openshift · bryan-cox · Sep 9, 2024 · Aug 5, 2024 · Sep 27, 2024 · Aug 16, 2024
diff --git a/api/hypershift/v1beta1/hostedcluster_types.go b/api/hypershift/v1beta1/hostedcluster_types.go
@@ -1805,7 +1805,7 @@ type AzurePlatformSpec struct {
 	//
 	// Resource group naming requirements can be found here: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ResourceGroup.Name/.
 	//
-	//Example: if your resource group ID is /subscriptions/<subscriptionID>/resourceGroups/<resourceGroupName>, your
+	// Example: if your resource group ID is /subscriptions/<subscriptionID>/resourceGroups/<resourceGroupName>, your
 	//          ResourceGroupName is <resourceGroupName>.
 	//
 	// +kubebuilder:default:=default
@@ -1857,8 +1857,98 @@ type AzurePlatformSpec struct {
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="SecurityGroupID is immutable"
 	// +kubebuilder:validation:Required
 	// +immutable
-	// +required
 	SecurityGroupID string `json:"securityGroupID,omitempty"`
+
+	// managedIdentities contains the client IDs related to the managed identities needed for HCP control plane
+	// and data plane components that authenticate with Azure's API.
+	//
+	// +kubebuilder:validation:Required
+	ManagedIdentities AzureResourceManagedIdentities `json:"managedIdentities,omitempty"`
+}
+
+// AzureResourceManagedIdentities contains the client IDs related to the managed identities needed for HCP control plane
+// and data plane components that authenticate with Azure's API.
+type AzureResourceManagedIdentities struct {
+	// ControlPlaneManagedIdentities contains the client IDs of all the managed identities on the HCP control plane needing to
+	// authenticate with Azure's API.
+	//
+	// +kubebuilder:validation:Required
+	ControlPlaneManagedIdentities ControlPlaneManagedIdentities `json:"controlPlaneManagedIdentities"`
+
+	// Future placeholder - DataPlaneMIs * DataPlaneManagedIdentities
+}
+
+// ManagedIdentityClientID is a client ID of a managed identity
+// +kubebuilder:validation:XValidation:rule="self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$')",message="the client ID of a managed identity must be a valid UUID. It should be 5 groups of hyphen separated hexadecimal characters in the form 8-4-4-4-12."
+type ManagedIdentityClientID string
+
+// ControlPlaneManagedIdentities contains the client IDs of all the managed identities on the HCP control plane needing
+// to authenticate with Azure's API.
+// Managed identity regex pattern is from Microsoft here - https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules#microsoftmanagedidentity.
+// The format a managed identity should be `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{managedIdentityName}`.
+type ControlPlaneManagedIdentities struct {
+	// azureCloudProviderManagedIdentityClientID is the client ID of a pre-existing managed identity ID associated with the azure
+	// cloud provider, aka ccm. The client ID of a managed identity must be a valid UUID. It should be 5 groups of
+	// hyphen separated hexadecimal characters in the form 8-4-4-4-12.
+	//
+	// +kubebuilder:validation:Required
+	AzureCloudProviderManagedIdentityClientID ManagedIdentityClientID `json:"azureCloudProviderManagedIdentityClientID"`
+
+	// clusterAPIAzureManagedIdentityClientID is the client ID of a pre-existing managed identity ID associated with cluster-api
+	// azure. The client ID of a managed identity must be a valid UUID. It should be 5 groups of hyphen separated
+	// hexadecimal characters in the form 8-4-4-4-12.
+	//
+	// +kubebuilder:validation:Required
+	ClusterAPIAzureManagedIdentityClientID ManagedIdentityClientID `json:"clusterAPIAzureManagedIdentityClientID"`
+
+	// controlPlaneManagedIdentityClientID is the client ID of a pre-existing managed identity ID associated with the control plane
+	// operator. The client ID of a managed identity must be a valid UUID. It should be 5 groups of hyphen separated
+	// hexadecimal characters in the form 8-4-4-4-12.
+	//
+	// +kubebuilder:validation:Required
+	ControlPlaneManagedIdentityClientID ManagedIdentityClientID `json:"controlPlaneManagedIdentityClientID"`
+
+	// azureKMSManagedIdentityClientID is the client ID of a pre-existing managed identity ID associated with Azure KMS. The client
+	// ID of a managed identity must be a valid UUID. It should be 5 groups of hyphen separated hexadecimal characters
+	// in the form 8-4-4-4-12.
+	//
+	// +optional
+	AzureKMSManagedIdentityClientID ManagedIdentityClientID `json:"azureKMSManagedIdentityClientID,omitempty"`
+
+	// imageRegistryManagedIdentityClientID is the client ID of a pre-existing managed identity ID associated with the
+	// cluster-image-registry-operator. The client ID of a managed identity must be a valid UUID. It should be 5 groups
+	// of hyphen separated hexadecimal characters in the form 8-4-4-4-12.
+	//
+	// +kubebuilder:validation:Required
+	ImageRegistryManagedIdentityClientID ManagedIdentityClientID `json:"imageRegistryManagedIdentityClientID"`
+
+	// ingressManagedIdentityClientID is the client ID of a pre-existing managed identity ID associated with the
+	// cluster-ingress-operator. The client ID of a managed identity must be a valid UUID. It should be 5 groups of
+	// hyphen separated hexadecimal characters in the form 8-4-4-4-12.
+	//
+	// +kubebuilder:validation:Required
+	IngressManagedIdentityClientID ManagedIdentityClientID `json:"ingressManagedIdentityClientID"`
+
+	// networkManagedIdentityClientID is the client ID of a pre-existing managed identity ID associated with the
+	// cluster-network-operator. The client ID of a managed identity must be a valid UUID. It should be 5 groups of
+	// hyphen separated hexadecimal characters in the form 8-4-4-4-12.
+	//
+	// +kubebuilder:validation:Required
+	NetworkManagedIdentityClientID ManagedIdentityClientID `json:"networkManagedIdentityClientID"`
+
+	// azureDiskManagedIdentityClientID is the client ID of a pre-existing managed identity ID associated with the
+	// azure-disk-controller. The client ID of a managed identity must be a valid UUID. It should be 5 groups of hyphen
+	// separated hexadecimal characters in the form 8-4-4-4-12.
+	//
+	// +kubebuilder:validation:Required
+	AzureDiskManagedIdentityClientID ManagedIdentityClientID `json:"azureDiskManagedIdentityClientID"`
+
+	// azureFileManagedIdentityClientID is the client ID of a pre-existing managed identity ID associated with the
+	// azure-disk-controller. The client ID of a managed identity must be a valid UUID. It should be 5 groups of hyphen
+	// separated hexadecimal characters in the form 8-4-4-4-12.
+	//
+	// +kubebuilder:validation:Required
+	AzureFileManagedIdentityClientID ManagedIdentityClientID `json:"azureFileManagedIdentityClientID"`
 }
 
 // OpenStackPlatformSpec specifies configuration for clusters running on OpenStack.

diff --git a/api/hypershift/v1beta1/zz_generated.deepcopy.go b/api/hypershift/v1beta1/zz_generated.deepcopy.go
diff --git a/client/applyconfiguration/hypershift/v1beta1/azureresourcemanagedidentities.go b/client/applyconfiguration/hypershift/v1beta1/azureresourcemanagedidentities.go
diff --git a/client/applyconfiguration/hypershift/v1beta1/controlplanemanagedidentities.go b/client/applyconfiguration/hypershift/v1beta1/controlplanemanagedidentities.go
diff --git a/cmd/cluster/azure/create.go b/cmd/cluster/azure/create.go
@@ -201,6 +201,22 @@ func (o *CreateOptions) ApplyPlatformSpecifics(cluster *hyperv1.HostedCluster) e
 			VnetID:            o.infra.VNetID,
 			SubnetID:          o.infra.SubnetID,
 			SecurityGroupID:   o.infra.SecurityGroupID,
+			ManagedIdentities: hyperv1.AzureResourceManagedIdentities{
+				ControlPlaneManagedIdentities: hyperv1.ControlPlaneManagedIdentities{
+					// TODO these are initialized with the client ID of the Service Principal at the moment. Once the
+					// Microsoft Adapter sidecar containers support Managed Identities, the CLI will create a new
+					// managed identity for each of these fields.
+					AzureCloudProviderManagedIdentityClientID: hyperv1.ManagedIdentityClientID(o.creds.ClientID),
+					ClusterAPIAzureManagedIdentityClientID:    hyperv1.ManagedIdentityClientID(o.creds.ClientID),
+					AzureKMSManagedIdentityClientID:           hyperv1.ManagedIdentityClientID(o.creds.ClientID),
+					ControlPlaneManagedIdentityClientID:       hyperv1.ManagedIdentityClientID(o.creds.ClientID),
+					NetworkManagedIdentityClientID:            hyperv1.ManagedIdentityClientID(o.creds.ClientID),
+					ImageRegistryManagedIdentityClientID:      hyperv1.ManagedIdentityClientID(o.creds.ClientID),
+					IngressManagedIdentityClientID:            hyperv1.ManagedIdentityClientID(o.creds.ClientID),
+					AzureFileManagedIdentityClientID:          hyperv1.ManagedIdentityClientID(o.creds.ClientID),
+					AzureDiskManagedIdentityClientID:          hyperv1.ManagedIdentityClientID(o.creds.ClientID),
+				},
+			},
 		},
 	}