* Metrics for SyncSet and SelectorSyncSets
merging 8659 and 9545
* Since emitClusterSync is run unconditionally, even in environments
without Hive, make sure that it doesn't panic when the monitor's
hive.ClusterManager is nil
Compare to preexisting code in emitHiveRegistrationStatus
* Add Hive rest config and ClusterManager to monitor
---------
Co-authored-by: kimorris27 <kimorris@redhat.com>
* Update disableSamples test to use samplesclient fake instead of mock
* Create new samples config with Removed managementstate if config does not exist
* move to go-jose v3 instead of the gopkg.in version
* while I'm here, fix license locations
* bump to josev4
* update go-oidc, containers/ocicrypt, and letsencrypt/boulder to versions that use josev4
* add the option to not check for whitespace in error checking, because sometimes the format strings are weird
* don't check for the whitespace in this error
* go mod tidy
* go mod vendor
* bump cluster-credentials-operator
* add Get to roledefinitions client
* check script
* pipeline
* use parameters
* change target-version help message
* vendor
* fix role.go
* use candidate channel
* use operator names in RP-Config
* modify the output format
* changed to use quay.io API
* add some comments
* remove pipeline resource
* change role definition names
* Generate federated MIWI credentials
bring in more changes from master
typos
add len check for federated Identity naming
don't return cluster ID when OIDC issuer is nil
skip RBAC on CSP for WI cluster
check for invalid object ID before RBAC template creation
single quote when passing resource Name
check for nil clusterMsiFederatedIdentityCredentials
remove unused controller
ensure the case folding of cluster MSI resourceID
Fed Cred name logic
update calls to fetch fed cred name
No RBAC for Cluster MSI
update getPlatformWorkloadIdentityFederatedCredName
fix WI RG RBAC
define constants to improve readability
correct the call to resourceGroupRoleAssignmentWithDetails
Move fed cred deletion to be before cluster MSI cert deletion and add a log statement for fed cred deletion
Rename function for clarity and to match name of unit test function
Nitpick test case names for clarity and test data for correctness
* don't continue resource clean up on fed cred deletion fails
* remove duplicate of clusterServicePrincipalRBAC()
* nit
---------
Co-authored-by: gniranjan <gniranjan@microsoft.com>
* Add a parameter for enabling Entra ID RBAC on key vaults
* Add an RP-level feature flag for determining whether to use the mock MSI RP
* Tweak the mock identity URL to play nicely with the mock MSI RP
* Add Azure SDK client wrappers for new clients (federated identity credentials control plane and key vault data plane)
* Vendor in new Azure SDK clients and update msi-dataplane
* Lay groundwork for use of cluster MSI...
- Initialize the MSI dataplane client, using the mock MSI RP/stub if
appropriate
- Initialize key vault store client (for MSI certificates; functionality
is implemented in MSI dataplane module)
- Create a cluster MSI certificate and store it in the key vault during
cluster bootstrap
- Instantiate an Azure SDK FederatedIdentityCredential client using the
cluster MSI certificate
- Delete the cluster MSI certificate as needed during cluster deletion
* Don't fail during cluster deletion if the cluster MSI certificate is
already gone from the key vault (or was potentially never created)
* Establish an RP-Config variable for the MSI RP endpoint
- Update doc comment for ensureClusterMsiCertificate
- Simplify conditional logic in MSI cert deletion
* Use pointer conversion functions that aren't deprecated
* Respond to PR comments (and fix some other things along the way)
- Move `clusterMsiResourceId` function to `OpenShiftCluster` type
- When persisting the MSI cert to KV, use the `NotAfter` returned by the MSI RP (for the stub, just use an arbitrary value)
- Move `getClientOptions` functionality to `AROEnvironment` type
- Move logic for determining cluster MSI key vault name to `pkg/env`
- Pull cloud name mapping stuff out to `AROEnvironment` type
- Update msi-dataplane module to include new changes and use `UserAssignedIdentities` type to get Azure credential in `pkg/cluster/clustermsi.go`
- Fix typo in https URL in comment in `pkg/cluster/delete.go`
- Implement suggestion to use `errors.As` instead of a type assertion in `pkg/cluster/delete.go`
* Update documentation with info about new feature flag
- Move new cluster MSI steps forward in bootstrap step order
- Move MSI dataplane client options stuff to pkg/env
- Explicitly check for a single cluster MSI in `ClusterMsiResourceId`
- Other small tweaks
* Vendor in msi-dataplane update that prevents a potential nil pointer dereference
* Add missing method to internal key vault client
* Make error messages more specific in ClusterMsiResourceId
* Add missing env vars to run-rp make target and uncomment dynamic validation bootstrap step
- In newly added Azure clients, return struct types instead of interface
types
- Move cluster MSI certificate deletion to be after Azure resource
deletion for safety just in case cx continues to use cluster that is
in Failed/Deleting provisioning state
* Add new env vars for MIWI to env.example for clarity/completeness
* Turn check for nonzero number of user assigned identities into a utility function
* Use existing constant for key vault dns suffix
* ARO-4376 Track2 authorization api addition for roledefinitions
* ARO-4376 add a stringutil funcs
* ARO-4376 use dbPlatformWorkloadIdentityRoleSets to get platform identity roles for cluster version
* ARO-4376 add dynamic validation for platformworkloadidentityprofile
* ARO-4376 resolve initial comments
* ARO-4376 refactor error messages and checkaccess action crosscheck
* ARO-4376 Add unit tests and comments resolution
* ARO-4376 add validation for upgradeableTo
* ARO-4376 Comment resolution and additional unit tests
* ARO-4376 minor version comparison handling
* ARO-4376 update permission error messaging handling for MIWI
* ARO-4376 update constructors to return non-interface type
* ARO-4376 add unit tests for GroupsIntersect
* ARO-4376 update generate files to support bingo
* fix make aro build in onebranch
* just install jq for clean subscription
* move fipsdetect and gojq out of go run/manual go build territory
* install tools for validate-fips and e2e
* add to bin
* copy gojq here too
* go mod tidy
* go mod vendor
* Update openshift/api to release-4.12
* Add machinev1 resources to scheme
* Add CPMSDeactivatorEnabled flag
* Add CPMS Deactivator operator controller
* Add controlplanemachinesets to system:aro-sre ClusterRole
* Use better naming convention for CPMS controller flag
* Change debug log messages to info
* Make CPMS controller exit early if clusterversion < 4.12
* Only setup CPMS controller on clusters with machinev1 API
This is necessary in order to Watch the CPMS resource - this operation will fail on
clusters that do not support the Machine V1 API (OCP <= 4.11), causing controller
setup to fail. Since these clusters do not have a CPMS resource to manage, we can
safely skip running this controller on those clusters.
* Fix CPMS controller name