CCO-372: Azure Workload Identity info in CredsRequests creates a Secret

[bentito]

Adds Azure Workload Identity (Timed Access Token) support and e2e test and unit tests.

pkg/azure/actuator_test.go should get a review for changes that were needed to pre-existing unit tests. The changes were needed because of the requirements of the new detection for Workload Identity in-use flow.

Known issues:

• - Still need to verify OCPBUGS filed against the AWS STS work, particularly around properly setting status, conditions and lastSync times that were fixed for AWS STS are not brought back here for Azure.
  * Reviewed the several bug fix PRs against the AWS STS work, most fixes were in credentialsrequest_controller so their all present for this Azure branch as well, just OCPBUGS-16684 had an actuator change that seemed to be needed here.
• - This should be e2e testable with a PR in release which actually calls the new Make target: test-e2e-azident with the e2e-azure-manual-oidc workflow
  * PR to add calling make target to azure e2e is here: Add cmd make test-e2e-azident to e2e-azure-manual-oidc release#42126

[openshift-ci-robot]

@bentito: This pull request references CCO-372 which is a valid jira issue.

In response to this:

WIP: Adds Azure Workload Identity (Timed Access Token) support and e2e test (and unit tests eventually).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci-robot]

@bentito: This pull request references CCO-372 which is a valid jira issue.

In response to this:

WIP: Adds Azure Workload Identity (Timed Access Token) support and e2e test and unit tests.

Known issue: Still need to verify OCPBUGS filed against the AWS STS work, particularly around properly setting status, conditions and lastSync times that were fixed for AWS STS are not brought back here for Azure.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@bentito: This pull request references CCO-372 which is a valid jira issue.

In response to this:

WIP: Adds Azure Workload Identity (Timed Access Token) support and e2e test and unit tests.

Known issues:

• Still need to verify OCPBUGS filed against the AWS STS work, particularly around properly setting status, conditions and lastSync times that were fixed for AWS STS are not brought back here for Azure.
• This should be e2e testable with a PR in release which actually calls the new Make target: test-e2e-azident with the e2e-azure-manual-oidc workflow

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@bentito: This pull request references CCO-372 which is a valid jira issue.

In response to this:

WIP: Adds Azure Workload Identity (Timed Access Token) support and e2e test and unit tests.

pkg/azure/actuator_test.go should get a review for changes that were needed to pre-existing unit tests. The changes were needed because of the requirements of the new detection for Workload Identity in-use flow.

Known issues:

• Still need to verify OCPBUGS filed against the AWS STS work, particularly around properly setting status, conditions and lastSync times that were fixed for AWS STS are not brought back here for Azure.
• This should be e2e testable with a PR in release which actually calls the new Make target: test-e2e-azident with the e2e-azure-manual-oidc workflow

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[codecov]

Codecov Report

Merging #587 (7c970c7) into master (5a6da9c) will increase coverage by 0.06%.
Report is 4 commits behind head on master.
The diff coverage is 68.75%.

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #587      +/-   ##
==========================================
+ Coverage   47.90%   47.96%   +0.06%     
==========================================
  Files          96       96              
  Lines       11680    11737      +57     
==========================================
+ Hits         5595     5630      +35     
- Misses       5465     5483      +18     
- Partials      620      624       +4     

Files	Coverage Δ
...redentialsrequest/credentialsrequest_controller.go	48.78% <0.00%> (ø)
pkg/azure/actuator.go	60.97% <69.62%> (+7.27%)	⬆️

... and 3 files with indirect coverage changes

[openshift-ci-robot]

@bentito: This pull request references CCO-372 which is a valid jira issue.

In response to this:

WIP: Adds Azure Workload Identity (Timed Access Token) support and e2e test and unit tests.

pkg/azure/actuator_test.go should get a review for changes that were needed to pre-existing unit tests. The changes were needed because of the requirements of the new detection for Workload Identity in-use flow.

Known issues:

• - Still need to verify OCPBUGS filed against the AWS STS work, particularly around properly setting status, conditions and lastSync times that were fixed for AWS STS are not brought back here for Azure.
  • Reviewed the several bug fix PRs against the AWS STS work, most fixes were in credentialsrequest_controller so their all present for this Azure branch as well, just OCPBUGS-16684 had an actuator change that seemed to be needed here.
• - This should be e2e testable with a PR in release which actually calls the new Make target: test-e2e-azident with the e2e-azure-manual-oidc workflow

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@bentito: This pull request references CCO-372 which is a valid jira issue.

In response to this:

WIP: Adds Azure Workload Identity (Timed Access Token) support and e2e test and unit tests.

pkg/azure/actuator_test.go should get a review for changes that were needed to pre-existing unit tests. The changes were needed because of the requirements of the new detection for Workload Identity in-use flow.

Known issues:

• - Still need to verify OCPBUGS filed against the AWS STS work, particularly around properly setting status, conditions and lastSync times that were fixed for AWS STS are not brought back here for Azure.
  • Reviewed the several bug fix PRs against the AWS STS work, most fixes were in credentialsrequest_controller so their all present for this Azure branch as well, just OCPBUGS-16684 had an actuator change that seemed to be needed here.
• - This should be e2e testable with a PR in release which actually calls the new Make target: test-e2e-azident with the e2e-azure-manual-oidc workflow

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[bentito]

/retest e2e-hypershift

[openshift-ci]

@bentito: The /retest command does not accept any targets.
The following commands are available to trigger required jobs:

• /test coverage
• /test e2e-aws-ovn
• /test e2e-hypershift
• /test e2e-upgrade
• /test images
• /test unit
• /test verify
• /test verify-deps

The following commands are available to trigger optional jobs:

• /test e2e-aws-manual-oidc
• /test e2e-azure
• /test e2e-azure-manual-oidc
• /test e2e-azure-upgrade
• /test e2e-gcp
• /test e2e-gcp-manual-oidc
• /test e2e-openstack
• /test e2e-openstack-parallel

Use /test all to run the following jobs that were automatically triggered:

• pull-ci-openshift-cloud-credential-operator-master-coverage
• pull-ci-openshift-cloud-credential-operator-master-e2e-aws-ovn
• pull-ci-openshift-cloud-credential-operator-master-e2e-hypershift
• pull-ci-openshift-cloud-credential-operator-master-e2e-upgrade
• pull-ci-openshift-cloud-credential-operator-master-images
• pull-ci-openshift-cloud-credential-operator-master-unit
• pull-ci-openshift-cloud-credential-operator-master-verify
• pull-ci-openshift-cloud-credential-operator-master-verify-deps

In response to this:

/retest e2e-hypershift

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[bentito]

/test e2e-hypershift

[openshift-ci-robot]

@bentito: This pull request references CCO-372 which is a valid jira issue.

In response to this:

WIP: Adds Azure Workload Identity (Timed Access Token) support and e2e test and unit tests.

pkg/azure/actuator_test.go should get a review for changes that were needed to pre-existing unit tests. The changes were needed because of the requirements of the new detection for Workload Identity in-use flow.

Known issues:

• - Still need to verify OCPBUGS filed against the AWS STS work, particularly around properly setting status, conditions and lastSync times that were fixed for AWS STS are not brought back here for Azure.
  • Reviewed the several bug fix PRs against the AWS STS work, most fixes were in credentialsrequest_controller so their all present for this Azure branch as well, just OCPBUGS-16684 had an actuator change that seemed to be needed here.
• - This should be e2e testable with a PR in release which actually calls the new Make target: test-e2e-azident with the e2e-azure-manual-oidc workflow
  • PR to add calling make target to azure e2e is here: Add cmd make test-e2e-azident to e2e-azure-manual-oidc release#42126

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@bentito: This pull request references CCO-372 which is a valid jira issue.

In response to this:

WIP: Adds Azure Workload Identity (Timed Access Token) support and e2e test and unit tests.

pkg/azure/actuator_test.go should get a review for changes that were needed to pre-existing unit tests. The changes were needed because of the requirements of the new detection for Workload Identity in-use flow.

Known issues:

• - Still need to verify OCPBUGS filed against the AWS STS work, particularly around properly setting status, conditions and lastSync times that were fixed for AWS STS are not brought back here for Azure.
  • Reviewed the several bug fix PRs against the AWS STS work, most fixes were in credentialsrequest_controller so their all present for this Azure branch as well, just OCPBUGS-16684 had an actuator change that seemed to be needed here.
• - This should be e2e testable with a PR in release which actually calls the new Make target: test-e2e-azident with the e2e-azure-manual-oidc workflow
  • PR to add calling make target to azure e2e is here: Add cmd make test-e2e-azident to e2e-azure-manual-oidc release#42126

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@bentito: This pull request references CCO-372 which is a valid jira issue.

In response to this:

WIP: Adds Azure Workload Identity (Timed Access Token) support and e2e test and unit tests.

pkg/azure/actuator_test.go should get a review for changes that were needed to pre-existing unit tests. The changes were needed because of the requirements of the new detection for Workload Identity in-use flow.

Known issues:

• - Still need to verify OCPBUGS filed against the AWS STS work, particularly around properly setting status, conditions and lastSync times that were fixed for AWS STS are not brought back here for Azure.
  • Reviewed the several bug fix PRs against the AWS STS work, most fixes were in credentialsrequest_controller so their all present for this Azure branch as well, just OCPBUGS-16684 had an actuator change that seemed to be needed here.
• - This should be e2e testable with a PR in release which actually calls the new Make target: test-e2e-azident with the e2e-azure-manual-oidc workflow
  • PR to add calling make target to azure e2e is here: Add cmd make test-e2e-azident to e2e-azure-manual-oidc release#42126

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[bentito]

/test e2e-hypershift

[bentito]

/test e2e-hypershift

[bentito]

/test e2e-azure-manual-oidc

[openshift-ci-robot]

@bentito: This pull request references CCO-372 which is a valid jira issue.

In response to this:

Adds Azure Workload Identity (Timed Access Token) support and e2e test and unit tests.

pkg/azure/actuator_test.go should get a review for changes that were needed to pre-existing unit tests. The changes were needed because of the requirements of the new detection for Workload Identity in-use flow.

Known issues:

• - Still need to verify OCPBUGS filed against the AWS STS work, particularly around properly setting status, conditions and lastSync times that were fixed for AWS STS are not brought back here for Azure.
  • Reviewed the several bug fix PRs against the AWS STS work, most fixes were in credentialsrequest_controller so their all present for this Azure branch as well, just OCPBUGS-16684 had an actuator change that seemed to be needed here.
• - This should be e2e testable with a PR in release which actually calls the new Make target: test-e2e-azident with the e2e-azure-manual-oidc workflow
  • PR to add calling make target to azure e2e is here: Add cmd make test-e2e-azident to e2e-azure-manual-oidc release#42126

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[bentito]

/test e2e-azure-manual-oidc

[bentito]

@abutcher we're running into trouble here with Azure that we didn't see on AWS:

cloud-credential-operator/pkg/operator/credentialsrequest/credentialsrequest_controller.go

Line 683 in 973abf9

credsExists, err := r.Actuator.Exists(ctx, cr)

With the error at runtime looking like:

time="2023-08-05T02:35:39Z" level=error msg="error checking whether credentials already exists: Secret \"azure-credentials\" not found" controller=credreq cr=openshift-cloud-credential-operator/nginx secret=default/nginx-credentials

There is certainly more logic in the non-STSDetected flow after the else before the .Exists() check, but I'm not sure what in it might need to be pulled up to the STS flow section? Any ideas?

[gallettilance]

/test e2e-upgrade

[gallettilance]

/test e2e-aws-ovn

[gallettilance]

cred-req-secret-creationdeletion.webm

@jstuever here is a demo of the secret being created and deleted

[jstuever]

/test e2e-azure e2e-azure-upgrade

[gallettilance]

cred-req-workload-identity.webm

Update based on our convo @jstuever

• no errors for "old" manual mode
• updates of the secret to make it look exactly as the ccoctl tool does

[gallettilance]

Some notes for reviewers

[gallettilance]

Note to reviewers: the delete works because of the annotation on the secret

[gallettilance]

Note to reviewers: what's in the credReq should be the source of truth propagated down to the secret.

[gallettilance]

Note to reviewers: if none of the fields are provided, we assume the creator of the credReq is intending to use the old manual mode where the secrets are created by the ccoctl tool and CCO doesn't do anything (as is the case with openshift operators today).

[gallettilance]

Note to reviewers: if some but not all fields required for this new manual mode workload identity workflow are set then we should error

[gallettilance]

Note to reviewers: this if statement checks that the desiredSecret is from the new manual mode workload identity workflow since it does not set the Data field

[gallettilance]

Note to reviewers: this change is a result of erroring earlier in the process as a result of checking for the cloudcredentials mode.

[gallettilance]

Note to reviewers: just adding the AzureFederatedTokenFile

[jstuever]

/test e2e-azure e2e-azure-upgrade

[jstuever]

Should this return false?

[jstuever]

Ideally, we would actually check if the secret differs from the source of truth similar to AWS mint mode. However, this can be taken away as tech debt.

[jstuever]

/test e2e-azure
/test e2e-azure-upgrade

[jstuever]

/test e2e-hypershift

[jstuever]

/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bentito, jstuever

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [jstuever]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@bentito: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[openshift-bot]

[ART PR BUILD NOTIFIER]

This PR has been included in build ose-cloud-credential-operator-container-v4.15.0-202311300249.p0.ge295bb2.assembly.stream for distgit ose-cloud-credential-operator.
All builds following this will include this PR.

[gallettilance]

/cherry-pick release-4.14

[openshift-cherrypick-robot]

@gallettilance: new pull request created: #643

In response to this:

/cherry-pick release-4.14

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.