From 87af101c9b4a4ea8042f53e9055a693099690bcd Mon Sep 17 00:00:00 2001
From: Bryan Cox
Date: Fri, 11 Oct 2024 12:07:47 -0400
Subject: [PATCH] Reconcile SecretProvider for CNCC on ARO HCP

Reconcile the SecretProviderClass for the cloud network config controller (CNCC) for ARO HCP deployments. The SecretProviderClass is used by the Secrets Store CSI driver to mount a certificate to a volume in the CNCC pod deployment.

Signed-off-by: Bryan Cox
---
 .../cno/clusternetworkoperator.go | 36 +++++++++++++++----
 .../hostedcontrolplane_controller.go | 18 ++++++++++
 2 files changed, 48 insertions(+), 6 deletions(-)

diff --git a/control-plane-operator/controllers/hostedcontrolplane/cno/clusternetworkoperator.go b/control-plane-operator/controllers/hostedcontrolplane/cno/clusternetworkoperator.go
index aab94d80ff5..663c2653263 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/cno/clusternetworkoperator.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/cno/clusternetworkoperator.go
@@ -8,19 +8,18 @@ import (
 "strconv"
 "text/template"
- "github.com/openshift/hypershift/support/proxy"
- "github.com/openshift/hypershift/support/rhobsmonitoring"
- "sigs.k8s.io/controller-runtime/pkg/client"
-
- "github.com/blang/semver"
- routev1 "github.com/openshift/api/route/v1"
 hyperv1 "github.com/openshift/hypershift/api/hypershift/v1beta1"
 "github.com/openshift/hypershift/control-plane-operator/controllers/hostedcontrolplane/common"
 "github.com/openshift/hypershift/control-plane-operator/controllers/hostedcontrolplane/imageprovider"
 "github.com/openshift/hypershift/control-plane-operator/controllers/hostedcontrolplane/kas"
 "github.com/openshift/hypershift/control-plane-operator/controllers/hostedcontrolplane/manifests"
+ "github.com/openshift/hypershift/support/azureutil"
 "github.com/openshift/hypershift/support/config"
+ "github.com/openshift/hypershift/support/proxy"
+ "github.com/openshift/hypershift/support/rhobsmonitoring"
 "github.com/openshift/hypershift/support/util"
+
+ routev1 "github.com/openshift/api/route/v1"
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
 rbacv1 "k8s.io/api/rbac/v1"
@@ -29,6 +28,9 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime/schema"
 "k8s.io/utils/ptr"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+
+ "github.com/blang/semver"
 )
 const (
@@ -113,6 +115,9 @@ type Params struct {
 DeploymentConfig config.DeploymentConfig
 IsPrivate bool
 DefaultIngressDomain string
+ AzureClientID string
+ AzureTenantID string
+ AzureCertificateName string
 }
 func init() {
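Review bot: The three Params fields added in the `type Params struct` hunk are undocumented, and they are not populated uniformly: NewParams (later in this patch) sets AzureClientID and AzureCertificateName from the HCP spec, while AzureTenantID is only assigned by reconcileClusterNetworkOperator after it reads the Azure credentials secret. A caller that builds Params through NewParams alone therefore hands an empty tenant ID to CreateEnvVarsForAzureManagedIdentity. Field comments such as `// AzureClientID and AzureCertificateName identify the CNCC managed identity and its certificate; set by NewParams on ARO HCP.` and `// AzureTenantID is not set by NewParams; the caller populates it from the Azure credentials secret (ARO HCP only).` record that contract next to the fields. The Params struct begins before this hunk.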
@@ -161,6 +166,11 @@ func NewParams(hcp *hyperv1.HostedControlPlane, version string, releaseImageProv
 CAConfigMapKey: caConfigMapKey,
 }
+ if azureutil.IsAroHCP() {
+ p.AzureClientID = hcp.Spec.Platform.Azure.ManagedIdentities.ControlPlane.Network.ClientID
+ p.AzureCertificateName = hcp.Spec.Platform.Azure.ManagedIdentities.ControlPlane.Network.CertificateName
+ }
+
 p.DeploymentConfig.AdditionalLabels = map[string]string{
 config.NeedManagementKASAccessLabel: "true",
 }
@@ -608,6 +618,20 @@ if [[ -n $sc ]]; then kubectl --kubeconfig $kc delete --ignore-not-found validat
 {Name: "ca-bundle", VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{SecretName: manifests.RootCASecret("").Name, DefaultMode: ptr.To[int32](0640)}}},
 }
+ // For ARO HCP deployments, we pass the env variable for the SecretProviderClass for the Secrets Store CSI driver
+ // to use on the CNCC deployment.
+ if azureutil.IsAroHCP() {
+ dep.Spec.Template.Spec.Containers[0].Env = append(dep.Spec.Template.Spec.Containers[0].Env,
+ azureutil.CreateEnvVarsForAzureManagedIdentity(params.AzureClientID, params.AzureTenantID, params.AzureCertificateName)...)
+
+ dep.Spec.Template.Spec.Containers[0].Env = append(dep.Spec.Template.Spec.Containers[0].Env,
+ corev1.EnvVar{
+ Name: "ARO_HCP_SECRET_PROVIDER_CLASS",
+ Value: config.ManagedAzureNetworkSecretStoreProviderClassName,
+ },
+ )
+ }
+
 params.DeploymentConfig.ApplyTo(dep)
 util.AvailabilityProber(kas.InClusterKASReadyURL(platformType), params.AvailabilityProberImage, &dep.Spec.Template.Spec, func(o *util.AvailabilityProberOpts) {
 o.KubeconfigVolumeName = "hosted-etc-kube"
diff --git a/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go b/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go
index 0d88997afa1..064b56ca736 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go
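Review bot: The new block in NewParams dereferences `hcp.Spec.Platform.Azure.ManagedIdentities.ControlPlane.Network` guarded only by `azureutil.IsAroHCP()`, which takes no arguments and so appears to describe the operator's environment rather than this particular HCP. If `Platform.Azure` is a pointer in the API, a non-Azure HCP reconciled by an ARO HCP operator would panic here instead of failing the reconcile with an error. Guarding on the spec as well, `if azureutil.IsAroHCP() && hcp.Spec.Platform.Azure != nil {`, keeps the assignments on the only path where those fields exist. NewParams starts before and ends after this hunk.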
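Review bot: The two consecutive appends inside the `IsAroHCP()` branch of the deployment hunk spell out `dep.Spec.Template.Spec.Containers[0].Env` four times, which is hard to read and easy to mis-edit; taking the container once and appending through it is equivalent: `c := &dep.Spec.Template.Spec.Containers[0]` / `c.Env = append(c.Env, azureutil.CreateEnvVarsForAzureManagedIdentity(params.AzureClientID, params.AzureTenantID, params.AzureCertificateName)...)` / `c.Env = append(c.Env, corev1.EnvVar{Name: "ARO_HCP_SECRET_PROVIDER_CLASS", Value: config.ManagedAzureNetworkSecretStoreProviderClassName})`. The comment above the branch would also help a reader more if it named the consumer of the variable, e.g. `// ARO_HCP_SECRET_PROVIDER_CLASS names the SecretProviderClass the Secrets Store CSI driver uses to mount the managed-identity certificate into the CNCC pod (see the commit message).` The enclosing deployment function starts before and ends after this hunk.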
+++ b/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go
@@ -3621,6 +3621,24 @@ func (r *HostedControlPlaneReconciler) reconcileClusterVersionOperator(ctx conte
 func (r *HostedControlPlaneReconciler) reconcileClusterNetworkOperator(ctx context.Context, hcp *hyperv1.HostedControlPlane, releaseImageProvider, userReleaseImageProvider *imageprovider.SimpleReleaseImageProvider, hasRouteCap bool, createOrUpdate upsert.CreateOrUpdateFN) error {
 p := cno.NewParams(hcp, userReleaseImageProvider.Version(), releaseImageProvider, userReleaseImageProvider, r.SetDefaultSecurityContext, r.DefaultIngressDomain)
+ // Create SecretProviderClass when deploying on ARO HCP
+ if hyperazureutil.IsAroHCP() {
+ cnccSecretProviderClass := manifests.ManagedAzureSecretProviderClass(config.ManagedAzureNetworkSecretStoreProviderClassName, hcp.Namespace)
+ if _, err := createOrUpdate(ctx, r, cnccSecretProviderClass, func() error {
+ secretproviderclass.ReconcileManagedAzureSecretProviderClass(cnccSecretProviderClass, hcp, hcp.Spec.Platform.Azure.ManagedIdentities.ControlPlane.Network.CertificateName)
+ return nil
+ }); err != nil {
+ return fmt.Errorf("failed to reconcile ingressoperator secret provider class: %w", err)
+ }
+
+ credentialsSecret := manifests.AzureCredentialInformation(hcp.Namespace)
+ if err := r.Client.Get(ctx, client.ObjectKeyFromObject(credentialsSecret), credentialsSecret); err != nil {
+ return fmt.Errorf("failed to get Azure credentials secret: %w", err)
+ }
+
+ p.AzureTenantID = string(credentialsSecret.Data["AZURE_TENANT_ID"])
+ }
+
 sa := manifests.ClusterNetworkOperatorServiceAccount(hcp.Namespace)
 if _, err := createOrUpdate(ctx, r.Client, sa, func() error {
 return cno.ReconcileServiceAccount(sa, p.OwnerRef)
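Review bot: The error wrapped after the first createOrUpdate names the wrong component — `ingressoperator` — although the object reconciled there is the CNCC SecretProviderClass; it should read `return fmt.Errorf("failed to reconcile cloud network config controller secret provider class: %w", err)`. The tenant ID is then taken straight from `credentialsSecret.Data["AZURE_TENANT_ID"]`, so a credentials secret that lacks the key leaves `p.AzureTenantID` empty and the CNCC deployment is rendered with an empty tenant env var instead of the reconcile failing; checking the key as below surfaces the misconfiguration at reconcile time. The new createOrUpdate call also passes `r` where the existing call in the context lines passes `r.Client`; using `r.Client` keeps the two consistent, assuming both satisfy the same client interface. reconcileClusterNetworkOperator continues past the end of the hunk.
```go
	credentialsSecret := manifests.AzureCredentialInformation(hcp.Namespace)
	// … unchanged: Get of the credentials secret and its error check …
	tenantID, ok := credentialsSecret.Data["AZURE_TENANT_ID"]
	if !ok || len(tenantID) == 0 {
		return fmt.Errorf("azure credentials secret %s is missing AZURE_TENANT_ID", client.ObjectKeyFromObject(credentialsSecret))
	}
	p.AzureTenantID = string(tenantID)
```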