Add Aro-hcp proposal #5605
Add Aro-hcp proposal #5605
Conversation
k8s-ci-robot
added
release-note-none
k8s-ci-robot
added
the
size/XL
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #5605 +/- ##
==========================================
- Coverage 53.28% 52.84% -0.45%
==========================================
Files 272 278 +6
Lines 29537 29610 +73
==========================================
- Hits 15739 15647 -92
- Misses 12983 13146 +163
- Partials 815 817 +2 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
serngawy
force-pushed
the
aro-proposal
branch
2 times, most recently
from
22ad098 to
35b0abc
Compare
|
|
||
| // Resource group name where the Aro-hcp will be attached to it. | ||
| ResourceGroup string `json:"resourceGroup,omitempty"` | ||
|
|
There was a problem hiding this comment.
IMHO we will also need the:
tenant_id,subscription_id,managed_resource_group_name(not onlyresource_group_name)
to create a cluster, isn't it?
There was a problem hiding this comment.
yes, those info are provided at the azureclusteridentity
| // PlatformProfile represents the Azure platform configuration. | ||
| type PlatformProfile struct { | ||
| // Azure subnet id | ||
| Subnet string `json:"subnet,omitempty"` |
There was a problem hiding this comment.
Why Subnet & SubnetRef ?
subnet id or cluster id or node pool id ? I'm not sure base on: https://github.com/Azure/ARO-HCP/blob/main/cluster-service/cluster-creation.md#creating-node-pools
Replicas & autorepare will be used from capi MachinePool?
There was a problem hiding this comment.
subnetRef will be referring to VirtualNetworksSubnet CR by name.
yes, replicas defined at CAPI machinePool CR
docs/proposals/20250425-aro-hcp.md
Outdated
| ControlPlaneOperators map[string]string `json:"controlPlaneOperators,omitempty"` | ||
|
|
||
|
|
||
| // DataPlaneOperators ref to Microsoft.ManagedIdentity/userAssignedIdentities | ||
| DataPlaneOperators map[string]string `json:"dataPlaneOperators,omitempty"` | ||
|
|
||
|
|
||
| // ServiceManagedIdentity ref to Microsoft.ManagedIdentity/userAssignedIdentities | ||
| ServiceManagedIdentity string `json:"serviceManagedIdentity,omitempty"` |
There was a problem hiding this comment.
What are the keys in those maps?
What about to replace maps with structures for it?
There was a problem hiding this comment.
I updated the managed Identities to include all the required identities names
| ServiceManagedIdentity string `json:"serviceManagedIdentity,omitempty"` | ||
| } | ||
|
|
||
| type ControlPlaneOperators struct { |
There was a problem hiding this comment.
Are we not planning to reuse the HyperShift API for this, rather than duplicating API efforts?
There was a problem hiding this comment.
no, we will re-use the Hypershift API. The naming for CRD fields is a bit different but internally with API call will set the naming as here
| KmsManagedIdentities string `json:"kmsManagedIdentities,omitempty"` | ||
| } | ||
|
|
||
| type DataPlaneOperators struct { |
There was a problem hiding this comment.
Similar question as above, re: reusing HyperShift API
| ServiceManagedIdentity string `json:"serviceManagedIdentity,omitempty"` | ||
| } | ||
|
|
||
| type ControlPlaneOperators struct { |
There was a problem hiding this comment.
Should we also list the exact role definitions each one of these will get?
There was a problem hiding this comment.
not sure if I understand, The field desc mentioning the role definition "control-plane" and similar for every UAMI
There was a problem hiding this comment.
Every control plane and data plane are assigned a specific Azure role definition(s) - CNTRLPLANE-171.
For example, the ingress managed identity is only assigned the "Azure Red Hat OpenShift Cluster Ingress Operator" role over the resource groups containing the VNET and the DNS Zone.
There was a problem hiding this comment.
okay, that is fine we will use the same role naming and keys. Would you mention the ref for it from the Hypershift repo . I don't think the Jira url above is accessible for everyone.
There was a problem hiding this comment.
The mapping of control plane to role definition to resource group does not reside from the HyperShift repo. I am not sure if it is available in some public fashion on the ARO side 🤔
There was a problem hiding this comment.
There was a problem hiding this comment.
it is here in the ocm-cluster-service
There was a problem hiding this comment.
FWIW, we do not set the role definitions in HyperShift. That is assumed to be done prior to creating the HostedCluster.
The HyperShift link you mentioned is related to the HyperShift CLI, which does set the role definitions but that is only for development and testing use.
There was a problem hiding this comment.
hmm, so we need to have this defined some where yes/no ?
Also this is more like implementation details for the UserAssignedIdentity CR that will be created we will need to set the right spec info
There was a problem hiding this comment.
I think it would be nice to be defined somewhere.
Maybe it goes with the UserAssignedIdentity CR; is that defined somewhere?
|
/assign |
docs/proposals/20250425-aro-hcp.md
Outdated
| ControlPlaneManagedIdentities string `json:"controlPlaneOperatorsManagedIdentities,omitempty"` | ||
|
|
||
| // ClusterApiAzureManagedIdentities "cluster-api-azure" Microsoft.ManagedIdentity/userAssignedIdentities | ||
| ClusterApiAzureManagedIdentities string `json:clusterApiAzureManagedIdentities",omitempty"` |
There was a problem hiding this comment.
sometimes is here badly formatted json option:
json:clusterApiAzureManagedIdentities",omitempty" -> json:"clusterApiAzureManagedIdentities,omitempty"
The " should be moved after json: . There is such a typo multiple times.
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
docs/proposals/20250425-aro-hcp.md
Outdated
|
|
||
| // IdentityRef is a reference to an identity to be used when reconciling the aro control plane. | ||
| // If no identity is specified, the default identity for this controller will be used. | ||
| IdentityRef *infrav1.AzureClusterIdentity `json:"identityRef,omitempty"` |
There was a problem hiding this comment.
| IdentityRef *infrav1.AzureClusterIdentity `json:"identityRef,omitempty"` | |
| IdentityRef *corev1.ObjectReference `json:"identityRef,omitempty"` |
docs/proposals/20250425-aro-hcp.md
Outdated
| identityRef: | ||
| name: aro-identity |
There was a problem hiding this comment.
| identityRef: | |
| name: aro-identity | |
| identityRef: | |
| kind: AzureClusterIdentity | |
| name: aro-identity | |
| namespace: default |
docs/proposals/20250425-aro-hcp.md
Outdated
|
|
||
| // DiskStorageAccountType represents supported Azure storage account types. | ||
| // Available values are Premium_LRS, StandardSSD_LRS and Standard_LRS. | ||
| DiskStorageAccountType DiskStorageAccountType `json:"diskStorageAccountType,omitempty"` |
There was a problem hiding this comment.
The right type is IMHO enumeration compute.DiskStorageAccountTypes ... but make generate fails fit NPE :(
I'm suggesting:
| DiskStorageAccountType DiskStorageAccountType `json:"diskStorageAccountType,omitempty"` | |
| DiskStorageAccountType string `json:"diskStorageAccountType,omitempty"` |
There was a problem hiding this comment.
okay, with the kubebuilder tags it should be as string with enum validation tag.
docs/proposals/20250425-aro-hcp.md
Outdated
|
|
||
|
|
||
| ```yaml | ||
| apiVersion: controlplane.cluster.x-k8s.io/v1alpha1 |
There was a problem hiding this comment.
| apiVersion: controlplane.cluster.x-k8s.io/v1alpha1 | |
| apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 |
There was a problem hiding this comment.
its a controlplane group but version should v1beta2
There was a problem hiding this comment.
its a controlplane group but version should v1beta2
docs/proposals/20250425-aro-hcp.md
Outdated
| // DiskCsiDrivereManagedIdentities "disk-csi-driver" Microsoft.ManagedIdentity/userAssignedIdentities | ||
| DiskCsiDrivereManagedIdentities string `json:"diskCsiDrivereManagedIdentities,omitempty"` |
There was a problem hiding this comment.
| // DiskCsiDrivereManagedIdentities "disk-csi-driver" Microsoft.ManagedIdentity/userAssignedIdentities | |
| DiskCsiDrivereManagedIdentities string `json:"diskCsiDrivereManagedIdentities,omitempty"` | |
| // DiskCsiDriverManagedIdentities "disk-csi-driver" Microsoft.ManagedIdentity/userAssignedIdentities | |
| DiskCsiDriverManagedIdentities string `json:"diskCsiDriverManagedIdentities,omitempty"` |
docs/proposals/20250425-aro-hcp.md
Outdated
| // DiskCsiDrivereManagedIdentities "disk-csi-driver" Microsoft.ManagedIdentity/userAssignedIdentities | ||
| DiskCsiDrivereManagedIdentities string `json:"diskCsiDrivereManagedIdentities,omitempty"` |
There was a problem hiding this comment.
linter's request:
| // DiskCsiDrivereManagedIdentities "disk-csi-driver" Microsoft.ManagedIdentity/userAssignedIdentities | |
| DiskCsiDrivereManagedIdentities string `json:"diskCsiDrivereManagedIdentities,omitempty"` | |
| // DiskCsiDriverManagedIdentities "disk-csi-driver" Microsoft.ManagedIdentity/userAssignedIdentities | |
| DiskCsiDriverManagedIdentities string `json:"diskCsiDriverManagedIdentities,omitempty"` |
docs/proposals/20250425-aro-hcp.md
Outdated
|
|
||
|
|
||
| // ResourceGroup Ref name that is used to create the ResourceGroup CR. The ResourceGroupRef must be in the same namespace as the AroControlPlane and cannot be set with ResourceGroup. | ||
| ResourceGroupRef string `json:"resourceGroup,omitempty"` |
There was a problem hiding this comment.
| ResourceGroupRef string `json:"resourceGroup,omitempty"` | |
| ResourceGroupRef string `json:"resourceGroupRef,omitempty"` |
docs/proposals/20250425-aro-hcp.md
Outdated
| // ClusterApiAzureManagedIdentities "cluster-api-azure" Microsoft.ManagedIdentity/userAssignedIdentities | ||
| ClusterApiAzureManagedIdentities string `json:"clusterApiAzureManagedIdentities,omitempty"` |
There was a problem hiding this comment.
| // ClusterApiAzureManagedIdentities "cluster-api-azure" Microsoft.ManagedIdentity/userAssignedIdentities | |
| ClusterApiAzureManagedIdentities string `json:"clusterApiAzureManagedIdentities,omitempty"` | |
| // ClusterAPIAzureManagedIdentities "cluster-api-azure" Microsoft.ManagedIdentity/userAssignedIdentities | |
| ClusterAPIAzureManagedIdentities string `json:"clusterApiAzureManagedIdentities,omitempty"` |
docs/proposals/20250425-aro-hcp.md
Outdated
| // ApiURL is the url for the ARO-HCP openshift cluster api endPoint. | ||
| ApiURL string `json:"apiURL,omitempty"` |
There was a problem hiding this comment.
linter's reguest:
| // ApiURL is the url for the ARO-HCP openshift cluster api endPoint. | |
| ApiURL string `json:"apiURL,omitempty"` | |
| // APIURL is the url for the ARO-HCP openshift cluster api endPoint. | |
| APIURL string `json:"apiURL,omitempty"` |
Signed-off-by: serngawy <serngawy@gmail.com>
What type of PR is this?
/kind documentation
What this PR does / why we need it:
Proposal for ARO-HCP feature
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #
Special notes for your reviewer:
TODOs:
Release note: