Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OCPBUGS-48688: Implement Workload Identity in Azure for Data Plane Components Part 4 #5361

Merged
merged 3 commits into from
Jan 21, 2025
Merged

OCPBUGS-48688: Implement Workload Identity in Azure for Data Plane Components Part 4 #5361

merged 3 commits into from
Jan 21, 2025

Conversation

bryan-cox
Copy link
Member

@bryan-cox bryan-cox commented Jan 9, 2025
edited
Loading

What this PR does / why we need it:
This PR is part 4 of implementing workload identity for data plane components in managed Azure. Specifically this PR only includes changes to the CPO.

The PR for part 3 is - #4587.

Which issue(s) this PR fixes:
Fixes HOSTEDCP-1542

Checklist

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jan 9, 2025
@openshift-ci-robot
Copy link

openshift-ci-robot commented Jan 9, 2025
edited by openshift-ci bot
Loading

@bryan-cox: This pull request references HOSTEDCP-1542 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target either version "4.19." or "openshift-4.19.", but it targets "openshift-4.18" instead.

In response to this:

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, use fixes #<issue_number>(, fixes #<issue_number>, ...) format, where issue_number might be a GitHub issue, or a Jira story:
Fixes #

Checklist

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from csrwng and enxebre January 9, 2025 12:38
@openshift-ci openshift-ci bot added the area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release label Jan 9, 2025
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Jan 9, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. and removed do-not-merge/needs-area labels Jan 9, 2025
@openshift-ci-robot
Copy link

openshift-ci-robot commented Jan 9, 2025
edited by openshift-ci bot
Loading

@bryan-cox: This pull request references HOSTEDCP-1542 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target either version "4.19." or "openshift-4.19.", but it targets "openshift-4.18" instead.

In response to this:

What this PR does / why we need it:
This PR is part 2 of implementing workload identity for data plane components in managed Azure. Specifically this PR only includes changes to the CPO.

The PR for part 1 is - #4587.

Which issue(s) this PR fixes:
Fixes HOSTEDCP-1542

Checklist

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@bryan-cox bryan-cox mentioned this pull request Jan 9, 2025
Merged
4 tasks
@openshift-merge-robot openshift-merge-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Jan 11, 2025
@bryan-cox bryan-cox changed the title HOSTEDCP-1542: Implement Workload Identity in Azure for Data Plane Components Part 2 HOSTEDCP-1542: Implement Workload Identity in Azure for Data Plane Components Part 4 Jan 15, 2025
@openshift-ci-robot
Copy link

openshift-ci-robot commented Jan 15, 2025
edited by openshift-ci bot
Loading

@bryan-cox: This pull request references HOSTEDCP-1542 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target either version "4.19." or "openshift-4.19.", but it targets "openshift-4.18" instead.

In response to this:

What this PR does / why we need it:
This PR is part 4 of implementing workload identity for data plane components in managed Azure. Specifically this PR only includes changes to the CPO.

The PR for part 3 is - #4587.

Which issue(s) this PR fixes:
Fixes HOSTEDCP-1542

Checklist

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@bryan-cox bryan-cox mentioned this pull request Jan 15, 2025
Merged
@bryan-cox bryan-cox force-pushed the HOSTEDCP-1542-cpo-changes-only branch from ec8fa87 to 5f78eaa Compare January 18, 2025 11:13
@bryan-cox
Copy link
Member Author

/test e2e-aws

@bryan-cox
Copy link
Member Author

/retest-required

@bryan-cox
Copy link
Member Author

bryan-cox commented Jan 18, 2025
edited
Loading

Previous AWS failure seems like a flake.

The AKS failure may be something new that was working before

  - lastTransitionTime: "2025-01-18T11:58:11Z"
    message: Cluster operator image-registry is not available
    observedGeneration: 2
    reason: ClusterOperatorNotAvailable
    status: "False"
    type: ClusterVersionSucceeding

@bryan-cox
Copy link
Member Author

I'm seeing errors like this in the CIRO pod logs

I0118 15:22:15.332868       1 azureclient.go:110] Using client certification Azure authentication for ARO HCP
I0118 15:22:15.684433       1 dependencies.go:70] missing the deployment dependency: Secret image-registry-tls: secret "image-registry-tls" not found
I0118 15:22:15.690220       1 azureclient.go:110] Using client certification Azure authentication for ARO HCP
I0118 15:22:15.865520       1 dependencies.go:70] missing the deployment dependency: Secret image-registry-tls: secret "image-registry-tls" not found
I0118 15:22:20.946244       1 azureclient.go:110] Using client certification Azure authentication for ARO HCP
I0118 15:22:21.267001       1 dependencies.go:70] missing the deployment dependency: Secret image-registry-tls: secret "image-registry-tls" not found
I0118 15:22:22.935372       1 azureclient.go:110] Using client certification Azure authentication for ARO HCP
I0118 15:22:23.156231       1 dependencies.go:70] missing the deployment dependency: Secret image-registry-tls: secret "image-registry-tls" not found
I0118 15:22:23.169523       1 azureclient.go:110] Using client certification Azure authentication for ARO HCP
I0118 15:22:23.376115       1 dependencies.go:70] missing the deployment dependency: Secret image-registry-tls: secret "image-registry-tls" not found

@bryan-cox
Copy link
Member Author

bryan-cox commented Jan 19, 2025
edited
Loading

/test e2e-aks

I was able to get a HC completed locally so testing again just to make sure there wasn't a transient issue. Locally the HC came up much later than expected but that could have been the airport wifi/VPN (took about ~20m for HC to complete).

@bryan-cox bryan-cox force-pushed the HOSTEDCP-1542-cpo-changes-only branch from 5f78eaa to 69c685c Compare January 20, 2025 13:51
@openshift-ci openshift-ci bot added the area/cli Indicates the PR includes changes for CLI label Jan 20, 2025
@bryan-cox
Copy link
Member Author

/test e2e-aks

@bryan-cox
Set GC Azure cloud creds secret for CSI & IR
0729c8a 
Set the guest cluster Azure cloud credentials secret for azure file CSI,
 azure disk CSI, and image registry.

Signed-off-by: Bryan Cox <[email protected]>
@bryan-cox
Update SA RBAC for image registry & azure csi
ed51d26 
Update the needed RBAC policies for the system accounts for image
registry, azure file csi driver, and azure disk csi driver.

Signed-off-by: Bryan Cox <[email protected]>
@bryan-cox bryan-cox force-pushed the HOSTEDCP-1542-cpo-changes-only branch from 69c685c to 22f0806 Compare January 20, 2025 15:25
@bryan-cox
Assign data plane role assignments for WI in AKS
c94c093 
This commit assigns the right role assignments for each data plane
component.

Signed-off-by: Bryan Cox <[email protected]>
@bryan-cox bryan-cox force-pushed the HOSTEDCP-1542-cpo-changes-only branch from 9b1fe55 to c94c093 Compare January 20, 2025 18:06
@Patryk-Stefanski
Copy link
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 21, 2025
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Jan 21, 2025

@bryan-cox: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot bot merged commit dc3f49c into openshift:main Jan 21, 2025
13 of 14 checks passed
@bryan-cox
Copy link
Member Author

/cherry-pick release-4.18

@openshift-cherrypick-robot
Copy link

@bryan-cox: #5361 failed to apply on top of branch "release-4.18":

Applying: Set GC Azure cloud creds secret for CSI & IR
Applying: Update SA RBAC for image registry & azure csi
Using index info to reconstruct a base tree...
M	control-plane-operator/controllers/hostedcontrolplane/configoperator/reconcile.go
M	control-plane-operator/hostedclusterconfigoperator/controllers/resources/rbac/reconcile.go
M	control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go
Falling back to patching base and 3-way merge...
Auto-merging control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go
CONFLICT (content): Merge conflict in control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go
Auto-merging control-plane-operator/hostedclusterconfigoperator/controllers/resources/rbac/reconcile.go
Auto-merging control-plane-operator/controllers/hostedcontrolplane/configoperator/reconcile.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config advice.mergeConflict false"
Patch failed at 0002 Update SA RBAC for image registry & azure csi

In response to this:

/cherry-pick release-4.18

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@bryan-cox bryan-cox deleted the HOSTEDCP-1542-cpo-changes-only branch January 21, 2025 15:39
@bryan-cox bryan-cox mentioned this pull request Jan 21, 2025
Merged
4 tasks
@bryan-cox bryan-cox changed the title HOSTEDCP-1542: Implement Workload Identity in Azure for Data Plane Components Part 4 OCPBUGS-48688: Implement Workload Identity in Azure for Data Plane Components Part 4 Jan 21, 2025
@openshift-ci-robot
Copy link

@bryan-cox: Jira Issue OCPBUGS-48688 is in an unrecognized state (ON_QA) and will not be moved to the MODIFIED state.

In response to this:

What this PR does / why we need it:
This PR is part 4 of implementing workload identity for data plane components in managed Azure. Specifically this PR only includes changes to the CPO.

The PR for part 3 is - #4587.

Which issue(s) this PR fixes:
Fixes HOSTEDCP-1542

Checklist

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@bryan-cox
Copy link
Member Author

/jira backport release-4.18

@openshift-ci-robot
Copy link

@bryan-cox: The following backport issues have been created:

Queuing cherrypicks to the requested branches to be created after this PR merges:
/cherrypick release-4.18

In response to this:

/jira backport release-4.18

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-cherrypick-robot
Copy link

@openshift-ci-robot: #5361 failed to apply on top of branch "release-4.18":

Applying: Set GC Azure cloud creds secret for CSI & IR
Applying: Update SA RBAC for image registry & azure csi
Using index info to reconstruct a base tree...
M	control-plane-operator/controllers/hostedcontrolplane/configoperator/reconcile.go
M	control-plane-operator/hostedclusterconfigoperator/controllers/resources/rbac/reconcile.go
M	control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go
Falling back to patching base and 3-way merge...
Auto-merging control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go
CONFLICT (content): Merge conflict in control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go
Auto-merging control-plane-operator/hostedclusterconfigoperator/controllers/resources/rbac/reconcile.go
Auto-merging control-plane-operator/controllers/hostedcontrolplane/configoperator/reconcile.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config advice.mergeConflict false"
Patch failed at 0002 Update SA RBAC for image registry & azure csi

In response to this:

@bryan-cox: The following backport issues have been created:

Queuing cherrypicks to the requested branches to be created after this PR merges:
/cherrypick release-4.18

In response to this:

/jira backport release-4.18

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-bot
Copy link

[ART PR BUILD NOTIFIER]

Distgit: hypershift
This PR has been included in build ose-hypershift-container-v4.19.0-202501211738.p0.gdc3f49c.assembly.stream.el9.
All builds following this will include this PR.

@muraee muraee mentioned this pull request Jan 23, 2025
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@csrwng csrwng Awaiting requested review from csrwng

@enxebre enxebre Awaiting requested review from enxebre

Assignees

@Patryk-Stefanski Patryk-Stefanski

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/cli Indicates the PR includes changes for CLI area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@bryan-cox @openshift-ci-robot @Patryk-Stefanski @openshift-cherrypick-robot @openshift-bot @openshift-merge-robot