OCPCLOUD-2012: Add azure-manual-oidc workload to cluster-capi-operator (

#41652) * OCPCLOUD-2012: Add azure-manual-oidc workload to cluster capi operator * Base using --enable-tech-preview in AZWI creds provisioning on ENABLE_TECH_PREVIEW_CREDENTIALS_REQUESTS env var having been set. * Fix ADDITIONAL_CCOCTL_ARGS typo.
openshift · Aug 23, 2023 · ab12787 · ab12787
1 parent cb823c4
commit ab12787
Show file tree

Hide file tree

Showing 4 changed files with 97 additions and 1 deletion.
diff --git a/ci-operator/config/openshift/cluster-api-operator/openshift-cluster-api-operator-main.yaml b/ci-operator/config/openshift/cluster-api-operator/openshift-cluster-api-operator-main.yaml
@@ -63,6 +63,14 @@ tests:
   steps:
     cluster_profile: azure4
     workflow: openshift-e2e-azure-capi
+- always_run: false
+  as: e2e-azure-manual-oidc
+  optional: true
+  steps:
+    cluster_profile: azure4
+    env:
+      ENABLE_TECH_PREVIEW_CREDENTIALS_REQUESTS: "true"
+    workflow: openshift-e2e-azure-manual-oidc-workload-identity
 zz_generated_metadata:
   branch: main
   org: openshift

diff --git a/...r/jobs/openshift/cluster-api-operator/openshift-cluster-api-operator-main-presubmits.yaml b/...r/jobs/openshift/cluster-api-operator/openshift-cluster-api-operator-main-presubmits.yaml
@@ -152,6 +152,82 @@ presubmits:
         secret:
           secretName: result-aggregator
     trigger: (?m)^/test( | .* )e2e-aws-ovn-techpreview,?($|\s.*)
+  - agent: kubernetes
+    always_run: false
+    branches:
+    - ^main$
+    - ^main-
+    cluster: build02
+    context: ci/prow/e2e-azure-manual-oidc
+    decorate: true
+    decoration_config:
+      skip_cloning: true
+    labels:
+      ci-operator.openshift.io/cloud: azure4
+      ci-operator.openshift.io/cloud-cluster-profile: azure4
+      ci.openshift.io/generator: prowgen
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-openshift-cluster-api-operator-main-e2e-azure-manual-oidc
+    optional: true
+    path_alias: sigs.k8s.io/cluster-api-operator
+    rerun_command: /test e2e-azure-manual-oidc
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --lease-server-credentials-file=/etc/boskos/credentials
+        - --report-credentials-file=/etc/report/credentials
+        - --secret-dir=/secrets/ci-pull-credentials
+        - --secret-dir=/usr/local/e2e-azure-manual-oidc-cluster-profile
+        - --target=e2e-azure-manual-oidc
+        command:
+        - ci-operator
+        image: ci-operator:latest
+        imagePullPolicy: Always
+        name: ""
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /etc/boskos
+          name: boskos
+          readOnly: true
+        - mountPath: /secrets/ci-pull-credentials
+          name: ci-pull-credentials
+          readOnly: true
+        - mountPath: /usr/local/e2e-azure-manual-oidc-cluster-profile
+          name: cluster-profile
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: boskos
+        secret:
+          items:
+          - key: credentials
+            path: credentials
+          secretName: boskos-credentials
+      - name: ci-pull-credentials
+        secret:
+          secretName: ci-pull-credentials
+      - name: cluster-profile
+        secret:
+          secretName: cluster-secrets-azure4
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )e2e-azure-manual-oidc,?($|\s.*)
   - agent: kubernetes
     always_run: false
     branches:

diff --git a/...istry/ipi/conf/azure/oidc-creds-provision/ipi-conf-azure-oidc-creds-provision-commands.sh b/...istry/ipi/conf/azure/oidc-creds-provision/ipi-conf-azure-oidc-creds-provision-commands.sh
@@ -96,6 +96,12 @@ cat > ${SHARED_DIR}/metadata.json << EOF
 {"infraID":"${CLUSTER_NAME}","azure":{"region":"${REGION}","resourceGroupName":"${CLUSTER_NAME}"}}
 EOF
 
+if [ "${ENABLE_TECH_PREVIEW_CREDENTIALS_REQUESTS:-\"false\"}" == "true" ]; then
+  ADDITIONAL_CCOCTL_ARGS="--enable-tech-preview"
+else
+  ADDITIONAL_CCOCTL_ARGS=""
+fi
+
 # create required credentials infrastructure and installer manifests
 ccoctl azure create-all \
   --name="${CLUSTER_NAME}" \
@@ -105,7 +111,8 @@ ccoctl azure create-all \
   --credentials-requests-dir="/tmp/credrequests" \
   --dnszone-resource-group-name="${BASE_DOMAIN_RESOURCE_GROUP_NAME}" \
   --storage-account-name="$(tr -d '-' <<< ${CLUSTER_NAME})oidc" \
-  --output-dir="/tmp"
+  --output-dir="/tmp" \
+  ${ADDITIONAL_CCOCTL_ARGS}
 
 # Output authentication file for ci logs
 echo "Cluster authentication:"

diff --git a/...registry/ipi/conf/azure/oidc-creds-provision/ipi-conf-azure-oidc-creds-provision-ref.yaml b/...registry/ipi/conf/azure/oidc-creds-provision/ipi-conf-azure-oidc-creds-provision-ref.yaml
@@ -10,6 +10,11 @@ ref:
   dependencies:
     - name: "release:latest"
       env: RELEASE_IMAGE_LATEST_FROM_BUILD_FARM
+  env:
+  - name: ENABLE_TECH_PREVIEW_CREDENTIALS_REQUESTS
+    default: "false"
+    documentation: |-
+      Determine wheather to process CredentialsRequests marked as TechPreviewNoUpgrade.
   documentation: |-
     The IPI oidc-creds-provision configure step adds a authentications.config.openshift.io/cluster object
     and secrets for each operator.