OCPBUGS-42434: Enable Managed Identity w/ Certificates in HyperShift Control Plane Components

[bryan-cox]

What this PR does / why we need it:
This PR enables components in the hosted control plane to authenticate with Azure Cloud through client certificate. These components include:

1. KMS
2. CPO
3. CAPZ
4. Cloud Provider

Which issue(s) this PR fixes:
Fixes OCPBUGS-42434

Checklist

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [bryan-cox]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[netlify]

✅ Deploy Preview for hypershift-docs ready!

Name	Link
🔨 Latest commit	ef8852b
🔍 Latest deploy log	https://app.netlify.com/sites/hypershift-docs/deploys/673dd254c493be0008a659e4
😎 Deploy Preview	https://deploy-preview-5160--hypershift-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[openshift-ci-robot]

@bryan-cox: This pull request references Jira Issue OCPBUGS-42434, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.18.0) matches configured target version for branch (4.18.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @fxierh

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, use fixes #<issue_number>(, fixes #<issue_number>, ...) format, where issue_number might be a GitHub issue, or a Jira story:
Fixes #

Checklist

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[bryan-cox]

/retest

[enxebre]

nit: nodePool

[enxebre]

/lgtm

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD e9fec4b and 2 for PR HEAD 33cebed in total

[bryan-cox]

/test e2e-aws-4-18

[bryan-cox]

/retest-required

[bryan-cox]

/retest-required

[bryan-cox]

/retest-required

[bryan-cox]

/retest-required

[bryan-cox]

/retest-required

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD e9fec4b and 2 for PR HEAD 33cebed in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD e9fec4b and 2 for PR HEAD 33cebed in total

[openshift-ci]

@bryan-cox: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-4-17	ce31d49	link	true	/test e2e-aws-4-17
ci/prow/e2e-aks	33cebed	link	false	/test e2e-aks

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD e9fec4b and 2 for PR HEAD 33cebed in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD e9fec4b and 2 for PR HEAD 33cebed in total

[enxebre]

/override ci/prow/e2e-kubevirt-aws-ovn-reduced

[openshift-ci]

@enxebre: Overrode contexts on behalf of enxebre: ci/prow/e2e-kubevirt-aws-ovn-reduced

Details

In response to this:

/override ci/prow/e2e-kubevirt-aws-ovn-reduced

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci-robot]

@bryan-cox: Jira Issue OCPBUGS-42434: All pull requests linked via external trackers have merged:

• openshift/hypershift#4811
• openshift/hypershift#4877
• openshift/cluster-api-provider-azure#323
• openshift/hypershift#5160

Jira Issue OCPBUGS-42434 has been moved to the MODIFIED state.

Details

In response to this:

What this PR does / why we need it:
This PR enables components in the hosted control plane to authenticate with Azure Cloud through client certificate. These components include:

1. KMS
2. CPO
3. CAPZ
4. Cloud Provider

Which issue(s) this PR fixes:
Fixes OCPBUGS-42434

Checklist

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[bryan-cox]

/cherry-pick release-4.18

[openshift-cherrypick-robot]

@bryan-cox: #5160 failed to apply on top of branch "release-4.18":

Applying: Authenticate Azure KMS with cert authentication
Applying: Reconcile SecretProvider for CPO on ARO HCP
Using index info to reconstruct a base tree...
M	cmd/infra/azure/create.go
M	control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go
M	hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go
Falling back to patching base and 3-way merge...
Auto-merging hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go
Auto-merging control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go
Auto-merging cmd/infra/azure/create.go
Applying: Update go.mod to include cert changes for CAPZ
Applying: Authenticate CAPZ with cert authentication
Using index info to reconstruct a base tree...
M	cmd/infra/azure/create.go
M	hypershift-operator/controllers/hostedcluster/internal/platform/azure/azure.go
Falling back to patching base and 3-way merge...
Auto-merging hypershift-operator/controllers/hostedcluster/internal/platform/azure/azure.go
Auto-merging cmd/infra/azure/create.go
CONFLICT (content): Merge conflict in cmd/infra/azure/create.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config advice.mergeConflict false"
Patch failed at 0004 Authenticate CAPZ with cert authentication

Details

In response to this:

/cherry-pick release-4.18

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[bryan-cox]

/jira backport release-4.18

[openshift-ci-robot]

@bryan-cox: The following backport issues have been created:

• OCPBUGS-45524 for branch release-4.18

Queuing cherrypicks to the requested branches to be created after this PR merges:
/cherrypick release-4.18

Details

In response to this:

/jira backport release-4.18

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-cherrypick-robot]

@openshift-ci-robot: #5160 failed to apply on top of branch "release-4.18":

Applying: Authenticate Azure KMS with cert authentication
Applying: Reconcile SecretProvider for CPO on ARO HCP
Using index info to reconstruct a base tree...
M	cmd/infra/azure/create.go
M	control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go
M	hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go
Falling back to patching base and 3-way merge...
Auto-merging hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go
Auto-merging control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go
Auto-merging cmd/infra/azure/create.go
Applying: Update go.mod to include cert changes for CAPZ
Applying: Authenticate CAPZ with cert authentication
Using index info to reconstruct a base tree...
M	cmd/infra/azure/create.go
M	hypershift-operator/controllers/hostedcluster/internal/platform/azure/azure.go
Falling back to patching base and 3-way merge...
Auto-merging hypershift-operator/controllers/hostedcluster/internal/platform/azure/azure.go
Auto-merging cmd/infra/azure/create.go
CONFLICT (content): Merge conflict in cmd/infra/azure/create.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config advice.mergeConflict false"
Patch failed at 0004 Authenticate CAPZ with cert authentication

Details

In response to this:

@bryan-cox: The following backport issues have been created:

• OCPBUGS-45524 for branch release-4.18

Queuing cherrypicks to the requested branches to be created after this PR merges:
/cherrypick release-4.18

In response to this:

/jira backport release-4.18

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-bot]

[ART PR BUILD NOTIFIER]

Distgit: hypershift
This PR has been included in build ose-hypershift-container-v4.19.0-202412041809.p0.g857ccab.assembly.stream.el9.
All builds following this will include this PR.