Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OCPBUGS-42434: Enable Managed Identity w/ Certificates in HyperShift Control Plane Components #5160

Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

OCPBUGS-42434: Enable Managed Identity w/ Certificates in HyperShift Control Plane Components #5160

wants to merge 9 commits into from
+10,714 −7,862

Conversation

bryan-cox
Copy link
Member

@bryan-cox bryan-cox commented Nov 20, 2024
edited
Loading

What this PR does / why we need it:
This PR enables components in the hosted control plane to authenticate with Azure Cloud through client certificate. These components include:

  1. KMS
  2. CPO
  3. CAPZ
  4. Cloud Provider

Which issue(s) this PR fixes:
Fixes OCPBUGS-42434

Checklist

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 20, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Nov 20, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci bot added do-not-merge/needs-area area/api Indicates the PR includes changes for the API labels Nov 20, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Nov 20, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added area/cli Indicates the PR includes changes for CLI approved Indicates a PR has been approved by an approver from all required OWNERS files. area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release area/hypershift-operator Indicates the PR includes changes for the hypershift operator and API - outside an OCP release area/testing Indicates the PR includes changes for e2e testing and removed do-not-merge/needs-area labels Nov 20, 2024
@netlify Netlify
Copy link

netlify bot commented Nov 20, 2024
edited
Loading

Deploy Preview for hypershift-docs ready!

Name Link
🔨 Latest commit ef8852b
🔍 Latest deploy log https://app.netlify.com/sites/hypershift-docs/deploys/673dd254c493be0008a659e4
😎 Deploy Preview https://deploy-preview-5160--hypershift-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@bryan-cox bryan-cox force-pushed the OCPBUGS-42434-combined branch 4 times, most recently from 7cdb04d to 3ce0090 Compare November 20, 2024 03:05
@bryan-cox bryan-cox marked this pull request as ready for review November 20, 2024 03:05
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 20, 2024
@bryan-cox
Reconcile SecretProvider for Ingress on ARO HCP
7e440d7 
Reconcile the SecretProviderClass for the ingress operator for ARO HCP
deployments. The SecretProviderClass is used by the Secrets Store CSI
driver to mount a certificate to a volume in the ingress pod deployment.

Signed-off-by: Bryan Cox <brcox@redhat.com>
@bryan-cox
Add DNS RG to Ingress SP's contributor role scope
1b3ec16 
Signed-off-by: Bryan Cox <brcox@redhat.com>
@bryan-cox
Reconcile Azure Creds to fixed secret in HCP NS
222444b 
Reconcile the Azure credentials information secret to a fixed secret
name, azure-credential-information, in the hosted control plane
namespace.

Signed-off-by: Bryan Cox <brcox@redhat.com>
@bryan-cox
Authenticate Azure KMS with cert authentication
2762c9e 
This commit authenticates Azure KMS with certificate authentication in
order to communicate with Azure Cloud API. The certificate is stored in
an Azure key vault and mounted into the KAS pod through a Secrets Store
CSI driver SecretProviderClass.

Signed-off-by: Bryan Cox <brcox@redhat.com>
@bryan-cox
Reconcile SecretProvider for CPO on ARO HCP
bdc8532 
Reconcile the SecretProviderClass for the control plane operator for ARO
 HCP deployments. The SecretProviderClass is used by the Secrets Store
 CSI driver to mount a certificate to a volume in the control plane
 operator pod deployment.

Signed-off-by: Bryan Cox <brcox@redhat.com>
@bryan-cox
Update go.mod to include cert changes for CAPZ
040d1b3 
Update the go.mod to include the specific commit that includes the
changes to allow service principal with certificate to use a certificate
.

Signed-off-by: Bryan Cox <brcox@redhat.com>
@bryan-cox
Authenticate CAPZ with cert authentication
a114357 
This commit authenticates CAPZ with certificate authentication in order
to communicate with Azure Cloud API. The certificate is stored in an
Azure key vault and mounted into the capi-provider pod through a Secrets
 Store CSI driver SecretProviderClass.

Signed-off-by: Bryan Cox <brcox@redhat.com>
@bryan-cox bryan-cox changed the title Ocpbugs 42434 combined OCPBUGS-42434: Enable Managed Identity w/ Certificates in HyperShift Control Plane Components Nov 20, 2024
@openshift-ci-robot openshift-ci-robot added the jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. label Nov 20, 2024
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Nov 20, 2024
@openshift-ci-robot
Copy link

@bryan-cox: This pull request references Jira Issue OCPBUGS-42434, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.18.0) matches configured target version for branch (4.18.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @fxierh

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, use fixes #<issue_number>(, fixes #<issue_number>, ...) format, where issue_number might be a GitHub issue, or a Jira story:
Fixes #

Checklist

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label Nov 20, 2024
@openshift-ci openshift-ci bot requested a review from fxierh November 20, 2024 12:17
This was referenced Nov 20, 2024
Closed
Closed
Closed
Closed
@bryan-cox
Copy link
Member Author

/retest

@bryan-cox
Reconcile SecretProvider for CP on ARO HCP
23241af 
This commit changes the authentication from client secret to
client certificate as well as reconciling the SecretProviderClass for
cloud provider for ARO HCP deployments. The SecretProviderClass is used
by the Secrets Store CSI driver to mount a certificate to a volume in
the azure-cloud-controller-manager pod's deployment.

Signed-off-by: Bryan Cox <brcox@redhat.com>
@bryan-cox
Copy link
Member Author

/test e2e-aks

@bryan-cox
Copy link
Member Author

/test e2e-aws

Patryk-Stefanski
Patryk-Stefanski reviewed Nov 20, 2024
View reviewed changes
control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go
return fmt.Errorf("failed to get Azure credentials secret: %w", err)
}

tenantID := strings.TrimSpace(string(credentialsSecret.Data["AZURE_TENANT_ID"]))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to trim spaces here?

Patryk-Stefanski
Patryk-Stefanski reviewed Nov 20, 2024
View reviewed changes
control-plane-operator/controllers/hostedcontrolplane/cloud/azure/reconcile.go
@@ -2,6 +2,7 @@ package azure

import (
"fmt"
"github.com/openshift/hypershift/support/azureutil"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sort imports

Patryk-Stefanski
Patryk-Stefanski reviewed Nov 20, 2024
View reviewed changes
...ol-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/azure/config.go
@@ -3,6 +3,9 @@ package azure
import (
"encoding/json"
"fmt"
"github.com/openshift/hypershift/control-plane-operator/controllers/hostedcontrolplane/secretproviderclass"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sort imports

@bryan-cox
Copy link
Member Author

/test e2e-aws-4-17

@bryan-cox
WIP - add rbac for cpo to update secretprovider
f5ff648 
Signed-off-by: Bryan Cox <brcox@redhat.com>
@bryan-cox
Copy link
Member Author

/test unit

@bryan-cox
Copy link
Member Author

/retest

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Nov 20, 2024

@bryan-cox: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aks f5ff648 link true /test e2e-aks
ci/prow/e2e-aws-4-17 f5ff648 link true /test e2e-aws-4-17

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-ci-robot openshift-ci-robot mentioned this pull request Nov 21, 2024
Merged
muraee
muraee reviewed Nov 21, 2024
View reviewed changes
...lane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/azure/deployment.go
@@ -20,5 +22,12 @@ func adaptDeployment(cpContext component.ControlPlaneContext, deployment *appsv1
fmt.Sprintf("--cluster-name=%s", cpContext.HCP.Spec.InfraID),
)
})
deployment.Spec.Template.Spec.Containers[0].VolumeMounts = append(deployment.Spec.Template.Spec.Containers[0].VolumeMounts,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please move this inside util.UpdateContainer function above and use the passed in container instead of deployment.Spec.Template.Spec.Containers[0]

muraee
muraee reviewed Nov 21, 2024
View reviewed changes
...ol-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/azure/config.go
@@ -49,14 +51,17 @@ func adaptConfigSecret(cpContext component.ControlPlaneContext, secret *corev1.S
return nil
}

func adaptSecretProvider(cpContext component.ControlPlaneContext, secretProvider *secretsstorev1.SecretProviderClass) error {
secretProvider = manifests.ManagedAzureSecretProviderClass(secretProvider.Name, cpContext.HCP.Namespace)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
secretProvider = manifests.ManagedAzureSecretProviderClass(secretProvider.Name, cpContext.HCP.Namespace)

This line is not needed

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 27, 2024
@openshift-merge-robot
Copy link
Contributor

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Patryk-Stefanski Patryk-Stefanski Patryk-Stefanski left review comments

@muraee muraee muraee left review comments

@enxebre enxebre Awaiting requested review from enxebre

@hasueki hasueki Awaiting requested review from hasueki

@fxierh fxierh Awaiting requested review from fxierh

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/api Indicates the PR includes changes for the API area/cli Indicates the PR includes changes for CLI area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release area/hypershift-operator Indicates the PR includes changes for the hypershift operator and API - outside an OCP release area/testing Indicates the PR includes changes for e2e testing jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@bryan-cox @openshift-ci-robot @openshift-merge-robot @muraee @Patryk-Stefanski