-
Notifications
You must be signed in to change notification settings - Fork 1.4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
azure: don't use managed identity on ARO
At the moment OCP on Azure uses MSI for kubelets and controllers and one or more service principals for operators. For now on ARO, simplify to all components using the user-provided SP. Later, we'll reinstate a separate managed identity at least for worker kubelets.
- Loading branch information
Showing
9 changed files
with
163 additions
and
2 deletions.
There are no files selected for viewing
14 changes: 14 additions & 0 deletions
14
data/data/manifests/openshift/99_azure-cloud-provider-secret-getter-role.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: Role | ||
metadata: | ||
name: system:azure-cloud-provider-secret-getter | ||
namespace: kube-system | ||
rules: | ||
- apiGroups: | ||
- "" | ||
resourceNames: | ||
- azure-cloud-provider | ||
resources: | ||
- secrets | ||
verbs: | ||
- get |
13 changes: 13 additions & 0 deletions
13
data/data/manifests/openshift/99_azure-cloud-provider-secret-getter-rolebinding.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
name: system:azure-cloud-provider-secret-getter | ||
namespace: kube-system | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: Role | ||
name: system:azure-cloud-provider-secret-getter | ||
subjects: | ||
- kind: ServiceAccount | ||
name: azure-cloud-provider | ||
namespace: kube-system |
7 changes: 7 additions & 0 deletions
7
data/data/manifests/openshift/99_azure-cloud-provider-secret.yaml.template
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: azure-cloud-provider | ||
namespace: kube-system | ||
data: | ||
cloud-config: {{.Base64encodedCloudConfig}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
80 changes: 80 additions & 0 deletions
80
pkg/asset/templates/content/openshift/azure-cloud-provider-secret.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,80 @@ | ||
package openshift | ||
|
||
import ( | ||
"os" | ||
"path/filepath" | ||
|
||
"github.com/openshift/installer/pkg/asset" | ||
"github.com/openshift/installer/pkg/asset/templates/content" | ||
) | ||
|
||
const ( | ||
azureCloudProviderSecretFileName = "99_azure-cloud-provider-secret.yaml.template" | ||
azureCloudProviderSecretGetterRoleBindingFileName = "99_azure-cloud-provider-secret-getter-rolebinding.yaml" | ||
azureCloudProviderSecretGetterRoleFileName = "99_azure-cloud-provider-secret-getter-role.yaml" | ||
) | ||
|
||
var _ asset.WritableAsset = (*AzureCloudProviderSecret)(nil) | ||
|
||
// AzureCloudProviderSecret is the variable to represent contents of corresponding files | ||
type AzureCloudProviderSecret struct { | ||
FileList []*asset.File | ||
} | ||
|
||
// Dependencies returns all of the dependencies directly needed by the asset | ||
func (t *AzureCloudProviderSecret) Dependencies() []asset.Asset { | ||
return []asset.Asset{} | ||
} | ||
|
||
// Name returns the human-friendly name of the asset. | ||
func (t *AzureCloudProviderSecret) Name() string { | ||
return "AzureCloudProviderSecret" | ||
} | ||
|
||
// Generate generates the actual files by this asset | ||
func (t *AzureCloudProviderSecret) Generate(parents asset.Parents) error { | ||
t.FileList = []*asset.File{} | ||
|
||
for _, fileName := range []string{ | ||
azureCloudProviderSecretFileName, | ||
azureCloudProviderSecretGetterRoleBindingFileName, | ||
azureCloudProviderSecretGetterRoleFileName, | ||
} { | ||
data, err := content.GetOpenshiftTemplate(fileName) | ||
if err != nil { | ||
return err | ||
} | ||
t.FileList = append(t.FileList, &asset.File{ | ||
Filename: filepath.Join(content.TemplateDir, fileName), | ||
Data: []byte(data), | ||
}) | ||
} | ||
return nil | ||
} | ||
|
||
// Files returns the files generated by the asset. | ||
func (t *AzureCloudProviderSecret) Files() []*asset.File { | ||
return t.FileList | ||
} | ||
|
||
// Load returns the asset from disk. | ||
func (t *AzureCloudProviderSecret) Load(f asset.FileFetcher) (bool, error) { | ||
t.FileList = []*asset.File{} | ||
|
||
for _, fileName := range []string{ | ||
azureCloudProviderSecretFileName, | ||
azureCloudProviderSecretGetterRoleBindingFileName, | ||
azureCloudProviderSecretGetterRoleFileName, | ||
} { | ||
file, err := f.FetchByName(filepath.Join(content.TemplateDir, fileName)) | ||
if err != nil { | ||
if os.IsNotExist(err) { | ||
return false, nil | ||
} | ||
return false, err | ||
} | ||
t.FileList = append(t.FileList, file) | ||
} | ||
|
||
return true, nil | ||
} |