disallow duplicate operator identity resource IDs

This adds a step to static validation that checks to see if operator identities use the same resource ID as any other operator identities and causes the cluster installation to fail if so. Each operator should have its own identity.
2024-10-30 14:43:18 -04:00 · 2024-10-30 14:43:18 -04:00 · 517da1163f
--- a/pkg/api/v20240812preview/openshiftcluster_validatestatic.go
+++ b/pkg/api/v20240812preview/openshiftcluster_validatestatic.go
@ -469,7 +469,14 @@ func (sv openShiftClusterStaticValidator) validatePlatformWorkloadIdentityProfil
 	}

 	// Validate the PlatformWorkloadIdentities
+	foundIdentityResourceIDs := map[string]string{}
+
 	for name, p := range pwip.PlatformWorkloadIdentities {
+		if _, present := foundIdentityResourceIDs[strings.ToLower(p.ResourceID)]; present {
+			return api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidParameter, fmt.Sprintf("%s.PlatformWorkloadIdentities", path), "ResourceID %s used by multiple identities.", p.ResourceID)
+		}
+		foundIdentityResourceIDs[strings.ToLower(p.ResourceID)] = ""
+
 		resource, err := azcorearm.ParseResourceID(p.ResourceID)
 		if err != nil {
 			return api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidParameter, fmt.Sprintf("%s.PlatformWorkloadIdentities[%s].resourceID", path, name), "ResourceID %s formatted incorrectly.", p.ResourceID)
--- a/pkg/api/v20240812preview/openshiftcluster_validatestatic_test.go
+++ b/pkg/api/v20240812preview/openshiftcluster_validatestatic_test.go
@ -1379,6 +1379,44 @@ func TestOpenShiftClusterStaticValidatePlatformWorkloadIdentityProfile(t *testin
 			},
 			wantErr: "400: InvalidParameter: properties.servicePrincipalProfile: Must provide either an identity or service principal credentials.",
 		},
+		{
+			name: "duplicate operator identities",
+			modify: func(oc *OpenShiftCluster) {
+				oc.Identity = &ManagedServiceIdentity{
+					UserAssignedIdentities: map[string]UserAssignedIdentity{
+						"first": clusterIdentity1,
+					},
+				}
+				oc.Properties.PlatformWorkloadIdentityProfile = &PlatformWorkloadIdentityProfile{
+					PlatformWorkloadIdentities: map[string]PlatformWorkloadIdentity{
+						"FAKE-OPERATOR":         platformIdentity1,
+						"ANOTHER-FAKE-OPERATOR": platformIdentity1,
+					},
+				}
+				oc.Properties.ServicePrincipalProfile = nil
+			},
+			wantErr: "400: InvalidParameter: properties.platformWorkloadIdentityProfile.PlatformWorkloadIdentities: ResourceID /subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/a-fake-group/providers/Microsoft.RedHatOpenShift/userAssignedIdentities/fake-cluster-name used by multiple identities.",
+		},
+		{
+			name: "duplicate operator identities, different cases",
+			modify: func(oc *OpenShiftCluster) {
+				oc.Identity = &ManagedServiceIdentity{
+					UserAssignedIdentities: map[string]UserAssignedIdentity{
+						"first": clusterIdentity1,
+					},
+				}
+				oc.Properties.PlatformWorkloadIdentityProfile = &PlatformWorkloadIdentityProfile{
+					PlatformWorkloadIdentities: map[string]PlatformWorkloadIdentity{
+						"FAKE-OPERATOR": platformIdentity1,
+						"ANOTHER-FAKE-OPERATOR": {
+							ResourceID: "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/a-fake-group/providers/Microsoft.RedHatOpenShift/userAssignedIdentities/FAKE-CLUSTER-NAME",
+						},
+					},
+				}
+				oc.Properties.ServicePrincipalProfile = nil
+			},
+			wantErr: "400: InvalidParameter: properties.platformWorkloadIdentityProfile.PlatformWorkloadIdentities: ResourceID /subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/a-fake-group/providers/Microsoft.RedHatOpenShift/userAssignedIdentities/fake-cluster-name used by multiple identities.",
+		},
 		{
 			name: "valid UpgradeableTo value",
 			modify: func(oc *OpenShiftCluster) {