* Add missing Identity fields to API converters
* Properly convert PlatformWorkloadIdentityProfile from internal -> admin
* Do not clobber existing read-only fields on admin PUT/PATCH
* Fix silly mistakes...
* Fix unit test case
* Do not clobber existing PlatformWorkloadIdentity readonly fields (clientid/objectid) on patch
* Ensure CSP-specific update steps only run for CSP clusters
* Ensure ClientId/ObjectIds are populated for all platform workload identities
* Ensure required federated identity credentials during cluster update
Note that additional work is still required to ensure this works as expected,
which will be handled in follow-up efforts.
* Add step to directly deploy platform workload identity credential secrets on-cluster during Update
* Refactor: extract mock platformWorkloadIdentityRolesByVersion setup to shared function
* Do not clobber existing ManagedServiceIdentity fields (IssuerURI) on patch
* Apply upgradeable-to annotation to cloudcredential resource via Patch
This avoids issues with e.g. having the wrong version of the resource struct
definition vendored into the RP.
* Fix az aro update request body handling
- Only pass in new/updated identities (RP will add these to the existing identity map during a patch operation)
- Only set the upgradeableTo property if it is explicitly set
* api changes
fix tag package-2023-11
this was wrong in the readme
remove UserAssignedIdentities
top level fields must not have additionalproperties
update the default tag to latest
define a new IdentityType with x-ms-enum
modelAsString on identityType x-ms-enum should be false
rename IdentityType to ResourceIdentityType to match v3/types.json
make client
add descriptions to all new API fields
make client
fix unit test that was failing as a result of removing the UserAssignedIdentity type from the API
Adjust a doc comment according to feedback
make client
* add platformworkloadidentityroleset to API definition and examples
Update client generation to account for swagger subfolder
make client
fix pwip and validatestatic unit tests
fix relative path to common-types
migrate from common-types/v3 to common-types/v6
it was requested that we use the latest version of
common types. This involves some changes to our examples
to match the UUID expected.
move from Identity to ManagedServiceIdentity type
defined in common-types/v6
use modelerfour.lenient-model-deduplication=true
avoids python client generation issues
convert PlatformWorkloadIdentity to map
ARO-4382 fix unit test cases
make generate swagger
fix unit tests
revert naming openShiftCluster.ManagedServiceIdentity to Identity
fix prod code and unit tests post-rebase, reference common-types
directly for the identity property
* more swagger CI fixes
* fix examples to contain identity and type
* remove PlatformWorkloadIdentityRoleSetUpdate
oct 16th changes
oct 17th changes
fix issues post-rebase
* update readme to contain suppression for avoidAdditionalProperties
* fix ModelValidation error by converting example IDs to resourceIDs
* Update python/go clients
* Update az aro extension to enumerate platform_workload_identities as a dict instead of a list
* Fix python linter issues
* configure suppression for PatchBodyParametersSchema
appease the linter, fix subscriptionID type in util/azureclient
appease the linter again
correct log statement, use better naming
* regenerate examples
* changes operatorName and roleDefinitionName in PWIRS_List.json
---------
Co-authored-by: Tanmay Satam <tsatam@redhat.com>
* Add a parameter for enabling Entra ID RBAC on key vaults
* Add an RP-level feature flag for determining whether to use the mock MSI RP
* Tweak the mock identity URL to play nicely with the mock MSI RP
* Add Azure SDK client wrappers for new clients (federated identity credentials control plane and key vault data plane)
* Vendor in new Azure SDK clients and update msi-dataplane
* Lay groundwork for use of cluster MSI...
- Initialize the MSI dataplane client, using the mock MSI RP/stub if
appropriate
- Initialize key vault store client (for MSI certificates; functionality
is implemented in MSI dataplane module)
- Create a cluster MSI certificate and store it in the key vault during
cluster bootstrap
- Instantiate an Azure SDK FederatedIdentityCredential client using the
cluster MSI certificate
- Delete the cluster MSI certificate as needed during cluster deletion
* Don't fail during cluster deletion if the cluster MSI certificate is
already gone from the key vault (or was potentially never created)
* Establish an RP-Config variable for the MSI RP endpoint
- Update doc comment for ensureClusterMsiCertificate
- Simplify conditional logic in MSI cert deletion
* Use pointer conversion functions that aren't deprecated
* Respond to PR comments (and fix some other things along the way)
- Move `clusterMsiResourceId` function to `OpenShiftCluster` type
- When persisting the MSI cert to KV, use the `NotAfter` returned by the MSI RP (for the stub, just use an arbitrary value)
- Move `getClientOptions` functionality to `AROEnvironment` type
- Move logic for determining cluster MSI key vault name to `pkg/env`
- Pull cloud name mapping stuff out to `AROEnvironment` type
- Update msi-dataplane module to include new changes and use `UserAssignedIdentities` type to get Azure credential in `pkg/cluster/clustermsi.go`
- Fix typo in https URL in comment in `pkg/cluster/delete.go`
- Implement suggestion to use `errors.As` instead of a type assertion in `pkg/cluster/delete.go`
* Update documentation with info about new feature flag
- Move new cluster MSI steps forward in bootstrap step order
- Move MSI dataplane client options stuff to pkg/env
- Explicitly check for a single cluster MSI in `ClusterMsiResourceId`
- Other small tweaks
* Vendor in msi-dataplane update that prevents a potential nil pointer dereference
* Add missing method to internal key vault client
* Make error messages more specific in ClusterMsiResourceId
* Add missing env vars to run-rp make target and uncomment dynamic validation bootstrap step
- In newly added Azure clients, return struct types instead of interface
types
- Move cluster MSI certificate deletion to be after Azure resource
deletion for safety just in case cx continues to use cluster that is
in Failed/Deleting provisioning state
* Add new env vars for MIWI to env.example for clarity/completeness
* Turn check for nonzero number of user assigned identities into a utility function
* Use existing constant for key vault dns suffix
* Clarifying etcd cert renew test
- Updated the test to make it clear it is passing because timeout is being reached
- Updated the timeout from 10s -> 0s to pass faster
* Fix slow changefeed tests
* Add unit tests for existing frontend version validation
* Use semver package to validate versions in frontend instead of regex
This allows the ability to provide prerelease versions or version strings
containing metadata.
* Ensure disableUpdates does not propagate metadata in version string to clusterversion resource
* Update `TestPutOrPatchOpenShiftCluster` to use the latest API version
* Add test case to help ensure identity headers are persisted
* Fix nil pointer dereference in converter
* Fix issue with identity headers not being persisted
* Finish updating variable name in all necessary places
Dumps the VM info + console logs on failure so that we don't need to run the Geneva Action or have the control plane still around to get it. Also refactors frontend and geneva action to make use of the same code path.
* Add Cosmos DB container for PlatformWorkloadIdentityRoleSets
* Revert change to AKS k8s version - committed by mistake
* Fix bug in converter
When I first wrote the converter, I thought Go would treat the the slice
we `make` few lines above these changes as a slice full of zero-value
structs, but it actually treats it as an empty slice, which led to
out-of-bound issues when I first tried to use this converter to work on
the API endpoints.
* Add the PlatformWorkloadIdentityRoleSetConverter to the API register
* Implement the change feed for role sets in the easiest, most naive way
* Implement the external API endpoint for listing role sets
* Fix a small oversight from earlier on
* Add unit tests for the list endpoint
* Add unit tests for changefeed changes
* Uncomment the static validator
* Fix more slice out of bounds bugs in the converters...
* Add converter and static validator to the admin API register
* Add list and put endpoints
* Fix name of function to match convention
* Fix bug in static validator
I originally wrote the code the way I did so that we could aggregate
errors so that we could provide a better UX in cases where there are
multiple similar errors in the request content. I found while writing
unit tests that aggregating the errors in this way and not wrapping them
in a CloudError causes the RP to return an internal server error instead
of a 400 bad request.
Is there a way we can aggregate the errors and still wrap them in a
CloudError? I'm not sure of the formatting requirements for the text of
CloudErrors.
* Add unit tests for new API endpoints
* Fix typo
* Appease the linter
* Appease the linter
* Add TODO comment re: the number of parameters
* Update static validator to return multiple validation issues at the same time where applicable for better UX
* Add a simple utility function to make semver comparisons of OpenShift minor version more readable
* Log error before returning 500 to user
* Log errors before returning 500 to user
* Improve naming of unit test cases
* Add additional unit test cases
Tanmay Satam
Nicolas Ontiveros
Ayato Tokubi
Nicolas Ontiveros
Kipp Morris
Caden Marchese
Amber Brown
kimorris27
Brendan Bergen
Sanjana Lawande
Sanjana Lawande
Aldo Fuster Turpin
bennerv
BCarvalheira
Maitiú Ó Ciaráin
Rajdeep Singh Chauhan
Nicolas Ontiveros
cadenmarchese