Merge pull request #3916 from Azure/bvesel/update-role-names-and-keys
Update role definition names and keys used for MIWI
This commit is contained in:
Коммит
a18e02b680
@ -5,7 +5,7 @@ set -o pipefail
|
|||
|
||||
# Local development environment script.
|
||||
# Execute this script from the root folder of the repo (ARO-RP).
|
||||
# This script is aimed to provide an automatic and easy way to prepare
|
||||
# This script is aimed to provide an automatic and easy way to prepare
|
||||
# the environment and execute the ARO RP locally.
|
||||
# The steps here are the ones defined in docs/deploy-development-rp.md
|
||||
# We recommend to use this script after you understand the steps of the process, not before.
|
||||
|
@ -15,29 +15,29 @@ PLATFORM_WORKLOAD_IDENTITY_ROLE_SETS='[
|
|||
"openShiftVersion": "4.14",
|
||||
"platformWorkloadIdentityRoles": [
|
||||
{
|
||||
"operatorName": "CloudControllerManager",
|
||||
"roleDefinitionName": "Azure Red Hat OpenShift Cloud Controller Manager Role",
|
||||
"operatorName": "cloud-controller-manager",
|
||||
"roleDefinitionName": "Azure Red Hat OpenShift Cloud Controller Manager",
|
||||
"roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/a1f96423-95ce-4224-ab27-4e3dc72facd4",
|
||||
"serviceAccounts": ["system:serviceaccount:openshift-cloud-controller-manager:cloud-controller-manager"],
|
||||
"secretLocation": { "namespace": "openshift-cloud-controller-manager", "name": "azure-cloud-credentials" }
|
||||
},
|
||||
{
|
||||
"operatorName": "ClusterIngressOperator",
|
||||
"roleDefinitionName": "Azure Red Hat OpenShift Cluster Ingress Operator Role",
|
||||
"operatorName": "ingress",
|
||||
"roleDefinitionName": "Azure Red Hat OpenShift Cluster Ingress Operator",
|
||||
"roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/0336e1d3-7a87-462b-b6db-342b63f7802c",
|
||||
"serviceAccounts": ["system:serviceaccount:openshift-ingress-operator:ingress-operator"],
|
||||
"secretLocation": { "namespace": "openshift-ingress-operator", "name": "cloud-credentials" }
|
||||
},
|
||||
{
|
||||
"operatorName": "MachineApiOperator",
|
||||
"roleDefinitionName": "Azure Red Hat OpenShift Machine API Operator Role",
|
||||
"operatorName": "machine-api",
|
||||
"roleDefinitionName": "Azure Red Hat OpenShift Machine API Operator",
|
||||
"roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/0358943c-7e01-48ba-8889-02cc51d78637",
|
||||
"serviceAccounts": ["system:serviceaccount:openshift-machine-api:machine-api-controllers"],
|
||||
"secretLocation": { "namespace": "openshift-machine-api", "name": "azure-cloud-credentials" }
|
||||
},
|
||||
{
|
||||
"operatorName": "StorageOperator",
|
||||
"roleDefinitionName": "Azure Red Hat OpenShift Storage Operator Role",
|
||||
"operatorName": "disk-csi-driver",
|
||||
"roleDefinitionName": "Azure Red Hat OpenShift Disk Storage Operator",
|
||||
"roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/5b7237c5-45e1-49d6-bc18-a1f62f400748",
|
||||
"serviceAccounts": [
|
||||
"system:serviceaccount:openshift-cluster-csi-drivers:azure-disk-csi-driver-operator",
|
||||
|
@ -46,15 +46,15 @@ PLATFORM_WORKLOAD_IDENTITY_ROLE_SETS='[
|
|||
"secretLocation": { "namespace": "openshift-cluster-csi-drivers", "name": "azure-disk-credentials" }
|
||||
},
|
||||
{
|
||||
"operatorName": "NetworkOperator",
|
||||
"roleDefinitionName": "Azure Red Hat OpenShift Network Operator Role",
|
||||
"operatorName": "cloud-network-config",
|
||||
"roleDefinitionName": "Azure Red Hat OpenShift Network Operator",
|
||||
"roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/be7a6435-15ae-4171-8f30-4a343eff9e8f",
|
||||
"serviceAccounts": ["system:serviceaccount:openshift-cloud-network-config-controller:cloud-network-config-controller"],
|
||||
"secretLocation": { "namespace": "openshift-cloud-network-config-controller", "name": "cloud-credentials" }
|
||||
},
|
||||
{
|
||||
"operatorName": "ImageRegistryOperator",
|
||||
"roleDefinitionName": "Azure Red Hat OpenShift Image Registry Operator Role",
|
||||
"operatorName": "image-registry",
|
||||
"roleDefinitionName": "Azure Red Hat OpenShift Image Registry Operator",
|
||||
"roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/8b32b316-c2f5-4ddf-b05b-83dacd2d08b5",
|
||||
"serviceAccounts": [
|
||||
"system:serviceaccount:openshift-image-registry:cluster-image-registry-operator",
|
||||
|
@ -63,8 +63,8 @@ PLATFORM_WORKLOAD_IDENTITY_ROLE_SETS='[
|
|||
"secretLocation": { "namespace": "openshift-image-registry", "name": "installer-cloud-credentials" }
|
||||
},
|
||||
{
|
||||
"operatorName": "AzureFilesStorageOperator",
|
||||
"roleDefinitionName": "Azure Red Hat OpenShift Azure Files Storage Operator Role",
|
||||
"operatorName": "file-csi-driver",
|
||||
"roleDefinitionName": "Azure Red Hat OpenShift File Storage Operator",
|
||||
"roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/0d7aedc0-15fd-4a67-a412-efad370c947e",
|
||||
"serviceAccounts": [
|
||||
"system:serviceaccount:openshift-cluster-csi-drivers:azure-file-csi-driver-operator",
|
||||
|
@ -74,8 +74,8 @@ PLATFORM_WORKLOAD_IDENTITY_ROLE_SETS='[
|
|||
"secretLocation": { "namespace": "openshift-cluster-csi-drivers", "name": "azure-file-credentials" }
|
||||
},
|
||||
{
|
||||
"operatorName": "ServiceOperator",
|
||||
"roleDefinitionName": "Azure Red Hat OpenShift Service Operator Role",
|
||||
"operatorName": "aro-operator",
|
||||
"roleDefinitionName": "Azure Red Hat OpenShift Service Operator",
|
||||
"roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/4436bae4-7702-4c84-919b-c4069ff25ee2",
|
||||
"serviceAccounts": ["system:serviceaccount:openshift-azure-operator:aro-operator-master"],
|
||||
"secretLocation": { "namespace": "openshift-azure-operator", "name": "azure-cloud-credentials" }
|
||||
|
@ -145,12 +145,12 @@ create_env_file() {
|
|||
read -r -p "Do you want to create an env file for Managed/Workload identity development? (y / n) " answer
|
||||
if [[ "$answer" == "y" || "$answer" == "Y" ]]; then
|
||||
create_miwi_env_file
|
||||
else
|
||||
else
|
||||
create_regular_env_file
|
||||
fi
|
||||
}
|
||||
|
||||
get_platform_workloadIdentity_role_sets() {
|
||||
get_platform_workloadIdentity_role_sets() {
|
||||
# Parse the JSON data using jq
|
||||
platformWorkloadIdentityRoles=$(echo "${PLATFORM_WORKLOAD_IDENTITY_ROLE_SETS}" | jq -c '.[].platformWorkloadIdentityRoles[]')
|
||||
|
||||
|
@ -210,7 +210,7 @@ create_platform_identity_and_assign_role() {
|
|||
|
||||
setup_platform_identity() {
|
||||
local platformWorkloadIdentityRoles
|
||||
|
||||
|
||||
platformWorkloadIdentityRoles=$(get_platform_workloadIdentity_role_sets)
|
||||
|
||||
echo "INFO: Creating platform identities under RG ($CLUSTER_RESOURCEGROUP) and Sub Id ($AZURE_SUBSCRIPTION_ID)"
|
||||
|
@ -236,7 +236,7 @@ cluster_msi_role_assignment() {
|
|||
local clusterMSIAppID="${1}"
|
||||
local FEDERATED_CREDENTIAL_ROLE_ID="ef318e2a-8334-4a05-9e4a-295a196c6a6e"
|
||||
local clusterMSIObjectID
|
||||
|
||||
|
||||
clusterMSIObjectID=$(az ad sp show --id "${clusterMSIAppID}" --query '{objectId: id}' | jq -r .objectId)
|
||||
|
||||
echo "INFO: Assigning role to cluster MSI: ${clusterMSIAppID}"
|
||||
|
@ -316,7 +316,7 @@ create_Azure_deployment() {
|
|||
"databaseAccountName=$DATABASE_ACCOUNT_NAME" \
|
||||
"databaseName=$DATABASE_NAME" \
|
||||
>/dev/null
|
||||
|
||||
|
||||
echo "INFO: Azure deployment created."
|
||||
}
|
||||
|
||||
|
|
|
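Review bot: The role-set JSON in the hunk at @ -15,29 (continued at @ -46, @ -63 and @ -74) renames every `operatorName` to a lowercase key (`cloud-controller-manager`, `ingress`, `machine-api`, `disk-csi-driver`, …) and drops the ` Role` suffix from each `roleDefinitionName`, but nothing in the script states what these values must agree with, so the next rename has no anchor; the Go copy this commit deletes (`rolesets.DefaultPlatformWorkloadIdentityRoleSet`) used different spellings, which is exactly the drift a comment should prevent. The `PLATFORM_WORKLOAD_IDENTITY_ROLE_SETS='[` assignment starts outside the hunk; I would put a comment directly above it, e.g. `# Must match the platform workload identity role set the RP serves for this openShiftVersion (operatorName is the lookup key; roleDefinitionId is the tenant-wide built-in role and does not change when names do).` If any later step in the script filters these entries by `roleDefinitionName` rather than `roleDefinitionId`, that filter needs the same rename — the only consumer visible here is the `jq -c '.[].platformWorkloadIdentityRoles[]'` extraction at @ -145.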
@ -44,7 +44,6 @@ import (
|
|||
"github.com/Azure/ARO-RP/pkg/util/azureerrors"
|
||||
utilgraph "github.com/Azure/ARO-RP/pkg/util/graph"
|
||||
"github.com/Azure/ARO-RP/pkg/util/rbac"
|
||||
"github.com/Azure/ARO-RP/pkg/util/rolesets"
|
||||
"github.com/Azure/ARO-RP/pkg/util/uuid"
|
||||
"github.com/Azure/ARO-RP/pkg/util/version"
|
||||
)
|
||||
|
@ -69,6 +68,17 @@ type Cluster struct {
|
|||
}
|
||||
|
||||
const GenerateSubnetMaxTries = 100
|
||||
const localDefaultURL string = "https://localhost:8443"
|
||||
|
||||
func insecureLocalClient() *http.Client {
|
||||
return &http.Client{
|
||||
Transport: &http.Transport{
|
||||
TLSClientConfig: &tls.Config{
|
||||
InsecureSkipVerify: true,
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func New(log *logrus.Entry, environment env.Core, ci bool) (*Cluster, error) {
|
||||
if env.IsLocalDevelopmentMode() {
|
||||
|
@ -369,7 +379,7 @@ func (c *Cluster) Create(ctx context.Context, vnetResourceGroup, clusterName str
|
|||
|
||||
if env.IsLocalDevelopmentMode() {
|
||||
c.log.Info("peering subnets to CI infra")
|
||||
err = c.peerSubnetsToCI(ctx, vnetResourceGroup, clusterName)
|
||||
err = c.peerSubnetsToCI(ctx, vnetResourceGroup)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -560,7 +570,7 @@ func (c *Cluster) createCluster(ctx context.Context, vnetResourceGroup, clusterN
|
|||
}
|
||||
|
||||
if c.env.IsLocalDevelopmentMode() {
|
||||
err := c.registerSubscription(ctx)
|
||||
err := c.registerSubscription()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -570,28 +580,13 @@ func (c *Cluster) createCluster(ctx context.Context, vnetResourceGroup, clusterN
|
|||
return err
|
||||
}
|
||||
|
||||
err = c.insertPlatformWorkloadIdentityRoleSetsIntoCosmosdb()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
oc.Properties.WorkerProfiles[0].VMSize = api.VMSizeStandardD2sV3
|
||||
}
|
||||
|
||||
return c.openshiftclusters.CreateOrUpdateAndWait(ctx, vnetResourceGroup, clusterName, &oc)
|
||||
}
|
||||
|
||||
var insecureLocalClient *http.Client = &http.Client{
|
||||
Transport: &http.Transport{
|
||||
TLSClientConfig: &tls.Config{
|
||||
InsecureSkipVerify: true,
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
const localDefaultURL string = "https://localhost:8443"
|
||||
|
||||
func (c *Cluster) registerSubscription(ctx context.Context) error {
|
||||
func (c *Cluster) registerSubscription() error {
|
||||
b, err := json.Marshal(&api.Subscription{
|
||||
State: api.SubscriptionStateRegistered,
|
||||
Properties: &api.SubscriptionProperties{
|
||||
|
@ -615,7 +610,7 @@ func (c *Cluster) registerSubscription(ctx context.Context) error {
|
|||
|
||||
req.Header.Set("Content-Type", "application/json")
|
||||
|
||||
resp, err := insecureLocalClient.Do(req)
|
||||
resp, err := insecureLocalClient().Do(req)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -637,7 +632,7 @@ func getVersionsInCosmosDB(ctx context.Context) ([]*api.OpenShiftVersion, error)
|
|||
|
||||
getRequest.Header.Set("Content-Type", "application/json")
|
||||
|
||||
getResponse, err := insecureLocalClient.Do(getRequest)
|
||||
getResponse, err := insecureLocalClient().Do(getRequest)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error couldn't retrieve versions in cosmos db: %w", err)
|
||||
}
|
||||
|
@ -651,7 +646,7 @@ func getVersionsInCosmosDB(ctx context.Context) ([]*api.OpenShiftVersion, error)
|
|||
|
||||
// ensureDefaultVersionInCosmosdb puts a default openshiftversion into the
|
||||
// cosmos DB IF it doesn't already contain an entry for the default version. It
|
||||
// is hardcoded to use the local-RP endpoint `https://localhost:8443`
|
||||
// is hardcoded to use the local-RP endpoint
|
||||
//
|
||||
// It returns without an error when a default version is already present or a
|
||||
// default version was successfully put into the db.
|
||||
|
@ -690,35 +685,7 @@ func (c *Cluster) ensureDefaultVersionInCosmosdb(ctx context.Context) error {
|
|||
|
||||
req.Header.Set("Content-Type", "application/json")
|
||||
|
||||
resp, err := insecureLocalClient.Do(req)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return resp.Body.Close()
|
||||
}
|
||||
|
||||
func (c *Cluster) insertPlatformWorkloadIdentityRoleSetsIntoCosmosdb() error {
|
||||
b, err := json.Marshal(rolesets.DefaultPlatformWorkloadIdentityRoleSet)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
req, err := http.NewRequest(http.MethodPut, "https://localhost:8443/admin/platformworkloadidentityrolesets/", bytes.NewReader(b))
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
req.Header.Set("Content-Type", "application/json")
|
||||
|
||||
cli := &http.Client{
|
||||
Transport: &http.Transport{
|
||||
TLSClientConfig: &tls.Config{
|
||||
InsecureSkipVerify: true,
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
resp, err := cli.Do(req)
|
||||
resp, err := insecureLocalClient().Do(req)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -878,7 +845,7 @@ func (c *Cluster) deleteVnetResources(ctx context.Context, resourceGroup, vnetNa
|
|||
return errors.Join(errs...)
|
||||
}
|
||||
|
||||
func (c *Cluster) peerSubnetsToCI(ctx context.Context, vnetResourceGroup, clusterName string) error {
|
||||
func (c *Cluster) peerSubnetsToCI(ctx context.Context, vnetResourceGroup string) error {
|
||||
cluster := fmt.Sprintf("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/dev-vnet", c.env.SubscriptionID(), vnetResourceGroup)
|
||||
|
||||
r, err := azure.ParseResourceID(c.ciParentVnet)
|
||||
|
|
|
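Review bot: The new `insecureLocalClient()` in the hunk at @ -69,6 builds a fresh `http.Transport` on every call, and it is now called per request at @ -615, @ -637 and @ -690, so each request gets its own connection pool: connections to the local RP are never reused, and because the literal sets no `IdleConnTimeout` the idle keep-alive connection of each throwaway transport stays open until the server closes it, whereas the replaced package-level `var` shared one transport. If the intent was to avoid the init-time allocation, back the function with a lazily built shared client (`sync.Once`, which needs `"sync"` added to the import block at @ -44) instead of constructing per call. The function also deserves a doc comment stating why `InsecureSkipVerify` is acceptable: it only talks to the local development RP at `localDefaultURL`, which presents a self-signed certificate, and the visible call sites are gated behind `IsLocalDevelopmentMode()` — that scope should be written down so the helper is not reused against a real endpoint.
```go
var (
	insecureLocalClientOnce sync.Once
	insecureLocalClientInst *http.Client
)

// insecureLocalClient returns a shared HTTP client for the local development
// RP at localDefaultURL, which presents a self-signed certificate. It skips TLS
// verification and must not be used for anything other than the local RP.
func insecureLocalClient() *http.Client {
	insecureLocalClientOnce.Do(func() {
		insecureLocalClientInst = &http.Client{
			Transport: &http.Transport{
				TLSClientConfig: &tls.Config{
					InsecureSkipVerify: true,
				},
			},
		}
	})
	return insecureLocalClientInst
}
```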
@ -1,84 +0,0 @@
|
|||
package rolesets
|
||||
|
||||
// Copyright (c) Microsoft Corporation.
|
||||
// Licensed under the Apache License 2.0.
|
||||
|
||||
import (
|
||||
"github.com/Azure/ARO-RP/pkg/api"
|
||||
)
|
||||
|
||||
var DefaultPlatformWorkloadIdentityRoleSet = api.PlatformWorkloadIdentityRoleSet{
|
||||
Properties: api.PlatformWorkloadIdentityRoleSetProperties{
|
||||
OpenShiftVersion: "4.14",
|
||||
PlatformWorkloadIdentityRoles: []api.PlatformWorkloadIdentityRole{
|
||||
{
|
||||
OperatorName: "CloudControllerManager",
|
||||
RoleDefinitionName: "Azure RedHat OpenShift Cloud Controller Manager Role",
|
||||
RoleDefinitionID: "/providers/Microsoft.Authorization/roleDefinitions/a1f96423-95ce-4224-ab27-4e3dc72facd4",
|
||||
ServiceAccounts: []string{
|
||||
"openshift-cloud-controller-manager:cloud-controller-manager",
|
||||
},
|
||||
},
|
||||
{
|
||||
OperatorName: "ClusterIngressOperator",
|
||||
RoleDefinitionName: "Azure RedHat OpenShift Cluster Ingress Operator Role",
|
||||
RoleDefinitionID: "/providers/Microsoft.Authorization/roleDefinitions/0336e1d3-7a87-462b-b6db-342b63f7802c",
|
||||
ServiceAccounts: []string{
|
||||
"openshift-ingress-operator:ingress-operator",
|
||||
},
|
||||
},
|
||||
{
|
||||
OperatorName: "MachineApiOperator",
|
||||
RoleDefinitionName: "Azure RedHat OpenShift Machine API Operator Role",
|
||||
RoleDefinitionID: "/providers/Microsoft.Authorization/roleDefinitions/0358943c-7e01-48ba-8889-02cc51d78637",
|
||||
ServiceAccounts: []string{
|
||||
"openshift-machine-api:machine-api-operator",
|
||||
},
|
||||
},
|
||||
{
|
||||
OperatorName: "StorageOperator",
|
||||
RoleDefinitionName: "Azure RedHat OpenShift Storage Operator Role",
|
||||
RoleDefinitionID: "/providers/Microsoft.Authorization/roleDefinitions/5b7237c5-45e1-49d6-bc18-a1f62f400748",
|
||||
ServiceAccounts: []string{
|
||||
"openshift-cluster-csi-drivers:azure-disk-csi-driver-operator",
|
||||
"openshift-cluster-csi-drivers:azure-disk-csi-driver-controller-sa",
|
||||
},
|
||||
},
|
||||
{
|
||||
OperatorName: "NetworkOperator",
|
||||
RoleDefinitionName: "Azure RedHat OpenShift Network Operator Role",
|
||||
RoleDefinitionID: "/providers/Microsoft.Authorization/roleDefinitions/be7a6435-15ae-4171-8f30-4a343eff9e8f",
|
||||
ServiceAccounts: []string{
|
||||
"openshift-cloud-network-config-controller:cloud-network-config-controller",
|
||||
},
|
||||
},
|
||||
{
|
||||
OperatorName: "ImageRegistryOperator",
|
||||
RoleDefinitionName: "Azure RedHat OpenShift Image Registry Operator Role",
|
||||
RoleDefinitionID: "/providers/Microsoft.Authorization/roleDefinitions/8b32b316-c2f5-4ddf-b05b-83dacd2d08b5",
|
||||
ServiceAccounts: []string{
|
||||
"openshift-image-registry:cluster-image-registry-operator",
|
||||
"openshift-image-registry:registry",
|
||||
},
|
||||
},
|
||||
{
|
||||
OperatorName: "AzureFilesStorageOperator",
|
||||
RoleDefinitionName: "Azure RedHat OpenShift Azure Files Storage Operator Role",
|
||||
RoleDefinitionID: "/providers/Microsoft.Authorization/roleDefinitions/0d7aedc0-15fd-4a67-a412-efad370c947e",
|
||||
ServiceAccounts: []string{
|
||||
"openshift-cluster-csi-drivers:azure-file-csi-driver-operator",
|
||||
"openshift-cluster-csi-drivers:azure-file-csi-driver-controller-sa",
|
||||
"openshift-cluster-csi-drivers:azure-file-csi-driver-node-sa",
|
||||
},
|
||||
},
|
||||
{
|
||||
OperatorName: "ServiceOperator",
|
||||
RoleDefinitionName: "Azure RedHat OpenShift Service Operator",
|
||||
RoleDefinitionID: "/providers/Microsoft.Authorization/roleDefinitions/4436bae4-7702-4c84-919b-c4069ff25ee2",
|
||||
ServiceAccounts: []string{
|
||||
"openshift-azure-operator:aro-operator-master",
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|