doc: document ARO-HCP Clusters creation in CS with Managed Identities

Azure · Nov 20, 2024 · 1ebd5df · 1ebd5df
1 parent fa2891a
commit 1ebd5df
Showing 1 changed file with 97 additions and 2 deletions.
diff --git a/dev-infrastructure/docs/development-setup.md b/dev-infrastructure/docs/development-setup.md
@@ -10,6 +10,8 @@ The idea of this repo is to provide means to create a development environment th
 
 * `az` version >= 2.60, `jq`, `make`, `kubelogin` (from <https://azure.github.io/kubelogin/install.html>), `kubectl` version >= 1.30, `helm`
 * `az login` with your Red Hat email
+* `openssl` CLI tool
+* `jq` CLI tool
 * Register the needed [AFEC](https://aka.ms/afec) feature flags using `cd dev-infrastructure && make feature-registration
 * __NOTE:__ This will take awhile, you will have to wait until they're in a registered state.
 * Your Red Hat account has been added to the ARO HCP Engineering App Developer group in Azure portal. This will give your account access to resources on Azure for development purposes. Please reach out to your manager or team lead to add you to this group.
@@ -353,8 +355,44 @@ Then register it with the Maestro Server
     ```
     az network vnet subnet update -g <resource-group> -n <subnet-name> --vnet-name <vnet-name> --network-security-group <nsg-name>
     ```
+  - Generate a random alphanumeric string used as a suffix for the User-Assigned Managed Identities of the operators of the cluster
+    > NOTE: The random suffix used has to be different for each cluster to be created
+    ```
+    export OPERATORS_UAMIS_SUFFIX=$(openssl rand -hex 3)
+    ```
+  - Create the User-Assigned Managed Identities for the Control Plane operators. This assumes OCP 4.17 based will be created.
+    > NOTE: Managed Identities cannot be reused between operators nor between clusters. This is, each operator must use
+            a different managed identity, and different clusters must use different managed identities, even for the same
+            operators.
+    ```
+    az identity create -n ${USER}-cp-cloud-controller-manager-${OPERATORS_UAMIS_SUFFIX} -g <resource-group>
+    az identity create -n ${USER}-cp-ingress-${OPERATORS_UAMIS_SUFFIX} -g <resource-group>
+    az identity create -n ${USER}-cp-disk-csi-driver-${OPERATORS_UAMIS_SUFFIX} -g <resource-group>
+    az identity create -n ${USER}-cp-file-csi-driver-${OPERATORS_UAMIS_SUFFIX} -g <resource-group>
+    az identity create -n ${USER}-cp-image-registry-${OPERATORS_UAMIS_SUFFIX} -g <resource-group>
+    az identity create -n ${USER}-cp-cloud-network-config-${OPERATORS_UAMIS_SUFFIX} -g <resource-group>
+    ```
+
+  - Create the User-Assigned Managed Identities for the Data Plane operators. This assumes OCP 4.17 clusters will be created.
+    > NOTE: Managed Identities cannot be reused between operators nor between clusters. This is, each operator must use
+            a different managed identity, and different clusters must use different managed identities, even for the same
+            operators.
+    ```
+    az identity create -n ${USER}-dp-disk-csi-driver-${OPERATORS_UAMIS_SUFFIX} -g <resource-group>
+    az identity create -n ${USER}-dp-image-registry-${OPERATORS_UAMIS_SUFFIX} -g <resource-group>
+    az identity create -n ${USER}-dp-file-csi-driver-${OPERATORS_UAMIS_SUFFIX} -g <resource-group>
+    az identity create -n ${USER}-dp-ingress-${OPERATORS_UAMIS_SUFFIX} -g <resource-group>
+    az identity create -n ${USER}-dp-cloud-network-config-${OPERATORS_UAMIS_SUFFIX} -g <resource-group>
+    ```
+  - Create the User-Assigned Service Managed Identity
+    > NOTE: Managed Identities cannot be reused between operators nor between clusters. This is, each operator must use
+            a different managed identity, and different clusters must use different managed identities, even for the same
+            operators.
+    ```
+    az identity create -n ${USER}-service-managed-identity-${OPERATORS_UAMIS_SUFFIX} -g <resource-group>
+    ```
 
-3) Create the cluster
+3) Create the cluster. This assumes OCP 4.17 clusters will be created.
     > **NOTE** See the [Cluster Service API](https://api.openshift.com/#/default/post_api_clusters_mgmt_v1_clusters) documentation
     > for further information on the properties within the payload below
 
@@ -368,6 +406,18 @@ Then register it with the Maestro Server
     MANAGEDRGNAME="<INSERT-NAME>"
     SUBNETRESOURCEID="<INSERT-NAME>"
     NSG="<INSERT-NAME>"
+    CP_CCM_UAMI=$(az identity show -n ${USER}-cp-cloud-controller-manager-${OPERATORS_UAMIS_SUFFIX} -g <resource-group> | jq -r '.id')
+    CP_INGRESS_UAMI=$(az identity show -n ${USER}-cp-ingress-${OPERATORS_UAMIS_SUFFIX} -g <resource-group> | jq -r '.id')
+    CP_DISK_CSI_DRIVER_UAMI=$(az identity show -n ${USER}-cp-disk-csi-driver-${OPERATORS_UAMIS_SUFFIX} -g <resource-group> | jq -r '.id')
+    CP_FILE_CSI_DRIVER_UAMI=$(az identity show -n ${USER}-cp-file-csi-driver-${OPERATORS_UAMIS_SUFFIX} -g <resource-group> | jq -r '.id')
+    CP_IMAGE_REGISTRY_UAMI=$(az identity show -n ${USER}-cp-image-registry-${OPERATORS_UAMIS_SUFFIX} -g <resource-group> | jq -r '.id')
+    CP_CNC_UAMI=$(az identity show -n ${USER}-cp-cloud-network-config-${OPERATORS_UAMIS_SUFFIX} -g <resource-group> | jq -r '.id')
+    DP_DISK_CSI_DRIVER_UAMI=$(az identity show -n ${USER}-dp-disk-csi-driver-${OPERATORS_UAMIS_SUFFIX} -g <resource-group> | jq -r '.id')
+    DP_IMAGE_REGISTRY_UAMI=$(az identity show -n ${USER}-dp-image-registry-${OPERATORS_UAMIS_SUFFIX} -g <resource-group> | jq -r '.id')
+    DP_FILE_CSI_DRIVER_UAMI=$(az identity show -n ${USER}-dp-file-csi-driver-${OPERATORS_UAMIS_SUFFIX} -g <resource-group> | jq -r '.id')
+    DP_INGRESS_UAMI=$(az identity show -n ${USER}-dp-ingress-${OPERATORS_UAMIS_SUFFIX} -g <resource-group> | jq -r '.id')
+    DP_CNC_UAMI=$(az identity show -n ${USER}-dp-cloud-network-config-${OPERATORS_UAMIS_SUFFIX} -g <resource-group> | jq -r '.id')
+    SERVICE_MANAGED_IDENTITY_UAMI=$(az identity show -n ${USER}-service-managed-identity-${OPERATORS_UAMIS_SUFFIX} -g <resource-group> | jq -r '.id')
     cat <<EOF > cluster-test.json
     {
       "name": "$NAME",
@@ -391,7 +441,52 @@ Then register it with the Maestro Server
         "tenant_id": "$TENANTID",
         "managed_resource_group_name": "$MANAGEDRGNAME",
         "subnet_resource_id": "$SUBNETRESOURCEID",
-        "network_security_group_resource_id":"$NSG"
+        "network_security_group_resource_id":"$NSG",
+        "operators_authentication": {
+          "managed_identities": {
+            "managed_identities_data_plane_identity_url": "https://dummyurl.com",
+            "control_plane_operators_managed_identities": {
+              "cloud-controller-manager": {
+                "resource_id": "$CP_CCM_UAMI"
+              },
+              "ingress": {
+                "resource_id": "$CP_INGRESS_UAMI"
+              },
+              "disk-csi-driver": {
+                "resource_id": "$CP_DISK_CSI_DRIVER_UAMI"
+              },
+              "file-csi-driver": {
+                "resource_id": "$CP_FILE_CSI_DRIVER_UAMI"
+              },
+              "image-registry": {
+                "resource_id": "$CP_IMAGE_REGISTRY_UAMI"
+              },
+              "cloud-network-config": {
+                "resource_id": "$CP_CNC_UAMI"
+              }
+            },
+            "data_plane_operators_managed_identities": {
+              "disk-csi-driver": {
+                "resource_id": "$DP_DISK_CSI_DRIVER_UAMI"
+              },
+              "image-registry": {
+                "resource_id": "$DP_IMAGE_REGISTRY_UAMI"
+              },
+              "file-csi-driver": {
+                "resource_id": "$DP_FILE_CSI_DRIVER_UAMI"
+              },
+              "ingress": {
+                "resource_id": "$DP_INGRESS_UAMI"
+              },
+              "cloud-network-config": {
+                "resource_id": "$DP_CNC_UAMI"
+              }
+            },
+            "service_managed_identity": {
+              "resource_id": "$SERVICE_MANAGED_IDENTITY_UAMI"
+            }
+          }
+        }
       },
       "properties": {
         "provisioner_hostedcluster_step_enabled": "true",