[WIP] feat: add controller that retrieves information about MSI based identities#4192
miguelsorianod wants to merge 4 commits into main from
Conversation
As part of it, we also introduce types to deserialize the Azure runtime configuration file, as well as types to interact with the ResourceProviders Azure client and read the FPA identity provided to the backend component.
We introduce an in-flight check that verifies that the Azure Resource Group part of the hcpcluster resource ID of the cluster being created exists. To create an hcpcluster, the resource group where it is to be created must exist beforehand.
…ation

This commit also introduces the ability to authenticate as the cluster's service managed identity, which is required to be able to instantiate a user-assigned identities client that uses it, which has enough permissions to check the existence of the cluster-scoped user-provided Azure managed identities associated with the cluster's operators. The service managed identity (SMI) is a cluster-scoped Azure user-assigned managed identity. This identity is used to interact with Azure resources that are created and provided by the end user.

To be able to authenticate as the cluster's managed identity, credentials need to be retrieved for it. To achieve that, this commit also introduces the ability to interact with Microsoft's Managed Identities Data Plane service. This service is only available in environments where Microsoft's First Party Application integration is available. For the environments where the First Party Application integration is not available we cannot communicate with the Managed Identities Data Plane service, so instead we use a mock implementation of the ManagedIdentitiesDataplaneClient that always returns a single Azure Service Principal identity representing a Managed Identity. This commit also introduces this mock client implementation.
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: miguelsorianod. The full list of commands accepted by this bot can be found here. Needs approval from an approver in each of these files: Approvers can indicate their approval by writing
@miguelsorianod: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
This PR builds on top of #3820.
We add a controller that retrieves the Client ID and Principal ID of the following identities associated with an ARO-HCP Cluster:
We leverage Microsoft's Managed Identities Data Plane service to retrieve the information. When the service is not available (outside of AME tenants), the fake managed identities data plane client is leveraged instead, which returns the information associated with the mock MSI identity for all requests/responses to it. We do not directly use the Azure Go SDK's UserAssignedIdentities client because on non-AME tenants we cannot obtain credentials associated with them, since the Managed Identities Data Plane service is not available and we use the mock MSI identity instead, whose information is returned by the fake managed identities data plane client.
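The shape of the lookup described above, as an added illustration that is not code from this PR or from the ARO-HCP project: a data plane client interface with a fake that answers every request with one mock identity, a resource ID check that yields the resource group the in-flight check depends on, and a resolver that refuses to record an identity whose Client ID or Principal ID came back blank. The type and function names, the resource ID layout check, and the sample values are all assumptions made for the example.

```go
package main

import (
	"context"
	"fmt"
	"strings"
)

// IdentityInfo holds the two fields the controller records per identity.
type IdentityInfo struct{ ClientID, PrincipalID string }
// ManagedIdentitiesDataplaneClient is an assumed abstraction of the MSI data plane.
type ManagedIdentitiesDataplaneClient interface {
	GetIdentity(ctx context.Context, identityResourceID string) (IdentityInfo, error)
}
// FakeDataplaneClient stands in for non-AME tenants: every lookup yields the same mock identity.
type FakeDataplaneClient struct{ Mock IdentityInfo }
func (f FakeDataplaneClient) GetIdentity(context.Context, string) (IdentityInfo, error) { return f.Mock, nil }
// ParseUserAssignedIdentityID validates an ARM resource ID of the form /subscriptions/<sub>/resourceGroups/<rg>/
// providers/Microsoft.ManagedIdentity/userAssignedIdentities/<name> and returns <rg>, which must already exist.
func ParseUserAssignedIdentityID(id string) (string, error) {
	p := strings.Split(strings.TrimPrefix(id, "/"), "/")
	ok := len(p) == 8 && strings.EqualFold(p[0], "subscriptions") && strings.EqualFold(p[2], "resourceGroups") &&
		strings.EqualFold(p[4], "providers") && strings.EqualFold(p[5], "Microsoft.ManagedIdentity") &&
		strings.EqualFold(p[6], "userAssignedIdentities") && p[1] != "" && p[3] != "" && p[7] != ""
	if !ok {
		return "", fmt.Errorf("not a user-assigned identity resource ID: %q", id)
	}
	return p[3], nil
}
// ResolveIdentities validates each resource ID, then asks the data plane for client/principal IDs.
func ResolveIdentities(ctx context.Context, c ManagedIdentitiesDataplaneClient, ids []string) (map[string]IdentityInfo, error) {
	out := make(map[string]IdentityInfo, len(ids))
	for _, id := range ids {
		if _, err := ParseUserAssignedIdentityID(id); err != nil {
			return nil, err
		}
		info, err := c.GetIdentity(ctx, id)
		if err != nil || info.ClientID == "" || info.PrincipalID == "" { // never record a half-resolved identity
			return nil, fmt.Errorf("identity %s: lookup failed or incomplete (%v)", id, err)
		}
		out[id] = info
	}
	return out, nil
}

func main() { // constructed sample: one operator identity resolved through the fake client
	fake := FakeDataplaneClient{Mock: IdentityInfo{ClientID: "mock-client-id", PrincipalID: "mock-principal-id"}}
	fmt.Println(ResolveIdentities(context.Background(), fake,
		[]string{"/subscriptions/sub/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/op1"}))
}
```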