From 3a0573d6ede47bee1a521e436c3edfdac98de525 Mon Sep 17 00:00:00 2001
From: James Sturtevant
Date: Thu, 24 Mar 2022 16:27:07 -0700
Subject: [PATCH] Use a specific template for gMSA
---
 .../ci/patches/windows-gmsa-identity.yaml | 0
 test/e2e/config/azure-dev.yaml | 1 -
 test/e2e/gmsa.go | 61 +------------------
 3 files changed, 1 insertion(+), 61 deletions(-)
 delete mode 100644 templates/test/ci/patches/windows-gmsa-identity.yaml
diff --git a/templates/test/ci/patches/windows-gmsa-identity.yaml b/templates/test/ci/patches/windows-gmsa-identity.yaml
deleted file mode 100644
index e69de29bb2d1..000000000000
diff --git a/test/e2e/config/azure-dev.yaml b/test/e2e/config/azure-dev.yaml
index a68d7876be40..a499c788b516 100644
--- a/test/e2e/config/azure-dev.yaml
+++ b/test/e2e/config/azure-dev.yaml
@@ -215,7 +215,6 @@ variables:
 SECURITY_SCAN_CONTAINER: "${SECURITY_SCAN_CONTAINER:-quay.io/armosec/kubescape:v1.0.138}"
 # GMSA
 GMSA_KEYVAULT_URL: "https://${CI_RG}-gmsa.vault.azure.net"
- GMSA_IDENTITY_ID: "/subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${CI_RG}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/gmsa-user-identity"
 GMSA_DNS_IP: "${GMSA_DNS_IP}"
 GMSA_ID: "${GMSA_ID}"
diff --git a/test/e2e/gmsa.go b/test/e2e/gmsa.go
index 2ce06757111a..06f4baa0fff4 100644
--- a/test/e2e/gmsa.go
+++ b/test/e2e/gmsa.go
@@ -30,7 +30,6 @@ import (
 "github.com/Azure/azure-sdk-for-go/services/network/mgmt/2021-02-01/network"
 "github.com/Azure/go-autorest/autorest/azure"
 "github.com/Azure/go-autorest/autorest/azure/auth"
- "github.com/Azure/go-autorest/autorest/to"
 . "github.com/onsi/ginkgo"
 . "github.com/onsi/gomega"
 appsv1 "k8s.io/api/apps/v1"
@@ -101,11 +100,10 @@ func configureGmsa(ctx context.Context, workloadProxy, bootstrapClusterProxy fra
 gmsaNode, windowsNodes := labelGmsaTestNode(ctx, workloadProxy)
 dropGmsaSpecOnTestNode(gmsaNode, clusterHostName, gmsaSpecFile)
 configureCoreDNS(ctx, workloadProxy, config)
- peerDomainVnet(ctx, config, clusterName, subId, networkClient)
 for _, n := range windowsNodes.Items {
 hostname := getHostName(&n)
- setUpWorkerNodeIdentities(ctx, vmClient, clusterName, hostname, config)
+ // until https://github.com/kubernetes-sigs/cluster-api-provider-azure/issues/2182
 updateWorkerNodeDNS(config, clusterHostName, hostname)
 }
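Review bot: The added `// until https://github.com/kubernetes-sigs/cluster-api-provider-azure/issues/2182` is a fragment left where the `setUpWorkerNodeIdentities` call was, so a reader cannot tell what was removed or what the linked issue is meant to restore; something like `// Per-node identity assignment removed; the identity is expected to come from the gMSA template until https://github.com/kubernetes-sigs/cluster-api-provider-azure/issues/2182 is resolved` states that, assuming the template named in the commit title is what now supplies it. With the `peerDomainVnet` and `setUpWorkerNodeIdentities` calls gone, `subId`, `networkClient` and `vmClient` are no longer referenced in this hunk: if they are locals of configureGmsa the file will not compile, and if they are parameters they are now dead inputs worth dropping, but the function's signature and the rest of its body lie outside the hunk so this cannot be confirmed here. Dropping the run-time VNet peering and the user-assigned identity assignment also means the test no longer establishes or checks either precondition itself, so a missing identity or peering on the worker VMs would surface only as a failing gMSA workload later in the run; a log line or assertion that the expected identity is present on each node would keep that failure mode easy to attribute.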
@@ -122,35 +120,6 @@ func updateWorkerNodeDNS(config *clusterctl.E2EConfig, clusterHostName string, w
 Expect(err).NotTo(HaveOccurred())
 }
-func peerDomainVnet(ctx context.Context, config *clusterctl.E2EConfig, rgName string, subId string, networkClient network.VirtualNetworkPeeringsClient) {
- gmsaRG := "gmsa-dc-" + config.GetVariable("GMSA_ID")
- gmsaDomainNetwork := "dc-" + config.GetVariable("GMSA_ID") + "-vnet"
- clusterVnetName := rgName + "-vnet"
-
- fmt.Fprintf(GinkgoWriter, "INFO: Peer networks %s\n", config.GetVariable("GMSA_DNS_IP"))
- gmsaVnetId := fmt.Sprintf("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s", subId, gmsaRG, gmsaDomainNetwork)
- gmsaPeering := network.VirtualNetworkPeering{
- VirtualNetworkPeeringPropertiesFormat: &network.VirtualNetworkPeeringPropertiesFormat{
- RemoteVirtualNetwork: &network.SubResource{
- ID: to.StringPtr(gmsaVnetId),
- },
- },
- }
- _, err := networkClient.CreateOrUpdate(ctx, rgName, clusterVnetName, "gmsa-peering", gmsaPeering, network.SyncRemoteAddressSpaceTrue)
- Expect(err).NotTo(HaveOccurred())
-
- clusterVnetId := fmt.Sprintf("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s", subId, rgName, clusterVnetName)
- clusterPeering := network.VirtualNetworkPeering{
- VirtualNetworkPeeringPropertiesFormat: &network.VirtualNetworkPeeringPropertiesFormat{
- RemoteVirtualNetwork: &network.SubResource{
- ID: to.StringPtr(clusterVnetId),
- },
- },
- }
- _, err = networkClient.CreateOrUpdate(ctx, gmsaRG, gmsaDomainNetwork, "gmsa-cluster-peering", clusterPeering, network.SyncRemoteAddressSpaceTrue)
- Expect(err).NotTo(HaveOccurred())
-}
-
 func configureCoreDNS(ctx context.Context, workloadProxy framework.ClusterProxy, config *clusterctl.E2EConfig) {
 fmt.Fprintf(GinkgoWriter, "INFO: Update coredns with domain ip %s\n", config.GetVariable("GMSA_DNS_IP"))
@@ -221,34 +190,6 @@ func labelGmsaTestNode(ctx context.Context, workloadProxy framework.ClusterProxy
 return gmsaNode, windowsNodes
 }
-func setUpWorkerNodeIdentities(ctx context.Context, vmClient compute.VirtualMachinesClient, rgName string, hostname string, config *clusterctl.E2EConfig) {
- fmt.Fprintf(GinkgoWriter, "INFO: Assigning gmsa identity to cluster vms\n")
- vm, err := vmClient.Get(ctx, rgName, hostname, "")
- Expect(err).NotTo(HaveOccurred())
- existingIdentities := map[string]*compute.VirtualMachineIdentityUserAssignedIdentitiesValue{}
- if vm.Identity != nil && (*vm.Identity).UserAssignedIdentities != nil {
- existingIdentities = (*vm.Identity).UserAssignedIdentities
- }
-
- gmsaIdentity := config.GetVariable("GMSA_IDENTITY_ID")
- _, exists := existingIdentities[gmsaIdentity]
- if !exists {
- userIdentitiesMap := make(map[string]*compute.VirtualMachineIdentityUserAssignedIdentitiesValue, len(existingIdentities)+1)
- // copy over existing so we don't overwrite
- for key, _ := range existingIdentities {
- userIdentitiesMap[key] = &compute.VirtualMachineIdentityUserAssignedIdentitiesValue{}
- }
- // add gmsa identity
- userIdentitiesMap[gmsaIdentity] = &compute.VirtualMachineIdentityUserAssignedIdentitiesValue{}
- vmClient.Update(ctx, rgName, *vm.Name, compute.VirtualMachineUpdate{
- Identity: &compute.VirtualMachineIdentity{
- Type: compute.ResourceIdentityTypeUserAssigned,
- UserAssignedIdentities: userIdentitiesMap,
- },
- })
- }
-}
-
 func getHostName(gmsaNode *corev1.Node) string {
 hostname := ""
 for _, address := range gmsaNode.Status.Addresses {