Set MSI in Ingress, CSI, CNCC, & IR Azure secrets
Set the MSI client ID for ingress, cluster storage, cloud network config
 controller, and image registry secrets for the Azure platform. The
 client ID for each of these is associated with their service account
 through an Azure federated identity credential.

Signed-off-by: Bryan Cox <[email protected]>
bryan-cox committed Nov 11, 2024
1 parent 9eb898d commit fcf4e21
Showing 1 changed file with 18 additions and 10 deletions.
Expand Up @@ -1404,25 +1404,30 @@ func (r *reconciler) reconcileCloudCredentialSecrets(ctx context.Context, hcp *h
}

secretData := map[string][]byte{
"azure_client_id": referenceCredentialsSecret.Data["AZURE_CLIENT_ID"],
"azure_client_secret": referenceCredentialsSecret.Data["AZURE_CLIENT_SECRET"],
"azure_region": []byte(hcp.Spec.Platform.Azure.Location),
"azure_resource_prefix": []byte(hcp.Name + "-" + hcp.Spec.InfraID),
"azure_resourcegroup": []byte(hcp.Spec.Platform.Azure.ResourceGroupName),
"azure_subscription_id": referenceCredentialsSecret.Data["AZURE_SUBSCRIPTION_ID"],
"azure_tenant_id": referenceCredentialsSecret.Data["AZURE_TENANT_ID"],
}

"azure_federated_token_file": []byte("/var/run/secrets/openshift/serviceaccount/token"),
"azure_region": []byte(hcp.Spec.Platform.Azure.Location),
"azure_resource_prefix": []byte(hcp.Name + "-" + hcp.Spec.InfraID),
"azure_resourcegroup": []byte(hcp.Spec.Platform.Azure.ResourceGroupName),
"azure_subscription_id": referenceCredentialsSecret.Data["AZURE_SUBSCRIPTION_ID"],
"azure_tenant_id": referenceCredentialsSecret.Data["AZURE_TENANT_ID"],
}

// The ingress controller fails if this secret is not provided. The controller runs on the control plane side. In managed azure, we are
// overriding the Azure credentials authentication method to always use client certificate authentication. This secret is just created
// so that the ingress controller does not fail. The data in the secret is never used by the ingress controller due to the aforementioned
// override to use client certificate authentication.
ingressCredentialSecret := &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Namespace: "openshift-ingress-operator", Name: "cloud-credentials"}}
if _, err := r.CreateOrUpdate(ctx, r.client, ingressCredentialSecret, func() error {
secretData["azure_client_id"] = []byte("fakeClientID")
ingressCredentialSecret.Data = secretData
return nil
}); err != nil {
errs = append(errs, fmt.Errorf("failed tom reconcile guest cluster ingress operator secret: %w", err))
errs = append(errs, fmt.Errorf("failed to reconcile guest cluster ingress operator secret: %w", err))
}

csiCredentialSecret := &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Namespace: "openshift-cluster-csi-drivers", Name: "azure-disk-credentials"}}
if _, err := r.CreateOrUpdate(ctx, r.client, csiCredentialSecret, func() error {
secretData["azure_client_id"] = []byte(hcp.Spec.Platform.Azure.ManagedIdentities.DataPlane.DiskMSIClientID)
csiCredentialSecret.Data = secretData
return nil
}); err != nil {
Expand All @@ -1431,6 +1436,7 @@ func (r *reconciler) reconcileCloudCredentialSecrets(ctx context.Context, hcp *h

imageRegistrySecret := &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Namespace: "openshift-image-registry", Name: "installer-cloud-credentials"}}
if _, err := r.CreateOrUpdate(ctx, r.client, imageRegistrySecret, func() error {
secretData["azure_client_id"] = []byte(hcp.Spec.Platform.Azure.ManagedIdentities.DataPlane.ImageRegistryMSIClientID)
imageRegistrySecret.Data = secretData
return nil
}); err != nil {
Expand All @@ -1439,6 +1445,7 @@ func (r *reconciler) reconcileCloudCredentialSecrets(ctx context.Context, hcp *h

cloudNetworkConfigControllerSecret := &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Namespace: "openshift-cloud-network-config-controller", Name: "cloud-credentials"}}
if _, err := r.CreateOrUpdate(ctx, r.client, cloudNetworkConfigControllerSecret, func() error {
secretData["azure_client_id"] = []byte(hcp.Spec.Platform.Azure.ManagedIdentities.DataPlane.CloudNetworkConfigMSIClientID)
cloudNetworkConfigControllerSecret.Data = secretData
return nil
}); err != nil {
Expand All @@ -1447,6 +1454,7 @@ func (r *reconciler) reconcileCloudCredentialSecrets(ctx context.Context, hcp *h

csiDriverSecret := &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Namespace: "openshift-cluster-csi-drivers", Name: "azure-file-credentials"}}
if _, err := r.CreateOrUpdate(ctx, r.client, csiDriverSecret, func() error {
secretData["azure_client_id"] = []byte(hcp.Spec.Platform.Azure.ManagedIdentities.DataPlane.FileMSIClientID)
csiDriverSecret.Data = secretData
return nil
}); err != nil {
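Review bot: Every mutate closure in this hunk writes `azure_client_id` into the one shared `secretData` map and then assigns that same map to the Secret (`ingressCredentialSecret.Data = secretData`, `csiCredentialSecret.Data = secretData`, and so on), so all five in-memory Secret objects alias a single map and, after the last closure runs, every one of them reports the azure-file MSI client ID. This is only correct because `r.CreateOrUpdate` presumably wraps controller-runtime's CreateOrUpdate, which issues the API write inside the call right after the mutate function returns; any later inspection or re-apply of these objects, or a reordering of the calls, would hand a workload the wrong identity, which for credential material is worth closing explicitly rather than relying on call timing. I would give each Secret its own map through a small closure-local helper and drop the in-closure writes to `secretData`, as sketched below. It may also be worth rejecting an empty MSI client ID before it is written, since a blank `azure_client_id` would only surface later as an auth failure inside the guest component; the shape of `ManagedIdentities.DataPlane` is not visible here, so that check depends on whether those fields are plain strings. `reconcileCloudCredentialSecrets` begins before this hunk and its body continues past it.

```go
// … unchanged: referenceCredentialsSecret lookup and the shared secretData literal
//   (federated token file, region, resource prefix, resource group, subscription, tenant) …

// secretDataFor returns a fresh copy of the shared fields with azure_client_id
// set, so each Secret owns its own map instead of aliasing one shared by all.
secretDataFor := func(clientID string) map[string][]byte {
	data := make(map[string][]byte, len(secretData)+1)
	for k, v := range secretData {
		data[k] = v
	}
	data["azure_client_id"] = []byte(clientID)
	return data
}

// … unchanged: comment explaining the placeholder ingress credentials …
ingressCredentialSecret := &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Namespace: "openshift-ingress-operator", Name: "cloud-credentials"}}
if _, err := r.CreateOrUpdate(ctx, r.client, ingressCredentialSecret, func() error {
	ingressCredentialSecret.Data = secretDataFor("fakeClientID")
	return nil
}); err != nil {
	// … unchanged: error append …
}

csiCredentialSecret := &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Namespace: "openshift-cluster-csi-drivers", Name: "azure-disk-credentials"}}
if _, err := r.CreateOrUpdate(ctx, r.client, csiCredentialSecret, func() error {
	csiCredentialSecret.Data = secretDataFor(hcp.Spec.Platform.Azure.ManagedIdentities.DataPlane.DiskMSIClientID)
	return nil
}); err != nil {
	// … unchanged: error append …
}

// … unchanged: image registry, cloud network config controller and azure-file
//   secrets follow the same pattern with their own MSI client IDs …
```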
