From 5223fb948b7d0af09ecb0d054ed7fc7bb1ab1f66 Mon Sep 17 00:00:00 2001
From: Bryan Cox
Date: Mon, 5 Aug 2024 09:30:34 -0400
Subject: [PATCH 1/5] Add MSI Support in Azure HC API
Adds fields in the Azure HostedCluster API for the client IDs related to
the managed service identities used for the following control plane
components: cluster-image-registry, cluster-ingress, cluster-storage,
and cluster-network operators
Signed-off-by: Bryan Cox
---
.../v1alpha1/hostedcluster_types.go | 40 ++++++
.../v1alpha1/zz_generated.deepcopy.go | 22 +++-
api/hypershift/v1beta1/hostedcluster_types.go | 43 ++++++-
.../v1beta1/zz_generated.deepcopy.go | 22 +++-
.../hypershift/v1alpha1/azureplatformspec.go | 25 ++--
.../controlplanemanagedserviceidentities.go | 65 ++++++++++
.../hypershift/v1beta1/azureplatformspec.go | 25 ++--
.../controlplanemanagedserviceidentities.go | 65 ++++++++++
client/applyconfiguration/utils.go | 4 +
...ypershift.openshift.io_hostedclusters.yaml | 60 +++++++++
...hift.openshift.io_hostedcontrolplanes.yaml | 60 +++++++++
docs/content/reference/api.md | 84 ++++++++++++
hack/app-sre/saas_template.yaml | 120 ++++++++++++++++++
13 files changed, 616 insertions(+), 19 deletions(-)
create mode 100644 client/applyconfiguration/hypershift/v1alpha1/controlplanemanagedserviceidentities.go
create mode 100644 client/applyconfiguration/hypershift/v1beta1/controlplanemanagedserviceidentities.go
diff --git a/api/hypershift/v1alpha1/hostedcluster_types.go b/api/hypershift/v1alpha1/hostedcluster_types.go
index 3f7adbef522..9c549c4d4ac 100644
--- a/api/hypershift/v1alpha1/hostedcluster_types.go
+++ b/api/hypershift/v1alpha1/hostedcluster_types.go
@@ -1574,6 +1574,46 @@ type AzurePlatformSpec struct {
SubnetID string `json:"subnetID"`
SubscriptionID string `json:"subscriptionID"`
SecurityGroupID string `json:"securityGroupID"`
+
+ // MSIClientIDs contains the client IDs related to the managed identities needed for the following control plane
+ // components: cluster-image-registry, cluster-ingress, cluster-storage, and cluster-network operators.
+ //
+ // +optional
+ MSIClientIDs *ControlPlaneManagedServiceIdentities `json:"msiClientIDs,omitempty"`
+}
+
+type ControlPlaneManagedServiceIdentities struct {
+ // ImageRegistryMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ // the cluster-image-registry-operator. The managed identity will be in a different resource group other than
+ // ResourceGroupName.
+ //
+ // +kubebuilder:validation:Required
+ // +required
+ ImageRegistryMSIClientID string `json:"imageRegistryMSIClientID,omitempty"`
+
+ // IngressMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ // the cluster-ingress-operator. The managed identity will be in a different resource group other than
+ // ResourceGroupName.
+ //
+ // +kubebuilder:validation:Required
+ // +required
+ IngressMSIClientID string `json:"ingressMSIClientID,omitempty"`
+
+ // NetworkMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ // the cluster-network-operator. The managed identity will be in a different resource group other than
+ // ResourceGroupName.
+ //
+ // +kubebuilder:validation:Required
+ // +required
+ NetworkMSIClientID string `json:"networkMSIClientID,omitempty"`
+
+ // StorageMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ // the cluster-storage-operator. The managed identity will be in a different resource group other than
+ // ResourceGroupName.
+ //
+ // +kubebuilder:validation:Required
+ // +required
+ StorageMSIClientID string `json:"storageMSIClientID,omitempty"`
}
// Release represents the metadata for an OCP release payload image.
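Review bot: The `+kubebuilder:validation:Required` / `+required` markers on the four new ControlPlaneManagedServiceIdentities fields do not appear to take effect — the generated CRD schema in this same patch (the msiClientIDs block in hypershift.openshift.io_hostedclusters.yaml) carries no `required:` list, so `msiClientIDs: {}` passes admission and the operators would be handed empty client IDs. Either keep the markers and regenerate so the required list appears, or drop `omitempty` and the markers consistently; a `// +kubebuilder:validation:Pattern=<placeholder>` constraint could also be considered, since these are presumably Azure client IDs in GUID form, though I am inferring the expected format. The new type has no doc comment; suggest `// ControlPlaneManagedServiceIdentities holds the client IDs of the pre-existing managed identities used by the control plane operators.` and fixing the garbled phrase "managed identity ID of that will be associated" to "managed identity that will be associated" in all four field comments. Sibling fields such as SecurityGroupID are marked `+immutable`; whether the MSI client IDs should be too deserves an explicit decision, since changing one re-binds which identity that operator authenticates as. The same applies to the hunk adding this type in api/hypershift/v1beta1/hostedcluster_types.go.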
diff --git a/api/hypershift/v1alpha1/zz_generated.deepcopy.go b/api/hypershift/v1alpha1/zz_generated.deepcopy.go
index b0a76b14204..a4939dff1c9 100644
--- a/api/hypershift/v1alpha1/zz_generated.deepcopy.go
+++ b/api/hypershift/v1alpha1/zz_generated.deepcopy.go
@@ -552,6 +552,11 @@ func (in *AzureNodePoolPlatform) DeepCopy() *AzureNodePoolPlatform {
func (in *AzurePlatformSpec) DeepCopyInto(out *AzurePlatformSpec) {
*out = *in
out.Credentials = in.Credentials
+ if in.MSIClientIDs != nil {
+ in, out := &in.MSIClientIDs, &out.MSIClientIDs
+ *out = new(ControlPlaneManagedServiceIdentities)
+ **out = **in
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzurePlatformSpec.
@@ -770,6 +775,21 @@ func (in *ClusterVersionStatus) DeepCopy() *ClusterVersionStatus {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ControlPlaneManagedServiceIdentities) DeepCopyInto(out *ControlPlaneManagedServiceIdentities) {
+ *out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ControlPlaneManagedServiceIdentities.
+func (in *ControlPlaneManagedServiceIdentities) DeepCopy() *ControlPlaneManagedServiceIdentities {
+ if in == nil {
+ return nil
+ }
+ out := new(ControlPlaneManagedServiceIdentities)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *DNSSpec) DeepCopyInto(out *DNSSpec) {
*out = *in
@@ -2250,7 +2270,7 @@ func (in *PlatformSpec) DeepCopyInto(out *PlatformSpec) {
if in.Azure != nil {
in, out := &in.Azure, &out.Azure
*out = new(AzurePlatformSpec)
- **out = **in
+ (*in).DeepCopyInto(*out)
}
if in.PowerVS != nil {
in, out := &in.PowerVS, &out.PowerVS
diff --git a/api/hypershift/v1beta1/hostedcluster_types.go b/api/hypershift/v1beta1/hostedcluster_types.go
index a5f1e1585b1..25349043a10 100644
--- a/api/hypershift/v1beta1/hostedcluster_types.go
+++ b/api/hypershift/v1beta1/hostedcluster_types.go
@@ -330,6 +330,7 @@ const (
type HostedClusterSpec struct {
// Release specifies the desired OCP release payload for the hosted cluster.
//
+ //
// Updating this field will trigger a rollout of the control plane. The
// behavior of the rollout will be driven by the ControllerAvailabilityPolicy
// and InfrastructureAvailabilityPolicy.
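Review bot: The added `//` line duplicates the empty comment line directly above it in the Release doc comment, is unrelated to the MSI change, and looks accidental; suggest dropping it. The HostedClusterSpec struct this hunk touches continues outside the hunk.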
@@ -1785,7 +1786,7 @@ type AzurePlatformSpec struct {
//
// Resource group naming requirements can be found here: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ResourceGroup.Name/.
//
- //Example: if your resource group ID is /subscriptions//resourceGroups/, your
+ // Example: if your resource group ID is /subscriptions//resourceGroups/, your
// ResourceGroupName is .
//
// +kubebuilder:default:=default
@@ -1839,6 +1840,46 @@ type AzurePlatformSpec struct {
// +immutable
// +required
SecurityGroupID string `json:"securityGroupID,omitempty"`
+
+ // MSIClientIDs contains the client IDs related to the managed identities needed for the following control plane
+ // components: cluster-image-registry, cluster-ingress, cluster-storage, and cluster-network operators.
+ //
+ // +optional
+ MSIClientIDs *ControlPlaneManagedServiceIdentities `json:"msiClientIDs,omitempty"`
+}
+
+type ControlPlaneManagedServiceIdentities struct {
+ // ImageRegistryMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ // the cluster-image-registry-operator. The managed identity will be in a different resource group other than
+ // ResourceGroupName.
+ //
+ // +kubebuilder:validation:Required
+ // +required
+ ImageRegistryMSIClientID string `json:"imageRegistryMSIClientID,omitempty"`
+
+ // IngressMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ // the cluster-ingress-operator. The managed identity will be in a different resource group other than
+ // ResourceGroupName.
+ //
+ // +kubebuilder:validation:Required
+ // +required
+ IngressMSIClientID string `json:"ingressMSIClientID,omitempty"`
+
+ // NetworkMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ // the cluster-network-operator. The managed identity will be in a different resource group other than
+ // ResourceGroupName.
+ //
+ // +kubebuilder:validation:Required
+ // +required
+ NetworkMSIClientID string `json:"networkMSIClientID,omitempty"`
+
+ // StorageMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ // the cluster-storage-operator. The managed identity will be in a different resource group other than
+ // ResourceGroupName.
+ //
+ // +kubebuilder:validation:Required
+ // +required
+ StorageMSIClientID string `json:"storageMSIClientID,omitempty"`
}
// OpenStackPlatformSpec specifies configuration for clusters running on OpenStack.
diff --git a/api/hypershift/v1beta1/zz_generated.deepcopy.go b/api/hypershift/v1beta1/zz_generated.deepcopy.go
index 83ae4c62b3a..15940bad61e 100644
--- a/api/hypershift/v1beta1/zz_generated.deepcopy.go
+++ b/api/hypershift/v1beta1/zz_generated.deepcopy.go
@@ -558,6 +558,11 @@ func (in *AzureNodePoolPlatform) DeepCopy() *AzureNodePoolPlatform {
func (in *AzurePlatformSpec) DeepCopyInto(out *AzurePlatformSpec) {
*out = *in
out.Credentials = in.Credentials
+ if in.MSIClientIDs != nil {
+ in, out := &in.MSIClientIDs, &out.MSIClientIDs
+ *out = new(ControlPlaneManagedServiceIdentities)
+ **out = **in
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzurePlatformSpec.
@@ -848,6 +853,21 @@ func (in *ClusterVersionStatus) DeepCopy() *ClusterVersionStatus {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ControlPlaneManagedServiceIdentities) DeepCopyInto(out *ControlPlaneManagedServiceIdentities) {
+ *out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ControlPlaneManagedServiceIdentities.
+func (in *ControlPlaneManagedServiceIdentities) DeepCopy() *ControlPlaneManagedServiceIdentities {
+ if in == nil {
+ return nil
+ }
+ out := new(ControlPlaneManagedServiceIdentities)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *DNSSpec) DeepCopyInto(out *DNSSpec) {
*out = *in
@@ -2479,7 +2499,7 @@ func (in *PlatformSpec) DeepCopyInto(out *PlatformSpec) {
if in.Azure != nil {
in, out := &in.Azure, &out.Azure
*out = new(AzurePlatformSpec)
- **out = **in
+ (*in).DeepCopyInto(*out)
}
if in.PowerVS != nil {
in, out := &in.PowerVS, &out.PowerVS
diff --git a/client/applyconfiguration/hypershift/v1alpha1/azureplatformspec.go b/client/applyconfiguration/hypershift/v1alpha1/azureplatformspec.go
index e65cec89d0b..e57bee7d634 100644
--- a/client/applyconfiguration/hypershift/v1alpha1/azureplatformspec.go
+++ b/client/applyconfiguration/hypershift/v1alpha1/azureplatformspec.go
@@ -24,14 +24,15 @@ import (
// AzurePlatformSpecApplyConfiguration represents an declarative configuration of the AzurePlatformSpec type for use
// with apply.
type AzurePlatformSpecApplyConfiguration struct {
- Credentials *v1.LocalObjectReference `json:"credentials,omitempty"`
- Cloud *string `json:"cloud,omitempty"`
- Location *string `json:"location,omitempty"`
- ResourceGroupName *string `json:"resourceGroup,omitempty"`
- VnetID *string `json:"vnetID,omitempty"`
- SubnetID *string `json:"subnetID,omitempty"`
- SubscriptionID *string `json:"subscriptionID,omitempty"`
- SecurityGroupID *string `json:"securityGroupID,omitempty"`
+ Credentials *v1.LocalObjectReference `json:"credentials,omitempty"`
+ Cloud *string `json:"cloud,omitempty"`
+ Location *string `json:"location,omitempty"`
+ ResourceGroupName *string `json:"resourceGroup,omitempty"`
+ VnetID *string `json:"vnetID,omitempty"`
+ SubnetID *string `json:"subnetID,omitempty"`
+ SubscriptionID *string `json:"subscriptionID,omitempty"`
+ SecurityGroupID *string `json:"securityGroupID,omitempty"`
+ MSIClientIDs *ControlPlaneManagedServiceIdentitiesApplyConfiguration `json:"msiClientIDs,omitempty"`
}
// AzurePlatformSpecApplyConfiguration constructs an declarative configuration of the AzurePlatformSpec type for use with
@@ -103,3 +104,11 @@ func (b *AzurePlatformSpecApplyConfiguration) WithSecurityGroupID(value string)
b.SecurityGroupID = &value
return b
}
+
+// WithMSIClientIDs sets the MSIClientIDs field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the MSIClientIDs field is set to the value of the last call.
+func (b *AzurePlatformSpecApplyConfiguration) WithMSIClientIDs(value *ControlPlaneManagedServiceIdentitiesApplyConfiguration) *AzurePlatformSpecApplyConfiguration {
+ b.MSIClientIDs = value
+ return b
+}
diff --git a/client/applyconfiguration/hypershift/v1alpha1/controlplanemanagedserviceidentities.go b/client/applyconfiguration/hypershift/v1alpha1/controlplanemanagedserviceidentities.go
new file mode 100644
index 00000000000..27b8d3af65b
--- /dev/null
+++ b/client/applyconfiguration/hypershift/v1alpha1/controlplanemanagedserviceidentities.go
@@ -0,0 +1,65 @@
+/*
+
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// ControlPlaneManagedServiceIdentitiesApplyConfiguration represents an declarative configuration of the ControlPlaneManagedServiceIdentities type for use
+// with apply.
+type ControlPlaneManagedServiceIdentitiesApplyConfiguration struct {
+ ImageRegistryMSIClientID *string `json:"imageRegistryMSIClientID,omitempty"`
+ IngressMSIClientID *string `json:"ingressMSIClientID,omitempty"`
+ NetworkMSIClientID *string `json:"networkMSIClientID,omitempty"`
+ StorageMSIClientID *string `json:"storageMSIClientID,omitempty"`
+}
+
+// ControlPlaneManagedServiceIdentitiesApplyConfiguration constructs an declarative configuration of the ControlPlaneManagedServiceIdentities type for use with
+// apply.
+func ControlPlaneManagedServiceIdentities() *ControlPlaneManagedServiceIdentitiesApplyConfiguration {
+ return &ControlPlaneManagedServiceIdentitiesApplyConfiguration{}
+}
+
+// WithImageRegistryMSIClientID sets the ImageRegistryMSIClientID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ImageRegistryMSIClientID field is set to the value of the last call.
+func (b *ControlPlaneManagedServiceIdentitiesApplyConfiguration) WithImageRegistryMSIClientID(value string) *ControlPlaneManagedServiceIdentitiesApplyConfiguration {
+ b.ImageRegistryMSIClientID = &value
+ return b
+}
+
+// WithIngressMSIClientID sets the IngressMSIClientID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the IngressMSIClientID field is set to the value of the last call.
+func (b *ControlPlaneManagedServiceIdentitiesApplyConfiguration) WithIngressMSIClientID(value string) *ControlPlaneManagedServiceIdentitiesApplyConfiguration {
+ b.IngressMSIClientID = &value
+ return b
+}
+
+// WithNetworkMSIClientID sets the NetworkMSIClientID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the NetworkMSIClientID field is set to the value of the last call.
+func (b *ControlPlaneManagedServiceIdentitiesApplyConfiguration) WithNetworkMSIClientID(value string) *ControlPlaneManagedServiceIdentitiesApplyConfiguration {
+ b.NetworkMSIClientID = &value
+ return b
+}
+
+// WithStorageMSIClientID sets the StorageMSIClientID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the StorageMSIClientID field is set to the value of the last call.
+func (b *ControlPlaneManagedServiceIdentitiesApplyConfiguration) WithStorageMSIClientID(value string) *ControlPlaneManagedServiceIdentitiesApplyConfiguration {
+ b.StorageMSIClientID = &value
+ return b
+}
diff --git a/client/applyconfiguration/hypershift/v1beta1/azureplatformspec.go b/client/applyconfiguration/hypershift/v1beta1/azureplatformspec.go
index 0dd6518daf1..9adeebd1f19 100644
--- a/client/applyconfiguration/hypershift/v1beta1/azureplatformspec.go
+++ b/client/applyconfiguration/hypershift/v1beta1/azureplatformspec.go
@@ -24,14 +24,15 @@ import (
// AzurePlatformSpecApplyConfiguration represents an declarative configuration of the AzurePlatformSpec type for use
// with apply.
type AzurePlatformSpecApplyConfiguration struct {
- Credentials *v1.LocalObjectReference `json:"credentials,omitempty"`
- Cloud *string `json:"cloud,omitempty"`
- Location *string `json:"location,omitempty"`
- ResourceGroupName *string `json:"resourceGroup,omitempty"`
- VnetID *string `json:"vnetID,omitempty"`
- SubnetID *string `json:"subnetID,omitempty"`
- SubscriptionID *string `json:"subscriptionID,omitempty"`
- SecurityGroupID *string `json:"securityGroupID,omitempty"`
+ Credentials *v1.LocalObjectReference `json:"credentials,omitempty"`
+ Cloud *string `json:"cloud,omitempty"`
+ Location *string `json:"location,omitempty"`
+ ResourceGroupName *string `json:"resourceGroup,omitempty"`
+ VnetID *string `json:"vnetID,omitempty"`
+ SubnetID *string `json:"subnetID,omitempty"`
+ SubscriptionID *string `json:"subscriptionID,omitempty"`
+ SecurityGroupID *string `json:"securityGroupID,omitempty"`
+ MSIClientIDs *ControlPlaneManagedServiceIdentitiesApplyConfiguration `json:"msiClientIDs,omitempty"`
}
// AzurePlatformSpecApplyConfiguration constructs an declarative configuration of the AzurePlatformSpec type for use with
@@ -103,3 +104,11 @@ func (b *AzurePlatformSpecApplyConfiguration) WithSecurityGroupID(value string)
b.SecurityGroupID = &value
return b
}
+
+// WithMSIClientIDs sets the MSIClientIDs field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the MSIClientIDs field is set to the value of the last call.
+func (b *AzurePlatformSpecApplyConfiguration) WithMSIClientIDs(value *ControlPlaneManagedServiceIdentitiesApplyConfiguration) *AzurePlatformSpecApplyConfiguration {
+ b.MSIClientIDs = value
+ return b
+}
diff --git a/client/applyconfiguration/hypershift/v1beta1/controlplanemanagedserviceidentities.go b/client/applyconfiguration/hypershift/v1beta1/controlplanemanagedserviceidentities.go
new file mode 100644
index 00000000000..835c49dfb31
--- /dev/null
+++ b/client/applyconfiguration/hypershift/v1beta1/controlplanemanagedserviceidentities.go
@@ -0,0 +1,65 @@
+/*
+
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1beta1
+
+// ControlPlaneManagedServiceIdentitiesApplyConfiguration represents an declarative configuration of the ControlPlaneManagedServiceIdentities type for use
+// with apply.
+type ControlPlaneManagedServiceIdentitiesApplyConfiguration struct {
+ ImageRegistryMSIClientID *string `json:"imageRegistryMSIClientID,omitempty"`
+ IngressMSIClientID *string `json:"ingressMSIClientID,omitempty"`
+ NetworkMSIClientID *string `json:"networkMSIClientID,omitempty"`
+ StorageMSIClientID *string `json:"storageMSIClientID,omitempty"`
+}
+
+// ControlPlaneManagedServiceIdentitiesApplyConfiguration constructs an declarative configuration of the ControlPlaneManagedServiceIdentities type for use with
+// apply.
+func ControlPlaneManagedServiceIdentities() *ControlPlaneManagedServiceIdentitiesApplyConfiguration {
+ return &ControlPlaneManagedServiceIdentitiesApplyConfiguration{}
+}
+
+// WithImageRegistryMSIClientID sets the ImageRegistryMSIClientID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ImageRegistryMSIClientID field is set to the value of the last call.
+func (b *ControlPlaneManagedServiceIdentitiesApplyConfiguration) WithImageRegistryMSIClientID(value string) *ControlPlaneManagedServiceIdentitiesApplyConfiguration {
+ b.ImageRegistryMSIClientID = &value
+ return b
+}
+
+// WithIngressMSIClientID sets the IngressMSIClientID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the IngressMSIClientID field is set to the value of the last call.
+func (b *ControlPlaneManagedServiceIdentitiesApplyConfiguration) WithIngressMSIClientID(value string) *ControlPlaneManagedServiceIdentitiesApplyConfiguration {
+ b.IngressMSIClientID = &value
+ return b
+}
+
+// WithNetworkMSIClientID sets the NetworkMSIClientID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the NetworkMSIClientID field is set to the value of the last call.
+func (b *ControlPlaneManagedServiceIdentitiesApplyConfiguration) WithNetworkMSIClientID(value string) *ControlPlaneManagedServiceIdentitiesApplyConfiguration {
+ b.NetworkMSIClientID = &value
+ return b
+}
+
+// WithStorageMSIClientID sets the StorageMSIClientID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the StorageMSIClientID field is set to the value of the last call.
+func (b *ControlPlaneManagedServiceIdentitiesApplyConfiguration) WithStorageMSIClientID(value string) *ControlPlaneManagedServiceIdentitiesApplyConfiguration {
+ b.StorageMSIClientID = &value
+ return b
+}
diff --git a/client/applyconfiguration/utils.go b/client/applyconfiguration/utils.go
index b05e1df7d4f..13e560efb4a 100644
--- a/client/applyconfiguration/utils.go
+++ b/client/applyconfiguration/utils.go
@@ -96,6 +96,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
return &applyconfigurationhypershiftv1alpha1.ClusterNetworkingApplyConfiguration{}
case hypershiftv1alpha1.SchemeGroupVersion.WithKind("ClusterVersionStatus"):
return &applyconfigurationhypershiftv1alpha1.ClusterVersionStatusApplyConfiguration{}
+ case hypershiftv1alpha1.SchemeGroupVersion.WithKind("ControlPlaneManagedServiceIdentities"):
+ return &applyconfigurationhypershiftv1alpha1.ControlPlaneManagedServiceIdentitiesApplyConfiguration{}
case hypershiftv1alpha1.SchemeGroupVersion.WithKind("Diagnostics"):
return &applyconfigurationhypershiftv1alpha1.DiagnosticsApplyConfiguration{}
case hypershiftv1alpha1.SchemeGroupVersion.WithKind("DNSSpec"):
@@ -280,6 +282,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
return &hypershiftv1beta1.ClusterNetworkingApplyConfiguration{}
case v1beta1.SchemeGroupVersion.WithKind("ClusterVersionStatus"):
return &hypershiftv1beta1.ClusterVersionStatusApplyConfiguration{}
+ case v1beta1.SchemeGroupVersion.WithKind("ControlPlaneManagedServiceIdentities"):
+ return &hypershiftv1beta1.ControlPlaneManagedServiceIdentitiesApplyConfiguration{}
case v1beta1.SchemeGroupVersion.WithKind("Diagnostics"):
return &hypershiftv1beta1.DiagnosticsApplyConfiguration{}
case v1beta1.SchemeGroupVersion.WithKind("DNSSpec"):
diff --git a/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedclusters.yaml b/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedclusters.yaml
index 493022c721e..569dac99eac 100644
--- a/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedclusters.yaml
+++ b/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedclusters.yaml
@@ -3472,6 +3472,36 @@ spec:
x-kubernetes-map-type: atomic
location:
type: string
+ msiClientIDs:
+ description: |-
+ MSIClientIDs contains the client IDs related to the managed identities needed for the following control plane
+ components: cluster-image-registry, cluster-ingress, cluster-storage, and cluster-network operators.
+ properties:
+ imageRegistryMSIClientID:
+ description: |-
+ ImageRegistryMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ the cluster-image-registry-operator. The managed identity will be in a different resource group other than
+ ResourceGroupName.
+ type: string
+ ingressMSIClientID:
+ description: |-
+ IngressMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ the cluster-ingress-operator. The managed identity will be in a different resource group other than
+ ResourceGroupName.
+ type: string
+ networkMSIClientID:
+ description: |-
+ NetworkMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ the cluster-network-operator. The managed identity will be in a different resource group other than
+ ResourceGroupName.
+ type: string
+ storageMSIClientID:
+ description: |-
+ StorageMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ the cluster-storage-operator. The managed identity will be in a different resource group other than
+ ResourceGroupName.
+ type: string
+ type: object
resourceGroup:
type: string
securityGroupID:
@@ -8251,6 +8281,36 @@ spec:
x-kubernetes-validations:
- message: Location is immutable
rule: self == oldSelf
+ msiClientIDs:
+ description: |-
+ MSIClientIDs contains the client IDs related to the managed identities needed for the following control plane
+ components: cluster-image-registry, cluster-ingress, cluster-storage, and cluster-network operators.
+ properties:
+ imageRegistryMSIClientID:
+ description: |-
+ ImageRegistryMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ the cluster-image-registry-operator. The managed identity will be in a different resource group other than
+ ResourceGroupName.
+ type: string
+ ingressMSIClientID:
+ description: |-
+ IngressMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ the cluster-ingress-operator. The managed identity will be in a different resource group other than
+ ResourceGroupName.
+ type: string
+ networkMSIClientID:
+ description: |-
+ NetworkMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ the cluster-network-operator. The managed identity will be in a different resource group other than
+ ResourceGroupName.
+ type: string
+ storageMSIClientID:
+ description: |-
+ StorageMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ the cluster-storage-operator. The managed identity will be in a different resource group other than
+ ResourceGroupName.
+ type: string
+ type: object
resourceGroup:
default: default
description: |-
diff --git a/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedcontrolplanes.yaml b/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedcontrolplanes.yaml
index ec121352c2f..03c758a4e50 100644
--- a/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedcontrolplanes.yaml
+++ b/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedcontrolplanes.yaml
@@ -3458,6 +3458,36 @@ spec:
x-kubernetes-map-type: atomic
location:
type: string
+ msiClientIDs:
+ description: |-
+ MSIClientIDs contains the client IDs related to the managed identities needed for the following control plane
+ components: cluster-image-registry, cluster-ingress, cluster-storage, and cluster-network operators.
+ properties:
+ imageRegistryMSIClientID:
+ description: |-
+ ImageRegistryMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ the cluster-image-registry-operator. The managed identity will be in a different resource group other than
+ ResourceGroupName.
+ type: string
+ ingressMSIClientID:
+ description: |-
+ IngressMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ the cluster-ingress-operator. The managed identity will be in a different resource group other than
+ ResourceGroupName.
+ type: string
+ networkMSIClientID:
+ description: |-
+ NetworkMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ the cluster-network-operator. The managed identity will be in a different resource group other than
+ ResourceGroupName.
+ type: string
+ storageMSIClientID:
+ description: |-
+ StorageMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ the cluster-storage-operator. The managed identity will be in a different resource group other than
+ ResourceGroupName.
+ type: string
+ type: object
resourceGroup:
type: string
securityGroupID:
@@ -8215,6 +8245,36 @@ spec:
x-kubernetes-validations:
- message: Location is immutable
rule: self == oldSelf
+ msiClientIDs:
+ description: |-
+ MSIClientIDs contains the client IDs related to the managed identities needed for the following control plane
+ components: cluster-image-registry, cluster-ingress, cluster-storage, and cluster-network operators.
+ properties:
+ imageRegistryMSIClientID:
+ description: |-
+ ImageRegistryMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ the cluster-image-registry-operator. The managed identity will be in a different resource group other than
+ ResourceGroupName.
+ type: string
+ ingressMSIClientID:
+ description: |-
+ IngressMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ the cluster-ingress-operator. The managed identity will be in a different resource group other than
+ ResourceGroupName.
+ type: string
+ networkMSIClientID:
+ description: |-
+ NetworkMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ the cluster-network-operator. The managed identity will be in a different resource group other than
+ ResourceGroupName.
+ type: string
+ storageMSIClientID:
+ description: |-
+ StorageMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ the cluster-storage-operator. The managed identity will be in a different resource group other than
+ ResourceGroupName.
+ type: string
+ type: object
resourceGroup:
default: default
description: |-
diff --git a/docs/content/reference/api.md b/docs/content/reference/api.md
index 46dc8e60e7e..a88842e0646 100644
--- a/docs/content/reference/api.md
+++ b/docs/content/reference/api.md
@@ -2680,6 +2680,21 @@ configuration for the Azure cloud provider, aka Azure cloud controller manager (
expected to exist under the same subscription as SubscriptionID.
+
+
+msiClientIDs
+
+
+ControlPlaneManagedServiceIdentities
+
+
+ |
+
+(Optional)
+ MSIClientIDs contains the client IDs related to the managed identities needed for the following control plane
+components: cluster-image-registry, cluster-ingress, cluster-storage, and cluster-network operators.
+ |
+
###CIDRBlock { #hypershift.openshift.io/v1beta1.CIDRBlock }
@@ -3400,6 +3415,75 @@ and reports missing images if any.
+###ControlPlaneManagedServiceIdentities { #hypershift.openshift.io/v1beta1.ControlPlaneManagedServiceIdentities }
+
+(Appears on:
+AzurePlatformSpec)
+
+
+
+
+
+
+| Field |
+Description |
+
+
+
+
+
+imageRegistryMSIClientID
+
+string
+
+ |
+
+ ImageRegistryMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+the cluster-image-registry-operator. The managed identity will be in a different resource group other than
+ResourceGroupName.
+ |
+
+
+
+ingressMSIClientID
+
+string
+
+ |
+
+ IngressMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+the cluster-ingress-operator. The managed identity will be in a different resource group other than
+ResourceGroupName.
+ |
+
+
+
+networkMSIClientID
+
+string
+
+ |
+
+ NetworkMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+the cluster-network-operator. The managed identity will be in a different resource group other than
+ResourceGroupName.
+ |
+
+
+
+storageMSIClientID
+
+string
+
+ |
+
+ StorageMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+the cluster-storage-operator. The managed identity will be in a different resource group other than
+ResourceGroupName.
+ |
+
+
+
###DNSSpec { #hypershift.openshift.io/v1beta1.DNSSpec }
(Appears on:
diff --git a/hack/app-sre/saas_template.yaml b/hack/app-sre/saas_template.yaml
index 37398f076b2..936539c2a7f 100644
--- a/hack/app-sre/saas_template.yaml
+++ b/hack/app-sre/saas_template.yaml
@@ -49379,6 +49379,36 @@ objects:
x-kubernetes-map-type: atomic
location:
type: string
+ msiClientIDs:
+ description: |-
+ MSIClientIDs contains the client IDs related to the managed identities needed for the following control plane
+ components: cluster-image-registry, cluster-ingress, cluster-storage, and cluster-network operators.
+ properties:
+ imageRegistryMSIClientID:
+ description: |-
+ ImageRegistryMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ the cluster-image-registry-operator. The managed identity will be in a different resource group other than
+ ResourceGroupName.
+ type: string
+ ingressMSIClientID:
+ description: |-
+ IngressMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ the cluster-ingress-operator. The managed identity will be in a different resource group other than
+ ResourceGroupName.
+ type: string
+ networkMSIClientID:
+ description: |-
+ NetworkMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ the cluster-network-operator. The managed identity will be in a different resource group other than
+ ResourceGroupName.
+ type: string
+ storageMSIClientID:
+ description: |-
+ StorageMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ the cluster-storage-operator. The managed identity will be in a different resource group other than
+ ResourceGroupName.
+ type: string
+ type: object
resourceGroup:
type: string
securityGroupID:
@@ -54175,6 +54205,36 @@ objects:
x-kubernetes-validations:
- message: Location is immutable
rule: self == oldSelf
+ msiClientIDs:
+ description: |-
+ MSIClientIDs contains the client IDs related to the managed identities needed for the following control plane
+ components: cluster-image-registry, cluster-ingress, cluster-storage, and cluster-network operators.
+ properties:
+ imageRegistryMSIClientID:
+ description: |-
+ ImageRegistryMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ the cluster-image-registry-operator. The managed identity will be in a different resource group other than
+ ResourceGroupName.
+ type: string
+ ingressMSIClientID:
+ description: |-
+ IngressMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ the cluster-ingress-operator. The managed identity will be in a different resource group other than
+ ResourceGroupName.
+ type: string
+ networkMSIClientID:
+ description: |-
+ NetworkMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ the cluster-network-operator. The managed identity will be in a different resource group other than
+ ResourceGroupName.
+ type: string
+ storageMSIClientID:
+ description: |-
+ StorageMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ the cluster-storage-operator. The managed identity will be in a different resource group other than
+ ResourceGroupName.
+ type: string
+ type: object
resourceGroup:
default: default
description: |-
@@ -59667,6 +59727,36 @@ objects:
x-kubernetes-map-type: atomic
location:
type: string
+ msiClientIDs:
+ description: |-
+ MSIClientIDs contains the client IDs related to the managed identities needed for the following control plane
+ components: cluster-image-registry, cluster-ingress, cluster-storage, and cluster-network operators.
+ properties:
+ imageRegistryMSIClientID:
+ description: |-
+ ImageRegistryMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ the cluster-image-registry-operator. The managed identity will be in a different resource group other than
+ ResourceGroupName.
+ type: string
+ ingressMSIClientID:
+ description: |-
+ IngressMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ the cluster-ingress-operator. The managed identity will be in a different resource group other than
+ ResourceGroupName.
+ type: string
+ networkMSIClientID:
+ description: |-
+ NetworkMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ the cluster-network-operator. The managed identity will be in a different resource group other than
+ ResourceGroupName.
+ type: string
+ storageMSIClientID:
+ description: |-
+ StorageMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ the cluster-storage-operator. The managed identity will be in a different resource group other than
+ ResourceGroupName.
+ type: string
+ type: object
resourceGroup:
type: string
securityGroupID:
@@ -64441,6 +64531,36 @@ objects:
x-kubernetes-validations:
- message: Location is immutable
rule: self == oldSelf
+ msiClientIDs:
+ description: |-
+ MSIClientIDs contains the client IDs related to the managed identities needed for the following control plane
+ components: cluster-image-registry, cluster-ingress, cluster-storage, and cluster-network operators.
+ properties:
+ imageRegistryMSIClientID:
+ description: |-
+ ImageRegistryMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ the cluster-image-registry-operator. The managed identity will be in a different resource group other than
+ ResourceGroupName.
+ type: string
+ ingressMSIClientID:
+ description: |-
+ IngressMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ the cluster-ingress-operator. The managed identity will be in a different resource group other than
+ ResourceGroupName.
+ type: string
+ networkMSIClientID:
+ description: |-
+ NetworkMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ the cluster-network-operator. The managed identity will be in a different resource group other than
+ ResourceGroupName.
+ type: string
+ storageMSIClientID:
+ description: |-
+ StorageMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
+ the cluster-storage-operator. The managed identity will be in a different resource group other than
+ ResourceGroupName.
+ type: string
+ type: object
resourceGroup:
default: default
description: |-
From de2ac6a2c6760fd822958c62941a737db1d0f095 Mon Sep 17 00:00:00 2001
From: Bryan Cox
Date: Tue, 6 Aug 2024 10:46:49 -0400
Subject: [PATCH 2/5] Set Azure MSI override for cluster-image-registry
Set the Azure MSI override for the cluster-image-registry-operator
deployment through an environment variable.
Signed-off-by: Bryan Cox
---
.../registryoperator/reconcile.go | 28 +++++++++++++------
1 file changed, 20 insertions(+), 8 deletions(-)
diff --git a/control-plane-operator/controllers/hostedcontrolplane/registryoperator/reconcile.go b/control-plane-operator/controllers/hostedcontrolplane/registryoperator/reconcile.go
index 31f1a347447..0fd3ef8d2b0 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/registryoperator/reconcile.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/registryoperator/reconcile.go
@@ -97,17 +97,19 @@ var (
)
type Params struct {
- operatorImage string
- tokenMinterImage string
- platform hyperv1.PlatformType
- issuerURL string
- releaseVersion string
- registryImage string
- prunerImage string
- deploymentConfig config.DeploymentConfig
+ operatorImage string
+ tokenMinterImage string
+ platform hyperv1.PlatformType
+ issuerURL string
+ releaseVersion string
+ registryImage string
+ prunerImage string
+ deploymentConfig config.DeploymentConfig
+ ImageRegistryClientIdExists bool
}
func NewParams(hcp *hyperv1.HostedControlPlane, version string, releaseImageProvider *imageprovider.ReleaseImageProvider, userReleaseImageProvider *imageprovider.ReleaseImageProvider, setDefaultSecurityContext bool) Params {
+ imageRegistryClientIdExists := hcp.Spec.Platform.Type == hyperv1.AzurePlatform && hcp.Spec.Platform.Azure.MSIClientIDs != nil && len(hcp.Spec.Platform.Azure.MSIClientIDs.ImageRegistryMSIClientID) > 0
params := Params{
operatorImage: releaseImageProvider.GetImage("cluster-image-registry-operator"),
tokenMinterImage: releaseImageProvider.GetImage("token-minter"),
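Review bot: The new `imageRegistryClientIdExists` expression dereferences `hcp.Spec.Platform.Azure` as soon as the platform type is Azure, so an object whose `Type` is Azure but whose `Azure` block is nil would panic in NewParams rather than be handled; unless API validation guarantees that pairing (not visible here), the chain needs an `hcp.Spec.Platform.Azure != nil` term, and the identical chain is repeated in ingressoperator.go, storage/params.go and cno/clusternetworkoperator.go. The new field also spells `Id` where Go and the surrounding API names (`MSIClientIDs`, `ImageRegistryMSIClientID`) use `ID`, and it is the only exported field in an otherwise unexported struct; the sibling `IngressMSIClientIdExists`, `StorageMSIClientIdExists` and `NetworkMSIClientIdExists` fields have the same spelling. Suggested line: `imageRegistryClientIDExists := hcp.Spec.Platform.Type == hyperv1.AzurePlatform && hcp.Spec.Platform.Azure != nil && hcp.Spec.Platform.Azure.MSIClientIDs != nil && hcp.Spec.Platform.Azure.MSIClientIDs.ImageRegistryMSIClientID != ""`. NewParams continues past the end of the hunk.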
@@ -142,7 +144,9 @@ func NewParams(hcp *hyperv1.HostedControlPlane, version string, releaseImageProv
},
},
},
+ ImageRegistryClientIdExists: imageRegistryClientIdExists,
}
+
params.deploymentConfig.SetRestartAnnotation(hcp.ObjectMeta)
if hcp.Annotations[hyperv1.ControlPlanePriorityClass] != "" {
params.deploymentConfig.Scheduling.PriorityClass = hcp.Annotations[hyperv1.ControlPlanePriorityClass]
@@ -192,6 +196,14 @@ func ReconcileDeployment(deployment *appsv1.Deployment, params Params) error {
MountPath: "/var/run/secrets/openshift/serviceaccount",
},
)
+ case hyperv1.AzurePlatform:
+ if params.ImageRegistryClientIdExists {
+ deployment.Spec.Template.Spec.Containers[0].Env = append(deployment.Spec.Template.Spec.Containers[0].Env,
+ corev1.EnvVar{
+ Name: "AZURE_MSI_AUTHENTICATION",
+ Value: "true",
+ })
+ }
}
params.deploymentConfig.ApplyTo(deployment)
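Review bot: The `AZURE_MSI_AUTHENTICATION` literal added in the new Azure case is repeated verbatim in ingressoperator.go, storage/operator.go and cno/clusternetworkoperator.go; one shared constant (for example `const AzureMSIAuthenticationEnvVar = "AZURE_MSI_AUTHENTICATION"` in a package all four already import) would keep the four operators in step if the name or value changes. The append assumes `Containers[0].Env` is rebuilt from scratch on every call of ReconcileDeployment; if the existing deployment's env is carried over instead, each reconcile adds another copy of the variable, so either that assumption or a presence check deserves a comment. The variable only switches the operator into MSI mode, while the client ID the API now carries is not passed into the deployment anywhere in this series; a comment such as `// The operator resolves the identity itself; the client ID is not injected here.` (or a note that this is a follow-up) would save the next reader a search. ReconcileDeployment starts before the hunk.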
From 610fd23497b5fe916896e4c91b803231a0304371 Mon Sep 17 00:00:00 2001
From: Bryan Cox
Date: Tue, 6 Aug 2024 10:53:09 -0400
Subject: [PATCH 3/5] Set Azure MSI override in cluster-ingress-operator
Set the Azure MSI override in the cluster-ingress-operator
deployment through an environment variable.
Signed-off-by: Bryan Cox
---
.../ingressoperator/ingressoperator.go | 54 +++++++++++--------
1 file changed, 33 insertions(+), 21 deletions(-)
diff --git a/control-plane-operator/controllers/hostedcontrolplane/ingressoperator/ingressoperator.go b/control-plane-operator/controllers/hostedcontrolplane/ingressoperator/ingressoperator.go
index 39d0442f6d5..a22fc00352f 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/ingressoperator/ingressoperator.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/ingressoperator/ingressoperator.go
@@ -31,30 +31,33 @@ const (
)
type Params struct {
- IngressOperatorImage string
- IngressCanaryImage string
- HAProxyRouterImage string
- KubeRBACProxyImage string
- ReleaseVersion string
- TokenMinterImage string
- AvailabilityProberImage string
- ProxyImage string
- Platform hyperv1.PlatformType
- DeploymentConfig config.DeploymentConfig
- ProxyConfig *configv1.ProxySpec
- NoProxy string
+ IngressOperatorImage string
+ IngressCanaryImage string
+ HAProxyRouterImage string
+ KubeRBACProxyImage string
+ ReleaseVersion string
+ TokenMinterImage string
+ AvailabilityProberImage string
+ ProxyImage string
+ Platform hyperv1.PlatformType
+ DeploymentConfig config.DeploymentConfig
+ ProxyConfig *configv1.ProxySpec
+ NoProxy string
+ IngressMSIClientIdExists bool
}
func NewParams(hcp *hyperv1.HostedControlPlane, version string, releaseImageProvider *imageprovider.ReleaseImageProvider, userReleaseImageProvider *imageprovider.ReleaseImageProvider, setDefaultSecurityContext bool, platform hyperv1.PlatformType) Params {
+ ingressMSIClientIdExists := platform == hyperv1.AzurePlatform && hcp.Spec.Platform.Azure.MSIClientIDs != nil && len(hcp.Spec.Platform.Azure.MSIClientIDs.IngressMSIClientID) > 0
p := Params{
- IngressOperatorImage: releaseImageProvider.GetImage("cluster-ingress-operator"),
- IngressCanaryImage: userReleaseImageProvider.GetImage("cluster-ingress-operator"),
- HAProxyRouterImage: userReleaseImageProvider.GetImage("haproxy-router"),
- ReleaseVersion: version,
- TokenMinterImage: releaseImageProvider.GetImage("token-minter"),
- ProxyImage: releaseImageProvider.GetImage(util.CPOImageName),
- AvailabilityProberImage: releaseImageProvider.GetImage(util.AvailabilityProberImageName),
- Platform: platform,
+ IngressOperatorImage: releaseImageProvider.GetImage("cluster-ingress-operator"),
+ IngressCanaryImage: userReleaseImageProvider.GetImage("cluster-ingress-operator"),
+ HAProxyRouterImage: userReleaseImageProvider.GetImage("haproxy-router"),
+ ReleaseVersion: version,
+ TokenMinterImage: releaseImageProvider.GetImage("token-minter"),
+ ProxyImage: releaseImageProvider.GetImage(util.CPOImageName),
+ AvailabilityProberImage: releaseImageProvider.GetImage(util.AvailabilityProberImageName),
+ Platform: platform,
+ IngressMSIClientIdExists: ingressMSIClientIdExists,
}
if hcp.Spec.Configuration != nil {
p.ProxyConfig = hcp.Spec.Configuration.Proxy
@@ -152,7 +155,8 @@ func ReconcileDeployment(dep *appsv1.Deployment, params Params, platformType hyp
{Name: "konnectivity-proxy-ca", VolumeSource: corev1.VolumeSource{ConfigMap: &corev1.ConfigMapVolumeSource{LocalObjectReference: corev1.LocalObjectReference{Name: manifests.KonnectivityCAConfigMap("").Name}, DefaultMode: ptr.To[int32](0640)}}},
}
- if params.Platform == hyperv1.AWSPlatform {
+ switch params.Platform {
+ case hyperv1.AWSPlatform:
dep.Spec.Template.Spec.Containers[0].VolumeMounts = append(dep.Spec.Template.Spec.Containers[0].VolumeMounts,
corev1.VolumeMount{Name: "serviceaccount-token", MountPath: "/var/run/secrets/openshift/serviceaccount"},
)
@@ -185,6 +189,14 @@ func ReconcileDeployment(dep *appsv1.Deployment, params Params, platformType hyp
})
dep.Spec.Template.Spec.Volumes = append(dep.Spec.Template.Spec.Volumes,
corev1.Volume{Name: "serviceaccount-token", VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{}}})
+ case hyperv1.AzurePlatform:
+ if params.IngressMSIClientIdExists {
+ dep.Spec.Template.Spec.Containers[0].Env = append(dep.Spec.Template.Spec.Containers[0].Env,
+ corev1.EnvVar{
+ Name: "AZURE_MSI_AUTHENTICATION",
+ Value: "true",
+ })
+ }
}
util.AvailabilityProber(
From 3d32cdd991b4c0a94212d00bdc46753bc466d5d1 Mon Sep 17 00:00:00 2001
From: Bryan Cox
Date: Tue, 6 Aug 2024 11:04:51 -0400
Subject: [PATCH 4/5] Set Azure MSI override in cluster-storage-operator
Set the Azure MSI override for the cluster-storage-operator deployment
through an environment variable.
Signed-off-by: Bryan Cox
---
.../hostedcontrolplane/storage/operator.go | 8 +++++++
.../hostedcontrolplane/storage/params.go | 21 ++++++++++++-------
2 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/control-plane-operator/controllers/hostedcontrolplane/storage/operator.go b/control-plane-operator/controllers/hostedcontrolplane/storage/operator.go
index 03f559846de..c71d0a85f81 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/storage/operator.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/storage/operator.go
@@ -31,6 +31,14 @@ func ReconcileOperatorDeployment(
case "cluster-storage-operator":
deployment.Spec.Template.Spec.Containers[i].Image = params.StorageOperatorImage
params.ImageReplacer.replaceEnvVars(deployment.Spec.Template.Spec.Containers[i].Env)
+
+ if params.platform == hyperv1.AzurePlatform && params.StorageMSIClientIdExists {
+ deployment.Spec.Template.Spec.Containers[i].Env = append(deployment.Spec.Template.Spec.Containers[i].Env,
+ corev1.EnvVar{
+ Name: "AZURE_MSI_AUTHENTICATION",
+ Value: "true",
+ })
+ }
}
}
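Review bot: The `params.platform == hyperv1.AzurePlatform` term on the new `if` is redundant, because `StorageMSIClientIdExists` is only computed true in params.go when `hcp.Spec.Platform.Type == hyperv1.AzurePlatform`; the registry, ingress and network operators check only their flag, and carrying both conditions here invites the two to drift apart. Either reduce it to `if params.StorageMSIClientIdExists {` or document the flag in params.go as `// StorageMSIClientIdExists is true only on Azure, when a storage MSI client ID was supplied.`. If the platform term goes, the `platform` field added to the storage Params has no remaining reader in the visible hunks. ReconcileOperatorDeployment starts before the hunk.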
diff --git a/control-plane-operator/controllers/hostedcontrolplane/storage/params.go b/control-plane-operator/controllers/hostedcontrolplane/storage/params.go
index be4c3c6615d..e2d1ee0d080 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/storage/params.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/storage/params.go
@@ -13,11 +13,13 @@ const (
)
type Params struct {
- OwnerRef config.OwnerRef
- StorageOperatorImage string
- ImageReplacer *environmentReplacer
+ StorageMSIClientIdExists bool
+ StorageOperatorImage string
+ AvailabilityProberImage string
+ OwnerRef config.OwnerRef
+ ImageReplacer *environmentReplacer
+ platform hyperv1.PlatformType
- AvailabilityProberImage string
config.DeploymentConfig
}
@@ -32,11 +34,14 @@ func NewParams(
ir.setVersions(version)
ir.setOperatorImageReferences(releaseImageProvider.ComponentImages(), userReleaseImageProvider.ComponentImages())
+ storageMSIClientIdExists := hcp.Spec.Platform.Type == hyperv1.AzurePlatform && hcp.Spec.Platform.Azure.MSIClientIDs != nil && len(hcp.Spec.Platform.Azure.MSIClientIDs.StorageMSIClientID) > 0
params := Params{
- OwnerRef: config.OwnerRefFrom(hcp),
- StorageOperatorImage: releaseImageProvider.GetImage(storageOperatorImageName),
- AvailabilityProberImage: releaseImageProvider.GetImage(util.AvailabilityProberImageName),
- ImageReplacer: ir,
+ OwnerRef: config.OwnerRefFrom(hcp),
+ StorageOperatorImage: releaseImageProvider.GetImage(storageOperatorImageName),
+ AvailabilityProberImage: releaseImageProvider.GetImage(util.AvailabilityProberImageName),
+ ImageReplacer: ir,
+ StorageMSIClientIdExists: storageMSIClientIdExists,
+ platform: hcp.Spec.Platform.Type,
}
params.DeploymentConfig = config.DeploymentConfig{
AdditionalLabels: map[string]string{
From e542a67646cb0c5c77d0c31ff8a98c24ed74f636 Mon Sep 17 00:00:00 2001
From: Bryan Cox
Date: Tue, 6 Aug 2024 11:10:50 -0400
Subject: [PATCH 5/5] Set Azure MSI override in cluster-network-operator
Set the Azure MSI override for the cluster-network-operator deployment
through an environment variable.
Signed-off-by: Bryan Cox
---
.../cno/clusternetworkoperator.go | 58 ++++++++++++-------
1 file changed, 36 insertions(+), 22 deletions(-)
diff --git a/control-plane-operator/controllers/hostedcontrolplane/cno/clusternetworkoperator.go b/control-plane-operator/controllers/hostedcontrolplane/cno/clusternetworkoperator.go
index 3f7506a295a..47253308fd4 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/cno/clusternetworkoperator.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/cno/clusternetworkoperator.go
@@ -60,22 +60,25 @@ type Images struct {
}
type Params struct {
- ReleaseVersion string
- AvailabilityProberImage string
- HostedClusterName string
- CAConfigMap string
- CAConfigMapKey string
- APIServerAddress string
- APIServerPort int32
- TokenAudience string
- Images Images
- OwnerRef config.OwnerRef
- DeploymentConfig config.DeploymentConfig
- IsPrivate bool
- DefaultIngressDomain string
+ ReleaseVersion string
+ AvailabilityProberImage string
+ HostedClusterName string
+ CAConfigMap string
+ CAConfigMapKey string
+ APIServerAddress string
+ APIServerPort int32
+ TokenAudience string
+ Images Images
+ OwnerRef config.OwnerRef
+ DeploymentConfig config.DeploymentConfig
+ platform hyperv1.PlatformType
+ IsPrivate bool
+ DefaultIngressDomain string
+ NetworkMSIClientIdExists bool
}
func NewParams(hcp *hyperv1.HostedControlPlane, version string, releaseImageProvider *imageprovider.ReleaseImageProvider, userReleaseImageProvider *imageprovider.ReleaseImageProvider, setDefaultSecurityContext bool, defaultIngressDomain string) Params {
+ networkMSIClientIdExists := hcp.Spec.Platform.Type == hyperv1.AzurePlatform && hcp.Spec.Platform.Azure.MSIClientIDs != nil && len(hcp.Spec.Platform.Azure.MSIClientIDs.NetworkMSIClientID) > 0
p := Params{
Images: Images{
NetworkOperator: releaseImageProvider.GetImage("cluster-network-operator"),
@@ -99,15 +102,17 @@ func NewParams(hcp *hyperv1.HostedControlPlane, version string, releaseImageProv
CLI: releaseImageProvider.GetImage("cli"),
Socks5Proxy: releaseImageProvider.GetImage("socks5-proxy"),
},
- ReleaseVersion: version,
- AvailabilityProberImage: releaseImageProvider.GetImage(util.AvailabilityProberImageName),
- OwnerRef: config.OwnerRefFrom(hcp),
- IsPrivate: util.IsPrivateHCP(hcp),
- HostedClusterName: hcp.Name,
- TokenAudience: hcp.Spec.IssuerURL,
- DefaultIngressDomain: defaultIngressDomain,
- CAConfigMap: caConfigMap,
- CAConfigMapKey: caConfigMapKey,
+ ReleaseVersion: version,
+ AvailabilityProberImage: releaseImageProvider.GetImage(util.AvailabilityProberImageName),
+ OwnerRef: config.OwnerRefFrom(hcp),
+ IsPrivate: util.IsPrivateHCP(hcp),
+ HostedClusterName: hcp.Name,
+ TokenAudience: hcp.Spec.IssuerURL,
+ DefaultIngressDomain: defaultIngressDomain,
+ CAConfigMap: caConfigMap,
+ CAConfigMapKey: caConfigMapKey,
+ platform: hcp.Spec.Platform.Type,
+ NetworkMSIClientIdExists: networkMSIClientIdExists,
}
p.DeploymentConfig.AdditionalLabels = map[string]string{
@@ -566,6 +571,15 @@ if [[ -n $sc ]]; then kubectl --kubeconfig $kc delete --ignore-not-found validat
}
o.WaitForInfrastructureResource = true
})
+
+ if params.NetworkMSIClientIdExists {
+ dep.Spec.Template.Spec.Containers[0].Env = append(dep.Spec.Template.Spec.Containers[0].Env,
+ corev1.EnvVar{
+ Name: "AZURE_MSI_AUTHENTICATION",
+ Value: "true",
+ })
+ }
+
return nil
}
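Review bot: The `platform` field added to the cno Params is assigned in NewParams but not read in any visible hunk, and the env-var append at the end of this function consults only `NetworkMSIClientIdExists`; if no other code in the file reads it, the field is dead and should be dropped rather than kept as an unexported attribute callers cannot see. The append itself has the same open question as the other three operators about whether `Containers[0].Env` is rebuilt on each reconcile. The enclosing function starts well before this hunk.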