diff --git a/api/hypershift/v1alpha1/hostedcluster_types.go b/api/hypershift/v1alpha1/hostedcluster_types.go index 3f7adbef522..9c549c4d4ac 100644 --- a/api/hypershift/v1alpha1/hostedcluster_types.go +++ b/api/hypershift/v1alpha1/hostedcluster_types.go 
@@ -1574,6 +1574,46 @@ type AzurePlatformSpec struct {
 SubnetID string `json:"subnetID"`
 SubscriptionID string `json:"subscriptionID"`
 SecurityGroupID string `json:"securityGroupID"`
+
+ // MSIClientIDs contains the client IDs related to the managed identities needed for the following control plane
+ // components: cluster-image-registry, cluster-ingress, cluster-storage, and cluster-network operators.
+ //
+ // +optional
+ MSIClientIDs *ControlPlaneManagedServiceIdentities `json:"msiClientIDs,omitempty"`
+}
+
+type ControlPlaneManagedServiceIdentities struct {
+ // ImageRegistryMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ // the cluster-image-registry-operator. The managed identity will be in a different resource group other than
+ // ResourceGroupName.
+ //
+ // +kubebuilder:validation:Required
+ // +required
+ ImageRegistryMSIClientID string `json:"imageRegistryMSIClientID,omitempty"`
+
+ // IngressMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ // the cluster-ingress-operator. The managed identity will be in a different resource group other than
+ // ResourceGroupName.
+ //
+ // +kubebuilder:validation:Required
+ // +required
+ IngressMSIClientID string `json:"ingressMSIClientID,omitempty"`
+
+ // NetworkMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ // the cluster-network-operator. The managed identity will be in a different resource group other than
+ // ResourceGroupName.
+ //
+ // +kubebuilder:validation:Required
+ // +required
+ NetworkMSIClientID string `json:"networkMSIClientID,omitempty"`
+
+ // StorageMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ // the cluster-storage-operator. The managed identity will be in a different resource group other than
+ // ResourceGroupName.
+ // + // +kubebuilder:validation:Required + // +required + StorageMSIClientID string `json:"storageMSIClientID,omitempty"` } // Release represents the metadata for an OCP release payload image. diff --git a/api/hypershift/v1alpha1/zz_generated.deepcopy.go b/api/hypershift/v1alpha1/zz_generated.deepcopy.go index b0a76b14204..a4939dff1c9 100644 --- a/api/hypershift/v1alpha1/zz_generated.deepcopy.go +++ b/api/hypershift/v1alpha1/zz_generated.deepcopy.go @@ -552,6 +552,11 @@ func (in *AzureNodePoolPlatform) DeepCopy() *AzureNodePoolPlatform { func (in *AzurePlatformSpec) DeepCopyInto(out *AzurePlatformSpec) { *out = *in out.Credentials = in.Credentials + if in.MSIClientIDs != nil { + in, out := &in.MSIClientIDs, &out.MSIClientIDs + *out = new(ControlPlaneManagedServiceIdentities) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzurePlatformSpec. @@ -770,6 +775,21 @@ func (in *ClusterVersionStatus) DeepCopy() *ClusterVersionStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ControlPlaneManagedServiceIdentities) DeepCopyInto(out *ControlPlaneManagedServiceIdentities) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ControlPlaneManagedServiceIdentities. +func (in *ControlPlaneManagedServiceIdentities) DeepCopy() *ControlPlaneManagedServiceIdentities { + if in == nil { + return nil + } + out := new(ControlPlaneManagedServiceIdentities) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *DNSSpec) DeepCopyInto(out *DNSSpec) { *out = *in 
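Review bot: The four fields of the new ControlPlaneManagedServiceIdentities struct carry `+kubebuilder:validation:Required` and `+required` but keep `,omitempty` in their JSON tags, and the generated msiClientIDs schema in hypershift.openshift.io_hostedclusters.yaml in this same commit ends with `type: object` and no `required:` list, so the markers are not taking effect (presumably the `omitempty` wins) and an identities object with any ID missing is admitted. Either drop `,omitempty` from the four tags, or mark the fields `+optional` to match what the consumers do, since the cno and ingressoperator NewParams hunks already treat an empty ID as "feature off" via a `len(...) > 0` check. SecurityGroupID in the v1beta1 hunk is marked `+immutable`, while a client ID is a fixed GUID that the control plane binds an operator's credentials to, so `+immutable` and a `+kubebuilder:validation:Pattern` for the GUID form on these fields would reject a typo that otherwise silently points an operator at the wrong identity; the doc text `managed identity ID of that will be` should read `managed identity that will be`. The v1beta1 hostedcluster_types.go hunk duplicates this struct and needs the same changes.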
@@ -2250,7 +2270,7 @@ func (in *PlatformSpec) DeepCopyInto(out *PlatformSpec) { if in.Azure != nil { in, out := &in.Azure, &out.Azure *out = new(AzurePlatformSpec) - **out = **in + (*in).DeepCopyInto(*out) } if in.PowerVS != nil { in, out := &in.PowerVS, &out.PowerVS diff --git a/api/hypershift/v1beta1/hostedcluster_types.go b/api/hypershift/v1beta1/hostedcluster_types.go index a5f1e1585b1..25349043a10 100644 --- a/api/hypershift/v1beta1/hostedcluster_types.go +++ b/api/hypershift/v1beta1/hostedcluster_types.go @@ -330,6 +330,7 @@ const ( type HostedClusterSpec struct { // Release specifies the desired OCP release payload for the hosted cluster. // + // // Updating this field will trigger a rollout of the control plane. The // behavior of the rollout will be driven by the ControllerAvailabilityPolicy // and InfrastructureAvailabilityPolicy. @@ -1785,7 +1786,7 @@ type AzurePlatformSpec struct { // // Resource group naming requirements can be found here: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ResourceGroup.Name/. // - //Example: if your resource group ID is /subscriptions//resourceGroups/, your + // Example: if your resource group ID is /subscriptions//resourceGroups/, your // ResourceGroupName is . // // +kubebuilder:default:=default 
@@ -1839,6 +1840,46 @@ type AzurePlatformSpec struct { // +immutable // +required SecurityGroupID string `json:"securityGroupID,omitempty"` + + // MSIClientIDs contains the client IDs related to the managed identities needed for the following control plane + // components: cluster-image-registry, cluster-ingress, cluster-storage, and cluster-network operators. + // + // +optional + MSIClientIDs *ControlPlaneManagedServiceIdentities `json:"msiClientIDs,omitempty"` +} + +type ControlPlaneManagedServiceIdentities struct { + // ImageRegistryMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + // the cluster-image-registry-operator. The managed identity will be in a different resource group other than + // ResourceGroupName. + // + // +kubebuilder:validation:Required + // +required + ImageRegistryMSIClientID string `json:"imageRegistryMSIClientID,omitempty"` + + // IngressMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + // the cluster-ingress-operator. The managed identity will be in a different resource group other than + // ResourceGroupName. + // + // +kubebuilder:validation:Required + // +required + IngressMSIClientID string `json:"ingressMSIClientID,omitempty"` + + // NetworkMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + // the cluster-network-operator. The managed identity will be in a different resource group other than + // ResourceGroupName. + // + // +kubebuilder:validation:Required + // +required + NetworkMSIClientID string `json:"networkMSIClientID,omitempty"` + + // StorageMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + // the cluster-storage-operator. The managed identity will be in a different resource group other than + // ResourceGroupName. 
+ // + // +kubebuilder:validation:Required + // +required + StorageMSIClientID string `json:"storageMSIClientID,omitempty"` } // OpenStackPlatformSpec specifies configuration for clusters running on OpenStack. diff --git a/api/hypershift/v1beta1/zz_generated.deepcopy.go b/api/hypershift/v1beta1/zz_generated.deepcopy.go index 83ae4c62b3a..15940bad61e 100644 --- a/api/hypershift/v1beta1/zz_generated.deepcopy.go +++ b/api/hypershift/v1beta1/zz_generated.deepcopy.go @@ -558,6 +558,11 @@ func (in *AzureNodePoolPlatform) DeepCopy() *AzureNodePoolPlatform { func (in *AzurePlatformSpec) DeepCopyInto(out *AzurePlatformSpec) { *out = *in out.Credentials = in.Credentials + if in.MSIClientIDs != nil { + in, out := &in.MSIClientIDs, &out.MSIClientIDs + *out = new(ControlPlaneManagedServiceIdentities) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzurePlatformSpec. @@ -848,6 +853,21 @@ func (in *ClusterVersionStatus) DeepCopy() *ClusterVersionStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ControlPlaneManagedServiceIdentities) DeepCopyInto(out *ControlPlaneManagedServiceIdentities) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ControlPlaneManagedServiceIdentities. +func (in *ControlPlaneManagedServiceIdentities) DeepCopy() *ControlPlaneManagedServiceIdentities { + if in == nil { + return nil + } + out := new(ControlPlaneManagedServiceIdentities) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *DNSSpec) DeepCopyInto(out *DNSSpec) { *out = *in 
@@ -2479,7 +2499,7 @@ func (in *PlatformSpec) DeepCopyInto(out *PlatformSpec) { if in.Azure != nil { in, out := &in.Azure, &out.Azure *out = new(AzurePlatformSpec) - **out = **in + (*in).DeepCopyInto(*out) } if in.PowerVS != nil { in, out := &in.PowerVS, &out.PowerVS diff --git a/client/applyconfiguration/hypershift/v1alpha1/azureplatformspec.go b/client/applyconfiguration/hypershift/v1alpha1/azureplatformspec.go index e65cec89d0b..e57bee7d634 100644 --- a/client/applyconfiguration/hypershift/v1alpha1/azureplatformspec.go +++ b/client/applyconfiguration/hypershift/v1alpha1/azureplatformspec.go @@ -24,14 +24,15 @@ import ( // AzurePlatformSpecApplyConfiguration represents an declarative configuration of the AzurePlatformSpec type for use // with apply. type AzurePlatformSpecApplyConfiguration struct { - Credentials *v1.LocalObjectReference `json:"credentials,omitempty"` - Cloud *string `json:"cloud,omitempty"` - Location *string `json:"location,omitempty"` - ResourceGroupName *string `json:"resourceGroup,omitempty"` - VnetID *string `json:"vnetID,omitempty"` - SubnetID *string `json:"subnetID,omitempty"` - SubscriptionID *string `json:"subscriptionID,omitempty"` - SecurityGroupID *string `json:"securityGroupID,omitempty"` + Credentials *v1.LocalObjectReference `json:"credentials,omitempty"` + Cloud *string `json:"cloud,omitempty"` + Location *string `json:"location,omitempty"` + ResourceGroupName *string `json:"resourceGroup,omitempty"` + VnetID *string `json:"vnetID,omitempty"` + SubnetID *string `json:"subnetID,omitempty"` + SubscriptionID *string `json:"subscriptionID,omitempty"` + SecurityGroupID *string `json:"securityGroupID,omitempty"` + MSIClientIDs *ControlPlaneManagedServiceIdentitiesApplyConfiguration `json:"msiClientIDs,omitempty"` } // AzurePlatformSpecApplyConfiguration constructs an declarative configuration of the AzurePlatformSpec type for use with 
@@ -103,3 +104,11 @@ func (b *AzurePlatformSpecApplyConfiguration) WithSecurityGroupID(value string) b.SecurityGroupID = &value return b } + +// WithMSIClientIDs sets the MSIClientIDs field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the MSIClientIDs field is set to the value of the last call. +func (b *AzurePlatformSpecApplyConfiguration) WithMSIClientIDs(value *ControlPlaneManagedServiceIdentitiesApplyConfiguration) *AzurePlatformSpecApplyConfiguration { + b.MSIClientIDs = value + return b +} diff --git a/client/applyconfiguration/hypershift/v1alpha1/controlplanemanagedserviceidentities.go b/client/applyconfiguration/hypershift/v1alpha1/controlplanemanagedserviceidentities.go new file mode 100644 index 00000000000..27b8d3af65b --- /dev/null +++ b/client/applyconfiguration/hypershift/v1alpha1/controlplanemanagedserviceidentities.go 
@@ -0,0 +1,65 @@ +/* + + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +// ControlPlaneManagedServiceIdentitiesApplyConfiguration represents an declarative configuration of the ControlPlaneManagedServiceIdentities type for use +// with apply. +type ControlPlaneManagedServiceIdentitiesApplyConfiguration struct { + ImageRegistryMSIClientID *string `json:"imageRegistryMSIClientID,omitempty"` + IngressMSIClientID *string `json:"ingressMSIClientID,omitempty"` + NetworkMSIClientID *string `json:"networkMSIClientID,omitempty"` + StorageMSIClientID *string `json:"storageMSIClientID,omitempty"` +} + +// ControlPlaneManagedServiceIdentitiesApplyConfiguration constructs an declarative configuration of the ControlPlaneManagedServiceIdentities type for use with +// apply. +func ControlPlaneManagedServiceIdentities() *ControlPlaneManagedServiceIdentitiesApplyConfiguration { + return &ControlPlaneManagedServiceIdentitiesApplyConfiguration{} +} + +// WithImageRegistryMSIClientID sets the ImageRegistryMSIClientID field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ImageRegistryMSIClientID field is set to the value of the last call. 
+func (b *ControlPlaneManagedServiceIdentitiesApplyConfiguration) WithImageRegistryMSIClientID(value string) *ControlPlaneManagedServiceIdentitiesApplyConfiguration { + b.ImageRegistryMSIClientID = &value + return b +} + +// WithIngressMSIClientID sets the IngressMSIClientID field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the IngressMSIClientID field is set to the value of the last call. +func (b *ControlPlaneManagedServiceIdentitiesApplyConfiguration) WithIngressMSIClientID(value string) *ControlPlaneManagedServiceIdentitiesApplyConfiguration { + b.IngressMSIClientID = &value + return b +} + +// WithNetworkMSIClientID sets the NetworkMSIClientID field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the NetworkMSIClientID field is set to the value of the last call. +func (b *ControlPlaneManagedServiceIdentitiesApplyConfiguration) WithNetworkMSIClientID(value string) *ControlPlaneManagedServiceIdentitiesApplyConfiguration { + b.NetworkMSIClientID = &value + return b +} + +// WithStorageMSIClientID sets the StorageMSIClientID field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the StorageMSIClientID field is set to the value of the last call. +func (b *ControlPlaneManagedServiceIdentitiesApplyConfiguration) WithStorageMSIClientID(value string) *ControlPlaneManagedServiceIdentitiesApplyConfiguration { + b.StorageMSIClientID = &value + return b +} diff --git a/client/applyconfiguration/hypershift/v1beta1/azureplatformspec.go b/client/applyconfiguration/hypershift/v1beta1/azureplatformspec.go index 0dd6518daf1..9adeebd1f19 100644 
--- a/client/applyconfiguration/hypershift/v1beta1/azureplatformspec.go +++ b/client/applyconfiguration/hypershift/v1beta1/azureplatformspec.go @@ -24,14 +24,15 @@ import ( // AzurePlatformSpecApplyConfiguration represents an declarative configuration of the AzurePlatformSpec type for use // with apply. type AzurePlatformSpecApplyConfiguration struct { - Credentials *v1.LocalObjectReference `json:"credentials,omitempty"` - Cloud *string `json:"cloud,omitempty"` - Location *string `json:"location,omitempty"` - ResourceGroupName *string `json:"resourceGroup,omitempty"` - VnetID *string `json:"vnetID,omitempty"` - SubnetID *string `json:"subnetID,omitempty"` - SubscriptionID *string `json:"subscriptionID,omitempty"` - SecurityGroupID *string `json:"securityGroupID,omitempty"` + Credentials *v1.LocalObjectReference `json:"credentials,omitempty"` + Cloud *string `json:"cloud,omitempty"` + Location *string `json:"location,omitempty"` + ResourceGroupName *string `json:"resourceGroup,omitempty"` + VnetID *string `json:"vnetID,omitempty"` + SubnetID *string `json:"subnetID,omitempty"` + SubscriptionID *string `json:"subscriptionID,omitempty"` + SecurityGroupID *string `json:"securityGroupID,omitempty"` + MSIClientIDs *ControlPlaneManagedServiceIdentitiesApplyConfiguration `json:"msiClientIDs,omitempty"` } // AzurePlatformSpecApplyConfiguration constructs an declarative configuration of the AzurePlatformSpec type for use with 
@@ -103,3 +104,11 @@ func (b *AzurePlatformSpecApplyConfiguration) WithSecurityGroupID(value string) b.SecurityGroupID = &value return b } + +// WithMSIClientIDs sets the MSIClientIDs field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the MSIClientIDs field is set to the value of the last call. +func (b *AzurePlatformSpecApplyConfiguration) WithMSIClientIDs(value *ControlPlaneManagedServiceIdentitiesApplyConfiguration) *AzurePlatformSpecApplyConfiguration { + b.MSIClientIDs = value + return b +} diff --git a/client/applyconfiguration/hypershift/v1beta1/controlplanemanagedserviceidentities.go b/client/applyconfiguration/hypershift/v1beta1/controlplanemanagedserviceidentities.go new file mode 100644 index 00000000000..835c49dfb31 --- /dev/null +++ b/client/applyconfiguration/hypershift/v1beta1/controlplanemanagedserviceidentities.go 
@@ -0,0 +1,65 @@ +/* + + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1beta1 + +// ControlPlaneManagedServiceIdentitiesApplyConfiguration represents an declarative configuration of the ControlPlaneManagedServiceIdentities type for use +// with apply. +type ControlPlaneManagedServiceIdentitiesApplyConfiguration struct { + ImageRegistryMSIClientID *string `json:"imageRegistryMSIClientID,omitempty"` + IngressMSIClientID *string `json:"ingressMSIClientID,omitempty"` + NetworkMSIClientID *string `json:"networkMSIClientID,omitempty"` + StorageMSIClientID *string `json:"storageMSIClientID,omitempty"` +} + +// ControlPlaneManagedServiceIdentitiesApplyConfiguration constructs an declarative configuration of the ControlPlaneManagedServiceIdentities type for use with +// apply. +func ControlPlaneManagedServiceIdentities() *ControlPlaneManagedServiceIdentitiesApplyConfiguration { + return &ControlPlaneManagedServiceIdentitiesApplyConfiguration{} +} + +// WithImageRegistryMSIClientID sets the ImageRegistryMSIClientID field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ImageRegistryMSIClientID field is set to the value of the last call. 
+func (b *ControlPlaneManagedServiceIdentitiesApplyConfiguration) WithImageRegistryMSIClientID(value string) *ControlPlaneManagedServiceIdentitiesApplyConfiguration { + b.ImageRegistryMSIClientID = &value + return b +} + +// WithIngressMSIClientID sets the IngressMSIClientID field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the IngressMSIClientID field is set to the value of the last call. +func (b *ControlPlaneManagedServiceIdentitiesApplyConfiguration) WithIngressMSIClientID(value string) *ControlPlaneManagedServiceIdentitiesApplyConfiguration { + b.IngressMSIClientID = &value + return b +} + +// WithNetworkMSIClientID sets the NetworkMSIClientID field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the NetworkMSIClientID field is set to the value of the last call. +func (b *ControlPlaneManagedServiceIdentitiesApplyConfiguration) WithNetworkMSIClientID(value string) *ControlPlaneManagedServiceIdentitiesApplyConfiguration { + b.NetworkMSIClientID = &value + return b +} + +// WithStorageMSIClientID sets the StorageMSIClientID field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the StorageMSIClientID field is set to the value of the last call. +func (b *ControlPlaneManagedServiceIdentitiesApplyConfiguration) WithStorageMSIClientID(value string) *ControlPlaneManagedServiceIdentitiesApplyConfiguration { + b.StorageMSIClientID = &value + return b +} diff --git a/client/applyconfiguration/utils.go b/client/applyconfiguration/utils.go index b05e1df7d4f..13e560efb4a 100644 --- a/client/applyconfiguration/utils.go +++ b/client/applyconfiguration/utils.go 
@@ -96,6 +96,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &applyconfigurationhypershiftv1alpha1.ClusterNetworkingApplyConfiguration{} case hypershiftv1alpha1.SchemeGroupVersion.WithKind("ClusterVersionStatus"): return &applyconfigurationhypershiftv1alpha1.ClusterVersionStatusApplyConfiguration{} + case hypershiftv1alpha1.SchemeGroupVersion.WithKind("ControlPlaneManagedServiceIdentities"): + return &applyconfigurationhypershiftv1alpha1.ControlPlaneManagedServiceIdentitiesApplyConfiguration{} case hypershiftv1alpha1.SchemeGroupVersion.WithKind("Diagnostics"): return &applyconfigurationhypershiftv1alpha1.DiagnosticsApplyConfiguration{} case hypershiftv1alpha1.SchemeGroupVersion.WithKind("DNSSpec"): @@ -280,6 +282,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &hypershiftv1beta1.ClusterNetworkingApplyConfiguration{} case v1beta1.SchemeGroupVersion.WithKind("ClusterVersionStatus"): return &hypershiftv1beta1.ClusterVersionStatusApplyConfiguration{} + case v1beta1.SchemeGroupVersion.WithKind("ControlPlaneManagedServiceIdentities"): + return &hypershiftv1beta1.ControlPlaneManagedServiceIdentitiesApplyConfiguration{} case v1beta1.SchemeGroupVersion.WithKind("Diagnostics"): return &hypershiftv1beta1.DiagnosticsApplyConfiguration{} case v1beta1.SchemeGroupVersion.WithKind("DNSSpec"): diff --git a/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedclusters.yaml b/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedclusters.yaml index 493022c721e..569dac99eac 100644 --- a/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedclusters.yaml +++ b/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedclusters.yaml 
@@ -3472,6 +3472,36 @@ spec: x-kubernetes-map-type: atomic location: type: string + msiClientIDs: + description: |- + MSIClientIDs contains the client IDs related to the managed identities needed for the following control plane + components: cluster-image-registry, cluster-ingress, cluster-storage, and cluster-network operators. + properties: + imageRegistryMSIClientID: + description: |- + ImageRegistryMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + the cluster-image-registry-operator. The managed identity will be in a different resource group other than + ResourceGroupName. + type: string + ingressMSIClientID: + description: |- + IngressMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + the cluster-ingress-operator. The managed identity will be in a different resource group other than + ResourceGroupName. + type: string + networkMSIClientID: + description: |- + NetworkMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + the cluster-network-operator. The managed identity will be in a different resource group other than + ResourceGroupName. + type: string + storageMSIClientID: + description: |- + StorageMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + the cluster-storage-operator. The managed identity will be in a different resource group other than + ResourceGroupName. + type: string + type: object resourceGroup: type: string securityGroupID: 
@@ -8251,6 +8281,36 @@ spec: x-kubernetes-validations: - message: Location is immutable rule: self == oldSelf + msiClientIDs: + description: |- + MSIClientIDs contains the client IDs related to the managed identities needed for the following control plane + components: cluster-image-registry, cluster-ingress, cluster-storage, and cluster-network operators. + properties: + imageRegistryMSIClientID: + description: |- + ImageRegistryMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + the cluster-image-registry-operator. The managed identity will be in a different resource group other than + ResourceGroupName. + type: string + ingressMSIClientID: + description: |- + IngressMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + the cluster-ingress-operator. The managed identity will be in a different resource group other than + ResourceGroupName. + type: string + networkMSIClientID: + description: |- + NetworkMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + the cluster-network-operator. The managed identity will be in a different resource group other than + ResourceGroupName. + type: string + storageMSIClientID: + description: |- + StorageMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + the cluster-storage-operator. The managed identity will be in a different resource group other than + ResourceGroupName. + type: string + type: object resourceGroup: default: default description: |- diff --git a/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedcontrolplanes.yaml b/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedcontrolplanes.yaml index ec121352c2f..03c758a4e50 100644 --- a/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedcontrolplanes.yaml 
+++ b/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedcontrolplanes.yaml @@ -3458,6 +3458,36 @@ spec: x-kubernetes-map-type: atomic location: type: string + msiClientIDs: + description: |- + MSIClientIDs contains the client IDs related to the managed identities needed for the following control plane + components: cluster-image-registry, cluster-ingress, cluster-storage, and cluster-network operators. + properties: + imageRegistryMSIClientID: + description: |- + ImageRegistryMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + the cluster-image-registry-operator. The managed identity will be in a different resource group other than + ResourceGroupName. + type: string + ingressMSIClientID: + description: |- + IngressMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + the cluster-ingress-operator. The managed identity will be in a different resource group other than + ResourceGroupName. + type: string + networkMSIClientID: + description: |- + NetworkMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + the cluster-network-operator. The managed identity will be in a different resource group other than + ResourceGroupName. + type: string + storageMSIClientID: + description: |- + StorageMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + the cluster-storage-operator. The managed identity will be in a different resource group other than + ResourceGroupName. + type: string + type: object resourceGroup: type: string securityGroupID: 
@@ -8215,6 +8245,36 @@ spec: x-kubernetes-validations: - message: Location is immutable rule: self == oldSelf + msiClientIDs: + description: |- + MSIClientIDs contains the client IDs related to the managed identities needed for the following control plane + components: cluster-image-registry, cluster-ingress, cluster-storage, and cluster-network operators. + properties: + imageRegistryMSIClientID: + description: |- + ImageRegistryMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + the cluster-image-registry-operator. The managed identity will be in a different resource group other than + ResourceGroupName. + type: string + ingressMSIClientID: + description: |- + IngressMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + the cluster-ingress-operator. The managed identity will be in a different resource group other than + ResourceGroupName. + type: string + networkMSIClientID: + description: |- + NetworkMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + the cluster-network-operator. The managed identity will be in a different resource group other than + ResourceGroupName. + type: string + storageMSIClientID: + description: |- + StorageMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + the cluster-storage-operator. The managed identity will be in a different resource group other than + ResourceGroupName. + type: string + type: object resourceGroup: default: default description: |- diff --git a/control-plane-operator/controllers/hostedcontrolplane/cno/clusternetworkoperator.go b/control-plane-operator/controllers/hostedcontrolplane/cno/clusternetworkoperator.go index 3f7506a295a..47253308fd4 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/cno/clusternetworkoperator.go +++ b/control-plane-operator/controllers/hostedcontrolplane/cno/clusternetworkoperator.go 
@@ -60,22 +60,25 @@ type Images struct {
 }
 type Params struct {
- ReleaseVersion string
- AvailabilityProberImage string
- HostedClusterName string
- CAConfigMap string
- CAConfigMapKey string
- APIServerAddress string
- APIServerPort int32
- TokenAudience string
- Images Images
- OwnerRef config.OwnerRef
- DeploymentConfig config.DeploymentConfig
- IsPrivate bool
- DefaultIngressDomain string
+ ReleaseVersion string
+ AvailabilityProberImage string
+ HostedClusterName string
+ CAConfigMap string
+ CAConfigMapKey string
+ APIServerAddress string
+ APIServerPort int32
+ TokenAudience string
+ Images Images
+ OwnerRef config.OwnerRef
+ DeploymentConfig config.DeploymentConfig
+ platform hyperv1.PlatformType
+ IsPrivate bool
+ DefaultIngressDomain string
+ NetworkMSIClientIdExists bool
 }
 func NewParams(hcp *hyperv1.HostedControlPlane, version string, releaseImageProvider *imageprovider.ReleaseImageProvider, userReleaseImageProvider *imageprovider.ReleaseImageProvider, setDefaultSecurityContext bool, defaultIngressDomain string) Params {
+ networkMSIClientIdExists := hcp.Spec.Platform.Type == hyperv1.AzurePlatform && hcp.Spec.Platform.Azure.MSIClientIDs != nil && len(hcp.Spec.Platform.Azure.MSIClientIDs.NetworkMSIClientID) > 0
 p := Params{
 Images: Images{
 NetworkOperator: releaseImageProvider.GetImage("cluster-network-operator"),
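Review bot: The new `networkMSIClientIdExists` expression in NewParams dereferences `hcp.Spec.Platform.Azure` as soon as the platform type is Azure, and the PlatformSpec deepcopy hunks in this commit show Azure is a pointer (`if in.Azure != nil`), so a HostedControlPlane with `Type: Azure` and no Azure block would panic here unless that combination is rejected by validation I cannot see; add the nil check to the conjunction, `hcp.Spec.Platform.Type == hyperv1.AzurePlatform && hcp.Spec.Platform.Azure != nil && hcp.Spec.Platform.Azure.MSIClientIDs != nil && len(hcp.Spec.Platform.Azure.MSIClientIDs.NetworkMSIClientID) > 0`. The same guard shape appears in the ingressoperator NewParams hunk and needs the same nil check. The unexported `platform` field added to Params is assigned in the next hunk but not read anywhere in the visible diff; if nothing else consumes it, drop it. `NetworkMSIClientIdExists` (and `IngressMSIClientIdExists` in ingressoperator) should spell the initialism as `ID`, matching the surrounding `MSIClientIDs` and `SubnetID` names.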
@@ -99,15 +102,17 @@ func NewParams(hcp *hyperv1.HostedControlPlane, version string, releaseImageProv
 CLI: releaseImageProvider.GetImage("cli"),
 Socks5Proxy: releaseImageProvider.GetImage("socks5-proxy"),
 },
- ReleaseVersion: version,
- AvailabilityProberImage: releaseImageProvider.GetImage(util.AvailabilityProberImageName),
- OwnerRef: config.OwnerRefFrom(hcp),
- IsPrivate: util.IsPrivateHCP(hcp),
- HostedClusterName: hcp.Name,
- TokenAudience: hcp.Spec.IssuerURL,
- DefaultIngressDomain: defaultIngressDomain,
- CAConfigMap: caConfigMap,
- CAConfigMapKey: caConfigMapKey,
+ ReleaseVersion: version,
+ AvailabilityProberImage: releaseImageProvider.GetImage(util.AvailabilityProberImageName),
+ OwnerRef: config.OwnerRefFrom(hcp),
+ IsPrivate: util.IsPrivateHCP(hcp),
+ HostedClusterName: hcp.Name,
+ TokenAudience: hcp.Spec.IssuerURL,
+ DefaultIngressDomain: defaultIngressDomain,
+ CAConfigMap: caConfigMap,
+ CAConfigMapKey: caConfigMapKey,
+ platform: hcp.Spec.Platform.Type,
+ NetworkMSIClientIdExists: networkMSIClientIdExists,
 }
 p.DeploymentConfig.AdditionalLabels = map[string]string{
@@ -566,6 +571,15 @@ if [[ -n $sc ]]; then kubectl --kubeconfig $kc delete --ignore-not-found validat
 }
 o.WaitForInfrastructureResource = true
 })
+
+ if params.NetworkMSIClientIdExists {
+ dep.Spec.Template.Spec.Containers[0].Env = append(dep.Spec.Template.Spec.Containers[0].Env,
+ corev1.EnvVar{
+ Name: "AZURE_MSI_AUTHENTICATION",
+ Value: "true",
+ })
+ }
+
 return nil
 }
diff --git a/control-plane-operator/controllers/hostedcontrolplane/ingressoperator/ingressoperator.go b/control-plane-operator/controllers/hostedcontrolplane/ingressoperator/ingressoperator.go
index 39d0442f6d5..a22fc00352f 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/ingressoperator/ingressoperator.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/ingressoperator/ingressoperator.go
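Review bot: The Azure branch only sets `AZURE_MSI_AUTHENTICATION=true`; the `NetworkMSIClientID` value the API now carries is not handed to the container anywhere in this hunk, so it is not visible how the operator ends up using that specific identity rather than whatever ambient identity its pod has — worth confirming what the operator reads and, if it expects a client-ID variable, setting it here from the same field. The append also assumes the operator is `Containers[0]`; the storage change in operator.go selects the container by name, which is the safer pattern, and the same indexed append appears in ingressoperator.go and registryoperator/reconcile.go. If `dep` is a persisted object mutated in place rather than rebuilt on each reconcile, appending every pass accumulates duplicate entries; an upsert-style helper (`util.UpsertEnvVar` or similar, if one exists) avoids that. The function containing this block starts outside the hunk.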
@@ -31,30 +31,33 @@ const (
 )
 type Params struct {
- IngressOperatorImage string
- IngressCanaryImage string
- HAProxyRouterImage string
- KubeRBACProxyImage string
- ReleaseVersion string
- TokenMinterImage string
- AvailabilityProberImage string
- ProxyImage string
- Platform hyperv1.PlatformType
- DeploymentConfig config.DeploymentConfig
- ProxyConfig *configv1.ProxySpec
- NoProxy string
+ IngressOperatorImage string
+ IngressCanaryImage string
+ HAProxyRouterImage string
+ KubeRBACProxyImage string
+ ReleaseVersion string
+ TokenMinterImage string
+ AvailabilityProberImage string
+ ProxyImage string
+ Platform hyperv1.PlatformType
+ DeploymentConfig config.DeploymentConfig
+ ProxyConfig *configv1.ProxySpec
+ NoProxy string
+ IngressMSIClientIdExists bool
 }
 func NewParams(hcp *hyperv1.HostedControlPlane, version string, releaseImageProvider *imageprovider.ReleaseImageProvider, userReleaseImageProvider *imageprovider.ReleaseImageProvider, setDefaultSecurityContext bool, platform hyperv1.PlatformType) Params {
+ ingressMSIClientIdExists := platform == hyperv1.AzurePlatform && hcp.Spec.Platform.Azure.MSIClientIDs != nil && len(hcp.Spec.Platform.Azure.MSIClientIDs.IngressMSIClientID) > 0
 p := Params{
- IngressOperatorImage: releaseImageProvider.GetImage("cluster-ingress-operator"),
- IngressCanaryImage: userReleaseImageProvider.GetImage("cluster-ingress-operator"),
- HAProxyRouterImage: userReleaseImageProvider.GetImage("haproxy-router"),
- ReleaseVersion: version,
- TokenMinterImage: releaseImageProvider.GetImage("token-minter"),
- ProxyImage: releaseImageProvider.GetImage(util.CPOImageName),
- AvailabilityProberImage: releaseImageProvider.GetImage(util.AvailabilityProberImageName),
- Platform: platform,
+ IngressOperatorImage: releaseImageProvider.GetImage("cluster-ingress-operator"),
+ IngressCanaryImage: userReleaseImageProvider.GetImage("cluster-ingress-operator"),
+ HAProxyRouterImage: userReleaseImageProvider.GetImage("haproxy-router"),
+ ReleaseVersion: version,
+ TokenMinterImage: releaseImageProvider.GetImage("token-minter"),
+ ProxyImage: releaseImageProvider.GetImage(util.CPOImageName),
+ AvailabilityProberImage: releaseImageProvider.GetImage(util.AvailabilityProberImageName),
+ Platform: platform,
+ IngressMSIClientIdExists: ingressMSIClientIdExists,
 }
 if hcp.Spec.Configuration != nil {
 p.ProxyConfig = hcp.Spec.Configuration.Proxy
@@ -152,7 +155,8 @@ func ReconcileDeployment(dep *appsv1.Deployment, params Params, platformType hyp
 {Name: "konnectivity-proxy-ca", VolumeSource: corev1.VolumeSource{ConfigMap: &corev1.ConfigMapVolumeSource{LocalObjectReference: corev1.LocalObjectReference{Name: manifests.KonnectivityCAConfigMap("").Name}, DefaultMode: ptr.To[int32](0640)}}},
 }
- if params.Platform == hyperv1.AWSPlatform {
+ switch params.Platform {
+ case hyperv1.AWSPlatform:
 dep.Spec.Template.Spec.Containers[0].VolumeMounts = append(dep.Spec.Template.Spec.Containers[0].VolumeMounts,
 corev1.VolumeMount{Name: "serviceaccount-token", MountPath: "/var/run/secrets/openshift/serviceaccount"},
 )
@@ -185,6 +189,14 @@ func ReconcileDeployment(dep *appsv1.Deployment, params Params, platformType hyp
 })
 dep.Spec.Template.Spec.Volumes = append(dep.Spec.Template.Spec.Volumes, corev1.Volume{Name: "serviceaccount-token", VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{}}})
+ case hyperv1.AzurePlatform:
+ if params.IngressMSIClientIdExists {
+ dep.Spec.Template.Spec.Containers[0].Env = append(dep.Spec.Template.Spec.Containers[0].Env,
+ corev1.EnvVar{
+ Name: "AZURE_MSI_AUTHENTICATION",
+ Value: "true",
+ })
+ }
 }
 util.AvailabilityProber(
diff --git a/control-plane-operator/controllers/hostedcontrolplane/registryoperator/reconcile.go b/control-plane-operator/controllers/hostedcontrolplane/registryoperator/reconcile.go
index 31f1a347447..0fd3ef8d2b0 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/registryoperator/reconcile.go
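Review bot: `ReconcileDeployment` already receives a `platformType` argument (visible in the hunk header) and the new `switch` keys on `params.Platform`, leaving two sources of truth for the same decision; pick one and drop the other, or at least assert they agree. Relatedly, `ingressMSIClientIdExists` in `NewParams` is computed from the `platform` parameter while the other three components compute it from `hcp.Spec.Platform.Type`, and `hcp.Spec.Platform.Azure` is dereferenced here without a nil check, as in clusternetworkoperator.go. The `case hyperv1.AzurePlatform:` branch would read better with a why-comment such as `// AZURE_MSI_AUTHENTICATION switches the operator to managed-identity authentication; only set when an ingress MSI client ID was configured` so the intent survives without the PR. The AWS case body continues past the first hunk and the enclosing function starts outside both.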
+++ b/control-plane-operator/controllers/hostedcontrolplane/registryoperator/reconcile.go
@@ -97,17 +97,19 @@ var (
 )
 type Params struct {
- operatorImage string
- tokenMinterImage string
- platform hyperv1.PlatformType
- issuerURL string
- releaseVersion string
- registryImage string
- prunerImage string
- deploymentConfig config.DeploymentConfig
+ operatorImage string
+ tokenMinterImage string
+ platform hyperv1.PlatformType
+ issuerURL string
+ releaseVersion string
+ registryImage string
+ prunerImage string
+ deploymentConfig config.DeploymentConfig
+ ImageRegistryClientIdExists bool
 }
 func NewParams(hcp *hyperv1.HostedControlPlane, version string, releaseImageProvider *imageprovider.ReleaseImageProvider, userReleaseImageProvider *imageprovider.ReleaseImageProvider, setDefaultSecurityContext bool) Params {
+ imageRegistryClientIdExists := hcp.Spec.Platform.Type == hyperv1.AzurePlatform && hcp.Spec.Platform.Azure.MSIClientIDs != nil && len(hcp.Spec.Platform.Azure.MSIClientIDs.ImageRegistryMSIClientID) > 0
 params := Params{
 operatorImage: releaseImageProvider.GetImage("cluster-image-registry-operator"),
 tokenMinterImage: releaseImageProvider.GetImage("token-minter"),
@@ -142,7 +144,9 @@ func NewParams(hcp *hyperv1.HostedControlPlane, version string, releaseImageProv
 },
 },
 },
+ ImageRegistryClientIdExists: imageRegistryClientIdExists,
 }
+ params.deploymentConfig.SetRestartAnnotation(hcp.ObjectMeta)
 if hcp.Annotations[hyperv1.ControlPlanePriorityClass] != "" {
 params.deploymentConfig.Scheduling.PriorityClass = hcp.Annotations[hyperv1.ControlPlanePriorityClass]
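Review bot: `ImageRegistryClientIdExists` is the only exported field in a `Params` struct whose other members are all unexported, and its name drops the `MSI` that the sibling components use (`IngressMSIClientIdExists`, `NetworkMSIClientIdExists`, `StorageMSIClientIdExists`); `imageRegistryMSIClientIDExists` would match both conventions. The `params.deploymentConfig.SetRestartAnnotation(hcp.ObjectMeta)` added in the second hunk is unrelated to the MSI plumbing and presumably changes when the registry operator deployment gets rolled; if intentional it deserves a sentence in the commit description or its own commit. The `imageRegistryClientIdExists` derivation shares the unchecked `hcp.Spec.Platform.Azure` dereference raised for clusternetworkoperator.go.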
@@ -192,6 +196,14 @@ func ReconcileDeployment(deployment *appsv1.Deployment, params Params) error {
 MountPath: "/var/run/secrets/openshift/serviceaccount",
 },
 )
+ case hyperv1.AzurePlatform:
+ if params.ImageRegistryClientIdExists {
+ deployment.Spec.Template.Spec.Containers[0].Env = append(deployment.Spec.Template.Spec.Containers[0].Env,
+ corev1.EnvVar{
+ Name: "AZURE_MSI_AUTHENTICATION",
+ Value: "true",
+ })
+ }
 }
 params.deploymentConfig.ApplyTo(deployment)
diff --git a/control-plane-operator/controllers/hostedcontrolplane/storage/operator.go b/control-plane-operator/controllers/hostedcontrolplane/storage/operator.go
index 03f559846de..c71d0a85f81 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/storage/operator.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/storage/operator.go
@@ -31,6 +31,14 @@ func ReconcileOperatorDeployment(
 case "cluster-storage-operator":
 deployment.Spec.Template.Spec.Containers[i].Image = params.StorageOperatorImage
 params.ImageReplacer.replaceEnvVars(deployment.Spec.Template.Spec.Containers[i].Env)
+
+ if params.platform == hyperv1.AzurePlatform && params.StorageMSIClientIdExists {
+ deployment.Spec.Template.Spec.Containers[i].Env = append(deployment.Spec.Template.Spec.Containers[i].Env,
+ corev1.EnvVar{
+ Name: "AZURE_MSI_AUTHENTICATION",
+ Value: "true",
+ })
+ }
 }
 }
diff --git a/control-plane-operator/controllers/hostedcontrolplane/storage/params.go b/control-plane-operator/controllers/hostedcontrolplane/storage/params.go
index be4c3c6615d..e2d1ee0d080 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/storage/params.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/storage/params.go
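Review bot: The storage branch guards with `params.platform == hyperv1.AzurePlatform && params.StorageMSIClientIdExists`, but `StorageMSIClientIdExists` is only ever true when the platform is Azure (its derivation in params.go checks `Platform.Type` first), so the first operand is redundant, while the network and registry components rely on the boolean alone; one convention across the four components makes the gating easier to audit. The registry hunk above adds a `case` to a `switch` whose opening and enclosing function start outside the hunk, so whether a `default` exists is not visible here. A why-comment on the storage `if`, e.g. `// Opt the operator into managed-identity auth only when a storage MSI client ID was configured on the HCP`, would save the next reader re-deriving the condition.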
@@ -13,11 +13,13 @@ const (
 )
 type Params struct {
- OwnerRef config.OwnerRef
- StorageOperatorImage string
- ImageReplacer *environmentReplacer
+ StorageMSIClientIdExists bool
+ StorageOperatorImage string
+ AvailabilityProberImage string
+ OwnerRef config.OwnerRef
+ ImageReplacer *environmentReplacer
+ platform hyperv1.PlatformType
- AvailabilityProberImage string
 config.DeploymentConfig
 }
@@ -32,11 +34,14 @@ func NewParams(
 ir.setVersions(version)
 ir.setOperatorImageReferences(releaseImageProvider.ComponentImages(), userReleaseImageProvider.ComponentImages())
+ storageMSIClientIdExists := hcp.Spec.Platform.Type == hyperv1.AzurePlatform && hcp.Spec.Platform.Azure.MSIClientIDs != nil && len(hcp.Spec.Platform.Azure.MSIClientIDs.StorageMSIClientID) > 0
 params := Params{
- OwnerRef: config.OwnerRefFrom(hcp),
- StorageOperatorImage: releaseImageProvider.GetImage(storageOperatorImageName),
- AvailabilityProberImage: releaseImageProvider.GetImage(util.AvailabilityProberImageName),
- ImageReplacer: ir,
+ OwnerRef: config.OwnerRefFrom(hcp),
+ StorageOperatorImage: releaseImageProvider.GetImage(storageOperatorImageName),
+ AvailabilityProberImage: releaseImageProvider.GetImage(util.AvailabilityProberImageName),
+ ImageReplacer: ir,
+ StorageMSIClientIdExists: storageMSIClientIdExists,
+ platform: hcp.Spec.Platform.Type,
 }
 params.DeploymentConfig = config.DeploymentConfig{
 AdditionalLabels: map[string]string{
diff --git a/docs/content/reference/api.md b/docs/content/reference/api.md
index 46dc8e60e7e..a88842e0646 100644
--- a/docs/content/reference/api.md
+++ b/docs/content/reference/api.md
@@ -2680,6 +2680,21 @@ configuration for the Azure cloud provider, aka Azure cloud controller manager (
 expected to exist under the same subscription as SubscriptionID.
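Review bot: The `Params` rearrangement moves `AvailabilityProberImage` and `OwnerRef` to new positions for no functional reason, turning a two-field addition into a six-line rewrite of the struct and hiding the real change; keep the existing order and append the new fields. `platform` is added unexported next to the exported `StorageMSIClientIdExists`, the opposite of the registry component's choice, so the four components now disagree on field visibility; unexported is defensible since `platform` is only read inside this package (operator.go), but the choice should be uniform. As in the other three components, `hcp.Spec.Platform.Azure` is dereferenced after checking `Platform.Type` alone, so the nil-safety fix raised for clusternetworkoperator.go applies here too.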

+ + +msiClientIDs
+ + +ControlPlaneManagedServiceIdentities + + + + +(Optional) +

MSIClientIDs contains the client IDs related to the managed identities needed for the following control plane +components: cluster-image-registry, cluster-ingress, cluster-storage, and cluster-network operators.

+ + ###CIDRBlock { #hypershift.openshift.io/v1beta1.CIDRBlock } @@ -3400,6 +3415,75 @@ and reports missing images if any.

+###ControlPlaneManagedServiceIdentities { #hypershift.openshift.io/v1beta1.ControlPlaneManagedServiceIdentities } +

+(Appears on: +AzurePlatformSpec) +

+

+

+ + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+imageRegistryMSIClientID
+ +string + +
+

ImageRegistryMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with +the cluster-image-registry-operator. The managed identity will be in a different resource group other than +ResourceGroupName.

+
+ingressMSIClientID
+ +string + +
+

IngressMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with +the cluster-ingress-operator. The managed identity will be in a different resource group other than +ResourceGroupName.

+
+networkMSIClientID
+ +string + +
+

NetworkMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with +the cluster-network-operator. The managed identity will be in a different resource group other than +ResourceGroupName.

+
+storageMSIClientID
+ +string + +
+

StorageMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with +the cluster-storage-operator. The managed identity will be in a different resource group other than +ResourceGroupName.

+
###DNSSpec { #hypershift.openshift.io/v1beta1.DNSSpec }

(Appears on: diff --git a/hack/app-sre/saas_template.yaml b/hack/app-sre/saas_template.yaml index 37398f076b2..936539c2a7f 100644 --- a/hack/app-sre/saas_template.yaml +++ b/hack/app-sre/saas_template.yaml @@ -49379,6 +49379,36 @@ objects: x-kubernetes-map-type: atomic location: type: string + msiClientIDs: + description: |- + MSIClientIDs contains the client IDs related to the managed identities needed for the following control plane + components: cluster-image-registry, cluster-ingress, cluster-storage, and cluster-network operators. + properties: + imageRegistryMSIClientID: + description: |- + ImageRegistryMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + the cluster-image-registry-operator. The managed identity will be in a different resource group other than + ResourceGroupName. + type: string + ingressMSIClientID: + description: |- + IngressMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + the cluster-ingress-operator. The managed identity will be in a different resource group other than + ResourceGroupName. + type: string + networkMSIClientID: + description: |- + NetworkMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + the cluster-network-operator. The managed identity will be in a different resource group other than + ResourceGroupName. + type: string + storageMSIClientID: + description: |- + StorageMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + the cluster-storage-operator. The managed identity will be in a different resource group other than + ResourceGroupName. + type: string + type: object resourceGroup: type: string securityGroupID: 
@@ -54175,6 +54205,36 @@ objects: x-kubernetes-validations: - message: Location is immutable rule: self == oldSelf + msiClientIDs: + description: |- + MSIClientIDs contains the client IDs related to the managed identities needed for the following control plane + components: cluster-image-registry, cluster-ingress, cluster-storage, and cluster-network operators. + properties: + imageRegistryMSIClientID: + description: |- + ImageRegistryMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + the cluster-image-registry-operator. The managed identity will be in a different resource group other than + ResourceGroupName. + type: string + ingressMSIClientID: + description: |- + IngressMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + the cluster-ingress-operator. The managed identity will be in a different resource group other than + ResourceGroupName. + type: string + networkMSIClientID: + description: |- + NetworkMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + the cluster-network-operator. The managed identity will be in a different resource group other than + ResourceGroupName. + type: string + storageMSIClientID: + description: |- + StorageMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + the cluster-storage-operator. The managed identity will be in a different resource group other than + ResourceGroupName. + type: string + type: object resourceGroup: default: default description: |- 
@@ -59667,6 +59727,36 @@ objects: x-kubernetes-map-type: atomic location: type: string + msiClientIDs: + description: |- + MSIClientIDs contains the client IDs related to the managed identities needed for the following control plane + components: cluster-image-registry, cluster-ingress, cluster-storage, and cluster-network operators. + properties: + imageRegistryMSIClientID: + description: |- + ImageRegistryMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + the cluster-image-registry-operator. The managed identity will be in a different resource group other than + ResourceGroupName. + type: string + ingressMSIClientID: + description: |- + IngressMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + the cluster-ingress-operator. The managed identity will be in a different resource group other than + ResourceGroupName. + type: string + networkMSIClientID: + description: |- + NetworkMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + the cluster-network-operator. The managed identity will be in a different resource group other than + ResourceGroupName. + type: string + storageMSIClientID: + description: |- + StorageMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + the cluster-storage-operator. The managed identity will be in a different resource group other than + ResourceGroupName. + type: string + type: object resourceGroup: type: string securityGroupID: 
@@ -64441,6 +64531,36 @@ objects: x-kubernetes-validations: - message: Location is immutable rule: self == oldSelf + msiClientIDs: + description: |- + MSIClientIDs contains the client IDs related to the managed identities needed for the following control plane + components: cluster-image-registry, cluster-ingress, cluster-storage, and cluster-network operators. + properties: + imageRegistryMSIClientID: + description: |- + ImageRegistryMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + the cluster-image-registry-operator. The managed identity will be in a different resource group other than + ResourceGroupName. + type: string + ingressMSIClientID: + description: |- + IngressMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + the cluster-ingress-operator. The managed identity will be in a different resource group other than + ResourceGroupName. + type: string + networkMSIClientID: + description: |- + NetworkMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + the cluster-network-operator. The managed identity will be in a different resource group other than + ResourceGroupName. + type: string + storageMSIClientID: + description: |- + StorageMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with + the cluster-storage-operator. The managed identity will be in a different resource group other than + ResourceGroupName. + type: string + type: object resourceGroup: default: default description: |-