NO-JIRA: De-duplicate Azure self-managed documentation

[bryan-cox]

Summary

• Merge azure-workload-identity-setup.md into create-iam-separately.md as the single canonical page for OIDC issuer and workload identity setup
• Rewrite create-self-managed-azure-cluster.md to use hypershift create infra azure instead of manual az CLI commands, eliminating overlap with create-infra-separately.md
• Update all cross-references across the Azure docs and mkdocs nav

Why

Downstream docs writer flagged that overlapping pages made it unclear which procedure users should follow:

1. IAM duplication: azure-workload-identity-setup.md and create-iam-separately.md both documented hypershift create iam azure
2. Infra duplication: create-self-managed-azure-cluster.md had manual az CLI infra steps while create-infra-separately.md documented hypershift create infra azure

What changed

File	Change
create-iam-separately.md	Added OIDC issuer setup (ccoctl), persistent RG warning, KMS identity flag, verification. Now the single IAM+OIDC page
azure-workload-identity-setup.md	Deleted — all content merged into create-iam-separately.md
create-self-managed-azure-cluster.md	Replaced manual az CLI infra with hypershift create infra azure, updated cluster creation to use --infra-json
index.md, self-managed-azure-index.md, azure-self-managed.md	Updated cross-references
mkdocs.yml	Removed nav entry for deleted page

All CLI command examples have been verified against the actual cobra flag registrations in the codebase.

Test plan

• grep -r "azure-workload-identity-setup" docs/ returns zero results (excluding auto-generated aggregated-docs.md)
• make docs-aggregate regenerates aggregated-docs.md without the deleted page
• Verify create-iam-separately.md is self-contained: OIDC → identities → verification
• Verify create-self-managed-azure-cluster.md flow: create infra azure → create cluster azure with --infra-json

🤖 Generated with Claude Code

Summary by CodeRabbit

• Documentation
  • Consolidated Azure IAM/workload-identity guidance into a single "Create Azure IAM Resources" guide, removing the older standalone walkthrough.
  • Added end-to-end persistent OIDC issuer workflow, verification steps, and a new KMS enable option with related role guidance.
  • Updated self-managed Azure HostedCluster docs to use the HyperShift infra/cluster workflow and revised command examples.
  • Reorganized Azure how-to navigation for clearer guidance flow.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@bryan-cox: This pull request explicitly references no jira issue.

Details

In response to this:

Summary

• Merge azure-workload-identity-setup.md into create-iam-separately.md as the single canonical page for OIDC issuer and workload identity setup
• Rewrite create-self-managed-azure-cluster.md to use hypershift create infra azure instead of manual az CLI commands, eliminating overlap with create-infra-separately.md
• Update all cross-references across the Azure docs and mkdocs nav

Why

Downstream docs writer flagged that overlapping pages made it unclear which procedure users should follow:

1. IAM duplication: azure-workload-identity-setup.md and create-iam-separately.md both documented hypershift create iam azure
2. Infra duplication: create-self-managed-azure-cluster.md had manual az CLI infra steps while create-infra-separately.md documented hypershift create infra azure

What changed

File	Change
create-iam-separately.md	Added OIDC issuer setup (ccoctl), persistent RG warning, KMS identity flag, verification. Now the single IAM+OIDC page
azure-workload-identity-setup.md	Deleted — all content merged into create-iam-separately.md
create-self-managed-azure-cluster.md	Replaced manual az CLI infra with hypershift create infra azure, updated cluster creation to use --infra-json
index.md, self-managed-azure-index.md, azure-self-managed.md	Updated cross-references
mkdocs.yml	Removed nav entry for deleted page

All CLI command examples have been verified against the actual cobra flag registrations in the codebase.

Test plan

• grep -r "azure-workload-identity-setup" docs/ returns zero results (excluding auto-generated aggregated-docs.md)
• make docs-aggregate regenerates aggregated-docs.md without the deleted page
• Verify create-iam-separately.md is self-contained: OIDC → identities → verification
• Verify create-self-managed-azure-cluster.md flow: create infra azure → create cluster azure with --infra-json

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR removes the standalone Azure Workload Identity guide and consolidates its content into an expanded Create Azure IAM Resources how-to. The new guide documents a two-step persistent-RG workflow: configure an OIDC issuer (ccoctl) and create workload identities (hypershift create iam azure) with a --resource-group-name, --oidc-issuer-url, and optional --enable-kms. It adds verification commands, updated command references, and an end-to-end example. The self-managed cluster guide and site navigation are updated to reference the consolidated guide and the infra/cluster workflow now uses hypershift create infra azure -> hypershift create cluster azure with --infra-json; mkdocs nav is adjusted.

Possibly related PRs

• openshift/hypershift#8088: Introduces KMS identity support (--enable-kms flag and KMS-related workflow) that this documentation update describes and aligns with.

Suggested reviewers

• Nirshal
• sdminonne

🚥 Pre-merge checks | ✅ 11

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'De-duplicate Azure self-managed documentation' accurately summarizes the main objective of the pull request, which consolidates overlapping Azure setup documentation into a single canonical page.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR contains only documentation changes (.md and .yml files); no Ginkgo test files are modified, so the test name stability check does not apply.
Test Structure And Quality	✅ Passed	This PR contains only documentation changes (Azure guides consolidation). The custom check requires reviewing Ginkgo test code, which is not present in this PR.
Topology-Aware Scheduling Compatibility	✅ Passed	PR contains only documentation changes (.md files and mkdocs.yml config); no deployment manifests, operator code, or controller changes that could affect pod scheduling constraints.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests present; PR contains only documentation updates. Check is not applicable to documentation-only changes.
No-Weak-Crypto	✅ Passed	PR contains only documentation changes; no weak crypto algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or insecure secret comparisons found in modified files.
Container-Privileges	✅ Passed	PR contains only documentation changes (markdown and mkdocs config). No Kubernetes manifests or container security configs present, making this check inapplicable.
No-Sensitive-Data-In-Logs	✅ Passed	Documentation properly uses placeholder variables and paths; no hardcoded credentials, API keys, tokens, PII (emails/SSNs/credit cards), or sensitive data found in logs or examples.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [bryan-cox]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[bryan-cox]

/uncc @sjenning

[bryan-cox]

/cc @Nirshal

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/content/how-to/azure/create-iam-separately.md`:
- Line 57: Replace fenced code blocks (the triple-backtick markers like ```bash)
with indented code blocks to satisfy markdownlint MD046: remove the ``` lines
and indent each line of the code block by four spaces (preserving blank lines),
and apply this change to every occurrence of fenced blocks in the document
(e.g., the ```bash blocks noted). Ensure the language marker is removed and that
the surrounding text spacing remains correct so Markdown renders the indented
code blocks as before.

In `@docs/content/how-to/azure/create-self-managed-azure-cluster.md`:
- Line 49: Replace the fenced bash code blocks (the ```bash markers) with
indented code block style to satisfy markdownlint MD046; specifically convert
the fenced blocks at the instances referenced (the ```bash markers around the
code at the noted locations) into the standard 4-space (or tab) indented lines
so the content is formatted as indented code blocks instead of fenced ones.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 2cf9c577-c811-4867-b209-eab146491fce

📥 Commits

Reviewing files that changed from the base of the PR and between 36dfb1b and 989f232.

📒 Files selected for processing (7)

• docs/content/how-to/azure/azure-workload-identity-setup.md
• docs/content/how-to/azure/create-iam-separately.md
• docs/content/how-to/azure/create-self-managed-azure-cluster.md
• docs/content/how-to/azure/index.md
• docs/content/how-to/azure/self-managed-azure-index.md
• docs/content/reference/infrastructure/azure-self-managed.md
• docs/mkdocs.yml

💤 Files with no reviewable changes (2)

• docs/content/how-to/azure/azure-workload-identity-setup.md
• docs/mkdocs.yml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix markdown code block style to match repository lint config.

These blocks are fenced, but markdownlint reports MD046 expecting indented style at these lines.

Also applies to: 91-91, 134-134, 233-233

🧰 Tools

🪛 markdownlint-cli2 (0.22.1)

[warning] 57-57: Code block style
Expected: indented; Actual: fenced

(MD046, code-block-style)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/content/how-to/azure/create-iam-separately.md` at line 57, Replace
fenced code blocks (the triple-backtick markers like ```bash) with indented code
blocks to satisfy markdownlint MD046: remove the ``` lines and indent each line
of the code block by four spaces (preserving blank lines), and apply this change
to every occurrence of fenced blocks in the document (e.g., the ```bash blocks
noted). Ensure the language marker is removed and that the surrounding text
spacing remains correct so Markdown renders the indented code blocks as before.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Normalize code block style for markdownlint compliance.

markdownlint reports MD046 on these code blocks (expected indented style, found fenced style).

Also applies to: 85-85, 349-349

🧰 Tools

🪛 markdownlint-cli2 (0.22.1)

[warning] 49-49: Code block style
Expected: indented; Actual: fenced

(MD046, code-block-style)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/content/how-to/azure/create-self-managed-azure-cluster.md` at line 49,
Replace the fenced bash code blocks (the ```bash markers) with indented code
block style to satisfy markdownlint MD046; specifically convert the fenced
blocks at the instances referenced (the ```bash markers around the code at the
noted locations) into the standard 4-space (or tab) indented lines so the
content is formatted as indented code blocks instead of fenced ones.

[Nirshal]

The end-to-end workflow here is missing --assign-identity-roles and --dns-zone-rg-name on the create infra azure command, but create-self-managed-azure-cluster.md includes both flags in its infra command. Without --assign-identity-roles, role assignments would need to be done manually, which could trip up users who follow this workflow as-is.

Should these be added here for consistency?

[bryan-cox]

Done. Added --assign-identity-roles and --dns-zone-rg-name to the create infra azure command in the end-to-end workflow for consistency with create-self-managed-azure-cluster.md.

---

AI-assisted response via Claude Code

[Nirshal]

Nice cleanup — the de-duplication makes the flow much clearer.

One question: the create cluster azure examples use --assign-service-principal-roles, but in our recent testing we've been using --auto-assign-roles on the cluster command (and --assign-identity-roles on the infra command). Are these the same flag renamed, or do they serve different purposes?

[bryan-cox]

@Nirshal Good question — they're different flag names on different subcommands but they all control the same underlying AssignServicePrincipalRoles field:

• --assign-identity-roles → on create infra azure (cmd/infra/azure/create.go:58)
• --assign-service-principal-roles → on create cluster azure (cmd/cluster/azure/create.go:93)
• --auto-assign-roles → on create cluster azure in self-managed HCP mode (cmd/cluster/azure/create.go:142)

So --assign-service-principal-roles and --auto-assign-roles are equivalent — they set the same bool. The naming differs because self-managed clusters use workload identities (not service principals), so the flag was renamed for clarity in that context.

---

AI-assisted response via Claude Code

[Nirshal]

/lgtm

[openshift-merge-bot]

Pipeline controller notification

No second-stage tests were triggered for this PR.

This can happen when:

• The changed files don't match any pipeline_run_if_changed patterns
• All files match pipeline_skip_if_only_changed patterns
• No pipeline-controlled jobs are defined for the main branch

Use /test ? to see all available tests.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/content/how-to/azure/create-iam-separately.md`:
- Line 239: The docs incorrectly suggest an identity-name ordering of
`${INFRA_ID}-disk`; update the how-to text to reflect the actual implementation
which builds identityName as identityName := opts.Name + def.IdentityNameSuffix
(i.e., `<clusterName>-disk-<infraID>`) and keep the verification example
`--identity-name "${CLUSTER_NAME}-disk-${INFRA_ID}"`; also change the INFRA_ID
example to avoid duplicating the cluster name (e.g., use only a random suffix
like `$(openssl rand -hex 4)` or another short unique suffix) so you don’t end
up with names like `my-cluster-disk-my-cluster-abc123`.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 9cbd53ef-fb56-41ed-ab95-0b6d4852adbc

📥 Commits

Reviewing files that changed from the base of the PR and between 989f232 and 1912079.

⛔ Files ignored due to path filters (1)

• docs/content/reference/aggregated-docs.md is excluded by !docs/content/reference/aggregated-docs.md

📒 Files selected for processing (7)

• docs/content/how-to/azure/azure-workload-identity-setup.md
• docs/content/how-to/azure/create-iam-separately.md
• docs/content/how-to/azure/create-self-managed-azure-cluster.md
• docs/content/how-to/azure/index.md
• docs/content/how-to/azure/self-managed-azure-index.md
• docs/content/reference/infrastructure/azure-self-managed.md
• docs/mkdocs.yml

💤 Files with no reviewable changes (2)

• docs/content/how-to/azure/azure-workload-identity-setup.md
• docs/mkdocs.yml

✅ Files skipped from review due to trivial changes (3)

• docs/content/reference/infrastructure/azure-self-managed.md
• docs/content/how-to/azure/self-managed-azure-index.md
• docs/content/how-to/azure/index.md

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Find the identity naming logic in the hypershift codebase

# Search for Azure identity creation patterns in create iam command
rg -nP --type=go -C5 'userAssignedIdentities.*disk|ManagedIdentity.*disk'

Repository: openshift/hypershift

Length of output: 5963

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Show relevant parts of the docs around INFRA_ID and the identity-name snippet.
doc="docs/content/how-to/azure/create-iam-separately.md"
if [ -f "$doc" ]; then
  echo "=== Docs around INFRA_ID (lines ~70-110) ==="
  nl -ba "$doc" | sed -n '70,120p'
  echo "=== Docs around identity-name snippet (lines ~220-260) ==="
  nl -ba "$doc" | sed -n '220,260p'
fi

# 2) Find the implementation of `hypershift create iam azure`.
echo "=== Search for create iam azure implementation ==="
rg -n --hidden --glob='*.go' "create iam.*azure|create-iam|iam azure" . | head -n 50

# 3) Search for identity naming templates and infraID/INFRA_ID usage.
echo "=== Search for infraID/INFRA_ID and disk identity naming ==="
rg -n --hidden --glob='*.go' "infra[_-]?id|INFRA_ID|identity[-_]?name|disk.*identity|disk.*(UserAssigned|ManagedIdentity)|userAssignedIdentities.*disk" . | head -n 200

# 4) Search for "azure-disk-controller" mentioned in API types; then follow usages.
echo "=== Search for azure-disk-controller usage ==="
rg -n --hidden --glob='*.go' "azure-disk-controller" . | head -n 100

# 5) Find where `Disk` managed identity is constructed (look for json:"disk" usage in templates/construction).
echo "=== Search for ManagedIdentity.*Disk construction ==="
rg -n --hidden --glob='*.go' "Disk:.*ManagedIdentity|Disk.*ManagedIdentityApplyConfiguration|ManagedIdentity{.*disk|CredentialsSecretName: \"disk" . | head -n 200

Repository: openshift/hypershift

Length of output: 170

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Show relevant parts of the docs around INFRA_ID and the identity-name snippet.
doc="docs/content/how-to/azure/create-iam-separately.md"
if [ -f "$doc" ]; then
  echo "=== Docs around INFRA_ID (lines ~70-110) ==="
  nl -ba "$doc" | sed -n '70,120p'
  echo "=== Docs around identity-name snippet (lines ~220-260) ==="
  nl -ba "$doc" | sed -n '220,260p'
fi

# 2) Find the implementation of `hypershift create iam azure`.
echo "=== Search for create iam azure implementation ==="
rg -n --hidden --glob='*.go' "create iam.*azure|create-iam|iam azure" . | head -n 50

# 3) Search for identity naming templates and infraID/INFRA_ID usage.
echo "=== Search for infraID/INFRA_ID and disk identity naming ==="
rg -n --hidden --glob='*.go' "infra[_-]?id|INFRA_ID|identity[-_]?name|disk.*identity|disk.*(UserAssigned|ManagedIdentity)|userAssignedIdentities.*disk" . | head -n 200

# 4) Search for "azure-disk-controller" mentioned in API types; then follow usages.
echo "=== Search for azure-disk-controller usage ==="
rg -n --hidden --glob='*.go' "azure-disk-controller" . | head -n 100

# 5) Find where `Disk` managed identity is constructed (look for json:"disk" usage in templates/construction).
echo "=== Search for ManagedIdentity.*Disk construction ==="
rg -n --hidden --glob='*.go' "Disk:.*ManagedIdentity|Disk.*ManagedIdentityApplyConfiguration|ManagedIdentity{.*disk|CredentialsSecretName: \"disk" . | head -n 200

Repository: openshift/hypershift

Length of output: 170

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

doc="docs/content/how-to/azure/create-iam-separately.md"
if [ -f "$doc" ]; then
  echo "=== Docs around INFRA_ID (lines ~70-120) ==="
  nl -ba "$doc" | sed -n '70,120p'
  echo "=== Docs around identity-name snippet (lines ~220-260) ==="
  nl -ba "$doc" | sed -n '220,260p'
fi

echo "=== Search for create iam azure implementation ==="
rg -n --hidden --glob='*.go' "create iam.*azure|create-iam|iam azure" . | head -n 50

echo "=== Search for infraID/INFRA_ID and disk identity naming ==="
rg -n --hidden --glob='*.go' "infra[_-]?id|INFRA_ID|identity[-_]?name|disk.*identity|disk.*(UserAssigned|ManagedIdentity)|userAssignedIdentities.*disk" . | head -n 200

echo "=== Search for azure-disk-controller usage ==="
rg -n --hidden --glob='*.go' "azure-disk-controller" . | head -n 100

echo "=== Search for ManagedIdentity.*Disk construction ==="
rg -n --hidden --glob='*.go' "Disk:.*ManagedIdentity|Disk.*ManagedIdentityApplyConfiguration|ManagedIdentity{.*disk|CredentialsSecretName: \"disk" . | head -n 200

Repository: openshift/hypershift

Length of output: 170

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

doc="docs/content/how-to/azure/create-iam-separately.md"
echo "=== Docs around INFRA_ID (lines ~80-120) ==="
sed -n '80,120p' "$doc" || true

echo "=== Docs around identity-name snippet (lines ~230-255) ==="
sed -n '230,260p' "$doc" || true

echo "=== Search for create iam azure implementation ==="
rg -n --hidden --glob='*.go' "create[- ]iam|createIam|create iam|iam azure|create.*iam.*azure|disk.*ManagedIdentity|userAssignedIdentities" . | head -n 200

echo "=== Search for disk managed identity naming templates ==="
rg -n --hidden --glob='*.go' "(infra[_-]?id|INFRA[_-]?ID|cluster[_-]?name|CLUSTER_NAME|identityName|identity[-_]?name|disk.*identity|disk.*managedidentity|userAssignedIdentities.*disk)" . | head -n 200

Repository: openshift/hypershift

Length of output: 42575

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Locate the IAM Azure create implementation
echo "=== Candidate files for create iam azure ==="
fd -t f -g 'create*.go' cmd product-cli | rg -n "iam/azure/create.go|cmd/iam/azure/create.go|product-cli/cmd/iam/azure/create.go|create_iam.*azure|create.*iam.*azure" || true
rg -n "hypershift create iam azure|create iam azure" cmd product-cli . -S | head -n 50 || true

# Inspect cmd/iam/azure/create.go if present
for f in cmd/iam/azure/create.go product-cli/cmd/iam/azure/create.go; do
  if [ -f "$f" ]; then
    echo "=== File: $f ==="
    sed -n '1,220p' "$f" | head -n 220
    rg -n "infra-id|INFRA[_-]?ID|identity[-_]?name|disk|Disk|ManagedIdentity" "$f" || true
  fi
done

# Search across repo for disk identity name formatting involving infra-id
echo "=== Repo-wide search for disk identity-name formatting ==="
rg -n --hidden --glob='*.go' "(disk.*(identity|Identity)|ManagedIdentity.*disk|disk.*ManagedIdentity|\"disk\".*infra|infra.*\"disk\"|infra.*disk.*name|identityName.*disk)" cmd product-cli hypershift-operator . | head -n 200

# Search for "workload-identities.json" schema usage
echo "=== Search for workload-identities.json usage in Go ==="
rg -n --hidden --glob='*.go' "workload-identities\.json|workload identities" cmd product-cli . | head -n 200

# Search for "infra-id" usage in Azure IAM create path
echo "=== Search for --infra-id usage around IAM create ==="
rg -n --hidden --glob='*.go' "infra-id" cmd/iam cmd/infra product-cli/cmd/iam . | head -n 200

Repository: openshift/hypershift

Length of output: 41487

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

ls -la cmd/infra/azure | head

# File sizes for targeted reading
wc -l cmd/infra/azure/create_iam.go cmd/infra/azure/identities.go cmd/infra/azure/destroy_iam.go 2>/dev/null || true

echo "=== rg 'disk' in cmd/infra/azure ==="
rg -n --glob='*.go' "disk" cmd/infra/azure | head -n 200

echo "=== rg identity name patterns in cmd/infra/azure ==="
rg -n --glob='*.go' "(identity.?name|IdentityName|userAssignedIdentities|federatedIdentityCredentials|federated.?credential)" cmd/infra/azure | head -n 200

echo "=== rg infra-id usage in cmd/infra/azure ==="
rg -n --glob='*.go' "InfraID" cmd/infra/azure | head -n 200

Repository: openshift/hypershift

Length of output: 12980

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

ls -la cmd/infra/azure | head

wc -l cmd/infra/azure/create_iam.go cmd/infra/azure/identities.go cmd/infra/azure/destroy_iam.go 2>/dev/null || true

echo "=== rg 'disk' in cmd/infra/azure ==="
rg -n --glob='*.go' "disk" cmd/infra/azure | head -n 200

echo "=== rg identity name patterns in cmd/infra/azure ==="
rg -n --glob='*.go' "(identity.?name|IdentityName|userAssignedIdentities|federatedIdentityCredentials|federated.?credential)" cmd/infra/azure | head -n 200

echo "=== rg infra-id usage in cmd/infra/azure ==="
rg -n --glob='*.go' "InfraID" cmd/infra/azure | head -n 200

Repository: openshift/hypershift

Length of output: 12980

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

f="cmd/infra/azure/identities.go"
echo "=== identities.go (resourceNamePrefix + naming helpers) ==="
sed -n '80,180p' "$f" | sed -e 's/\t/  /g'

echo "=== identities.go (disk identity block) ==="
sed -n '155,230p' "$f" | sed -e 's/\t/  /g'

echo "=== identities.go (any identity output naming for disk) ==="
sed -n '230,310p' "$f" | sed -e 's/\t/  /g'

echo "=== create_iam.go ==="
sed -n '1,200p' cmd/infra/azure/create_iam.go | sed -e 's/\t/  /g'

Repository: openshift/hypershift

Length of output: 18184

---

Adjust the docs discussion: disk identity names are <clusterName>-disk-<infraID> in code

hypershift create iam azure creates the disk managed identity as <clusterName>-disk-<infraID> (in cmd/infra/azure/identities.go, it builds identityName := opts.Name + def.IdentityNameSuffix where the disk suffix is -disk, then appends "-" + opts.InfraID). That matches the docs’ verification example --identity-name "${CLUSTER_NAME}-disk-${INFRA_ID}", so the identity-name ordering suggestion (${INFRA_ID}-disk) doesn’t align with implementation.

The “duplicate cluster name” comes from the docs’ INFRA_ID="${CLUSTER_NAME}-$(openssl rand -hex 4)" definition (yielding names like my-cluster-disk-my-cluster-abc123). To avoid that, update the docs’ INFRA_ID example (e.g., use only the random suffix) rather than changing the identity-name template.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/content/how-to/azure/create-iam-separately.md` at line 239, The docs
incorrectly suggest an identity-name ordering of `${INFRA_ID}-disk`; update the
how-to text to reflect the actual implementation which builds identityName as
identityName := opts.Name + def.IdentityNameSuffix (i.e.,
`<clusterName>-disk-<infraID>`) and keep the verification example
`--identity-name "${CLUSTER_NAME}-disk-${INFRA_ID}"`; also change the INFRA_ID
example to avoid duplicating the cluster name (e.g., use only a random suffix
like `$(openssl rand -hex 4)` or another short unique suffix) so you don’t end
up with names like `my-cluster-disk-my-cluster-abc123`.

[openshift-ci]

@bryan-cox: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[bryan-cox]

/verified by @bryan-cox

[openshift-ci-robot]

@bryan-cox: This PR has been marked as verified by @bryan-cox.

Details

In response to this:

/verified by @bryan-cox

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[hypershift-jira-solve-ci]

I now have all the evidence needed. Both failures are the same Go build cache corruption issue hitting all PRs on this repo — completely unrelated to this docs-only PR.

Test Failure Analysis Complete

Job Information

• Prow Job: lint / Lint (GitHub Actions workflow)
• Build ID: 26572716219 (lint), 26572716174 (verify)
• PR: NO-JIRA: De-duplicate Azure self-managed documentation #8566 — NO-JIRA: De-duplicate Azure self-managed documentation
• Branch: fix-azure-docs-2 → main

Test Failure Analysis

Error

# Lint job:
support/capabilities/management_cluster_capabilities.go:15:2: could not import k8s.io/client-go/discovery
  (/home/runner/go/pkg/mod/k8s.io/client-go@v0.35.1/discovery/discovery_client.go:44:2: could not import
  k8s.io/client-go/kubernetes/scheme (/home/runner/go/pkg/mod/k8s.io/client-go@v0.35.1/kubernetes/scheme/register.go:39:15:
  could not import k8s.io/api/batch/v1beta1 (-: loading compiled Go files from cache: reading srcfiles list:
  cache entry not found: bad checksum))) (typecheck)

# Verify job:
-: loading compiled Go files from cache: reading srcfiles list: cache entry not found: bad checksum
Error: not all generators ran successfully
make: *** [Makefile:252: hypershift-api] Error 1

Summary

Both failures are caused by Go build cache corruption on the GitHub Actions runner — the error "cache entry not found: bad checksum" indicates the pre-warmed Go module cache on the runner has corrupted entries for k8s.io/client-go@v0.35.1 and related packages. This is a repo-wide infrastructure flake affecting all PRs, completely unrelated to this docs-only PR which only modifies Markdown files and mkdocs.yml.

Root Cause

The root cause is corrupted Go build cache on the GitHub Actions runner, not anything in this PR.

The Go toolchain caches compiled package files in $GOCACHE. When cache entries become corrupted (e.g., due to runner disk issues, concurrent writes, or stale pre-warmed caches), Go reports "loading compiled Go files from cache: reading srcfiles list: cache entry not found: bad checksum". This prevents downstream tools from loading the compiled package, causing cascading import failures.

Lint job: golangci-lint (second pass, linting ./support/...) fails with a typecheck error because it cannot load k8s.io/client-go/discovery — the import chain discovery → kubernetes/scheme → k8s.io/api/batch/v1beta1 hits the corrupted cache entry. Notably, the first golangci-lint pass (on ./api/...) completed successfully with 0 issues.

Verify job: controller-gen (invoked by make hypershift-api) fails during code generation for ./api/... with the identical cache corruption error, causing the Makefile target to exit with error code 2.

This is a fleet-wide issue: The identical bad checksum error also appears in:

• test-arc-runners branch lint run 26572736102 (same day, different file path in chain)
• test-arc-runners branch lint run 26571764311 (different file hit: oapi/reconcile.go)
• test-arc-runners branch verify run 26571764233 (identical controller-gen failure)

The PR changes zero Go files — it only modifies 6 Markdown docs, 1 YAML nav file, and 1 aggregated-docs reference. The Go compilation and linting pipeline should not be affected by these changes at all.

Recommendations

1. Re-run both failed jobs — The cache corruption is non-deterministic and a fresh runner will likely have a clean cache. Click "Re-run failed jobs" on both workflow runs.

2. No code changes needed in this PR — The PR is docs-only (Markdown + mkdocs.yml). The failures are infrastructure flakes unrelated to the PR content.

3. Repo-level fix (for maintainers) — If the issue persists across re-runs, the GitHub Actions workflows should add a go clean -cache step before the lint/verify targets to ensure a clean build cache, or the runner image's pre-warmed cache should be rebuilt.

4. Consider skipping Go CI for docs-only PRs — Adding a path filter to the lint and verify workflows (e.g., paths-ignore: ['docs/**', '*.md', 'mkdocs.yml']) would avoid running expensive Go compilation for documentation changes entirely.

Evidence

Evidence	Detail
PR files changed	6 Markdown files, 1 mkdocs.yml, 1 aggregated-docs.md — zero Go files
Lint error	typecheck on k8s.io/api/batch/v1beta1: cache entry not found: bad checksum
Verify error	controller-gen on ./api/...: cache entry not found: bad checksum
Same error on other PRs	test-arc-runners branch runs 26572736102, 26571764311, 26571764233 all show identical bad checksum failures
Lint pass 1 (./api/...)	Completed successfully — 0 issues — showing the error is non-deterministic cache corruption
Lint pass 2 (./support/...)	Failed on import chain: discovery → kubernetes/scheme → batch/v1beta1 → corrupted cache
Go module version	k8s.io/client-go@v0.35.1 — the corrupted cache entry is for this dependency
Runner environment	GitHub Actions hosted runner, Go 1.25.7, golangci-lint 2.11.4

---

[bryan-cox]

/retest