WI/MI CLI Phase 1 - Base Update Functionality

pkg/api/v20240812preview/openshiftcluster_convert.go

@@ -129,6 +129,7 @@ func (c openShiftClusterConverter) ToExternal(oc *api.OpenShiftCluster) interfac
 	}
 
 	if oc.Identity != nil {
+		out.Identity = &Identity{}
 		out.Identity.Type = oc.Identity.Type
 		out.Identity.UserAssignedIdentities = make(map[string]ClusterUserAssignedIdentity, len(oc.Identity.UserAssignedIdentities))
 		for k := range oc.Identity.UserAssignedIdentities {
@@ -208,6 +209,7 @@ func (c openShiftClusterConverter) ToInternal(_oc interface{}, out *api.OpenShif
 	}
 
 	if oc.Identity != nil {
+		out.Identity = &api.Identity{}
 		out.Identity.Type = oc.Identity.Type
 		out.Identity.UserAssignedIdentities = make(map[string]api.ClusterUserAssignedIdentity, len(oc.Identity.UserAssignedIdentities))
 		for k := range oc.Identity.UserAssignedIdentities {

python/az/aro/azext_aro/_params.py

@@ -132,19 +132,19 @@ def load_arguments(self, _):
                    validator=validate_load_balancer_managed_outbound_ip_count,
                    options_list=['--load-balancer-managed-outbound-ip-count', '--lb-ip-count'])
 
-        c.argument('enable_managed_identity', arg_group='Identity', arg_type=get_three_state_flag(),
+        c.argument('enable_managed_identity', arg_group='Identity', is_preview=True, arg_type=get_three_state_flag(),
+                   help='Enable managed identity for this cluster.',
                    options_list=['--enable-managed-identity', '--enable-mi'],
-                   validator=validate_enable_managed_identity,
-                   help='Enable managed identity for this cluster.', is_preview=True)
-        c.argument('platform_workload_identities', arg_group='Identity',
-                   help='Assign a platform workload identity used within the cluster', is_preview=True,
+                   validator=validate_enable_managed_identity)
+        c.argument('platform_workload_identities', arg_group='Identity', is_preview=True,
+                   help='Assign a platform workload identity used within the cluster',
                    options_list=['--assign-platform-workload-identity', '--assign-platform-wi'],
-                   validator=validate_platform_workload_identities,
+                   validator=validate_platform_workload_identities(isCreate=True),
                    action=AROPlatformWorkloadIdentityAddAction, nargs='+')
-        c.argument('mi_user_assigned', arg_group='Identity',
+        c.argument('mi_user_assigned', arg_group='Identity', is_preview=True,
+                   help='Set the user managed identity on the cluster.',
                    options_list=['--mi-user-assigned', '--assign-cluster-identity'],
-                   validator=validate_cluster_identity,
-                   help='Set the user managed identity on the cluster.')
+                   validator=validate_cluster_identity)
 
     with self.argument_context('aro update') as c:
         c.argument('client_secret',
@@ -155,6 +155,11 @@ def load_arguments(self, _):
                    help='Refresh cluster application credentials.',
                    options_list=['--refresh-credentials'],
                    validator=validate_refresh_cluster_credentials)
+        c.argument('platform_workload_identities', arg_group='Identity',
+                   help='Assign a platform workload identity used within the cluster', is_preview=True,
+                   options_list=['--assign-platform-workload-identity', '--assign-platform-wi'],
+                   validator=validate_platform_workload_identities(isCreate=False),
+                   action=AROPlatformWorkloadIdentityAddAction, nargs='+')
 
     with self.argument_context('aro get-admin-kubeconfig') as c:
         c.argument('file',

python/az/aro/azext_aro/_validators.py

@@ -42,6 +42,8 @@ def validate_client_id(namespace):
         return
     if namespace.enable_managed_identity is True:
         raise MutuallyExclusiveArgumentError('Must not specify --client-id when --enable-managed-identity is True')  # pylint: disable=line-too-long
+    if namespace.platform_workload_identities is not None:
+        raise MutuallyExclusiveArgumentError('Must not specify --client-id when --assign-platform-workload-identity is used')  # pylint: disable=line-too-long
 
     try:
         uuid.UUID(namespace.client_id)
@@ -54,11 +56,13 @@ def validate_client_id(namespace):
 
 def validate_client_secret(isCreate):
     def _validate_client_secret(namespace):
-        if not isCreate or namespace.client_secret is None:
+        if namespace.client_secret is None:
             return
         if namespace.enable_managed_identity is True:
             raise MutuallyExclusiveArgumentError('Must not specify --client-secret when --enable-managed-identity is True')  # pylint: disable=line-too-long
-        if namespace.client_id is None or not str(namespace.client_id):
+        if namespace.platform_workload_identities is not None:
+            raise MutuallyExclusiveArgumentError('Must not specify --client-secret when --assign-platform-workload-identity is used')  # pylint: disable=line-too-long
+        if isCreate and (namespace.client_id is None or not str(namespace.client_id)):
             raise RequiredArgumentMissingError('Must specify --client-id with --client-secret.')
 
     return _validate_client_secret
@@ -318,20 +322,23 @@ def validate_enable_managed_identity(namespace):
         raise RequiredArgumentMissingError('Enabling managed identity requires cluster identity to be provided')
 
 
-def validate_platform_workload_identities(cmd, namespace):
-    if namespace.platform_workload_identities is None:
-        return
+def validate_platform_workload_identities(isCreate):
+    def _validate_platform_workload_identities(cmd, namespace):
+        if namespace.platform_workload_identities is None:
+            return
 
-    if not namespace.enable_managed_identity:
-        raise RequiredArgumentMissingError('Must set --enable-managed-identity when providing platform workload identities')  # pylint: disable=line-too-long
+        if isCreate and not namespace.enable_managed_identity:
+            raise RequiredArgumentMissingError('Must set --enable-managed-identity when providing platform workload identities')  # pylint: disable=line-too-long
+
+        for identity in namespace.platform_workload_identities:
+            if not is_valid_resource_id(identity.resource_id):
+                identity.resource_id = identity_name_to_resource_id(
+                    cmd, namespace, identity.resource_id)
 
-    for identity in namespace.platform_workload_identities:
-        if not is_valid_resource_id(identity.resource_id):
-            identity.resource_id = identity_name_to_resource_id(
-                cmd, namespace, identity.resource_id)
+            if not is_valid_identity_resource_id(identity.resource_id):
+                raise InvalidArgumentValueError(f"Resource {identity.resource_id} used for platform workload identity {identity.name} is not a valid userAssignedIdentity")  # pylint: disable=line-too-long
 
-        if not is_valid_identity_resource_id(identity.resource_id):
-            raise InvalidArgumentValueError(f"Resource {identity.resource_id} used for platform workload identity {identity.name} is not a valid userAssignedIdentity")  # pylint: disable=line-too-long
+    return _validate_platform_workload_identities
 
 
 def validate_cluster_identity(cmd, namespace):

python/az/aro/azext_aro/custom.py

@@ -19,6 +19,7 @@
 from azure.cli.core.azclierror import (
     FileOperationError,
     ResourceNotFoundError,
+    InvalidArgumentValueError,
     UnauthorizedError,
     ValidationError
 )
@@ -452,24 +453,46 @@ def aro_update(cmd,
                refresh_cluster_credentials=False,
                client_id=None,
                client_secret=None,
+               platform_workload_identities=None,
                load_balancer_managed_outbound_ip_count=None,
                no_wait=False):
     # if we can't read cluster spec, we will not be able to do much. Fail.
     oc = client.open_shift_clusters.get(resource_group_name, resource_name)
 
     ocUpdate = openshiftcluster.OpenShiftClusterUpdate()
 
-    client_id, client_secret = cluster_application_update(cmd.cli_ctx, oc, client_id, client_secret, refresh_cluster_credentials)  # pylint: disable=line-too-long
+    if oc.service_principal_profile is not None:
+        client_id, client_secret = cluster_application_update(cmd.cli_ctx, oc, client_id, client_secret, refresh_cluster_credentials)  # pylint: disable=line-too-long
+
+        if client_id is not None or client_secret is not None:
+            # construct update payload
+            ocUpdate.service_principal_profile = openshiftcluster.ServicePrincipalProfile()
+
+            if client_secret is not None:
+                ocUpdate.service_principal_profile.client_secret = client_secret
+
+            if client_id is not None:
+                ocUpdate.service_principal_profile.client_id = client_id
 
-    if client_id is not None or client_secret is not None:
-        # construct update payload
-        ocUpdate.service_principal_profile = openshiftcluster.ServicePrincipalProfile()
+    if platform_workload_identities is not None:
+        if oc.service_principal_profile is not None:
+            raise InvalidArgumentValueError(
+                "Cannot assign platform workload identities to a cluster with service principal"
+            )
+
+        pwis = {}
+        for i in oc.platform_workload_identity_profile.platform_workload_identities:
+            pwis[i.operator_name] = openshiftcluster.PlatformWorkloadIdentity(
+                operator_name=i.operator_name,
+                resource_id=i.resource_id
+            )
 
-        if client_secret is not None:
-            ocUpdate.service_principal_profile.client_secret = client_secret
+        for i in platform_workload_identities:
+            pwis[i.operator_name] = i
 
-        if client_id is not None:
-            ocUpdate.service_principal_profile.client_id = client_id
+        ocUpdate.platform_workload_identity_profile = openshiftcluster.PlatformWorkloadIdentityProfile(
+            platform_workload_identities=list(pwis.values())
+        )
 
     if load_balancer_managed_outbound_ip_count is not None:
         ocUpdate.network_profile = openshiftcluster.NetworkProfile()