Azure Workload Identity: serviceAccount labels/annotations

[thpham]

I'm trying to setup Azure Workload identity, I made it works, but I want to share a behavior that should be improved !

I'm using the cluster config:

apiVersion: operator.openshift.io/v1alpha1
kind: CertManager
metadata:
  name: cluster
spec:
  logLevel: Normal
  managementState: Managed
  observedConfig: null
  operatorLogLevel: Normal
  controllerConfig:
    overrideLabels:
      azure.workload.identity/use: "true"  # add required pod labels
  unsupportedConfigOverrides: null

But to make it works, I also need to patch the created serviceAccount: cert-manager with annotations and labels.

oc -n cert-manager patch sa cert-manager --type=merge --patch='{"metadata": { "labels": { "azure.workload.identity/use": "true" }, "annotations": { "azure.workload.identity/client-id": "XXX", "azure.workload.identity/tenant-id": "YYY"} }}'

The issue is that if the service account disappear or is reconciled, those annotations/labels will not be persistent.

And I didn't found a way to potentially patch it with unsupportedConfigOverrides or to use a custom self-managed serviceAccount.

I tried also with CredentialsRequest but without any success:

apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  name: cert-manager
  namespace: openshift-cloud-credential-operator
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: AzureProviderSpec
    roleBindings:
    - role: DNS Zone Contributor
  serviceAccountNames:
  - cert-manager
  secretRef:
    name: cloud-credentials
    namespace: cert-manager

Thank you for considering this feedback.

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[thpham]

Any comments !?

[bharath-b-rh]

Hi @thpham ,

Thank you for the feedback.

It is true, currently the overrideLabels are only added on the deployment resource and on no other resource managed by the operator.
Let me take it back to the team and check how this can be improved.

/remove-lifecycle stale

[lunarwhite]

Hi @thpham

The service account annotations azure.workload.identity/client-id or azure.workload.identity/tenant-id is not required; and the label azure.workload.identity/use has been deprecated in Azure AD Workload Identity. If you'd like granular configuration, you can try to set the value via managedIdentity.clientID and managedIdentity.tenantID: https://cert-manager.io/docs/configuration/acme/dns01/azuredns/#configure-a-clusterissuer

I've got a chance to revisit the offical doc and update some outdated contents: https://github.com/cert-manager/website/pull/1991/files