* Generate mocks for Azure clients added in cluster MSI PR
* Add other small changes in response to previous PR feedback:
- Get subscription ID from subscription doc instead of a platform MI
- Remove an unused mock controller
Mocks for these interfaces were previously present, but if you remove them and make generate, they don't get replaced. I'm guessing that when they were added, the committer forgot to commit their changes to the generate.go files. This came to my attention as I was moving us over to the Uber fork because it caused errors while I was trying to get builds and unit tests working, so I codified the generation properly in this commit.
* Removed non-containerized stuff from the CI pipeline.
* Kept the make generate check in the NotContainerized stage.
* removed the non-containerized Go block from the CI pipeline
* Add a parameter for enabling Entra ID RBAC on key vaults
* Add an RP-level feature flag for determining whether to use the mock MSI RP
* Tweak the mock identity URL to play nicely with the mock MSI RP
* Add Azure SDK client wrappers for new clients (federated identity credentials control plane and key vault data plane)
* Vendor in new Azure SDK clients and update msi-dataplane
* Lay groundwork for use of cluster MSI...
- Initialize the MSI dataplane client, using the mock MSI RP/stub if
appropriate
- Initialize key vault store client (for MSI certificates; functionality
is implemented in MSI dataplane module)
- Create a cluster MSI certificate and store it in the key vault during
cluster bootstrap
- Instantiate an Azure SDK FederatedIdentityCredential client using the
cluster MSI certificate
- Delete the cluster MSI certificate as needed during cluster deletion
* Don't fail during cluster deletion if the cluster MSI certificate is
already gone from the key vault (or was potentially never created)
* Establish an RP-Config variable for the MSI RP endpoint
- Update doc comment for ensureClusterMsiCertificate
- Simplify conditional logic in MSI cert deletion
* Use pointer conversion functions that aren't deprecated
* Respond to PR comments (and fix some other things along the way)
- Move `clusterMsiResourceId` function to `OpenShiftCluster` type
- When persisting the MSI cert to KV, use the `NotAfter` returned by the MSI RP (for the stub, just use an arbitrary value)
- Move `getClientOptions` functionality to `AROEnvironment` type
- Move logic for determining cluster MSI key vault name to `pkg/env`
- Pull cloud name mapping stuff out to `AROEnvironment` type
- Update msi-dataplane module to include new changes and use `UserAssignedIdentities` type to get Azure credential in `pkg/cluster/clustermsi.go`
- Fix typo in https URL in comment in `pkg/cluster/delete.go`
- Implement suggestion to use `errors.As` instead of a type assertion in `pkg/cluster/delete.go`
* Update documentation with info about new feature flag
- Move new cluster MSI steps forward in bootstrap step order
- Move MSI dataplane client options stuff to pkg/env
- Explicitly check for a single cluster MSI in `ClusterMsiResourceId`
- Other small tweaks
* Vendor in msi-dataplane update that prevents a potential nil pointer dereference
* Add missing method to internal key vault client
* Make error messages more specific in ClusterMsiResourceId
* Add missing env vars to run-rp make target and uncomment dynamic validation bootstrap step
- In newly added Azure clients, return struct types instead of interface
types
- Move cluster MSI certificate deletion to be after Azure resource
deletion for safety just in case cx continues to use cluster that is
in Failed/Deleting provisioning state
* Add new env vars for MIWI to env.example for clarity/completeness
* Turn check for nonzero number of user assigned identities into a utility function
* Use existing constant for key vault dns suffix
- Converted containerized CI process to use docker for ease of use in ADO
- Added stage to authenticate and push CI images to ACR
- Added support for extracting test results and coverage files from containerized build
* prevent updating existing platform identities
This adds a check to v20240812preview static validation that raises an
error if either the name or resource ID of an existing platform identity
* allow changing operator identity order
This allows changing the order of platform identities while still
preventing the resource ID and operator name from being changed
* additional platform identity update validation
This prevents removal of a platform identity or changing the identity's
OperatorName and ResourceID at the same time
* detect duplicate operator names in platform workload identity profiles
* use a map instead of a slice
* update the operator master deployment to support workload identity
This causes the spec for the operator master deployment to mount the
service account token as a volume, and maps the path to the environment
variable expected by Azure to support workload identities
* remove unused ExpectError value from test struct
* mount the token secret as a directory, not a file
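The workload identity wiring described in the two commits above (project the service account token into a volume, mount the directory rather than the file, and point the Azure SDK at the token path), as an added illustration that is not the ARO-RP manifest itself; the deployment, service account and container names, the image, the client and tenant IDs and the mount path are all assumed placeholders:

```yaml
# Added illustration, not the ARO-RP operator manifest. Names, image and IDs are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: aro-operator-master                  # assumed name
spec:
  template:
    spec:
      serviceAccountName: aro-operator-master  # assumed name
      containers:
        - name: aro-operator
          image: PLACEHOLDER_IMAGE
          env:
            # Azure SDK workload identity credentials read the federated token from this file.
            - name: AZURE_FEDERATED_TOKEN_FILE
              value: /var/run/secrets/azure/tokens/azure-identity-token
            - name: AZURE_CLIENT_ID
              value: "<client id of the operator's managed identity>"   # placeholder
            - name: AZURE_TENANT_ID
              value: "<tenant id>"                                       # placeholder
          volumeMounts:
            # Mount the directory, not the token file (no subPath), so the
            # kubelet's periodic rotation of the projected token is visible
            # inside the container.
            - name: azure-identity-token
              mountPath: /var/run/secrets/azure/tokens
              readOnly: true
      volumes:
        - name: azure-identity-token
          projected:
            sources:
              - serviceAccountToken:
                  path: azure-identity-token
                  expirationSeconds: 3600
                  audience: api://AzureADTokenExchange
```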
* Remove dnf update cron job
Automatic OS Updates are configured. Updating packages via a cron job is no longer required.
* Remove certs arg from verify_role, Add/Remove comments
Certificate generation has been broken up into a named function for each VMSS role. This means it's no longer necessary to provide the certs=true argument when checking VMSS roles.
Add a comment for why AZURE_CLOUD_NAME returns an error if unset.
Remove az cli login comment from pull_container_images, it is no longer relevant after the last refactor.
* Set Azure prefix and USER as optional at env.example
Follow-up commit to use an Azure unique prefix for the Azure resources that ARO-RP is using instead of always fetching the USER. When the AZURE_PREFIX env var is not set, use the USER env var.
* Use westeurope as default location
Don't override the existing LOCATION env var when it is already set, and use 'westeurope' as the default value.
* Add secret location to PlatformWorkloadIdentityRoleSet
* Add generatePlatformWorkloadIdentitySecrets function
* Add mutable:true validate:required struct tags to SecretLocation fields on admin api
* Add functions for other required WI resources
* Remove redundant UsesWorkloadIdentity check from generatePlatformWorkloadIdentitySecrets
* Fix coordinates for static CCO secret; move static coordinate strings to const values
* Return resources as map (w/ filename as key) instead of list
* Explicitly set TypeMeta on workload identity resources
This is needed in order to easily serialize these resources to YAML,
e.g. when setting them as string values in a Secret map for Hive to use
as an install manifest. Not setting these values will result in them being
omitted from the resulting JSON/YAML.
The original `enumer` tool has not been maintained for the last five years and
does not support newer Go syntax. We can use this fork of the tool that
is getting life support for this reason instead.
Signed-off-by: Steve Kuznetsov <stekuznetsov@microsoft.com>
* Move Hive hack files under one directory
Group the Hive files under hack directory to hack/hive
* Refactor Hive installation and hack files location
Group the Hive files under hack directory to hack/hive, and refactor Hive installation using main function and utils.sh
* Print troubleshooting for Hive deployment rollout
Trust in the operator installation and print two options to monitor Hive deployment rollout
* Small fixes for hive installation script
Use double quote to prevent word splitting, break long line into multiple, use '-n' over '! -z', simpler if check, use consistent function declaration syntax, trap outside main and after cleanup is declared