CI Integration-Azure Managed Identity (Workload Identity) Support (#4…

…1121) * Azure Managed Identity (Workload Identity) Support * update
openshift · Jul 14, 2023 · 0fa99cf · 0fa99cf
1 parent fa655a7
commit 0fa99cf
Show file tree

Hide file tree

Showing 12 changed files with 343 additions and 0 deletions.
diff --git a/...penshift-tests-private/openshift-openshift-tests-private-release-4.14__amd64-nightly.yaml b/...penshift-tests-private/openshift-openshift-tests-private-release-4.14__amd64-nightly.yaml
@@ -1857,6 +1857,18 @@ tests:
     test:
     - chain: openshift-e2e-test-qe-destructive
     workflow: cucushift-installer-rehearse-azure-ipi-vmgenv1
+- as: azure-ipi-workload-identity-tp-p1-f14
+  cron: 54 19 8,23 * *
+  steps:
+    cluster_profile: azure-qe
+    env:
+      BASE_DOMAIN: qe.azure.devcluster.openshift.com
+      E2E_RUN_TAGS: '@amd64 and @azure-ipi and @network-ovnkubernetes and not @fips'
+      FEATURE_SET: TechPreviewNoUpgrade
+      TAG_VERSION: '@4.14'
+    test:
+    - chain: openshift-e2e-test-qe
+    workflow: cucushift-installer-rehearse-azure-ipi-cco-manual-workload-identity
 - as: azure-ipi-workers-rhel8-p2-f14
   cron: 13 20 11,26 * *
   steps:

diff --git a/...penshift-tests-private/openshift-openshift-tests-private-release-4.14__arm64-nightly.yaml b/...penshift-tests-private/openshift-openshift-tests-private-release-4.14__arm64-nightly.yaml
@@ -1590,6 +1590,22 @@ tests:
     test:
     - chain: openshift-e2e-test-qe-destructive
     workflow: cucushift-installer-rehearse-azure-ipi-usertags
+- as: azure-ipi-workload-identity-tp-p1-f14
+  cron: 17 17 9,24 * *
+  steps:
+    cluster_profile: azure-qe
+    dependencies:
+      OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: release:arm64-latest
+    env:
+      BASE_DOMAIN: qe.azure.devcluster.openshift.com
+      COMPUTE_NODE_TYPE: Standard_D4ps_v5
+      E2E_RUN_TAGS: '@arm64 and @azure-ipi and @network-ovnkubernetes and not @fips'
+      FEATURE_SET: TechPreviewNoUpgrade
+      OCP_ARCH: arm64
+      TAG_VERSION: '@4.14'
+    test:
+    - chain: openshift-e2e-test-qe
+    workflow: cucushift-installer-rehearse-azure-ipi-cco-manual-workload-identity
 - as: azure-upi-p3-f28
   cron: 17 17 19 * *
   steps:

diff --git a/...ift/openshift-tests-private/openshift-openshift-tests-private-release-4.14-periodics.yaml b/...ift/openshift-tests-private/openshift-openshift-tests-private-release-4.14-periodics.yaml
@@ -37575,6 +37575,88 @@ periodics:
     - name: result-aggregator
       secret:
         secretName: result-aggregator
+- agent: kubernetes
+  cluster: build03
+  cron: 54 19 8,23 * *
+  decorate: true
+  decoration_config:
+    skip_cloning: true
+  extra_refs:
+  - base_ref: release-4.14
+    org: openshift
+    repo: openshift-tests-private
+  labels:
+    ci-operator.openshift.io/cloud: azure4
+    ci-operator.openshift.io/cloud-cluster-profile: azure-qe
+    ci-operator.openshift.io/variant: amd64-nightly
+    ci.openshift.io/generator: prowgen
+    job-release: "4.14"
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-openshift-openshift-tests-private-release-4.14-amd64-nightly-azure-ipi-workload-identity-tp-p1-f14
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --oauth-token-path=/usr/local/github-credentials/oauth
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --secret-dir=/usr/local/azure-ipi-workload-identity-tp-p1-f14-cluster-profile
+      - --target=azure-ipi-workload-identity-tp-p1-f14
+      - --variant=amd64-nightly
+      command:
+      - ci-operator
+      image: ci-operator:latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /usr/local/azure-ipi-workload-identity-tp-p1-f14-cluster-profile
+        name: cluster-profile
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /usr/local/github-credentials
+        name: github-credentials-openshift-ci-robot-private-git-cloner
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: cluster-profile
+      secret:
+        secretName: cluster-secrets-azure-qe
+    - name: github-credentials-openshift-ci-robot-private-git-cloner
+      secret:
+        secretName: github-credentials-openshift-ci-robot-private-git-cloner
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator
 - agent: kubernetes
   cluster: build03
   cron: 11 3 13,28 * *
@@ -63215,6 +63297,88 @@ periodics:
     - name: result-aggregator
       secret:
         secretName: result-aggregator
+- agent: kubernetes
+  cluster: build03
+  cron: 17 17 9,24 * *
+  decorate: true
+  decoration_config:
+    skip_cloning: true
+  extra_refs:
+  - base_ref: release-4.14
+    org: openshift
+    repo: openshift-tests-private
+  labels:
+    ci-operator.openshift.io/cloud: azure4
+    ci-operator.openshift.io/cloud-cluster-profile: azure-qe
+    ci-operator.openshift.io/variant: arm64-nightly
+    ci.openshift.io/generator: prowgen
+    job-release: "4.14"
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-openshift-openshift-tests-private-release-4.14-arm64-nightly-azure-ipi-workload-identity-tp-p1-f14
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --oauth-token-path=/usr/local/github-credentials/oauth
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --secret-dir=/usr/local/azure-ipi-workload-identity-tp-p1-f14-cluster-profile
+      - --target=azure-ipi-workload-identity-tp-p1-f14
+      - --variant=arm64-nightly
+      command:
+      - ci-operator
+      image: ci-operator:latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /usr/local/azure-ipi-workload-identity-tp-p1-f14-cluster-profile
+        name: cluster-profile
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /usr/local/github-credentials
+        name: github-credentials-openshift-ci-robot-private-git-cloner
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: cluster-profile
+      secret:
+        secretName: cluster-secrets-azure-qe
+    - name: github-credentials-openshift-ci-robot-private-git-cloner
+      secret:
+        secretName: github-credentials-openshift-ci-robot-private-git-cloner
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator
 - agent: kubernetes
   cluster: build03
   cron: 17 17 19 * *

diff --git a/.../step-registry/cucushift/installer/rehearse/azure/ipi/cco-manual-workload-identity/OWNERS b/.../step-registry/cucushift/installer/rehearse/azure/ipi/cco-manual-workload-identity/OWNERS
@@ -0,0 +1,16 @@
+approvers:
+- jianlinliu
+- Amoghrd
+- yunjiang29
+- mgahagan73
+- MayXuQQ
+- huangmingxia
+- jianping-shu
+reviewers:
+- jianlinliu
+- Amoghrd
+- yunjiang29
+- mgahagan73
+- MayXuQQ
+- huangmingxia
+- jianping-shu
diff --git a/...ucushift-installer-rehearse-azure-ipi-cco-manual-workload-identity-workflow.metadata.json b/...ucushift-installer-rehearse-azure-ipi-cco-manual-workload-identity-workflow.metadata.json
@@ -0,0 +1,23 @@
+{
+	"path": "cucushift/installer/rehearse/azure/ipi/cco-manual-workload-identity/cucushift-installer-rehearse-azure-ipi-cco-manual-workload-identity-workflow.yaml",
+	"owners": {
+		"approvers": [
+			"jianlinliu",
+			"Amoghrd",
+			"yunjiang29",
+			"mgahagan73",
+			"MayXuQQ",
+			"huangmingxia",
+			"jianping-shu"
+		],
+		"reviewers": [
+			"jianlinliu",
+			"Amoghrd",
+			"yunjiang29",
+			"mgahagan73",
+			"MayXuQQ",
+			"huangmingxia",
+			"jianping-shu"
+		]
+	}
+}
diff --git a/...dentity/cucushift-installer-rehearse-azure-ipi-cco-manual-workload-identity-workflow.yaml b/...dentity/cucushift-installer-rehearse-azure-ipi-cco-manual-workload-identity-workflow.yaml
@@ -0,0 +1,15 @@
+workflow:
+  as:  cucushift-installer-rehearse-azure-ipi-cco-manual-workload-identity
+  steps:
+    pre:
+      - chain:  cucushift-installer-rehearse-azure-ipi-cco-manual-workload-identity-provision
+    post:
+      - chain:  cucushift-installer-rehearse-azure-ipi-cco-manual-workload-identity-deprovision
+  documentation: |-
+    The IPI workflow provides provision- and deprovision- steps that provision and
+    deprovision an OpenShift cluster with AZURE workload identity, allowing job authors 
+    to inject their own end-to-end test logic.
+    All modifications to this workflow should be done by modifying the
+    ` cucushift-installer-rehearse-azure-ipi-cco-manual-workload-identity-{provision,deprovision}` 
+    chains to allow other workflows to mimic and extend this base workflow without 
+    a need to backport changes.
diff --git a/...ry/cucushift/installer/rehearse/azure/ipi/cco-manual-workload-identity/deprovision/OWNERS b/...ry/cucushift/installer/rehearse/azure/ipi/cco-manual-workload-identity/deprovision/OWNERS
@@ -0,0 +1,16 @@
+approvers:
+- jianlinliu
+- Amoghrd
+- yunjiang29
+- mgahagan73
+- MayXuQQ
+- huangmingxia
+- jianping-shu
+reviewers:
+- jianlinliu
+- Amoghrd
+- yunjiang29
+- mgahagan73
+- MayXuQQ
+- huangmingxia
+- jianping-shu
diff --git a/...installer-rehearse-azure-ipi-cco-manual-workload-identity-deprovision-chain.metadata.json b/...installer-rehearse-azure-ipi-cco-manual-workload-identity-deprovision-chain.metadata.json
@@ -0,0 +1,23 @@
+{
+	"path": "cucushift/installer/rehearse/azure/ipi/cco-manual-workload-identity/deprovision/cucushift-installer-rehearse-azure-ipi-cco-manual-workload-identity-deprovision-chain.yaml",
+	"owners": {
+		"approvers": [
+			"jianlinliu",
+			"Amoghrd",
+			"yunjiang29",
+			"mgahagan73",
+			"MayXuQQ",
+			"huangmingxia",
+			"jianping-shu"
+		],
+		"reviewers": [
+			"jianlinliu",
+			"Amoghrd",
+			"yunjiang29",
+			"mgahagan73",
+			"MayXuQQ",
+			"huangmingxia",
+			"jianping-shu"
+		]
+	}
+}
diff --git a/...ucushift-installer-rehearse-azure-ipi-cco-manual-workload-identity-deprovision-chain.yaml b/...ucushift-installer-rehearse-azure-ipi-cco-manual-workload-identity-deprovision-chain.yaml
@@ -0,0 +1,7 @@
+chain:
+  as:  cucushift-installer-rehearse-azure-ipi-cco-manual-workload-identity-deprovision
+  steps:
+    - chain: cucushift-installer-rehearse-azure-ipi-deprovision
+    - ref: ipi-conf-azure-oidc-creds-deprovision
+  documentation: |-
+    The chain destroys resources created by "cucushift-installer-rehearse-azure-ipi-cco-manual-workload-identity-provision".
diff --git a/...stry/cucushift/installer/rehearse/azure/ipi/cco-manual-workload-identity/provision/OWNERS b/...stry/cucushift/installer/rehearse/azure/ipi/cco-manual-workload-identity/provision/OWNERS
@@ -0,0 +1,16 @@
+approvers:
+- jianlinliu
+- Amoghrd
+- yunjiang29
+- mgahagan73
+- MayXuQQ
+- huangmingxia
+- jianping-shu
+reviewers:
+- jianlinliu
+- Amoghrd
+- yunjiang29
+- mgahagan73
+- MayXuQQ
+- huangmingxia
+- jianping-shu
diff --git a/...t-installer-rehearse-azure-ipi-cco-manual-workload-identity-provision-chain.metadata.json b/...t-installer-rehearse-azure-ipi-cco-manual-workload-identity-provision-chain.metadata.json
@@ -0,0 +1,23 @@
+{
+	"path": "cucushift/installer/rehearse/azure/ipi/cco-manual-workload-identity/provision/cucushift-installer-rehearse-azure-ipi-cco-manual-workload-identity-provision-chain.yaml",
+	"owners": {
+		"approvers": [
+			"jianlinliu",
+			"Amoghrd",
+			"yunjiang29",
+			"mgahagan73",
+			"MayXuQQ",
+			"huangmingxia",
+			"jianping-shu"
+		],
+		"reviewers": [
+			"jianlinliu",
+			"Amoghrd",
+			"yunjiang29",
+			"mgahagan73",
+			"MayXuQQ",
+			"huangmingxia",
+			"jianping-shu"
+		]
+	}
+}
diff --git a/.../cucushift-installer-rehearse-azure-ipi-cco-manual-workload-identity-provision-chain.yaml b/.../cucushift-installer-rehearse-azure-ipi-cco-manual-workload-identity-provision-chain.yaml
@@ -0,0 +1,12 @@
+chain:
+  as:  cucushift-installer-rehearse-azure-ipi-cco-manual-workload-identity-provision
+  steps: 
+  - chain: ipi-conf-azure
+  - ref: ipi-conf-manual-creds
+  - ref: ipi-conf-azure-oidc-creds-provision
+  - ref: ipi-conf-azure-provisioned-resourcegroup
+  - ref: ipi-conf-manual-creds-remove-unnecessary-creds
+  - chain: ipi-install
+  - ref: enable-qe-catalogsource
+  documentation: |-
+    Create an IPI cluster with AZURE workload identity for QE e2e tests.