Skip to content

WIP: Add MSI Support for Azure HostedClusters #4484

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
bryan-cox wants to merge 5 commits into from
Closed

WIP: Add MSI Support for Azure HostedClusters #4484

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
5223fb9
Add MSI Support in Azure HC API
bryan-cox Aug 5, 2024
de2ac6a
Set Azure MSI override for cluster-image-registry
bryan-cox Aug 6, 2024
610fd23
Set Azure MSI override in cluster-ingress-operator
bryan-cox Aug 6, 2024
3d32cdd
Set Azure MSI override in cluster-storage-operator
bryan-cox Aug 6, 2024
e542a67
Set Azure MSI override in cluster-network-operator
bryan-cox Aug 6, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 40 additions & 0 deletions api/hypershift/v1alpha1/hostedcluster_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1574,6 +1574,46 @@ type AzurePlatformSpec struct {
SubnetID string `json:"subnetID"`
SubscriptionID string `json:"subscriptionID"`
SecurityGroupID string `json:"securityGroupID"`

// MSIClientIDs contains the client IDs related to the managed identities needed for the following control plane
// components: cluster-image-registry, cluster-ingress, cluster-storage, and cluster-network operators.
//
// +optional
MSIClientIDs *ControlPlaneManagedServiceIdentities `json:"msiClientIDs,omitempty"`
}

type ControlPlaneManagedServiceIdentities struct {
// ImageRegistryMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
// the cluster-image-registry-operator. The managed identity will be in a different resource group other than
// ResourceGroupName.
//
// +kubebuilder:validation:Required
// +required
ImageRegistryMSIClientID string `json:"imageRegistryMSIClientID,omitempty"`
Copy link
Copy Markdown
Contributor

@muraee muraee Aug 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

required fields should not have omitempty
same comment for the rest of the fields.


// IngressMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
// the cluster-ingress-operator. The managed identity will be in a different resource group other than
// ResourceGroupName.
//
// +kubebuilder:validation:Required
// +required
IngressMSIClientID string `json:"ingressMSIClientID,omitempty"`

// NetworkMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
// the cluster-network-operator. The managed identity will be in a different resource group other than
// ResourceGroupName.
//
// +kubebuilder:validation:Required
// +required
NetworkMSIClientID string `json:"networkMSIClientID,omitempty"`

// StorageMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
// the cluster-storage-operator. The managed identity will be in a different resource group other than
// ResourceGroupName.
//
// +kubebuilder:validation:Required
// +required
StorageMSIClientID string `json:"storageMSIClientID,omitempty"`
}

// Release represents the metadata for an OCP release payload image.
Expand Down
22 changes: 21 additions & 1 deletion api/hypershift/v1alpha1/zz_generated.deepcopy.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

43 changes: 42 additions & 1 deletion api/hypershift/v1beta1/hostedcluster_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -330,6 +330,7 @@ const (
type HostedClusterSpec struct {
// Release specifies the desired OCP release payload for the hosted cluster.
//
//
// Updating this field will trigger a rollout of the control plane. The
// behavior of the rollout will be driven by the ControllerAvailabilityPolicy
// and InfrastructureAvailabilityPolicy.
Expand Down Expand Up @@ -1785,7 +1786,7 @@ type AzurePlatformSpec struct {
//
// Resource group naming requirements can be found here: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ResourceGroup.Name/.
//
//Example: if your resource group ID is /subscriptions/<subscriptionID>/resourceGroups/<resourceGroupName>, your
// Example: if your resource group ID is /subscriptions/<subscriptionID>/resourceGroups/<resourceGroupName>, your
// ResourceGroupName is <resourceGroupName>.
//
// +kubebuilder:default:=default
Expand Down Expand Up @@ -1839,6 +1840,46 @@ type AzurePlatformSpec struct {
// +immutable
// +required
SecurityGroupID string `json:"securityGroupID,omitempty"`

// MSIClientIDs contains the client IDs related to the managed identities needed for the following control plane
// components: cluster-image-registry, cluster-ingress, cluster-storage, and cluster-network operators.
//
// +optional
MSIClientIDs *ControlPlaneManagedServiceIdentities `json:"msiClientIDs,omitempty"`
}

type ControlPlaneManagedServiceIdentities struct {
// ImageRegistryMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
// the cluster-image-registry-operator. The managed identity will be in a different resource group other than
// ResourceGroupName.
//
// +kubebuilder:validation:Required
// +required
ImageRegistryMSIClientID string `json:"imageRegistryMSIClientID,omitempty"`

// IngressMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
// the cluster-ingress-operator. The managed identity will be in a different resource group other than
// ResourceGroupName.
//
// +kubebuilder:validation:Required
// +required
IngressMSIClientID string `json:"ingressMSIClientID,omitempty"`

// NetworkMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
// the cluster-network-operator. The managed identity will be in a different resource group other than
// ResourceGroupName.
//
// +kubebuilder:validation:Required
// +required
NetworkMSIClientID string `json:"networkMSIClientID,omitempty"`

// StorageMSIClientID is the client ID of a pre-existing managed identity ID of that will be associated with
// the cluster-storage-operator. The managed identity will be in a different resource group other than
// ResourceGroupName.
//
// +kubebuilder:validation:Required
// +required
StorageMSIClientID string `json:"storageMSIClientID,omitempty"`
}

// OpenStackPlatformSpec specifies configuration for clusters running on OpenStack.
Expand Down
22 changes: 21 additions & 1 deletion api/hypershift/v1beta1/zz_generated.deepcopy.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

25 changes: 17 additions & 8 deletions client/applyconfiguration/hypershift/v1alpha1/azureplatformspec.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

65 changes: 65 additions & 0 deletions client/applyconfiguration/hypershift/v1alpha1/controlplanemanagedserviceidentities.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

25 changes: 17 additions & 8 deletions client/applyconfiguration/hypershift/v1beta1/azureplatformspec.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading