
Commit 2418744

committed
fix: data-plane auth support
1 parent 8fef029 commit 2418744


3 files changed

+56
-11
lines changed

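--- a/ci-operator/step-registry/azure/provision/service-principal/hypershift/azure-provision-service-principal-hypershift-commands.sh
+++ b/ci-operator/step-registry/azure/provision/service-principal/hypershift/azure-provision-service-principal-hypershift-commands.sh
@@ -24,9 +24,11 @@ COMPONENTS="azure-disk azure-file ciro cloud-provider cncc cpo ingress capz"
 
 declare -A component_to_client_id
 declare -A component_to_cert_name
+declare -A component_to_credential_secret_name
 
 for component in $COMPONENTS; do
 name="${SP_NAME_PREFIX}-${component}"
+credential_secret_name="${SP_NAME_PREFIX}-${component}-secret"
 scopes="/subscriptions/$AZURE_AUTH_SUBSCRIPTION_ID/resourceGroups/$RG_HC"
 role="b24988ac-6180-42a0-ab88-20f7382dd24c"
 
@@ -57,8 +59,25 @@ for component in $COMPONENTS; do
 client_id="$(eval "az ad sp create-for-rbac --name $name --role \"$role\" --scopes $scopes --create-cert --cert $name --keyvault $KV_NAME --output json --only-show-errors" | jq -r '.appId')"
 echo "$client_id" >> "${SHARED_DIR}/azure_sp_id"
 
+client_secret_value="$(az keyvault secret show --vault-name "$KV_NAME" --name "$name" --query value -o tsv)"
+not_before_timestamp=$(az keyvault secret show --vault-name ci-op-881bs2s5-12c20-kv --name ci-op-881bs2s5-12c20-azure-disk | jq -r .attributes.notBefore)
+not_after_timestamp=$(date -u -d "$not_before_timestamp + 3 months" +"%Y-%m-%dT%H:%M:%SZ")
+cat <<EOF >"${SHARED_DIR}"/"$credential_secret_name".json
+{
+"authentication_endpoint": "https://login.microsoftonline.com/",
+"client_id": "$client_id",
+"client_secret": "$client_secret_value",
+"tenant_id": "$AZURE_AUTH_TENANT_ID",
+"not_after": "$not_after_timestamp",
+"not_before": "$not_before_timestamp"
+}
+EOF
+echo "created secret $credential_secret_name"
+az keyvault secret set --vault-name "$KV_NAME" --name "$credential_secret_name" --file "${SHARED_DIR}"/"$credential_secret_name".json
+
 component_to_client_id+=(["$component"]="$client_id")
 component_to_cert_name+=(["$component"]="$name")
+component_to_credential_secret_name+=(["$component"]="$credential_secret_name")
 done
 
 # TODO: Remove this once the we used the automated role assignment by "--assign-service-principal-role"
@@ -77,35 +96,52 @@ cat <<EOF >"${SHARED_DIR}"/hypershift_azure_mi_file.json
 },
 "cloudProvider": {
 "clientID": "${component_to_client_id[cloud-provider]}",
-"certificateName": "${component_to_cert_name[cloud-provider]}"
+"certificateName": "${component_to_cert_name[cloud-provider]}",
+"credentialsSecretName": "${component_to_credential_secret_name[cloud-provider]}",
 },
 "nodePoolManagement": {
 "clientID": "${component_to_client_id[capz]}",
-"certificateName": "${component_to_cert_name[capz]}"
+"certificateName": "${component_to_cert_name[capz]}",
+"credentialsSecretName": "${component_to_credential_secret_name[capz]}",
 },
 "controlPlaneOperator": {
 "clientID": "${component_to_client_id[cpo]}",
-"certificateName": "${component_to_cert_name[cpo]}"
+"certificateName": "${component_to_cert_name[cpo]}",
+"credentialsSecretName": "${component_to_credential_secret_name[cpo]}",
 },
 "imageRegistry": {
 "clientID": "${component_to_client_id[ciro]}",
-"certificateName": "${component_to_cert_name[ciro]}"
+"certificateName": "${component_to_cert_name[ciro]}",
+"credentialsSecretName": "${component_to_credential_secret_name[ciro]}",
 },
 "ingress": {
 "clientID": "${component_to_client_id[ingress]}",
-"certificateName": "${component_to_cert_name[ingress]}"
+"certificateName": "${component_to_cert_name[ingress]}",
+"credentialsSecretName": "${component_to_credential_secret_name[ingress]}",
 },
 "network": {
 "clientID": "${component_to_client_id[cncc]}",
-"certificateName": "${component_to_cert_name[cncc]}"
+"certificateName": "${component_to_cert_name[cncc]}",
+"credentialsSecretName": "${component_to_credential_secret_name[cncc]}",
 },
 "disk": {
 "clientID": "${component_to_client_id[azure-disk]}",
-"certificateName": "${component_to_cert_name[azure-disk]}"
+"certificateName": "${component_to_cert_name[azure-disk]}",
+"credentialsSecretName": "${component_to_credential_secret_name[azure-disk]}",
 },
 "file": {
 "clientID": "${component_to_client_id[azure-file]}",
-"certificateName": "${component_to_cert_name[azure-file]}"
+"certificateName": "${component_to_cert_name[azure-file]}",
+"credentialsSecretName": "${component_to_credential_secret_name[azure-file]}",
 }
 }
 EOF
+
+
+cat <<EOF >"${SHARED_DIR}"/hypershift_azure_data_plane_identities_file.json
+{
+"imageRegistryMSIClientID": "${component_to_client_id[ciro]}",
+"diskMSIClientID": "${component_to_client_id[azure-disk]}",
+"fileMSIClientID": "${component_to_client_id[azure-file]}"
+}
+EOF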
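Review bot: The `not_before_timestamp` line in the second hunk queries a hard-coded vault and secret (`--vault-name ci-op-881bs2s5-12c20-kv --name ci-op-881bs2s5-12c20-azure-disk`) instead of `--vault-name "$KV_NAME" --name "$name"`, so every component's credential file carries the notBefore of one secret from one past CI run and the step will error once that vault no longer exists. The heredoc that follows interpolates `$client_secret_value` and the other fields into JSON unescaped, so a value containing `"` or `\` yields an invalid file; building the document with `jq -n --arg` avoids that and lets a single `az keyvault secret show` response supply both `.value` and `.attributes.notBefore` instead of two calls. Since that value appears to be the key material of the certificate created by `--create-cert`, writing the file under `umask 077` would keep it from being world-readable in `${SHARED_DIR}`. Separately, in the third hunk each added `"credentialsSecretName": "…",` line is immediately followed by `},`, leaving a trailing comma in every object of `hypershift_azure_mi_file.json` that a strict JSON parser will reject — drop the comma at the end of each `credentialsSecretName` line. The `for component` loop enclosing the second hunk starts before it.
```shell
secret_json="$(az keyvault secret show --vault-name "$KV_NAME" --name "$name" --output json --only-show-errors)"
client_secret_value="$(jq -r '.value' <<<"$secret_json")"
not_before_timestamp="$(jq -r '.attributes.notBefore' <<<"$secret_json")"
not_after_timestamp="$(date -u -d "$not_before_timestamp + 3 months" +"%Y-%m-%dT%H:%M:%SZ")"
jq -n \
  --arg client_id "$client_id" \
  --arg client_secret "$client_secret_value" \
  --arg tenant_id "$AZURE_AUTH_TENANT_ID" \
  --arg not_after "$not_after_timestamp" \
  --arg not_before "$not_before_timestamp" \
  '{authentication_endpoint: "https://login.microsoftonline.com/",
    client_id: $client_id, client_secret: $client_secret, tenant_id: $tenant_id,
    not_after: $not_after, not_before: $not_before}' \
  >"${SHARED_DIR}/${credential_secret_name}.json"
# … unchanged: echo "created secret …", az keyvault secret set, map appends …
```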

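--- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/aks/hypershift/ephemeral-creds/provision/cucushift-installer-rehearse-azure-aks-hypershift-ephemeral-creds-provision-chain.yaml
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/aks/hypershift/ephemeral-creds/provision/cucushift-installer-rehearse-azure-aks-hypershift-ephemeral-creds-provision-chain.yaml
@@ -22,6 +22,8 @@ chain:
 default: "true"
 - name: HYPERSHIFT_AZURE_CP_MI
 default: "true"
+- name: HYPERSHIFT_AZURE_DP_MI
+default: "true"
 - name: HYPERSHIFT_AZURE_DIAGNOSTICS_STORAGE_ACCOUNT_TYPE
 default: "Managed"
 - name: HYPERSHIFT_AZURE_LOCATION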

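--- a/ci-operator/step-registry/hypershift/azure/create/hypershift-azure-create-chain.yaml
+++ b/ci-operator/step-registry/hypershift/azure/create/hypershift-azure-create-chain.yaml
@@ -30,6 +30,9 @@ chain:
 - name: HYPERSHIFT_AZURE_CP_MI
 default: "false"
 documentation: Specifies whether control plane components should authenticate to Azure using managed identities.
+- name: HYPERSHIFT_AZURE_DP_MI
+default: "false"
+documentation: Specifies whether data plane components should authenticate to Azure using managed identities.
 - name: HYPERSHIFT_AZURE_DIAGNOSTICS_STORAGE_ACCOUNT_TYPE
 default: ""
 documentation: "Specifies the type of storage account for storing diagnostics data."
@@ -207,6 +210,10 @@ chain:
 COMMAND+=(--managed-identities-file "${SHARED_DIR}/hypershift_azure_mi_file.json")
 fi
 fi
+
+if [[ $HYPERSHIFT_AZURE_DP_MI == "true" ]]; then
+COMMAND+=(--data-plane-identities-file "${SHARED_DIR}/hypershift_azure_data_plane_identities_file.json")
+fi
 
 HC_ANNOTATIONS_FILE="${SHARED_DIR}/hypershift_hc_annotations"
 if [[ -f "$HC_ANNOTATIONS_FILE" ]]; then
@@ -289,12 +296,12 @@ chain:
 fi
 
 echo "Running command: ${COMMAND[@]}" > /tmp/create_hc_commands
-
-# keep the aks for debugging
-sleep 12h
 
 ("${COMMAND[@]}" || true)
 
+# keep the aks for debugging
+sleep 12h
+
 # The timeout should be much lower, this is due to https://bugzilla.redhat.com/show_bug.cgi?id=2060091
 echo "Waiting for cluster to become available"
 oc wait --timeout=30m --for=condition=Available --namespace=clusters hostedcluster/${CLUSTER_NAME}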
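Review bot: The `sleep 12h` under `# keep the aks for debugging` in the last hunk now sits between the create command and the `oc wait --timeout=30m`, so the Available check is deferred by twelve hours on every run of this chain, not only when someone is actively debugging. If the pause is a temporary aid it should not land in a fix commit; if it is meant to stay, gate it on an opt-in variable, e.g. `if [[ "${KEEP_AKS_FOR_DEBUG:-false}" == "true" ]]; then sleep 12h; fi` (placeholder name). The surrounding script is embedded in the chain's YAML and continues outside the hunk.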
