Bug 2055821: Remove Azure mint mode support as Active Directory Graph API will be sunset #453

Conversation

akhil-rane
Contributor

Migrate away from depending on the Azure Active Directory Graph API since it will be sunset in June 2022.

  • No more mint mode for Azure. So continue supporting passthrough and manual mode as the only supported modes on Azure.
  • The implementation is to always mark the Azure root secret as passthrough, and pivot a live running originally-mint cluster to passthrough mode.
  • Overwrite existing Secrets with the content found in kube-system/azure-credentials (we can assume this as removing the root creds was never supported in Azure).
  • Try to clean up previously minted App Registrations / Service Principals (while the Azure AD Graph API still works), but treat errors as non-fatal (just set a condition on the CredentialsRequest).
  • Update test cases.

failing on installing yaml-patch binary otherwise

Stop trying to detect whether the creds in kube-system/azure-credentials
are good enough for Minting new credentials. We now will only support
Manual mode (where the annotator does nothing) and Passthrough mode
where we will blindly annotate the Secret as 'passthrough'.
Update the Azure actuator to only support passthrough mode. Attempt to
clean up previously created App Registrations / Service Principals, but
treat failures to clean up as non-critical.

In the event that we fail to clean up, set a new "OrphanedCloudResource"
condition to document that we were unable to clean up.

When successfully cleaning up, clear out the old AzureStatus fields.

Add test cases covering the new OrphanedCloudResources condition.
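The pivot described in the PR body, as an added illustration written for this page (it is not cloud-credential-operator code): the root Secret is annotated passthrough without any capability probing, the target Secret is overwritten with a copy of the root credentials, a leftover minted App Registration is deleted best-effort, a failed delete only sets an OrphanedCloudResource condition and keeps AzureStatus so a later reconcile can retry, and a successful delete clears AzureStatus. The Secret, CredentialsRequest, AzureStatus and GraphClient types, the annotation key and the fakeGraph client are all hypothetical stand-ins chosen for the example; the sample credential data is constructed.

```go
package main

import "fmt"

// Added illustration, not cloud-credential-operator code: the types below are
// hypothetical stand-ins for the operator's Secret and CredentialsRequest.
const (
	modeAnnotation  = "cloudcredential.openshift.io/mode" // assumed key, not the operator's
	modePassthrough = "passthrough"
	modeManual      = "manual"
	condOrphanedCloudResource = "OrphanedCloudResource"
)

type Secret struct {
	Namespace, Name string
	Annotations     map[string]string
	Data            map[string][]byte
}

type Condition struct{ Type, Status, Reason, Message string }

// AzureStatus records what an earlier mint-mode reconcile created in AAD.
type AzureStatus struct{ AppID string }

type CredentialsRequest struct {
	TargetNamespace, TargetName string
	AzureStatus                 *AzureStatus
	Conditions                  []Condition
}

// GraphClient is the single AAD Graph call the actuator still needs.
type GraphClient interface{ DeleteApplication(appID string) error }

// AnnotateRootSecret: no capability probing any more; manual mode leaves the
// root Secret untouched, anything else is blindly marked passthrough.
func AnnotateRootSecret(root *Secret, operatorMode string) {
	if operatorMode == modeManual {
		return
	}
	if root.Annotations == nil { root.Annotations = map[string]string{} }
	root.Annotations[modeAnnotation] = modePassthrough
}

// Reconcile pivots one CredentialsRequest from mint to passthrough: overwrite
// the target Secret with the root credentials, delete leftover minted objects
// best-effort (failure only sets OrphanedCloudResource) and clear AzureStatus
// once cleanup succeeds.
func Reconcile(cr *CredentialsRequest, root *Secret, graph GraphClient) *Secret {
	target := &Secret{Namespace: cr.TargetNamespace, Name: cr.TargetName, Data: map[string][]byte{}}
	for k, v := range root.Data {
		target.Data[k] = append([]byte(nil), v...) // copy, never alias the root Secret's buffers
	}
	if cr.AzureStatus != nil && cr.AzureStatus.AppID != "" {
		if err := graph.DeleteApplication(cr.AzureStatus.AppID); err != nil {
			setCondition(cr, Condition{Type: condOrphanedCloudResource, Status: "True", Reason: "CleanupFailed",
				Message: fmt.Sprintf("App Registration %s not deleted: %v", cr.AzureStatus.AppID, err)})
			return target // non-fatal: creds still delivered; AzureStatus kept so a later reconcile retries
		}
		cr.AzureStatus = nil
		setCondition(cr, Condition{Type: condOrphanedCloudResource, Status: "False", Reason: "CleanupSucceeded"})
	}
	return target
}

func FindCondition(cr *CredentialsRequest, condType string) *Condition {
	for i := range cr.Conditions {
		if cr.Conditions[i].Type == condType {
			return &cr.Conditions[i]
		}
	}
	return nil
}

func setCondition(cr *CredentialsRequest, c Condition) {
	if existing := FindCondition(cr, c.Type); existing != nil {
		*existing = c
		return
	}
	cr.Conditions = append(cr.Conditions, c)
}

// fakeGraph stands in for the AAD Graph client; Fail simulates the sunset API.
type fakeGraph struct{ Fail bool; Deleted []string }

func (f *fakeGraph) DeleteApplication(appID string) error {
	if f.Fail {
		return fmt.Errorf("graph API unavailable")
	}
	f.Deleted = append(f.Deleted, appID)
	return nil
}

func main() {
	// Constructed sample data, not taken from a real cluster.
	root := &Secret{Namespace: "kube-system", Name: "azure-credentials", Data: map[string][]byte{"azure_client_id": []byte("root-client-id")}}
	AnnotateRootSecret(root, "")
	cr := &CredentialsRequest{TargetNamespace: "demo-ns", TargetName: "creds", AzureStatus: &AzureStatus{AppID: "minted-app-id"}}
	target := Reconcile(cr, root, &fakeGraph{Fail: true})
	fmt.Println(string(target.Data["azure_client_id"]), FindCondition(cr, condOrphanedCloudResource).Message)
}
```

The point to notice is the ordering: the credentials are copied into the target Secret before the cleanup attempt, so a Graph API outage (or its sunset) can never block workloads from getting working credentials; the only trace of a failed cleanup is the condition, and the retained AzureStatus is what lets the next reconcile try again.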
@openshift-ci
Contributor

openshift-ci bot commented Feb 11, 2022

@akhil-rane: No Bugzilla bug is referenced in the title of this pull request.
To reference a bug, add 'Bug XXX:' to the title of this pull request and request another bug refresh with /bugzilla refresh.

In response to this:

Azure passthrough

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@akhil-rane
Contributor Author

/test e2e-azure

@codecov

codecov bot commented Feb 12, 2022

Codecov Report

Merging #453 (0074320) into release-4.9 (d642d11) will decrease coverage by 0.59%.
The diff coverage is 64.33%.

Impacted file tree graph

@@               Coverage Diff               @@
##           release-4.9     #453      +/-   ##
===============================================
- Coverage        45.97%   45.38%   -0.60%     
===============================================
  Files               74       71       -3     
  Lines             7747     7335     -412     
===============================================
- Hits              3562     3329     -233     
+ Misses            3691     3577     -114     
+ Partials           494      429      -65     
Impacted Files Coverage Δ
pkg/azure/mock/client_generated.go 20.72% <34.28%> (-63.97%) ⬇️
pkg/aws/mock/client_generated.go 56.59% <47.00%> (ø)
pkg/azure/minter.go 35.71% <55.55%> (-12.85%) ⬇️
pkg/operator/secretannotator/azure/reconciler.go 35.06% <69.23%> (-2.24%) ⬇️
pkg/azure/actuator.go 56.36% <78.46%> (+11.31%) ⬆️
pkg/gcp/mock/client_generated.go 100.00% <100.00%> (ø)
...redentialsrequest/credentialsrequest_controller.go 52.37% <100.00%> (+3.52%) ⬆️
... and 5 more

@akhil-rane changed the title from "Azure passthrough" to "Bug 2055821: Remove Azure mint mode support as Active Directory Graph API since it will be sunset" Feb 17, 2022
@openshift-ci openshift-ci bot added the bugzilla/severity-high Referenced Bugzilla bug's severity is high for the branch this PR is targeting. label Feb 17, 2022
@openshift-ci
Contributor

openshift-ci bot commented Feb 17, 2022

@akhil-rane: This pull request references Bugzilla bug 2055821, which is invalid:

  • expected the bug to target the "4.9.z" release, but it targets "4.9.0" instead
  • expected Bugzilla bug 2055821 to depend on a bug targeting a release in 4.10.0 and in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE), but no dependents were found

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Bug 2055821: Remove Azure mint mode support as Active Directory Graph API since it will be sunset


@openshift-ci openshift-ci bot added the bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. label Feb 17, 2022
@akhil-rane
Contributor Author

/bugzilla refresh

@openshift-ci
Contributor

openshift-ci bot commented Feb 17, 2022

@akhil-rane: This pull request references Bugzilla bug 2055821, which is invalid:

  • expected the bug to target the "4.9.z" release, but it targets "4.9.0" instead
  • expected Bugzilla bug 2055821 to depend on a bug targeting a release in 4.10.0 and in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE), but no dependents were found

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/bugzilla refresh


@akhil-rane
Contributor Author

/bugzilla refresh

@openshift-ci
Contributor

openshift-ci bot commented Feb 17, 2022

@akhil-rane: This pull request references Bugzilla bug 2055821, which is invalid:

  • expected Bugzilla bug 2055821 to depend on a bug targeting a release in 4.10.0 and in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE), but no dependents were found

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/bugzilla refresh


@akhil-rane
Contributor Author

/bugzilla refresh

@openshift-ci
Contributor

openshift-ci bot commented Feb 17, 2022

@akhil-rane: This pull request references Bugzilla bug 2055821, which is invalid:

  • expected Bugzilla bug 2055821 to depend on a bug targeting a release in 4.10.0 and in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE), but no dependents were found

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/bugzilla refresh


@akhil-rane
Contributor Author

/bugzilla refresh

@openshift-ci
Contributor

openshift-ci bot commented Feb 17, 2022

@akhil-rane: This pull request references Bugzilla bug 2055821, which is invalid:

  • expected the bug to target the "4.9.z" release, but it targets "---" instead
  • expected Bugzilla bug 2055821 to depend on a bug targeting a release in 4.10.0 and in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE), but no dependents were found

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/bugzilla refresh


@openshift-ci
Contributor

openshift-ci bot commented Feb 17, 2022

@akhil-rane: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@abutcher
Member

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 17, 2022
@openshift-ci
Contributor

openshift-ci bot commented Feb 17, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abutcher, akhil-rane

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 17, 2022
@abutcher
Member

Backports #433, #435

@akhil-rane
Contributor Author

/bugzilla refresh

@openshift-ci
Contributor

openshift-ci bot commented Feb 17, 2022

@akhil-rane: This pull request references Bugzilla bug 2055821, which is invalid:

  • expected the bug to target the "4.9.z" release, but it targets "---" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/bugzilla refresh


@akhil-rane
Contributor Author

/bugzilla refresh

@openshift-ci openshift-ci bot added the bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. label Feb 17, 2022
@openshift-ci
Contributor

openshift-ci bot commented Feb 17, 2022

@akhil-rane: This pull request references Bugzilla bug 2055821, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

6 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.9.z) matches configured target release for branch (4.9.z)
  • bug is in the state NEW, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)
  • dependent bug Bugzilla bug 2055894 is in the state VERIFIED, which is one of the valid states (VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE))
  • dependent Bugzilla bug 2055894 targets the "4.10.0" release, which is one of the valid target releases: 4.10.0
  • bug has dependents

Requesting review from QA contact:
/cc @lwan-wanglin

In response to this:

/bugzilla refresh


@openshift-ci openshift-ci bot removed the bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. label Feb 17, 2022
@akhil-rane
Contributor Author

/assign @lwan-wanglin

@akhil-rane changed the title from "Bug 2055821: Remove Azure mint mode support as Active Directory Graph API since it will be sunset" to "Bug 2055821: Remove Azure mint mode support as Active Directory Graph API will be sunset" Feb 17, 2022
@jianping-shu

/assign @jianping-shu

@jianping-shu

Tested w/ CCO-173 testcases, passed

@jianping-shu

/label cherry-pick-approved

@openshift-ci openshift-ci bot added the cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. label Feb 22, 2022
@akhil-rane
Contributor Author

Tested w/ CCO-173 testcases, passed

@jianping-shu Do we also need a test wherein a passthrough SP has permissions to delete SPs generated by mint mode?

@jianping-shu

@akhil-rane I think it is already covered by OCP-47144 and OCP-47159
Pls. let me know if I was wrong or you want to add some scenario more.

@akhil-rane
Contributor Author

@akhil-rane I think it is already covered by OCP-47144 and OCP-47159 Pls. let me know if I was wrong or you want to add some scenario more.

Sorry I missed it. Everything looks good!

@akhil-rane
Contributor Author

/label backport-risk-assessed

@openshift-ci openshift-ci bot added the backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. label Feb 23, 2022
@openshift-merge-robot openshift-merge-robot merged commit 50172e2 into openshift:release-4.9 Feb 23, 2022
@openshift-ci
Contributor

openshift-ci bot commented Feb 23, 2022

@akhil-rane: All pull requests linked via external trackers have merged:

Bugzilla bug 2055821 has been moved to the MODIFIED state.

In response to this:

Bug 2055821: Remove Azure mint mode support as Active Directory Graph API will be sunset


@2uasimojo
Member

/cherry-pick release-4.8

@openshift-cherrypick-robot

@2uasimojo: #453 failed to apply on top of branch "release-4.8":

Applying: update azure-sdk-for-go
.git/rebase-apply/patch:381: new blank line at EOF.
+
.git/rebase-apply/patch:1651: new blank line at EOF.
+
.git/rebase-apply/patch:4266: new blank line at EOF.
+
warning: 3 lines add whitespace errors.
Using index info to reconstruct a base tree...
M	go.mod
M	go.sum
M	vendor/modules.txt
Falling back to patching base and 3-way merge...
Auto-merging vendor/modules.txt
CONFLICT (content): Merge conflict in vendor/modules.txt
Removing vendor/github.com/Azure/azure-sdk-for-go/NOTICE
Removing vendor/github.com/Azure/azure-sdk-for-go/LICENSE
Auto-merging go.sum
Auto-merging go.mod
CONFLICT (content): Merge conflict in go.mod
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 update azure-sdk-for-go
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-4.8


@2uasimojo
Member

failed to apply

#454

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. bugzilla/severity-high Referenced Bugzilla bug's severity is high for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. lgtm Indicates that a PR is ready to be merged.
8 participants