add oidcIssuerProfile to AzureManagedControlPlane

kubernetes-sigs · Sep 8, 2023 · 3559662 · 3559662
1 parent b082981
commit 3559662
Show file tree

Hide file tree

Showing 13 changed files with 489 additions and 0 deletions.
diff --git a/api/v1beta1/azuremanagedcontrolplane_types.go b/api/v1beta1/azuremanagedcontrolplane_types.go
@@ -191,6 +191,10 @@ type AzureManagedControlPlaneSpec struct {
 	// Immutable.
 	// +optional
 	HTTPProxyConfig *HTTPProxyConfig `json:"httpProxyConfig,omitempty"`
+
+	// OIDCIssuerProfile is the OIDC issuer profile of the Managed Cluster.
+	// +optional
+	OIDCIssuerProfile *OIDCIssuerProfile `json:"oidcIssuerProfile,omitempty"`
 }
 
 // HTTPProxyConfig is the HTTP proxy configuration for the cluster.
@@ -349,6 +353,21 @@ type AzureManagedControlPlaneStatus struct {
 	// next reconciliation loop.
 	// +optional
 	LongRunningOperationStates Futures `json:"longRunningOperationStates,omitempty"`
+
+	// OIDCIssuerProfile is the OIDC issuer profile of the Managed Cluster.
+	// +optional
+	OIDCIssuerProfile *OIDCIssuerProfileStatus `json:"oidcIssuerProfile,omitempty"`
+}
+
+// OIDCIssuerProfileStatus is the OIDC issuer profile of the Managed Cluster.
+type OIDCIssuerProfileStatus struct {
+	// Enabled is whether the OIDC issuer is enabled.
+	// +optional
+	Enabled *bool `json:"enabled,omitempty"`
+
+	// IssuerURL is the OIDC issuer url of the Managed Cluster.
+	// +optional
+	IssuerURL *string `json:"issuerURL,omitempty"`
 }
 
 // AutoScalerProfile parameters to be applied to the cluster-autoscaler.
@@ -485,6 +504,16 @@ type Identity struct {
 	UserAssignedIdentityResourceID string `json:"userAssignedIdentityResourceID,omitempty"`
 }
 
+// OIDCIssuerProfile is the OIDC issuer profile of the Managed Cluster.
+// See also [AKS doc].
+//
+// [AKS doc]: https://learn.microsoft.com/en-us/azure/aks/use-oidc-issuer
+type OIDCIssuerProfile struct {
+	// Enabled is whether the OIDC issuer is enabled.
+	// +optional
+	Enabled *bool `json:"enabled,omitempty"`
+}
+
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:path=azuremanagedcontrolplanes,scope=Namespaced,categories=cluster-api,shortName=amcp
 // +kubebuilder:storageversion

diff --git a/api/v1beta1/azuremanagedcontrolplane_webhook.go b/api/v1beta1/azuremanagedcontrolplane_webhook.go
@@ -280,6 +280,7 @@ func (m *AzureManagedControlPlane) Validate(cli client.Client) error {
 		m.validateManagedClusterNetwork,
 		m.validateAutoScalerProfile,
 		m.validateIdentity,
+		m.validateOIDCIssuerProfile,
 	}
 
 	var errs []error
@@ -713,3 +714,25 @@ func (m *AzureManagedControlPlane) validateIdentity(_ client.Client) error {
 
 	return nil
 }
+
+// validateOIDCIssuerProfile validates an OIDCIssuerProfile.
+func (m *AzureManagedControlPlane) validateOIDCIssuerProfile(_ client.Client) error {
+	var allErrs field.ErrorList
+
+	if m.Status.OIDCIssuerProfile != nil {
+		if ptr.Deref(m.Status.OIDCIssuerProfile.Enabled, false) && !ptr.Deref(ptr.Deref(m.Spec.OIDCIssuerProfile, OIDCIssuerProfile{}).Enabled, true) {
+			allErrs = append(allErrs,
+				field.Forbidden(
+					field.NewPath("Spec", "OIDCIssuerProfile", "Enabled"),
+					"cannot be disabled",
+				),
+			)
+		}
+	}
+
+	if len(allErrs) > 0 {
+		return kerrors.NewAggregate(allErrs.ToAggregate().Errors())
+	}
+
+	return nil
+}
diff --git a/api/v1beta1/azuremanagedcontrolplane_webhook_test.go b/api/v1beta1/azuremanagedcontrolplane_webhook_test.go
@@ -662,6 +662,186 @@ func TestValidatingWebhook(t *testing.T) {
 			},
 			expectErr: true,
 		},
+		{
+			name: "AzureManagedControlPlane OIDCIssuerProfile.Enabled nil -> nil OK",
+			amcp: AzureManagedControlPlane{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-cluster",
+				},
+				Status: AzureManagedControlPlaneStatus{
+					OIDCIssuerProfile: &OIDCIssuerProfileStatus{
+						Enabled: nil,
+					},
+				},
+				Spec: AzureManagedControlPlaneSpec{
+					Version: "v0.0.0",
+					OIDCIssuerProfile: &OIDCIssuerProfile{
+						Enabled: nil,
+					},
+				},
+			},
+			expectErr: false,
+		},
+		{
+			name: "AzureManagedControlPlane OIDCIssuerProfile.Enabled nil -> false OK",
+			amcp: AzureManagedControlPlane{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-cluster",
+				},
+				Status: AzureManagedControlPlaneStatus{
+					OIDCIssuerProfile: &OIDCIssuerProfileStatus{
+						Enabled: nil,
+					},
+				},
+				Spec: AzureManagedControlPlaneSpec{
+					Version: "v0.0.0",
+					OIDCIssuerProfile: &OIDCIssuerProfile{
+						Enabled: ptr.To(false),
+					},
+				},
+			},
+			expectErr: false,
+		},
+		{
+			name: "AzureManagedControlPlane OIDCIssuerProfile.Enabled nil -> true OK",
+			amcp: AzureManagedControlPlane{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-cluster",
+				},
+				Status: AzureManagedControlPlaneStatus{
+					OIDCIssuerProfile: &OIDCIssuerProfileStatus{
+						Enabled: nil,
+					},
+				},
+				Spec: AzureManagedControlPlaneSpec{
+					Version: "v0.0.0",
+					OIDCIssuerProfile: &OIDCIssuerProfile{
+						Enabled: ptr.To(true),
+					},
+				},
+			},
+			expectErr: false,
+		},
+		{
+			name: "AzureManagedControlPlane OIDCIssuerProfile.Enabled false -> nil OK",
+			amcp: AzureManagedControlPlane{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-cluster",
+				},
+				Status: AzureManagedControlPlaneStatus{
+					OIDCIssuerProfile: &OIDCIssuerProfileStatus{
+						Enabled: ptr.To(false),
+					},
+				},
+				Spec: AzureManagedControlPlaneSpec{
+					Version: "v0.0.0",
+					OIDCIssuerProfile: &OIDCIssuerProfile{
+						Enabled: nil,
+					},
+				},
+			},
+			expectErr: false,
+		},
+		{
+			name: "AzureManagedControlPlane OIDCIssuerProfile.Enabled false -> false OK",
+			amcp: AzureManagedControlPlane{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-cluster",
+				},
+				Status: AzureManagedControlPlaneStatus{
+					OIDCIssuerProfile: &OIDCIssuerProfileStatus{
+						Enabled: ptr.To(false),
+					},
+				},
+				Spec: AzureManagedControlPlaneSpec{
+					Version: "v0.0.0",
+					OIDCIssuerProfile: &OIDCIssuerProfile{
+						Enabled: ptr.To(false),
+					},
+				},
+			},
+			expectErr: false,
+		},
+		{
+			name: "AzureManagedControlPlane OIDCIssuerProfile.Enabled false -> true OK",
+			amcp: AzureManagedControlPlane{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-cluster",
+				},
+				Status: AzureManagedControlPlaneStatus{
+					OIDCIssuerProfile: &OIDCIssuerProfileStatus{
+						Enabled: ptr.To(false),
+					},
+				},
+				Spec: AzureManagedControlPlaneSpec{
+					Version: "v0.0.0",
+					OIDCIssuerProfile: &OIDCIssuerProfile{
+						Enabled: ptr.To(true),
+					},
+				},
+			},
+			expectErr: false,
+		},
+		{
+			name: "AzureManagedControlPlane OIDCIssuerProfile.Enabled true -> nil OK",
+			amcp: AzureManagedControlPlane{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-cluster",
+				},
+				Status: AzureManagedControlPlaneStatus{
+					OIDCIssuerProfile: &OIDCIssuerProfileStatus{
+						Enabled: ptr.To(true),
+					},
+				},
+				Spec: AzureManagedControlPlaneSpec{
+					Version: "v0.0.0",
+					OIDCIssuerProfile: &OIDCIssuerProfile{
+						Enabled: nil,
+					},
+				},
+			},
+			expectErr: false,
+		},
+		{
+			name: "AzureManagedControlPlane OIDCIssuerProfile.Enabled true -> false err",
+			amcp: AzureManagedControlPlane{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-cluster",
+				},
+				Status: AzureManagedControlPlaneStatus{
+					OIDCIssuerProfile: &OIDCIssuerProfileStatus{
+						Enabled: ptr.To(true),
+					},
+				},
+				Spec: AzureManagedControlPlaneSpec{
+					Version: "v0.0.0",
+					OIDCIssuerProfile: &OIDCIssuerProfile{
+						Enabled: ptr.To(false),
+					},
+				},
+			},
+			expectErr: true,
+		},
+		{
+			name: "AzureManagedControlPlane OIDCIssuerProfile.Enabled true -> true OK",
+			amcp: AzureManagedControlPlane{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-cluster",
+				},
+				Status: AzureManagedControlPlaneStatus{
+					OIDCIssuerProfile: &OIDCIssuerProfileStatus{
+						Enabled: ptr.To(true),
+					},
+				},
+				Spec: AzureManagedControlPlaneSpec{
+					Version: "v0.0.0",
+					OIDCIssuerProfile: &OIDCIssuerProfile{
+						Enabled: ptr.To(true),
+					},
+				},
+			},
+			expectErr: false,
+		},
 	}
 
 	for _, tt := range tests {

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/azure/scope/managedcontrolplane.go b/azure/scope/managedcontrolplane.go
@@ -588,6 +588,12 @@ func (s *ManagedControlPlaneScope) ManagedClusterSpec() azure.ResourceSpecGetter
 		}
 	}
 
+	if s.ControlPlane.Spec.OIDCIssuerProfile != nil {
+		managedClusterSpec.OIDCIssuerProfile = &managedclusters.OIDCIssuerProfile{
+			Enabled: s.ControlPlane.Spec.OIDCIssuerProfile.Enabled,
+		}
+	}
+
 	return &managedClusterSpec
 }
 
@@ -820,3 +826,8 @@ func (s *ManagedControlPlaneScope) PrivateEndpointSpecs() []azure.ResourceSpecGe
 
 	return privateEndpointSpecs
 }
+
+// SetOIDCIssuerProfileStatus sets the status for the OIDC issuer profile config.
+func (s *ManagedControlPlaneScope) SetOIDCIssuerProfileStatus(oidc *infrav1.OIDCIssuerProfileStatus) {
+	s.ControlPlane.Status.OIDCIssuerProfile = oidc
+}
diff --git a/azure/services/managedclusters/managedclusters.go b/azure/services/managedclusters/managedclusters.go
@@ -45,6 +45,7 @@ type ManagedClusterScope interface {
 	MakeEmptyKubeConfigSecret() corev1.Secret
 	GetKubeConfigData() []byte
 	SetKubeConfigData([]byte)
+	SetOIDCIssuerProfileStatus(*infrav1.OIDCIssuerProfileStatus)
 }
 
 // Service provides operations on azure resources.
@@ -112,6 +113,13 @@ func (s *Service) Reconcile(ctx context.Context) error {
 		if id := managedCluster.Properties.IdentityProfile[kubeletIdentityKey]; id != nil && id.ResourceID != nil {
 			s.Scope.SetKubeletIdentity(*id.ResourceID)
 		}
+
+		if managedCluster.Properties.OidcIssuerProfile != nil {
+			s.Scope.SetOIDCIssuerProfileStatus(&infrav1.OIDCIssuerProfileStatus{
+				Enabled:   managedCluster.Properties.OidcIssuerProfile.Enabled,
+				IssuerURL: managedCluster.Properties.OidcIssuerProfile.IssuerURL,
+			})
+		}
 	}
 	s.Scope.UpdatePutStatus(infrav1.ManagedClusterRunningCondition, serviceName, resultErr)
 	return resultErr