openshift · openshift-merge-bot · Dec 4, 2024 · Nov 6, 2024 · Oct 29, 2024 · Nov 7, 2024
diff --git a/api/go.mod b/api/go.mod
@@ -17,7 +17,7 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/rogpeppe/go-internal v1.12.0 // indirect
+	github.com/rogpeppe/go-internal v1.13.1 // indirect
 	github.com/spf13/pflag v1.0.6-0.20210604193023-d5e0c0615ace // indirect
 	github.com/stretchr/testify v1.9.0 // indirect
 	golang.org/x/net v0.31.0 // indirect

diff --git a/api/go.sum b/api/go.sum
@@ -30,8 +30,8 @@ github.com/openshift/api v0.0.0-20240524162738-d899f8877d22/go.mod h1:7Hm1kLJGxW
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
-github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/spf13/pflag v1.0.6-0.20210604193023-d5e0c0615ace h1:9PNP1jnUjRhfmGMlkXHjYPishpcw4jpSt/V/xYY3FMA=
 github.com/spf13/pflag v1.0.6-0.20210604193023-d5e0c0615ace/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=

diff --git a/api/vendor/modules.txt b/api/vendor/modules.txt
@@ -25,8 +25,8 @@ github.com/modern-go/reflect2
 github.com/openshift/api/config/v1
 # github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2
 ## explicit
-# github.com/rogpeppe/go-internal v1.12.0
-## explicit; go 1.20
+# github.com/rogpeppe/go-internal v1.13.1
+## explicit; go 1.22
 # github.com/spf13/pflag v1.0.6-0.20210604193023-d5e0c0615ace
 ## explicit; go 1.12
 # github.com/stretchr/testify v1.9.0

diff --git a/cmd/infra/azure/create.go b/cmd/infra/azure/create.go
@@ -425,8 +425,13 @@ func buildCreateServicePrincipalCommand(subscriptionID, managedResourceGroupName
 	switch component {
 	case cloudProvider:
 		scopes = fmt.Sprintf("%s %s", scopes, nsgRG)
+	case cpo:
+		scopes = fmt.Sprintf("%s %s", scopes, nsgRG)
+		scopes = fmt.Sprintf("%s %s", scopes, vnetRG)
 	case ingress:
 		scopes = fmt.Sprintf("%s %s %s", scopes, vnetRG, dnsZoneRG)
+	case nodePoolMgmt:
+		scopes = fmt.Sprintf("%s %s", scopes, vnetRG)
 	}
 
 	// The command creates a Service Principal with a role(s) over resource group(s), create a new certificate for it, and store it in an existing keyvault

diff --git a/...ts/cluster-api-provider-azure/infrastructure.cluster.x-k8s.io_azureclusteridentities.yaml b/...ts/cluster-api-provider-azure/infrastructure.cluster.x-k8s.io_azureclusteridentities.yaml
@@ -122,6 +122,11 @@ spec:
                     type: object
                     x-kubernetes-map-type: atomic
                 type: object
+              certPath:
+                description: CertPath is the path where certificates exist. When set,
+                  it takes precedence over ClientSecret for types that use certs like
+                  ServicePrincipalCertificate.
+                type: string
               clientID:
                 description: |-
                   ClientID is the service principal client ID.

diff --git a/...tall/assets/cluster-api-provider-azure/infrastructure.cluster.x-k8s.io_azuremachines.yaml b/...tall/assets/cluster-api-provider-azure/infrastructure.cluster.x-k8s.io_azuremachines.yaml
@@ -281,8 +281,8 @@ spec:
               image:
                 description: |-
                   Image is used to provide details of an image to use during VM creation.
-                  If image details are omitted the image will default the Azure Marketplace "capi" offer,
-                  which is based on Ubuntu.
+                  If image details are omitted, the default is to use an Azure Compute Gallery Image
+                  from CAPZ's community gallery.
                 properties:
                   computeGallery:
                     description: ComputeGallery specifies an image to use from the

diff --git a/...ets/cluster-api-provider-azure/infrastructure.cluster.x-k8s.io_azuremachinetemplates.yaml b/...ets/cluster-api-provider-azure/infrastructure.cluster.x-k8s.io_azuremachinetemplates.yaml
@@ -292,8 +292,8 @@ spec:
                       image:
                         description: |-
                           Image is used to provide details of an image to use during VM creation.
-                          If image details are omitted the image will default the Azure Marketplace "capi" offer,
-                          which is based on Ubuntu.
+                          If image details are omitted, the default is to use an Azure Compute Gallery Image
+                          from CAPZ's community gallery.
                         properties:
                           computeGallery:
                             description: ComputeGallery specifies an image to use

diff --git a/cmd/install/assets/hypershift_operator.go b/cmd/install/assets/hypershift_operator.go
@@ -1268,6 +1268,7 @@ func (o HyperShiftOperatorClusterRole) Build() *rbacv1.ClusterRole {
 				Verbs: []string{
 					"list",
 					"create",
+					"update",
 				},
 			})
 	}

diff --git a/control-plane-operator/controllers/hostedcontrolplane/cloud/azure/params.go b/control-plane-operator/controllers/hostedcontrolplane/cloud/azure/params.go
@@ -11,10 +11,12 @@ import (
 )
 
 type AzureParams struct {
-	ClusterID        string                  `json:"clusterID"`
-	ClusterNetwork   string                  `json:"clusterNetwork"`
-	OwnerRef         *metav1.OwnerReference  `json:"ownerRef"`
-	DeploymentConfig config.DeploymentConfig `json:"deploymentConfig"`
+	ClusterID               string                  `json:"clusterID"`
+	ClusterNetwork          string                  `json:"clusterNetwork"`
+	OwnerRef                *metav1.OwnerReference  `json:"ownerRef"`
+	DeploymentConfig        config.DeploymentConfig `json:"deploymentConfig"`
+	TenantID                string                  `json:"tenantID"`
+	SecretProviderClassName string                  `json:"secretProviderClassName"`
 }
 
 func NewAzureParams(hcp *hyperv1.HostedControlPlane) *AzureParams {
@@ -26,6 +28,7 @@ func NewAzureParams(hcp *hyperv1.HostedControlPlane) *AzureParams {
 		ClusterNetwork: hcp.Spec.Networking.ClusterNetwork[0].CIDR.String(),
 	}
 	p.OwnerRef = config.ControllerOwnerRef(hcp)
+	p.SecretProviderClassName = config.ManagedAzureCloudProviderSecretProviderClassName
 
 	p.DeploymentConfig.Resources = config.ResourcesSpec{
 		ccmContainer().Name: {

diff --git a/control-plane-operator/controllers/hostedcontrolplane/cloud/azure/providerconfig.go b/control-plane-operator/controllers/hostedcontrolplane/cloud/azure/providerconfig.go
@@ -6,6 +6,7 @@ import (
 
 	hyperv1 "github.com/openshift/hypershift/api/hypershift/v1beta1"
 	"github.com/openshift/hypershift/support/azureutil"
+	"github.com/openshift/hypershift/support/config"
 
 	corev1 "k8s.io/api/core/v1"
 )
@@ -42,10 +43,11 @@ func ReconcileCloudConfigWithCredentials(secret *corev1.Secret, hcp *hyperv1.Hos
 		return err
 	}
 
-	cfg.AADClientID = string(credentialsSecret.Data["AZURE_CLIENT_ID"])
-	cfg.AADClientSecret = string(credentialsSecret.Data["AZURE_CLIENT_SECRET"])
+	cfg.AADClientID = hcp.Spec.Platform.Azure.ManagedIdentities.ControlPlane.CloudProvider.ClientID
+	cfg.AADClientCertPath = config.ManagedAzureCertificatePath + hcp.Spec.Platform.Azure.ManagedIdentities.ControlPlane.CloudProvider.CertificateName
 	cfg.UseManagedIdentityExtension = false
 	cfg.UseInstanceMetadata = false
+
 	serializedConfig, err := json.MarshalIndent(cfg, "", "  ")
 	if err != nil {
 		return fmt.Errorf("failed to serialize cloudconfig: %w", err)
@@ -103,12 +105,14 @@ func azureConfigWithoutCredentials(hcp *hyperv1.HostedControlPlane, credentialsS
 // Now the source is https://github.com/kubernetes-sigs/cloud-provider-azure/blob/e5d670328a51e31787fc949ddf41a3efcd90d651/examples/out-of-tree/cloud-controller-manager.yaml#L232
 // https://github.com/kubernetes-sigs/cloud-provider-azure/tree/e5d670328a51e31787fc949ddf41a3efcd90d651/pkg/provider/config
 type AzureConfig struct {
-	Cloud                        string `json:"cloud"`
-	TenantID                     string `json:"tenantId"`
-	UseManagedIdentityExtension  bool   `json:"useManagedIdentityExtension"`
-	SubscriptionID               string `json:"subscriptionId"`
-	AADClientID                  string `json:"aadClientId"`
+	Cloud                       string `json:"cloud"`
+	TenantID                    string `json:"tenantId"`
+	UseManagedIdentityExtension bool   `json:"useManagedIdentityExtension"`
+	SubscriptionID              string `json:"subscriptionId"`
+	AADClientID                 string `json:"aadClientId"`
+	// TODO HOSTEDCP-1542 - Bryan - drop client secret once we have WorkloadIdentity working
 	AADClientSecret              string `json:"aadClientSecret"`
+	AADClientCertPath            string `json:"aadClientCertPath"`
 	ResourceGroup                string `json:"resourceGroup"`
 	Location                     string `json:"location"`
 	VnetName                     string `json:"vnetName"`
@@ -123,5 +127,4 @@ type AzureConfig struct {
 	LoadBalancerSku              string `json:"loadBalancerSku"`
 	DisableOutboundSNAT          bool   `json:"disableOutboundSNAT"`
 	LoadBalancerName             string `json:"loadBalancerName"`
-	AADClientCertPath            string `json:"aadClientCertPath"`
 }
diff --git a/control-plane-operator/controllers/hostedcontrolplane/cloud/azure/reconcile.go b/control-plane-operator/controllers/hostedcontrolplane/cloud/azure/reconcile.go
@@ -7,6 +7,7 @@ import (
 	"github.com/openshift/hypershift/control-plane-operator/controllers/hostedcontrolplane/imageprovider"
 	"github.com/openshift/hypershift/control-plane-operator/controllers/hostedcontrolplane/manifests"
 	"github.com/openshift/hypershift/hypershift-operator/controllers/manifests/controlplaneoperator"
+	"github.com/openshift/hypershift/support/azureutil"
 	"github.com/openshift/hypershift/support/config"
 	"github.com/openshift/hypershift/support/proxy"
 	"github.com/openshift/hypershift/support/util"
@@ -46,6 +47,14 @@ func ReconcileDeployment(deployment *appsv1.Deployment, hcp *hyperv1.HostedContr
 
 	addVolumes(deployment)
 
+	deployment.Spec.Template.Spec.Containers[0].VolumeMounts = append(deployment.Spec.Template.Spec.Containers[0].VolumeMounts,
+		azureutil.CreateVolumeMountForAzureSecretStoreProviderClass(config.ManagedAzureCloudProviderSecretStoreVolumeName),
+	)
+
+	deployment.Spec.Template.Spec.Volumes = append(deployment.Spec.Template.Spec.Volumes,
+		azureutil.CreateVolumeForAzureSecretStoreProviderClass(config.ManagedAzureCloudProviderSecretStoreVolumeName, config.ManagedAzureCloudProviderSecretProviderClassName),
+	)
+
 	config.OwnerRefFrom(hcp).ApplyTo(deployment)
 	p.DeploymentConfig.ApplyTo(deployment)
 	return nil
-Original file line number
+Diff line change
@@ Expand Up @@
     				Verbs: []string{
     					"list",
     					"create",
+    					"update",
     				},
     			})
     	}
@@ Expand Down @@