OCPBUGS-42434: Implement Managed Identity for HCP Components#4824

Closed
bryan-cox wants to merge 4 commits into openshift:main from bryan-cox:OCPBUGS-42434

@bryan-cox
Member

@bryan-cox bryan-cox commented Sep 27, 2024

What this PR does / why we need it:
This PR builds upon:

  1. OCPBUGS-42434: Add Managed Identity Support in Azure HC API behind AROHCPManagedIdentities Feature gate #4811

This PR integrates the Microsoft adapter sidecar containers for the deployments of the following HCP components:

  1. CAPZ
  2. Azure cloud provider
  3. Azure KMS
  4. Control plane operator

Which issue(s) this PR fixes:
Fixes OCPBUGS-42434

Checklist

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress label Sep 27, 2024
@openshift-ci
Contributor

openshift-ci Bot commented Sep 27, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci-robot openshift-ci-robot added jira/valid-reference and jira/valid-bug labels Sep 27, 2024
@openshift-ci-robot

@bryan-cox: This pull request references Jira Issue OCPBUGS-42434, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.18.0) matches configured target version for branch (4.18.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @fxierh

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

What this PR does / why we need it:
This PR builds upon:

  1. OCPBUGS-42004: Add capability to Add Microsoft Managed Identity Sidecar Containers to HCP Pod Deployments #4801
  2. OCPBUGS-42434: Add Managed Identity Support in Azure HC API behind AROHCPManagedIdentities Feature gate #4811

This PR integrates the Microsoft adapter sidecar containers for the deployments of the following HCP components:

  1. CAPZ
  2. Azure cloud provider
  3. Azure KMS
  4. Control plane operator

Which issue(s) this PR fixes:
Fixes OCPBUGS-42434

Checklist

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot requested a review from fxierh September 27, 2024 15:16
@openshift-ci openshift-ci Bot added the area/cli label Sep 27, 2024
@openshift-ci
Contributor

openshift-ci Bot commented Sep 27, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added area/control-plane-operator, approved, area/documentation and area/hypershift-operator and removed do-not-merge/needs-area labels Sep 27, 2024
@netlify

netlify Bot commented Sep 27, 2024

Deploy Preview for hypershift-docs ready!

Name Link
🔨 Latest commit 35ac5fd
🔍 Latest deploy log https://app.netlify.com/sites/hypershift-docs/deploys/66fd679f11b160000810ba3a
😎 Deploy Preview https://deploy-preview-4824--hypershift-docs.netlify.app

@bryan-cox bryan-cox changed the title OCPBUGS-42434: Implement Managed Identity in HCP OCPBUGS-42434: Implement Managed Identity for HCP Components Sep 27, 2024
@bryan-cox bryan-cox force-pushed the OCPBUGS-42434 branch 2 times, most recently from 3dc3664 to 0c0fb0f Compare September 27, 2024 15:54
return err
}

deployment.Spec.Template.Spec.Containers = append(deployment.Spec.Template.Spec.Containers, azureutil.AdapterServerContainer(string(azureCredentials.Data["AZURE_CLIENT_ID"]), string(azureCredentials.Data["AZURE_CLIENT_SECRET"]), string(azureCredentials.Data["AZURE_TENANT_ID"])))
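Review bot: the append line passes the decoded value of azureCredentials.Data["AZURE_CLIENT_SECRET"] straight into azureutil.AdapterServerContainer(...), so unless that helper (not visible in this hunk) wires it through a secretKeyRef or a mounted volume, the client secret ends up in plain text in the Deployment's pod template, readable by anyone who can get Deployments in the namespace. Consider having the helper accept a reference to the credentials Secret (name and keys) instead of the values. The three Data[...] lookups are also unchecked: a missing key yields an empty string and the sidecar is appended with blank credentials, so validate that AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID are present and return an error otherwise. Three positional string arguments are easy to transpose; a small struct would make the call site self-describing.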
Member

where's this AdapterServerContainer contract defined?

Member Author

@openshift-merge-robot openshift-merge-robot added the needs-rebase label Oct 2, 2024
Adds fields in the Azure HostedCluster API for the managed identities
used for the following control plane components: azure cloud provider,
KMS, CAPZ, the control plane operator, the image registry operator,
cluster ingress operator, cluster network
operator/cluster-network-config-controller, azure-disk-controller and
azure-file-controller.

This commit also adds fields for the management cluster's Azure key
vault where the managed identity certificates are stored.

Signed-off-by: Bryan Cox <brcox@redhat.com>

Initialize the control plane managed identities in the CLI. These are
initialized with the client ID of the Service Principal at the moment.

Signed-off-by: Bryan Cox <brcox@redhat.com>

Signed-off-by: Bryan Cox <brcox@redhat.com>

Signed-off-by: Bryan Cox <brcox@redhat.com>
@openshift-merge-robot openshift-merge-robot removed the needs-rebase label Oct 2, 2024
@openshift-merge-robot openshift-merge-robot added the needs-rebase label Oct 16, 2024
@openshift-merge-robot
Contributor

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@bryan-cox
Member Author

/close

This is not needed since we are not doing the adapter sidecar container thing now

@openshift-ci openshift-ci Bot closed this Oct 18, 2024
@openshift-ci-robot

@bryan-cox: This pull request references Jira Issue OCPBUGS-42434. The bug has been updated to no longer refer to the pull request using the external bug tracker.

@openshift-ci
Contributor

openshift-ci Bot commented Oct 18, 2024

@bryan-cox: Closed this PR.

Labels

  • approved: Indicates a PR has been approved by an approver from all required OWNERS files.
  • area/cli: Indicates the PR includes changes for CLI
  • area/control-plane-operator: Indicates the PR includes changes for the control plane operator - in an OCP release
  • area/documentation: Indicates the PR includes changes for documentation
  • area/hypershift-operator: Indicates the PR includes changes for the hypershift operator and API - outside an OCP release
  • do-not-merge/work-in-progress: Indicates that a PR should not merge because it is a work in progress.
  • jira/valid-bug: Indicates that a referenced Jira bug is valid for the branch this PR is targeting.
  • jira/valid-reference: Indicates that this PR references a valid Jira ticket of any type.
  • needs-rebase: Indicates a PR cannot be merged because it has merge conflicts with HEAD.
