
Azure Workload Identity: serviceAccount labels/annotations #328

@thpham

Description


I'm trying to set up Azure Workload Identity. I made it work, but I want to share a behavior that should be improved!

I'm using the cluster config:

apiVersion: operator.openshift.io/v1alpha1
kind: CertManager
metadata:
  name: cluster
spec:
  logLevel: Normal
  managementState: Managed
  observedConfig: null
  operatorLogLevel: Normal
  controllerConfig:
    overrideLabels:
      azure.workload.identity/use: "true"  # add required pod labels
  unsupportedConfigOverrides: null

But to make it work, I also need to patch the created serviceAccount cert-manager with annotations and labels:

oc -n cert-manager patch sa cert-manager --type=merge --patch='{"metadata": { "labels": { "azure.workload.identity/use": "true" }, "annotations": { "azure.workload.identity/client-id": "XXX", "azure.workload.identity/tenant-id": "YYY"} }}'

The issue is that if the service account disappears or is reconciled, those annotations/labels will not persist.

And I didn't find a way to patch it with unsupportedConfigOverrides or to use a custom self-managed serviceAccount.

I also tried with CredentialsRequest, but without any success:

apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  name: cert-manager
  namespace: openshift-cloud-credential-operator
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: AzureProviderSpec
    roleBindings:
    - role: DNS Zone Contributor
  serviceAccountNames:
  - cert-manager
  secretRef:
    name: cloud-credentials
    namespace: cert-manager

Thank you for considering this feedback.
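As an added example (not the issue author's or the operator's code), the following Python check detects when the reconciled cert-manager ServiceAccount has lost the Azure Workload Identity labels/annotations described above and emits the JSON merge patch that restores them, which is what the `oc patch --type=merge` command in the issue applies. The function names, the sample ServiceAccount object and the client/tenant ID values are constructed for this example and are not real identifiers.

```python
import json
import sys

# Label the Azure Workload Identity webhook expects on the ServiceAccount.
WORKLOAD_IDENTITY_LABELS = {"azure.workload.identity/use": "true"}


def workload_identity_annotations(client_id: str, tenant_id: str) -> dict:
    """Annotations the webhook reads from the ServiceAccount to mint the token."""
    return {
        "azure.workload.identity/client-id": client_id,
        "azure.workload.identity/tenant-id": tenant_id,
    }


def _drift(actual: dict, expected: dict) -> dict:
    """Keys in `expected` that are absent from `actual` or carry another value."""
    return {k: v for k, v in expected.items() if actual.get(k) != v}


def find_drift(sa: dict, labels: dict, annotations: dict) -> dict:
    """Compare a ServiceAccount object (shape of `oc get sa ... -o json`) with
    the expected labels/annotations. Returns {"labels": {...}, "annotations":
    {...}} holding only the keys that need (re)applying; both are empty when
    the ServiceAccount is compliant."""
    metadata = sa.get("metadata") or {}
    return {
        "labels": _drift(metadata.get("labels") or {}, labels),
        "annotations": _drift(metadata.get("annotations") or {}, annotations),
    }


def build_merge_patch(sa: dict, labels: dict, annotations: dict):
    """Build the RFC 7386 merge patch that restores the missing keys, or None
    when nothing needs patching (so a reconcile loop can skip the API call)."""
    drift = find_drift(sa, labels, annotations)
    metadata = {section: keys for section, keys in drift.items() if keys}
    if not metadata:
        return None
    return {"metadata": metadata}


def apply_merge_patch(target: dict, patch: dict) -> dict:
    """Minimal RFC 7386 merge-patch application, used to simulate what the API
    server does with the patch (nested dicts merge, null deletes a key)."""
    result = dict(target)
    for key, value in patch.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = apply_merge_patch(result[key], value)
        elif value is None:
            result.pop(key, None)
        else:
            result[key] = value
    return result


# Constructed sample: the operator-reconciled ServiceAccount after the
# hand-applied workload identity labels/annotations were dropped.
RECONCILED_SA = {
    "apiVersion": "v1",
    "kind": "ServiceAccount",
    "metadata": {
        "name": "cert-manager",
        "namespace": "cert-manager",
        "labels": {"app": "cert-manager"},
    },
}


if __name__ == "__main__":
    # Placeholder IDs; a real deployment would read them from its own config.
    expected_annotations = workload_identity_annotations("XXX", "YYY")
    sa_object = json.load(sys.stdin)
    patch = build_merge_patch(sa_object, WORKLOAD_IDENTITY_LABELS, expected_annotations)
    if patch is None:
        print("ServiceAccount already carries the workload identity metadata", file=sys.stderr)
        sys.exit(0)
    # Print the patch on stdout so it can be piped into `oc patch --type=merge`.
    print(json.dumps(patch))
    sys.exit(1)  # nonzero exit flags drift when run as a periodic check
```

Run it as `oc -n cert-manager get sa cert-manager -o json | python3 sa_drift.py`; a nonzero exit means the reconciled ServiceAccount has drifted, and the printed document is the exact patch body to pass to `oc patch sa cert-manager --type=merge --patch=...`. Comparing values rather than only key presence also catches the case where the label is present but set to something other than `"true"`.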

Metadata

Labels: lifecycle/stale (denotes an issue or PR that has remained open with no activity and has become stale)

Assignees: no one assigned. Milestone: none. Development: no branches or pull requests.