IR-363: Update Azure Credentials Request manifest of the Cluster Image Registry Operator to use new API field for requesting permissions

[abutcher]

Utilizes new CredentialsRequests API field dataPermissions for necessary blob data actions as per the Storage Blob Data Contributor Azure built-in role.

IR-363
supersedes #859

[openshift-ci-robot]

@abutcher: This pull request references IR-363 which is a valid jira issue.

In response to this:

Utilizes new CredentialsRequests API field 'dataPermissionsfor necessary blob data actions as per theStorage Blob Data Contributor` Azure built-in role.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@abutcher: This pull request references IR-363 which is a valid jira issue.

In response to this:

Utilizes new CredentialsRequests API field dataPermissions for necessary blob data actions as per the Storage Blob Data Contributor Azure built-in role.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[dmage]

/hold
until this PR gets all approvals

[dmage]

/lgtm

[dmage]

/assign @sferich888
/assign @xiuwang
/assign @stevsmit
for PX, QE, and Docs approvals

[abutcher]

Marking WIP. We need to validate openshift/cloud-credential-operator#584.

[abutcher]

Tested with a ClusterBot cluster along with openshift/cloud-credential-operator#584.

workflow-launch openshift-e2e-azure-manual-oidc-workload-identity https://github.com/openshift/cluster-image-registry-operator/pull/890,https://github.com/openshift/cloud-credential-operator/pull/584

Credentials provisioning build log:

2023/08/01 13:44:34 Created user-assigned managed identity /subscriptions/d38f1e38-4bed-438e-b227-833f997adf6a/resourcegroups/ci-ln-85fqhg2-1d09d-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ci-ln-85fqhg2-1d09d-openshift-image-registry-installer-cloud-credentials
2023/08/01 13:44:35 Created customRole ci-ln-85fqhg2-1d09d-openshift-image-registry-installer-cloud-credentials /subscriptions/d38f1e38-4bed-438e-b227-833f997adf6a/providers/Microsoft.Authorization/roleDefinitions/59425494-e5ca-437e-a42d-703759845cc2
2023/08/01 13:44:36 Failed to get role definition. This is likely due to a replication delay. Retrying...
2023/08/01 13:44:46 Failed to get role definition. This is likely due to a replication delay. Retrying...
2023/08/01 13:44:56 Failed to get role definition. This is likely due to a replication delay. Retrying...
2023/08/01 13:45:06 Failed to get role definition. This is likely due to a replication delay. Retrying...
2023/08/01 13:45:18 Created role assignment for role ci-ln-85fqhg2-1d09d-openshift-image-registry-installer-cloud-credentials with user-assigned managed identity principal ID 200a9a2a-e967-4311-9bef-90ed2b36accb at scope /subscriptions/d38f1e38-4bed-438e-b227-833f997adf6a/resourceGroups/ci-ln-85fqhg2-1d09d
2023/08/01 13:45:18 Created federated identity credential /subscriptions/d38f1e38-4bed-438e-b227-833f997adf6a/resourcegroups/ci-ln-85fqhg2-1d09d-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ci-ln-85fqhg2-1d09d-openshift-image-registry-installer-cloud-credentials/federatedIdentityCredentials/cluster-image-registry-operator
2023/08/01 13:45:19 Created federated identity credential /subscriptions/d38f1e38-4bed-438e-b227-833f997adf6a/resourcegroups/ci-ln-85fqhg2-1d09d-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ci-ln-85fqhg2-1d09d-openshift-image-registry-installer-cloud-credentials/federatedIdentityCredentials/registry
2023/08/01 13:45:19 Saved credentials configuration to: /tmp/manifests/openshift-image-registry-installer-cloud-credentials-credentials.yaml

Permissions in this PR are sufficient based on the image registry cluster operator status:

status:
  conditions:
  - lastTransitionTime: "2023-08-01T14:35:27Z"
    message: |-
      Available: The registry is ready
      NodeCADaemonAvailable: The daemon set node-ca has available replicas
      ImagePrunerAvailable: Pruner CronJob has been created
    reason: Ready
    status: "True"
    type: Available

[abutcher]

Will run e2e once more after openshift/cloud-credential-operator#584 merges.

[jstuever]

/test e2e-azure-manual-oidc

[xiuwang]

/retest

[xiuwang]

@abutcher Hi, I meet 403 AuthorizationPermissionMismatch when push data to image registry on the clusterbot cluster along this change

workflow-launch openshift-e2e-azure-manual-oidc-workload-identity https://github.com/openshift/cluster-image-registry-operator/pull/890

The error is

time="2023-08-02T03:49:09.464587516Z" level=error msg="response completed with error" err.code=unknown err.detail="DELETE https://imageregistrycilnvbqps8z.blob.core.windows.net/ci-ln-vbdypib-1d09d-v6nz5-image-registry-fowlglvujdxuarjpetbru/docker/registry/v2/repositories/wxj/httpd-ex/_uploads/24ee7d03-287d-4352-942d-3aeddd4303be/data\n--------------------------------------------------------------------------------\nRESPONSE 403: 403 This request is not authorized to perform this operation using this permission.\nERROR CODE: AuthorizationPermissionMismatch\n--------------------------------------------------------------------------------\n\ufeff<?xml version=\"1.0\" encoding=\"utf-8\"?><Error><Code>AuthorizationPermissionMismatch</Code><Message>This request is not authorized to perform this operation using this permission.\nRequestId:2cbe7a78-501e-0068-01f4-c44b6b000000\nTime:2023-08-02T03:49:09.4357584Z</Message></Error>\n--------------------------------------------------------------------------------\n" err.message="unknown error" go.version=go1.20.3 http.request.host="image-registry.openshift-image-registry.svc:5000" http.request.id=35c07284-3f7f-4c12-846d-6a2db5e41e48 http.request.method=DELETE http.request.remoteaddr="10.129.2.13:57818" http.request.uri="/v2/wxj/httpd-ex/blobs/uploads/24ee7d03-287d-4352-942d-3aeddd4303be?_state=Xxo4m9IcwD5JJEKPqcMQrx-KS5djUEhUHUaWiptI5YV7Ik5hbWUiOiJ3eGovaHR0cGQtZXgiLCJVVUlEIjoiMjRlZTdkMDMtMjg3ZC00MzUyLTk0MmQtM2FlZGRkNDMwM2JlIiwiT2Zmc2V0IjowLCJTdGFydGVkQXQiOiIyMDIzLTA4LTAyVDAzOjQ5OjA5LjMzMzQ0MDEwMloifQ%3D%3D" http.request.useragent="containers/5.26.1 (github.com/containers/image)" http.response.contenttype=application/json http.response.duration=71.28021ms http.response.status=500 http.response.written=0 openshift.auth.user="system:serviceaccount:wxj:builder" vars.name=wxj/httpd-ex vars.uuid=24ee7d03-287d-4352-942d-3aeddd4303be

[abutcher]

@xiuwang Ack!

[abutcher]

@xiuwang I've added Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete to the dataPermissions based on the documented permissions in the Storage Blob Data Contributor role. I think this will allow the DELETE operation to succeed.

[abutcher]

/test e2e-azure-manual-oidc

[openshift-ci-robot]

@abutcher: This pull request references IR-363 which is a valid jira issue.

In response to this:

Utilizes new CredentialsRequests API field dataPermissions for necessary blob data actions as per the Storage Blob Data Contributor Azure built-in role.

IR-363
supersedes #859

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@abutcher: This pull request references IR-363 which is a valid jira issue.

In response to this:

Utilizes new CredentialsRequests API field dataPermissions for necessary blob data actions as per the Storage Blob Data Contributor Azure built-in role.

IR-363
supersedes #859

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[abutcher]

Tested with latest permissions and image upload to internal registry succeeds. Updated OCPBUGS-17247.

[abutcher]

/test e2e-azure-manual-oidc

[jstuever]

/test e2e-azure-manual-oidc

[xiuwang]

/retest

[xiuwang]

/label qe-approved

Verified OCPBUGS-17247.
And do regression test on this change, no new issue found.

[xiuwang]

/retest

[flavianmissi]

thanks Andrew!
/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abutcher, dmage, flavianmissi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [dmage,flavianmissi]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[flavianmissi]

/hold cancel

[newtonheath]

@flavianmissi - things look close - whats your take?

[abutcher]

Do we need docs-approved, px-approved labels?

[stevsmit]

/label docs-approved

[sferich888]

/label px-approved

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 6de7fae and 2 for PR HEAD 6ef401e in total

[flavianmissi]

/retest

[flavianmissi]

/retest

[flavianmissi]

different flake failure
/retest-required

[abutcher]

/retest-required

[abutcher]

e2e-ovirt-sdn: ovirt is no longer a supported platform in install-config openshift/installer#7213

edit: this is an optional test per the CI config but can probably be removed

[openshift-ci]

@abutcher: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-ovirt-sdn	6ef401e	link	false	/test e2e-ovirt-sdn

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.