I'm trying to set up Azure Workload Identity. I made it work, but I want to share a behavior that should be improved!

I'm using the cluster config:

```yaml
apiVersion: operator.openshift.io/v1alpha1
kind: CertManager
metadata:
  name: cluster
spec:
  logLevel: Normal
  managementState: Managed
  observedConfig: null
  operatorLogLevel: Normal
  controllerConfig:
    overrideLabels:
      azure.workload.identity/use: "true" # add required pod labels
  unsupportedConfigOverrides: null
```

But to make it work, I also need to patch the created serviceAccount `cert-manager` with annotations and labels:

```bash
oc -n cert-manager patch sa cert-manager --type=merge --patch='{"metadata": { "labels": { "azure.workload.identity/use": "true" }, "annotations": { "azure.workload.identity/client-id": "XXX", "azure.workload.identity/tenant-id": "YYY"} }}'
```

The issue is that if the service account disappears or is reconciled, those annotations/labels will not be persistent.
And I didn't find a way to potentially patch it with `unsupportedConfigOverrides` or to use a custom self-managed serviceAccount.
I also tried with a CredentialsRequest, but without any success:

```yaml
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  name: cert-manager
  namespace: openshift-cloud-credential-operator
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: AzureProviderSpec
    roleBindings:
      - role: DNS Zone Contributor
  serviceAccountNames:
    - cert-manager
  secretRef:
    name: cloud-credentials
    namespace: cert-manager
```
Thank you for considering this feedback.
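Because the manual patch above is lost whenever the operator reconciles the service account, a drift check is useful until the operator supports this natively. The following is an added example (not part of this issue or of the cert-manager operator): it inspects the parsed output of `oc -n cert-manager get sa cert-manager -o json` and reports which Azure Workload Identity label/annotations are missing or malformed; the `check_sa.py` name and the GUID sample values are assumptions.

```python
import json
import re
import sys

# Keys the Azure Workload Identity webhook looks for on the service
# account; taken from the oc patch command in the issue above.
REQUIRED_LABELS = {"azure.workload.identity/use": "true"}
REQUIRED_ANNOTATIONS = ("azure.workload.identity/client-id",
                        "azure.workload.identity/tenant-id")
# Azure client and tenant ids are GUIDs; anything else (e.g. the XXX/YYY
# placeholders) is flagged so a half-applied patch is also caught.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def check_workload_identity_sa(sa: dict) -> list:
    """Return a list of problems found on a ServiceAccount object.
    An empty list means the label and both annotations are present
    and well-formed, i.e. the reconciler has not wiped the patch."""
    meta = sa.get("metadata", {})
    labels = meta.get("labels") or {}
    annotations = meta.get("annotations") or {}
    problems = []
    for key, want in REQUIRED_LABELS.items():
        if labels.get(key) != want:
            problems.append(f"label {key} missing or not {want!r}")
    for key in REQUIRED_ANNOTATIONS:
        value = annotations.get(key)
        if value is None:
            problems.append(f"annotation {key} missing")
        elif not GUID_RE.match(value):
            problems.append(f"annotation {key} is not a GUID: {value!r}")
    return problems


# Constructed samples: the SA as the operator recreates it (patch lost),
# and the SA after the patch with assumed GUID values.
RECONCILED_SA = json.loads('{"apiVersion": "v1", "kind": "ServiceAccount",'
                           ' "metadata": {"name": "cert-manager",'
                           ' "namespace": "cert-manager"}}')
PATCHED_SA = {"apiVersion": "v1", "kind": "ServiceAccount", "metadata": {
    "name": "cert-manager", "namespace": "cert-manager",
    "labels": {"azure.workload.identity/use": "true"},
    "annotations": {
        "azure.workload.identity/client-id": "11111111-2222-3333-4444-555555555555",
        "azure.workload.identity/tenant-id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}}}

if __name__ == "__main__":
    # Usage: oc -n cert-manager get sa cert-manager -o json | python3 check_sa.py
    found = check_workload_identity_sa(json.load(sys.stdin))
    for problem in found:
        print("DRIFT:", problem)
    sys.exit(1 if found else 0)
```

A non-zero exit signals that the service account has drifted and the patch needs to be re-applied, which makes the check easy to wire into a CronJob or a CI smoke test.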