Skip to content

[DRAFT] [ARO-22413] Remove use of local FP Authorizer to fix int env#4582

Draft
mrWinston wants to merge 1 commit intomasterfrom
ARO-22413-int-env-changes
Draft

[DRAFT] [ARO-22413] Remove use of local FP Authorizer to fix int env#4582
mrWinston wants to merge 1 commit intomasterfrom
ARO-22413-int-env-changes

Conversation

@mrWinston
Copy link
Copy Markdown
Collaborator

@mrWinston mrWinston commented Feb 3, 2026
edited
Loading

Which issue this PR addresses:

Fixes ARO-22413

What this PR does / why we need it:

  • Bringing back int means we'll need to have the INT RP create clusters in a separate, RH-owned int subscription
  • This requires the use of a "mock" FP principal to grant the int RP access to the separate subscription.
  • The new "mock" FP principal however would node be able to access the RPs subscription, only the "remote" subscription where clusters are created
  • This means, we need to replace all uses of the FP credential in the local subscription with the MSI credentials which the RP already uses

Changes:

Test plan for issue:

  • Currently testing in int
  • will require canary deployment to make sure other environments are not affected by the change

Is there any documentation that needs to be updated for this PR?

  • tbd

How do you know this will function as expected in production?

  • tbd

@mrWinston mrWinston mentioned this pull request Feb 3, 2026
Closed
@github-actions github-actions Bot added the needs-rebase branch needs a rebase label Mar 2, 2026
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Mar 2, 2026

Please rebase pull request.

tuxerrante
tuxerrante reviewed Apr 3, 2026
View reviewed changes
Comment thread pkg/env/prod.go

clusterKeyvaultURI := azsecrets.URI(p, ClusterKeyvaultSuffix, keyVaultPrefix)
clusterKeyvaultClient, err := azsecrets.NewClient(clusterKeyvaultURI, localFPKVCredential, p.Environment().AzureClientOptions())
clusterKeyvaultClient, err := azsecrets.NewClient(clusterKeyvaultURI, msiCredential, p.Environment().AzureClientOptions())
Copy link
Copy Markdown
Collaborator

@tuxerrante tuxerrante Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we confirm RP managed identity already has equivalent data-plane access on the cluster Key Vault (secrets + certificates)? This switches those clients from FP cert credentials to MSI, and missing KV permissions would show up as runtime 403s after deploy. Context:

ARO-RP/pkg/env/prod.go

Lines 168 to 176 in a518ae3

clusterKeyvaultURI := azsecrets.URI(p, ClusterKeyvaultSuffix, keyVaultPrefix)
clusterKeyvaultClient, err := azsecrets.NewClient(clusterKeyvaultURI, msiCredential, p.Environment().AzureClientOptions())
if err != nil {
return nil, fmt.Errorf("cannot create key vault secrets client: %w", err)
}
p.clusterKeyvault = clusterKeyvaultClient
clusterCertificatesClient, err := azcertificates.NewClient(clusterKeyvaultURI, msiCredential, p.Environment().AzureClientOptions())
if err != nil {

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tuxerrante tuxerrante tuxerrante left review comments

@bennerv bennerv Awaiting requested review from bennerv bennerv will be requested when the pull request is marked ready for review bennerv is a code owner

@hawkowl hawkowl Awaiting requested review from hawkowl hawkowl will be requested when the pull request is marked ready for review hawkowl is a code owner

@rogbas rogbas Awaiting requested review from rogbas rogbas will be requested when the pull request is marked ready for review rogbas is a code owner

@cadenmarchese cadenmarchese Awaiting requested review from cadenmarchese cadenmarchese will be requested when the pull request is marked ready for review cadenmarchese is a code owner

@yjst2012 yjst2012 Awaiting requested review from yjst2012 yjst2012 will be requested when the pull request is marked ready for review yjst2012 is a code owner

@hlipsig hlipsig Awaiting requested review from hlipsig hlipsig will be requested when the pull request is marked ready for review hlipsig is a code owner

@tiguelu tiguelu Awaiting requested review from tiguelu tiguelu will be requested when the pull request is marked ready for review tiguelu is a code owner

@mociarain mociarain Awaiting requested review from mociarain mociarain will be requested when the pull request is marked ready for review mociarain is a code owner

@kimorris27 kimorris27 Awaiting requested review from kimorris27 kimorris27 will be requested when the pull request is marked ready for review kimorris27 is a code owner

@tsatam tsatam Awaiting requested review from tsatam tsatam will be requested when the pull request is marked ready for review tsatam is a code owner

@sankur-codes sankur-codes Awaiting requested review from sankur-codes sankur-codes will be requested when the pull request is marked ready for review sankur-codes is a code owner

@wanghaoran1988 wanghaoran1988 Awaiting requested review from wanghaoran1988 wanghaoran1988 will be requested when the pull request is marked ready for review wanghaoran1988 is a code owner

@alcasim alcasim Awaiting requested review from alcasim alcasim will be requested when the pull request is marked ready for review alcasim is a code owner

@ventifus ventifus Awaiting requested review from ventifus ventifus will be requested when the pull request is marked ready for review ventifus is a code owner

@kevinobriendotca kevinobriendotca Awaiting requested review from kevinobriendotca kevinobriendotca will be requested when the pull request is marked ready for review kevinobriendotca is a code owner

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

needs-rebase branch needs a rebase

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mrWinston @tuxerrante @aichanda-png