account expires in 1hr.

Test plan for issue:

[x] CI
[x] e2e
[x] Test the flow of cluster install such that the Shared Access Keys are disabled.
[x] Test the flow of cluster install such that the Cluster Service Principal Cluster are created correctly.

Is there any documentation that needs to be updated for this PR?

No

How do you know this will function as expected in production?

  • For non-MIWI cluster there's no functionality change
  • For MIWI cluster the flow has been tested by reversing the usesWorkloadIdentity function. The whole flow can be tested once the feature is tested.

@rajdeepc2792 rajdeepc2792 mentioned this pull request Oct 10, 2024
Open
@rajdeepc2792
Copy link
Collaborator Author

/azp run ci,e2e

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 2 pipeline(s).

@rajdeepc2792 rajdeepc2792 added ready-for-review chainsaw Pull requests or issues owned by Team Chainsaw hold Hold and removed work-in-progress labels Oct 10, 2024
@rajdeepc2792
Copy link
Collaborator Author

Putting a hold as #3878 and openshift/installer-aro-wrapper#175 should get merge first.

@github-actions GitHub Actions
Copy link

Please rebase pull request.

@github-actions github-actions bot added the needs-rebase branch needs a rebase label Oct 16, 2024
@rajdeepc2792 rajdeepc2792 force-pushed the rajdeepc2792/ARO-9712-disable-storage-account-shared-key-access-for-miwi branch from 2c81bda to 3eb641a Compare October 18, 2024 16:41
@github-actions github-actions bot removed the needs-rebase branch needs a rebase label Oct 18, 2024
@rajdeepc2792
Copy link
Collaborator Author

/azp run ci,e2e

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 2 pipeline(s).

@rajdeepc2792 rajdeepc2792 force-pushed the rajdeepc2792/ARO-9712-disable-storage-account-shared-key-access-for-miwi branch from 3eb641a to 6a7b56d Compare October 18, 2024 19:55
@cadenmarchese
Copy link
Collaborator

/azp run ci,e2e

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 2 pipeline(s).

@github-actions GitHub Actions
Copy link

Please rebase pull request.

@github-actions github-actions bot added the needs-rebase branch needs a rebase label Oct 22, 2024
@rajdeepc2792 rajdeepc2792 force-pushed the rajdeepc2792/ARO-9712-disable-storage-account-shared-key-access-for-miwi branch from e9e1b6b to 275afd9 Compare October 22, 2024 20:41
@github-actions github-actions bot removed the needs-rebase branch needs a rebase label Oct 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jewzaam jewzaam Awaiting requested review from jewzaam jewzaam is a code owner

@bennerv bennerv Awaiting requested review from bennerv bennerv is a code owner

@hawkowl hawkowl Awaiting requested review from hawkowl hawkowl is a code owner

@rogbas rogbas Awaiting requested review from rogbas rogbas is a code owner

@petrkotas petrkotas Awaiting requested review from petrkotas petrkotas is a code owner

@jharrington22 jharrington22 Awaiting requested review from jharrington22 jharrington22 is a code owner

@cblecker cblecker Awaiting requested review from cblecker cblecker is a code owner

@cadenmarchese cadenmarchese Awaiting requested review from cadenmarchese cadenmarchese is a code owner

@UlrichSchlueter UlrichSchlueter Awaiting requested review from UlrichSchlueter UlrichSchlueter is a code owner

@SudoBrendan SudoBrendan Awaiting requested review from SudoBrendan SudoBrendan is a code owner

@yjst2012 yjst2012 Awaiting requested review from yjst2012 yjst2012 is a code owner

@jaitaiwan jaitaiwan Awaiting requested review from jaitaiwan jaitaiwan is a code owner

@anshulvermapatel anshulvermapatel Awaiting requested review from anshulvermapatel anshulvermapatel is a code owner

@hlipsig hlipsig Awaiting requested review from hlipsig hlipsig is a code owner

@tiguelu tiguelu Awaiting requested review from tiguelu tiguelu is a code owner

@SrinivasAtmakuri SrinivasAtmakuri Awaiting requested review from SrinivasAtmakuri SrinivasAtmakuri is a code owner

@mociarain mociarain Awaiting requested review from mociarain mociarain is a code owner

@kimorris27 kimorris27 Awaiting requested review from kimorris27 kimorris27 is a code owner

@tsatam tsatam Awaiting requested review from tsatam tsatam is a code owner

@bitoku bitoku Awaiting requested review from bitoku bitoku is a code owner

@fahlmant fahlmant Awaiting requested review from fahlmant fahlmant is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
chainsaw Pull requests or issues owned by Team Chainsaw hold Hold
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rajdeepc2792 @cadenmarchese