From ba71d566c41c4187e94feaacb7d02f1db9dc4ebe Mon Sep 17 00:00:00 2001
From: Mark Old
Date: Fri, 1 Sep 2023 13:37:00 -0700
Subject: [PATCH] Add networkResourceGroupName parameter for Azure

This paramter can be used to specify a resource group containing existing network resources, which will be scoped to several network-related operators in addition to the main installation resource group (if one is provided)
---
 pkg/cmd/provisioning/azure/azure.go | 6 +++++
 pkg/cmd/provisioning/azure/create_all.go | 8 +++++++
 .../azure/create_managed_identities.go | 24 +++++++++++++++++--
 3 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/pkg/cmd/provisioning/azure/azure.go b/pkg/cmd/provisioning/azure/azure.go
index fa156e9ae..e9173bab1 100644
--- a/pkg/cmd/provisioning/azure/azure.go
+++ b/pkg/cmd/provisioning/azure/azure.go
@@ -46,6 +46,12 @@ type azureOptions struct {
 // DeleteResourceGroup is a bool indicating that the OIDC resource group should be deleted when
 // ccoctl azure delete is invoked with the --delete-oidc-resource-group flag
 DeleteOIDCResourceGroup bool
+
+ // NetworkResourceGroupName is the name of the Azure resource group for network resources like
+ // the Virtual Network and Subnets used by the cluster. If provided, several operators
+ // (cluster-network-operator, machine-api-operator, and cluster-storage-operator(file)) will be
+ // scoped to the NetworkResourceGroupName.
+ NetworkResourceGroupName string
 }
 
 // NewAzureCmd implements the "azure" subcommand for credentials provisioning
diff --git a/pkg/cmd/provisioning/azure/create_all.go b/pkg/cmd/provisioning/azure/create_all.go
index 9e02baf20..561b6f620 100644
--- a/pkg/cmd/provisioning/azure/create_all.go
+++ b/pkg/cmd/provisioning/azure/create_all.go
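Review bot: The doc comment on the added `NetworkResourceGroupName` field says the listed operators "will be scoped to the NetworkResourceGroupName", which reads as if that resource group replaces their existing scope, whereas the create_managed_identities.go change appends it to the identity's existing scoping resource groups. Suggest `// additionally scoped to the NetworkResourceGroupName, alongside their other scoping resource groups.` so that a reader auditing how broad each identity's role assignments are is not misled. The operator list in this comment is now maintained separately from the CredentialsRequest name constants in create_managed_identities.go; a short cross-reference in the comment would help keep the two in sync.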
@@ -92,6 +92,7 @@ func createAllCmd(cmd *cobra.Command, args []string) {
 CreateAllOpts.OutputDir,
 CreateAllOpts.InstallationResourceGroupName,
 CreateAllOpts.DNSZoneResourceGroupName,
+ CreateAllOpts.NetworkResourceGroupName,
 CreateAllOpts.UserTags,
 CreateAllOpts.EnableTechPreview,
 // dryRun may only be invoked by subcommands create-oidc-issuer and create-managed-identities
@@ -186,6 +187,13 @@ func NewCreateAllCmd() *cobra.Command {
 "A resource group will be created (with name derived from the --name parameter) if an installation-resource-group-name parameter was not provided. "+
 "Note that this resource group must be provided as the installation resource group when installing the OpenShift cluster.",
 )
+ createAllCmd.PersistentFlags().StringVar(
+ &CreateAllOpts.NetworkResourceGroupName,
+ "network-resource-group-name",
+ "",
+ "The name of the Azure resource group for network resources like the Virtual Network and Subnets used by the cluster. "+
+ "If not provided, these resources will be placed in the installation resource group",
+ )
 createAllCmd.PersistentFlags().StringVar(
 &CreateAllOpts.StorageAccountName,
 "storage-account-name",
diff --git a/pkg/cmd/provisioning/azure/create_managed_identities.go b/pkg/cmd/provisioning/azure/create_managed_identities.go
index 99f3ff605..3daadbcae 100644
--- a/pkg/cmd/provisioning/azure/create_managed_identities.go
+++ b/pkg/cmd/provisioning/azure/create_managed_identities.go
@@ -3,6 +3,7 @@ package azure
 import (
 "context"
 "fmt"
+ "k8s.io/utils/strings/slices"
 "log"
 "net/http"
 "os"
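Review bot: The help text for the new `--network-resource-group-name` flag ("If not provided, these resources will be placed in the installation resource group") describes where the installer puts network resources, not what the flag does in ccoctl, which only changes the resource-group scope of the managed identities it creates. Suggest wording it around that effect: `"The name of an existing Azure resource group containing the cluster's network resources (Virtual Network and Subnets). If provided, the managed identities for the machine-api, cloud-network-config-controller and azure-file CSI driver operators are additionally scoped to this resource group."` The identical text is registered in create_managed_identities.go in the `NewCreateManagedIdentitiesCmd` hunk and should change there too. Nothing in either hunk rejects a value equal to `--installation-resource-group-name`; whether that case is harmless depends on how duplicate scopes are handled downstream, which is not visible here, so it is worth either validating or documenting.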
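Review bot: `"k8s.io/utils/strings/slices"` is inserted into the standard-library import group between "fmt" and "log", where goimports grouping would instead place it in a separate non-stdlib group; its only use in this commit is `slices.Contains`. If the module already targets Go 1.21 or newer, the standard-library `slices` package provides `slices.Contains` with the same call form and the new external dependency can be dropped entirely; otherwise the line should at least move to the third-party group. The import block continues past this hunk.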
@@ -43,7 +44,10 @@ metadata:
 namespace: %s
 type: Opaque`
 
- ingressCredentialRequestName = "openshift-ingress-azure"
+ ingressCredentialRequestName = "openshift-ingress-azure"
+ machineAPIOperatorCredentialRequestName = "openshift-machine-api-azure"
+ clusterStorageOperatorFileCredentialRequestName = "azure-file-csi-driver-operator"
+ clusterNetworkOperatorCredentialRequestName = "openshift-cloud-network-config-controller-azure"
 )
 
 // createManagedIdentity creates a user-assigned managed identity for the provided CredentialsRequest
@@ -607,7 +611,7 @@ func writeCredReqSecret(cr *credreqv1.CredentialsRequest, outputDir, clientID, t
 // additionally scoped within the resource group identified by dnsZoneResourceGroupName.
 //
 // Kubernetes secrets containing the user-assigned managed identity's clientID will be generated and written to the outputDir.
-func createManagedIdentities(client *azureclients.AzureClientWrapper, credReqDir, name, oidcResourceGroupName, subscriptionID, region, issuerURL, outputDir, installationResourceGroupName, dnsZoneResourceGroupName string, resourceTags map[string]string, enableTechPreview, dryRun bool) error {
+func createManagedIdentities(client *azureclients.AzureClientWrapper, credReqDir, name, oidcResourceGroupName, subscriptionID, region, issuerURL, outputDir, installationResourceGroupName, dnsZoneResourceGroupName, networkResourceGroupName string, resourceTags map[string]string, enableTechPreview, dryRun bool) error {
 // Add CCO's "owned" tag to resource tags map
 resourceTags[fmt.Sprintf("%s_%s", ownedAzureResourceTagKeyPrefix, name)] = ownedAzureResourceTagValue
 
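Review bot: The new `networkResourceGroupName` parameter of `createManagedIdentities` is not mentioned in the function's doc comment, whose visible tail still documents only `dnsZoneResourceGroupName` as an additional scope. Suggest adding, before the "Kubernetes secrets" sentence: `// The managed identities for the machine-api, cloud-network-config-controller and azure-file CSI driver CredentialsRequests are additionally scoped within the resource group identified by networkResourceGroupName when it is non-empty.` Every added scope widens the role assignments an identity receives, so stating exactly which CredentialsRequests get the extra scope helps whoever audits the resulting permissions. With three adjacent resource-group string parameters in a positional signature, a swapped argument at a call site would compile cleanly; an options struct would be safer, though that is beyond this change. The function body continues past the hunk.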
@@ -634,6 +638,13 @@ func createManagedIdentities(client *azureclients.AzureClientWrapper, credReqDir
 if credentialsRequest.Name == ingressCredentialRequestName {
 scopingResourceGroupNames = append(scopingResourceGroupNames, dnsZoneResourceGroupName)
 }
+ // Additionally scope vnet related CredentialRequest within the networkResourceGroupName,
+ // if one is provided
+ if len(networkResourceGroupName) > 0 {
+ if slices.Contains([]string{machineAPIOperatorCredentialRequestName, clusterStorageOperatorFileCredentialRequestName, clusterNetworkOperatorCredentialRequestName}, credentialsRequest.Name) {
+ scopingResourceGroupNames = append(scopingResourceGroupNames, networkResourceGroupName)
+ }
+ }
 err := createManagedIdentity(client, name, oidcResourceGroupName, subscriptionID, region, issuerURL, outputDir, scopingResourceGroupNames, resourceTags, credentialsRequest, dryRun)
 if err != nil {
 return err
@@ -679,6 +690,7 @@ func createManagedIdentitiesCmd(cmd *cobra.Command, args []string) {
 CreateManagedIdentitiesOpts.OutputDir,
 CreateManagedIdentitiesOpts.InstallationResourceGroupName,
 CreateManagedIdentitiesOpts.DNSZoneResourceGroupName,
+ CreateManagedIdentitiesOpts.NetworkResourceGroupName,
 CreateManagedIdentitiesOpts.UserTags,
 CreateManagedIdentitiesOpts.EnableTechPreview,
 CreateManagedIdentitiesOpts.DryRun)
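Review bot: The added block appends `networkResourceGroupName` to `scopingResourceGroupNames` without checking whether that name is already present, so a caller who passes the same value for the network and installation (or DNS zone) resource group gets a duplicated scope; if `createManagedIdentity` (outside this hunk) creates one role assignment per entry, the repeat would presumably fail as a conflict, and either way the scope list should be de-duplicated or the overlap rejected rather than granting the same permissions twice. Two smaller points: `len(networkResourceGroupName) > 0` is conventionally written `networkResourceGroupName != ""`, and the `[]string{...}` literal of CredentialsRequest names is rebuilt on every loop iteration and belongs in a package-level var next to the name constants. The enclosing loop and `createManagedIdentities` both start and end outside the hunk.
```go
// networkScopedCredentialRequestNames lists the CredentialsRequests whose identities are
// additionally scoped to networkResourceGroupName when one is provided.
var networkScopedCredentialRequestNames = []string{
	machineAPIOperatorCredentialRequestName,
	clusterStorageOperatorFileCredentialRequestName,
	clusterNetworkOperatorCredentialRequestName,
}

// … unchanged: loop over CredentialsRequests and ingress/DNS zone scoping …
// Additionally scope network-related CredentialsRequests within networkResourceGroupName,
// skipping it when that resource group is already in the scope list.
if networkResourceGroupName != "" &&
	slices.Contains(networkScopedCredentialRequestNames, credentialsRequest.Name) &&
	!slices.Contains(scopingResourceGroupNames, networkResourceGroupName) {
	scopingResourceGroupNames = append(scopingResourceGroupNames, networkResourceGroupName)
}
```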
@@ -752,6 +764,14 @@ func NewCreateManagedIdentitiesCmd() *cobra.Command {
 "A resource group will be created (with name derived from the --name parameter) if an installation-resource-group-name parameter was not provided. "+
 "Note that this resource group must be provided as the installation resource group when installing the OpenShift cluster",
 )
+ createManagedIdentitiesCmd.PersistentFlags().StringVar(
+ &CreateManagedIdentitiesOpts.NetworkResourceGroupName,
+ "network-resource-group-name",
+ "",
+ "The name of the Azure resource group for network resources like the Virtual Network and Subnets used by the cluster. "+
+ "If not provided, these resources will be placed in the installation resource group",
+ )
+
 createManagedIdentitiesCmd.PersistentFlags().StringVar(&CreateManagedIdentitiesOpts.SubscriptionID, "subscription-id", "", "Azure Subscription ID within which to create and scope the access of managed identities")
 createManagedIdentitiesCmd.MarkPersistentFlagRequired("subscription-id")
 createManagedIdentitiesCmd.PersistentFlags().StringVar(&CreateManagedIdentitiesOpts.IssuerURL, "issuer-url", "", "OIDC Issuer URL (the OIDC Issuer can be created with the 'create-oidc-issuer' sub-command)")