pr comments

Azure · Jan 30, 2025 · 62e78f3 · 62e78f3
1 parent d57f9e1
commit 62e78f3
Show file tree

Hide file tree

Showing 6 changed files with 309 additions and 90 deletions.
diff --git a/.pipelines/e2e.yml b/.pipelines/e2e.yml
@@ -116,8 +116,6 @@ jobs:
           run_mimo_actuator
           validate_mimo_actuator_running
 
-          update_role_sets
-
           run_rp
           validate_rp_running
 

diff --git a/hack/devtools/local_dev_env.sh b/hack/devtools/local_dev_env.sh
@@ -8,79 +8,7 @@ set -o pipefail
 # The steps here are the ones defined in docs/deploy-development-rp.md
 # We recommend to use this script after you understand the steps of the process, not before.
 
-PLATFORM_WORKLOAD_IDENTITY_ROLE_SETS='[
-    {
-        "openShiftVersion": "4.15",
-        "platformWorkloadIdentityRoles": [
-            {
-                "operatorName": "cloud-controller-manager",
-                "roleDefinitionName": "Azure Red Hat OpenShift Cloud Controller Manager",
-                "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/a1f96423-95ce-4224-ab27-4e3dc72facd4",
-                "serviceAccounts": ["system:serviceaccount:openshift-cloud-controller-manager:cloud-controller-manager"],
-                "secretLocation": { "namespace": "openshift-cloud-controller-manager", "name": "azure-cloud-credentials" }
-            },
-            {
-                "operatorName": "ingress",
-                "roleDefinitionName": "Azure Red Hat OpenShift Cluster Ingress Operator",
-                "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/0336e1d3-7a87-462b-b6db-342b63f7802c",
-                "serviceAccounts": ["system:serviceaccount:openshift-ingress-operator:ingress-operator"],
-                "secretLocation": { "namespace": "openshift-ingress-operator", "name": "cloud-credentials" }
-            },
-            {
-                "operatorName": "machine-api",
-                "roleDefinitionName": "Azure Red Hat OpenShift Machine API Operator",
-                "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/0358943c-7e01-48ba-8889-02cc51d78637",
-                "serviceAccounts": ["system:serviceaccount:openshift-machine-api:machine-api-controllers"],
-                "secretLocation": { "namespace": "openshift-machine-api", "name": "azure-cloud-credentials" }
-            },
-            {
-                "operatorName": "disk-csi-driver",
-                "roleDefinitionName": "Azure Red Hat OpenShift Disk Storage Operator",
-                "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/5b7237c5-45e1-49d6-bc18-a1f62f400748",
-                "serviceAccounts": [
-                    "system:serviceaccount:openshift-cluster-csi-drivers:azure-disk-csi-driver-operator",
-                    "system:serviceaccount:openshift-cluster-csi-drivers:azure-disk-csi-driver-controller-sa"
-                ],
-                "secretLocation": { "namespace": "openshift-cluster-csi-drivers", "name": "azure-disk-credentials" }
-            },
-            {
-                "operatorName": "cloud-network-config",
-                "roleDefinitionName": "Azure Red Hat OpenShift Network Operator",
-                "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/be7a6435-15ae-4171-8f30-4a343eff9e8f",
-                "serviceAccounts": ["system:serviceaccount:openshift-cloud-network-config-controller:cloud-network-config-controller"],
-                "secretLocation": { "namespace": "openshift-cloud-network-config-controller", "name": "cloud-credentials" }
-            },
-            {
-                "operatorName": "image-registry",
-                "roleDefinitionName": "Azure Red Hat OpenShift Image Registry Operator",
-                "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/8b32b316-c2f5-4ddf-b05b-83dacd2d08b5",
-                "serviceAccounts": [
-                    "system:serviceaccount:openshift-image-registry:cluster-image-registry-operator",
-                    "system:serviceaccount:openshift-image-registry:registry"
-                ],
-                "secretLocation": { "namespace": "openshift-image-registry", "name": "installer-cloud-credentials" }
-            },
-            {
-                "operatorName": "file-csi-driver",
-                "roleDefinitionName": "Azure Red Hat OpenShift File Storage Operator",
-                "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/0d7aedc0-15fd-4a67-a412-efad370c947e",
-                "serviceAccounts": [
-                    "system:serviceaccount:openshift-cluster-csi-drivers:azure-file-csi-driver-operator",
-                    "system:serviceaccount:openshift-cluster-csi-drivers:azure-file-csi-driver-controller-sa",
-                    "system:serviceaccount:openshift-cluster-csi-drivers:azure-file-csi-driver-node-sa"
-                ],
-                "secretLocation": { "namespace": "openshift-cluster-csi-drivers", "name": "azure-file-credentials" }
-            },
-            {
-                "operatorName": "aro-operator",
-                "roleDefinitionName": "Azure Red Hat OpenShift Service Operator",
-                "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/4436bae4-7702-4c84-919b-c4069ff25ee2",
-                "serviceAccounts": ["system:serviceaccount:openshift-azure-operator:aro-operator-master"],
-                "secretLocation": { "namespace": "openshift-azure-operator", "name": "azure-cloud-credentials" }
-            }
-        ]
-    }
-]'
+PLATFORM_WORKLOAD_IDENTITY_ROLE_SETS="$(cat "$(dirname "$0")/platform_workload_identity_role_sets.json")"
 
 build_development_az_aro_extension() {
     echo "INFO: Building development az aro extension..."
@@ -159,12 +87,6 @@ assign_role_to_identity() {
     local objectId=$1
     local roleId=$2
 
-    # if CLUSTER_RESOURCEGROUP is unset, it should probably be set to the cluster name
-    if [[ "${CLUSTER_RESOURCEGROUP}" == "" ]]; then
-      echo "INFO: '\$CLUSTER_RESOURCEGROUP' is unset. Using '\$CLUSTER' instead."
-      export CLUSTER_RESOURCEGROUP="$CLUSTER"
-    fi
-
     local scope="/subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${CLUSTER_RESOURCEGROUP}"
     local roles
 

diff --git a/hack/devtools/platform_workload_identity_role_sets.json b/hack/devtools/platform_workload_identity_role_sets.json
@@ -0,0 +1,144 @@
+[
+    {
+        "openShiftVersion": "4.15",
+        "platformWorkloadIdentityRoles": [
+            {
+                "operatorName": "cloud-controller-manager",
+                "roleDefinitionName": "Azure Red Hat OpenShift Cloud Controller Manager",
+                "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/a1f96423-95ce-4224-ab27-4e3dc72facd4",
+                "serviceAccounts": ["system:serviceaccount:openshift-cloud-controller-manager:cloud-controller-manager"],
+                "secretLocation": { "namespace": "openshift-cloud-controller-manager", "name": "azure-cloud-credentials" }
+            },
+            {
+                "operatorName": "ingress",
+                "roleDefinitionName": "Azure Red Hat OpenShift Cluster Ingress Operator",
+                "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/0336e1d3-7a87-462b-b6db-342b63f7802c",
+                "serviceAccounts": ["system:serviceaccount:openshift-ingress-operator:ingress-operator"],
+                "secretLocation": { "namespace": "openshift-ingress-operator", "name": "cloud-credentials" }
+            },
+            {
+                "operatorName": "machine-api",
+                "roleDefinitionName": "Azure Red Hat OpenShift Machine API Operator",
+                "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/0358943c-7e01-48ba-8889-02cc51d78637",
+                "serviceAccounts": ["system:serviceaccount:openshift-machine-api:machine-api-controllers"],
+                "secretLocation": { "namespace": "openshift-machine-api", "name": "azure-cloud-credentials" }
+            },
+            {
+                "operatorName": "disk-csi-driver",
+                "roleDefinitionName": "Azure Red Hat OpenShift Disk Storage Operator",
+                "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/5b7237c5-45e1-49d6-bc18-a1f62f400748",
+                "serviceAccounts": [
+                    "system:serviceaccount:openshift-cluster-csi-drivers:azure-disk-csi-driver-operator",
+                    "system:serviceaccount:openshift-cluster-csi-drivers:azure-disk-csi-driver-controller-sa"
+                ],
+                "secretLocation": { "namespace": "openshift-cluster-csi-drivers", "name": "azure-disk-credentials" }
+            },
+            {
+                "operatorName": "cloud-network-config",
+                "roleDefinitionName": "Azure Red Hat OpenShift Network Operator",
+                "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/be7a6435-15ae-4171-8f30-4a343eff9e8f",
+                "serviceAccounts": ["system:serviceaccount:openshift-cloud-network-config-controller:cloud-network-config-controller"],
+                "secretLocation": { "namespace": "openshift-cloud-network-config-controller", "name": "cloud-credentials" }
+            },
+            {
+                "operatorName": "image-registry",
+                "roleDefinitionName": "Azure Red Hat OpenShift Image Registry Operator",
+                "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/8b32b316-c2f5-4ddf-b05b-83dacd2d08b5",
+                "serviceAccounts": [
+                    "system:serviceaccount:openshift-image-registry:cluster-image-registry-operator",
+                    "system:serviceaccount:openshift-image-registry:registry"
+                ],
+                "secretLocation": { "namespace": "openshift-image-registry", "name": "installer-cloud-credentials" }
+            },
+            {
+                "operatorName": "file-csi-driver",
+                "roleDefinitionName": "Azure Red Hat OpenShift File Storage Operator",
+                "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/0d7aedc0-15fd-4a67-a412-efad370c947e",
+                "serviceAccounts": [
+                    "system:serviceaccount:openshift-cluster-csi-drivers:azure-file-csi-driver-operator",
+                    "system:serviceaccount:openshift-cluster-csi-drivers:azure-file-csi-driver-controller-sa",
+                    "system:serviceaccount:openshift-cluster-csi-drivers:azure-file-csi-driver-node-sa"
+                ],
+                "secretLocation": { "namespace": "openshift-cluster-csi-drivers", "name": "azure-file-credentials" }
+            },
+            {
+                "operatorName": "aro-operator",
+                "roleDefinitionName": "Azure Red Hat OpenShift Service Operator",
+                "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/4436bae4-7702-4c84-919b-c4069ff25ee2",
+                "serviceAccounts": ["system:serviceaccount:openshift-azure-operator:aro-operator-master"],
+                "secretLocation": { "namespace": "openshift-azure-operator", "name": "azure-cloud-credentials" }
+            }
+        ]
+    },
+    {
+        "openShiftVersion": "4.14",
+        "platformWorkloadIdentityRoles": [
+            {
+                "operatorName": "cloud-controller-manager",
+                "roleDefinitionName": "Azure Red Hat OpenShift Cloud Controller Manager",
+                "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/a1f96423-95ce-4224-ab27-4e3dc72facd4",
+                "serviceAccounts": ["system:serviceaccount:openshift-cloud-controller-manager:cloud-controller-manager"],
+                "secretLocation": { "namespace": "openshift-cloud-controller-manager", "name": "azure-cloud-credentials" }
+            },
+            {
+                "operatorName": "ingress",
+                "roleDefinitionName": "Azure Red Hat OpenShift Cluster Ingress Operator",
+                "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/0336e1d3-7a87-462b-b6db-342b63f7802c",
+                "serviceAccounts": ["system:serviceaccount:openshift-ingress-operator:ingress-operator"],
+                "secretLocation": { "namespace": "openshift-ingress-operator", "name": "cloud-credentials" }
+            },
+            {
+                "operatorName": "machine-api",
+                "roleDefinitionName": "Azure Red Hat OpenShift Machine API Operator",
+                "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/0358943c-7e01-48ba-8889-02cc51d78637",
+                "serviceAccounts": ["system:serviceaccount:openshift-machine-api:machine-api-controllers"],
+                "secretLocation": { "namespace": "openshift-machine-api", "name": "azure-cloud-credentials" }
+            },
+            {
+                "operatorName": "disk-csi-driver",
+                "roleDefinitionName": "Azure Red Hat OpenShift Disk Storage Operator",
+                "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/5b7237c5-45e1-49d6-bc18-a1f62f400748",
+                "serviceAccounts": [
+                    "system:serviceaccount:openshift-cluster-csi-drivers:azure-disk-csi-driver-operator",
+                    "system:serviceaccount:openshift-cluster-csi-drivers:azure-disk-csi-driver-controller-sa"
+                ],
+                "secretLocation": { "namespace": "openshift-cluster-csi-drivers", "name": "azure-disk-credentials" }
+            },
+            {
+                "operatorName": "cloud-network-config",
+                "roleDefinitionName": "Azure Red Hat OpenShift Network Operator",
+                "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/be7a6435-15ae-4171-8f30-4a343eff9e8f",
+                "serviceAccounts": ["system:serviceaccount:openshift-cloud-network-config-controller:cloud-network-config-controller"],
+                "secretLocation": { "namespace": "openshift-cloud-network-config-controller", "name": "cloud-credentials" }
+            },
+            {
+                "operatorName": "image-registry",
+                "roleDefinitionName": "Azure Red Hat OpenShift Image Registry Operator",
+                "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/8b32b316-c2f5-4ddf-b05b-83dacd2d08b5",
+                "serviceAccounts": [
+                    "system:serviceaccount:openshift-image-registry:cluster-image-registry-operator",
+                    "system:serviceaccount:openshift-image-registry:registry"
+                ],
+                "secretLocation": { "namespace": "openshift-image-registry", "name": "installer-cloud-credentials" }
+            },
+            {
+                "operatorName": "file-csi-driver",
+                "roleDefinitionName": "Azure Red Hat OpenShift File Storage Operator",
+                "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/0d7aedc0-15fd-4a67-a412-efad370c947e",
+                "serviceAccounts": [
+                    "system:serviceaccount:openshift-cluster-csi-drivers:azure-file-csi-driver-operator",
+                    "system:serviceaccount:openshift-cluster-csi-drivers:azure-file-csi-driver-controller-sa",
+                    "system:serviceaccount:openshift-cluster-csi-drivers:azure-file-csi-driver-node-sa"
+                ],
+                "secretLocation": { "namespace": "openshift-cluster-csi-drivers", "name": "azure-file-credentials" }
+            },
+            {
+                "operatorName": "aro-operator",
+                "roleDefinitionName": "Azure Red Hat OpenShift Service Operator",
+                "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/4436bae4-7702-4c84-919b-c4069ff25ee2",
+                "serviceAccounts": ["system:serviceaccount:openshift-azure-operator:aro-operator-master"],
+                "secretLocation": { "namespace": "openshift-azure-operator", "name": "azure-cloud-credentials" }
+            }
+        ]
+    }
+]
diff --git a/hack/e2e/run-rp-and-e2e.sh b/hack/e2e/run-rp-and-e2e.sh
@@ -13,6 +13,7 @@ if [[ $CI ]]; then
     HIVEKUBECONFIGPATH="secrets/e2e-aks-kubeconfig"
     HIVE_KUBE_CONFIG_PATH_1="secrets/aks.kubeconfig"
     CLUSTER="v4-e2e-V$BUILD_BUILDID-$LOCATION"
+    CLUSTER_RESOURCEGROUP="$CLUSTER"
     DATABASE_NAME="v4-e2e-V$BUILD_BUILDID-$LOCATION"
     PRIVATE_CLUSTER=true
     E2E_DELETE_CLUSTER=true # any value other than "false" ensures the cluster is deleted

diff --git a/pkg/util/cluster/cluster.go b/pkg/util/cluster/cluster.go
@@ -64,7 +64,7 @@ type ClusterConfig struct {
 	WorkloadIdentityRoles string `mapstructure:"platform_workload_identity_role_sets"`
 	IsCI                  bool   `mapstructure:"ci"`
 	RpMode                string `mapstructure:"rp_mode"`
-	VnetResourceGroup     string `mapstructure:"vnet_resourcegroup"`
+	VnetResourceGroup     string `mapstructure:"cluster_resourcegroup"`
 	RPResourceGroup       string `mapstructure:"resourcegroup"`
 	OSClusterVersion      string `mapstructure:"os_cluster_version"`
 	FPServicePrincipalID  string `mapstructure:"azure_fp_service_principal_id"`
@@ -349,13 +349,31 @@ func (c *Cluster) SetupClassicRoleAssignments(ctx context.Context, diskEncryptio
 	return nil
 }
 
-func (c *Cluster) SetupWorkloadIdentity(ctx context.Context, vnetResourceGroup string) error {
+func (c *Cluster) GetPlatformWIRoles() ([]api.PlatformWorkloadIdentityRole, error) {
 	var wiRoleSets []api.PlatformWorkloadIdentityRoleSetProperties
+
 	if err := json.Unmarshal([]byte(c.Config.WorkloadIdentityRoles), &wiRoleSets); err != nil {
-		return fmt.Errorf("failed to parse JSON: %w", err)
+		return nil, fmt.Errorf("failed to parse JSON: %w", err)
 	}
 
-	platformWorkloadIdentityRoles := append(wiRoleSets[0].PlatformWorkloadIdentityRoles, api.PlatformWorkloadIdentityRole{
+	for _, rs := range wiRoleSets {
+		if strings.HasPrefix(c.Config.OSClusterVersion, rs.OpenShiftVersion) {
+			return rs.PlatformWorkloadIdentityRoles, nil
+		}
+	}
+
+	return nil, fmt.Errorf("workload identity role sets for version %s not found", c.Config.OSClusterVersion)
+
+}
+
+func (c *Cluster) SetupWorkloadIdentity(ctx context.Context, vnetResourceGroup string) error {
+
+	platformWorkloadIdentityRoles, err := c.GetPlatformWIRoles()
+	if err != nil {
+		return fmt.Errorf("failed parsing platformWI Roles: %w", err)
+	}
+
+	platformWorkloadIdentityRoles = append(platformWorkloadIdentityRoles, api.PlatformWorkloadIdentityRole{
 		OperatorName:     "aro-Cluster",
 		RoleDefinitionID: "/providers/Microsoft.Authorization/roleDefinitions/ef318e2a-8334-4a05-9e4a-295a196c6a6e",
 	})
@@ -754,12 +772,11 @@ func (c *Cluster) deleteWI(ctx context.Context, resourceGroup string) error {
 		return nil
 	}
 	c.log.Info("deleting WIs")
-	jsonData := []byte(os.Getenv("PLATFORM_WORKLOAD_IDENTITY_ROLE_SETS"))
-	var wiRoleSets []api.PlatformWorkloadIdentityRoleSetProperties
-	if err := json.Unmarshal(jsonData, &wiRoleSets); err != nil {
-		return fmt.Errorf("failed to parse JSON: %w", err)
+	platformWorkloadIdentityRoles, err := c.GetPlatformWIRoles()
+	if err != nil {
+		return fmt.Errorf("failure parsing Platform WI Roles, unable to remove them: %w", err)
 	}
-	platformWorkloadIdentityRoles := append(wiRoleSets[0].PlatformWorkloadIdentityRoles, api.PlatformWorkloadIdentityRole{
+	platformWorkloadIdentityRoles = append(platformWorkloadIdentityRoles, api.PlatformWorkloadIdentityRole{
 		OperatorName:     "aro-Cluster",
 		RoleDefinitionID: "/providers/Microsoft.Authorization/roleDefinitions/ef318e2a-8334-4a05-9e4a-295a196c6a6e",
 	})