OCPBUGS-42434: Implement Managed Identity for OpenShift Components #4690
bryan-cox wants to merge 5 commits into
@bryan-cox: This pull request references HOSTEDCP-1872 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set.
Details: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
Skipping CI for Draft Pull Request.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: bryan-cox
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Details: Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
✅ Deploy Preview for hypershift-docs ready!
8e7eaec to 448fe4b
5bb3294 to 40401ab
d5cf100 to c07eb9a
5be88af to ed31611
Hey @JoelSpeed do you mind taking a look at the changes to our API here?
Also in conjunction, your thoughts on #4690 (comment)
@bryan-cox: This pull request references Jira Issue OCPBUGS-42004, which is valid. 3 validation(s) were run on this bug. Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker.
This pull request references Jira Issue OCPBUGS-42434, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug. No GitHub users were found matching the public email listed for the QA contact in Jira (jiezhao@redhat.com), skipping review request. The bug has been updated to refer to the pull request using the external bug tracker.
Details: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
| flags.StringVar(&opts.NetworkSecurityGroupID, "network-security-group-id", opts.NetworkSecurityGroupID, "The Network Security Group ID to use in the default NodePool.") | ||
| flags.StringToStringVarP(&opts.ResourceGroupTags, "resource-group-tags", "t", opts.ResourceGroupTags, "Additional tags to apply to the resource group created (e.g. 'key1=value1,key2=value2')") | ||
| flags.StringVar(&opts.SubnetID, "subnet-id", opts.SubnetID, "The subnet ID where the VMs will be placed.") | ||
| flags.StringVar(&opts.AzureCCMManagedIdentityClientID, "azure-ccm-mi-client-id", opts.AzureCCMManagedIdentityClientID, "The client id of managed identity related to the azure cloud controller manager.") |
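Review bot: the new `--azure-ccm-mi-client-id` flag is a plain `flags.StringVar` and nothing in this hunk checks the value, so an empty or mistyped client ID is only discovered once the managed identity sidecar fails to authenticate in the hosted control plane; validate it as a non-empty GUID alongside the other option checks so the CLI rejects it up front. Minor: the help text says "client id" where the neighbouring `network-security-group-id` flag spells it "ID"; use "client ID" for consistency.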
shouldn't those be created automatically by the cli?
I am not doing that at this moment because the adapter sidecars do not support managed identity.
| defaultSecurityContext := setDefaultSecurityContext | ||
|
|
||
| // For ARO HCP, the MI sidecar containers need privileged permissions to run | ||
| if os.Getenv("MANAGED_SERVICE") == hyperv1.AroHCP { |
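Review bot: the comment says the MI sidecar containers need privileged permissions, but the value being switched on the ARO HCP check is `defaultSecurityContext`, which reads as the default for every container in the deployment rather than for the two adapter containers; if only the sidecars need it, set the relaxed securityContext on those containers and leave the deployment default unchanged, and state in the comment which operation the adapter actually needs the privilege for so the relaxation can be reviewed later.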
if os.Getenv("MANAGED_SERVICE") == hyperv1.AroHCP
this should be a helper function, IsAro() or smth
@bryan-cox: This pull request references Jira Issue OCPBUGS-42434, which is valid. 3 validation(s) were run on this bug. No GitHub users were found matching the public email listed for the QA contact in Jira (jiezhao@redhat.com), skipping review request. The bug has been updated to refer to the pull request using the external bug tracker.
Details: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
@bryan-cox: This pull request references Jira Issue OCPBUGS-42434, which is valid. 3 validation(s) were run on this bug. Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker.
Details: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
Adds a function to include the managed identity sidecar containers in a deployment. The adapter-init is added as an init container and the adapter-server is added as a sidecar container in the related pod deployment it is included in. Signed-off-by: Bryan Cox <brcox@redhat.com>
Adds fields in the Azure HostedCluster API for the client IDs related to the managed service identities used for the following control plane components: azure cloud provider, KMS, CAPZ, the control plane operator, the image registry operator, cluster ingress operator, cluster network operator/cluster-network-config-controller, azure-disk-controller and azure-file-controller. Signed-off-by: Bryan Cox <brcox@redhat.com>
8c58cb1 to 102aa80
Initialize the control plane managed identities in the CLI. These are initialized with the client ID of the Service Principal at the moment. Once the Microsoft Adapter sidecar containers support Managed Identities, the CLI will create a new managed identity for each of these fields. Signed-off-by: Bryan Cox <brcox@redhat.com>
This commit replaces the use of Service Principal for Managed Identities for authenticating with Azure API. This commit also adds the Microsoft adapter-init and adapter-server sidecar containers to the deployments of the following HCP components - CAPZ, Azure Cloud Provider (CCM), KMS, and CPO - when deploying on ARO HCP. Signed-off-by: Bryan Cox <brcox@redhat.com>
This commit replaces the use of Service Principal for Managed Identities for authenticating with Azure API. This commit also adds the Microsoft adapter-init and adapter-server sidecar containers to the deployments of cluster-image-registry-operator (CIRO) and cluster-ingress-operator (CIO). This commit also passes the needed environment variables on to cluster-network-operator (CNO) so the operator can add the adapter-init and adapter-server sidecar containers to cloud network config controller (CNCC) and to cluster-storage-operator (CSO) for the azure-disk-csi-controller and azure-file-csi-controller. Signed-off-by: Bryan Cox <brcox@redhat.com>
102aa80 to 143e241
/close We don't need this now since we are not doing the sidecar containers.
PR needs rebase.
Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
@bryan-cox: Closed this PR.
Details: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
@bryan-cox: This pull request references Jira Issue OCPBUGS-42434. The bug has been updated to no longer refer to the pull request using the external bug tracker.
Details: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
What this PR does / why we need it:
This PR builds upon:
This PR integrates the Microsoft adapter sidecar containers for the deployments of the following HCP OpenShift components:
Which issue(s) this PR fixes:
Fixes OCPBUGS-42434
Checklist