Skip to content

Commit

Permalink
add oidcIssuerProfile to AzureManagedControlPlane
Browse files Browse the repository at this point in the history
  • Loading branch information
nojnhuh committed Sep 14, 2023
1 parent b082981 commit 9ecdf98
Show file tree
Hide file tree
Showing 12 changed files with 357 additions and 2 deletions.
10 changes: 10 additions & 0 deletions api/v1beta1/azuremanagedcontrolplane_default.go
Original file line number Diff line number Diff line change
Expand Up @@ -144,3 +144,13 @@ func (m *AzureManagedControlPlane) setDefaultAutoScalerProfile() {
m.Spec.AutoScalerProfile.SkipNodesWithSystemPods = (*SkipNodesWithSystemPods)(ptr.To(string(SkipNodesWithSystemPodsTrue)))
}
}

func (m *AzureManagedControlPlane) setDefaultOIDCIssuerProfile() {
if m.Spec.OIDCIssuerProfile == nil {
m.Spec.OIDCIssuerProfile = &OIDCIssuerProfile{}
}

if m.Spec.OIDCIssuerProfile.Enabled == nil {
m.Spec.OIDCIssuerProfile.Enabled = ptr.To(false)
}
}
25 changes: 25 additions & 0 deletions api/v1beta1/azuremanagedcontrolplane_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -191,6 +191,10 @@ type AzureManagedControlPlaneSpec struct {
// Immutable.
// +optional
HTTPProxyConfig *HTTPProxyConfig `json:"httpProxyConfig,omitempty"`

// OIDCIssuerProfile is the OIDC issuer profile of the Managed Cluster.
// +optional
OIDCIssuerProfile *OIDCIssuerProfile `json:"oidcIssuerProfile,omitempty"`
}

// HTTPProxyConfig is the HTTP proxy configuration for the cluster.
Expand Down Expand Up @@ -349,6 +353,17 @@ type AzureManagedControlPlaneStatus struct {
// next reconciliation loop.
// +optional
LongRunningOperationStates Futures `json:"longRunningOperationStates,omitempty"`

// OIDCIssuerProfile is the OIDC issuer profile of the Managed Cluster.
// +optional
OIDCIssuerProfile *OIDCIssuerProfileStatus `json:"oidcIssuerProfile,omitempty"`
}

// OIDCIssuerProfileStatus is the OIDC issuer profile of the Managed Cluster.
type OIDCIssuerProfileStatus struct {
// IssuerURL is the OIDC issuer url of the Managed Cluster.
// +optional
IssuerURL *string `json:"issuerURL,omitempty"`
}

// AutoScalerProfile parameters to be applied to the cluster-autoscaler.
Expand Down Expand Up @@ -485,6 +500,16 @@ type Identity struct {
UserAssignedIdentityResourceID string `json:"userAssignedIdentityResourceID,omitempty"`
}

// OIDCIssuerProfile is the OIDC issuer profile of the Managed Cluster.
// See also [AKS doc].
//
// [AKS doc]: https://learn.microsoft.com/en-us/azure/aks/use-oidc-issuer
type OIDCIssuerProfile struct {
// Enabled is whether the OIDC issuer is enabled.
// +optional
Enabled *bool `json:"enabled,omitempty"`
}

// +kubebuilder:object:root=true
// +kubebuilder:resource:path=azuremanagedcontrolplanes,scope=Namespaced,categories=cluster-api,shortName=amcp
// +kubebuilder:storageversion
Expand Down
24 changes: 24 additions & 0 deletions api/v1beta1/azuremanagedcontrolplane_webhook.go
Original file line number Diff line number Diff line change
Expand Up @@ -101,6 +101,7 @@ func (mw *azureManagedControlPlaneWebhook) Default(ctx context.Context, obj runt
m.setDefaultSubnet()
m.setDefaultSku()
m.setDefaultAutoScalerProfile()
m.setDefaultOIDCIssuerProfile()

return nil
}
Expand Down Expand Up @@ -257,6 +258,10 @@ func (mw *azureManagedControlPlaneWebhook) ValidateUpdate(ctx context.Context, o
allErrs = append(allErrs, errs...)
}

if errs := m.validateOIDCIssuerProfileUpdate(old); len(errs) > 0 {
allErrs = append(allErrs, errs...)
}

if len(allErrs) == 0 {
return nil, m.Validate(mw.Client)
}
Expand Down Expand Up @@ -538,6 +543,25 @@ func (m *AzureManagedControlPlane) validateVirtualNetworkUpdate(old *AzureManage
return allErrs
}

// validateOIDCIssuerProfile validates an OIDCIssuerProfile.
func (m *AzureManagedControlPlane) validateOIDCIssuerProfileUpdate(old *AzureManagedControlPlane) field.ErrorList {
var allErrs field.ErrorList

if m.Spec.OIDCIssuerProfile != nil && old.Spec.OIDCIssuerProfile != nil {
if m.Spec.OIDCIssuerProfile.Enabled != nil && old.Spec.OIDCIssuerProfile.Enabled != nil &&
!*m.Spec.OIDCIssuerProfile.Enabled && *old.Spec.OIDCIssuerProfile.Enabled {
allErrs = append(allErrs,
field.Forbidden(
field.NewPath("Spec", "OIDCIssuerProfile", "Enabled"),
"cannot be disabled",
),
)
}
}

return allErrs
}

func (m *AzureManagedControlPlane) validateName(_ client.Client) error {
if lName := strings.ToLower(m.Name); strings.Contains(lName, "microsoft") ||
strings.Contains(lName, "windows") {
Expand Down
105 changes: 105 additions & 0 deletions api/v1beta1/azuremanagedcontrolplane_webhook_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,7 @@ func TestDefaultingWebhook(t *testing.T) {
g.Expect(amcp.Spec.VirtualNetwork.Subnet.Name).To(Equal("fooName"))
g.Expect(amcp.Spec.SKU.Tier).To(Equal(FreeManagedControlPlaneTier))
g.Expect(amcp.Spec.Identity.Type).To(Equal(ManagedControlPlaneIdentityTypeSystemAssigned))
g.Expect(*amcp.Spec.OIDCIssuerProfile.Enabled).To(BeFalse())

t.Logf("Testing amcp defaulting webhook with baseline")
netPlug := "kubenet"
Expand All @@ -70,6 +71,9 @@ func TestDefaultingWebhook(t *testing.T) {
amcp.Spec.VirtualNetwork.Name = "fooVnetName"
amcp.Spec.VirtualNetwork.Subnet.Name = "fooSubnetName"
amcp.Spec.SKU.Tier = PaidManagedControlPlaneTier
amcp.Spec.OIDCIssuerProfile = &OIDCIssuerProfile{
Enabled: ptr.To(true),
}

err = mcpw.Default(context.Background(), amcp)
g.Expect(err).NotTo(HaveOccurred())
Expand All @@ -82,6 +86,7 @@ func TestDefaultingWebhook(t *testing.T) {
g.Expect(amcp.Spec.VirtualNetwork.Name).To(Equal("fooVnetName"))
g.Expect(amcp.Spec.VirtualNetwork.Subnet.Name).To(Equal("fooSubnetName"))
g.Expect(amcp.Spec.SKU.Tier).To(Equal(PaidManagedControlPlaneTier))
g.Expect(*amcp.Spec.OIDCIssuerProfile.Enabled).To(BeTrue())
}

func TestValidatingWebhook(t *testing.T) {
Expand Down Expand Up @@ -1417,6 +1422,106 @@ func TestAzureManagedControlPlane_ValidateUpdate(t *testing.T) {
},
wantErr: true,
},
{
name: "AzureManagedControlPlane OIDCIssuerProfile.Enabled false -> false OK",
oldAMCP: &AzureManagedControlPlane{
ObjectMeta: metav1.ObjectMeta{
Name: "test-cluster",
},
Spec: AzureManagedControlPlaneSpec{
OIDCIssuerProfile: &OIDCIssuerProfile{
Enabled: ptr.To(false),
},
},
},
amcp: &AzureManagedControlPlane{
ObjectMeta: metav1.ObjectMeta{
Name: "test-cluster",
},
Spec: AzureManagedControlPlaneSpec{
Version: "v0.0.0",
OIDCIssuerProfile: &OIDCIssuerProfile{
Enabled: ptr.To(false),
},
},
},
wantErr: false,
},
{
name: "AzureManagedControlPlane OIDCIssuerProfile.Enabled false -> true OK",
oldAMCP: &AzureManagedControlPlane{
ObjectMeta: metav1.ObjectMeta{
Name: "test-cluster",
},
Spec: AzureManagedControlPlaneSpec{
OIDCIssuerProfile: &OIDCIssuerProfile{
Enabled: ptr.To(false),
},
},
},
amcp: &AzureManagedControlPlane{
ObjectMeta: metav1.ObjectMeta{
Name: "test-cluster",
},
Spec: AzureManagedControlPlaneSpec{
Version: "v0.0.0",
OIDCIssuerProfile: &OIDCIssuerProfile{
Enabled: ptr.To(true),
},
},
},
wantErr: false,
},
{
name: "AzureManagedControlPlane OIDCIssuerProfile.Enabled true -> false err",
oldAMCP: &AzureManagedControlPlane{
ObjectMeta: metav1.ObjectMeta{
Name: "test-cluster",
},
Spec: AzureManagedControlPlaneSpec{
OIDCIssuerProfile: &OIDCIssuerProfile{
Enabled: ptr.To(true),
},
},
},
amcp: &AzureManagedControlPlane{
ObjectMeta: metav1.ObjectMeta{
Name: "test-cluster",
},
Spec: AzureManagedControlPlaneSpec{
Version: "v0.0.0",
OIDCIssuerProfile: &OIDCIssuerProfile{
Enabled: ptr.To(false),
},
},
},
wantErr: true,
},
{
name: "AzureManagedControlPlane OIDCIssuerProfile.Enabled true -> true OK",
oldAMCP: &AzureManagedControlPlane{
ObjectMeta: metav1.ObjectMeta{
Name: "test-cluster",
},
Spec: AzureManagedControlPlaneSpec{
OIDCIssuerProfile: &OIDCIssuerProfile{
Enabled: ptr.To(true),
},
},
},
amcp: &AzureManagedControlPlane{
ObjectMeta: metav1.ObjectMeta{
Name: "test-cluster",
},
Spec: AzureManagedControlPlaneSpec{
Version: "v0.0.0",
OIDCIssuerProfile: &OIDCIssuerProfile{
Enabled: ptr.To(true),
},
},
},
wantErr: false,
},
}
client := mockClient{ReturnError: false}
for _, tc := range tests {
Expand Down
50 changes: 50 additions & 0 deletions api/v1beta1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

11 changes: 11 additions & 0 deletions azure/scope/managedcontrolplane.go
Original file line number Diff line number Diff line change
Expand Up @@ -588,6 +588,12 @@ func (s *ManagedControlPlaneScope) ManagedClusterSpec() azure.ResourceSpecGetter
}
}

if s.ControlPlane.Spec.OIDCIssuerProfile != nil {
managedClusterSpec.OIDCIssuerProfile = &managedclusters.OIDCIssuerProfile{
Enabled: s.ControlPlane.Spec.OIDCIssuerProfile.Enabled,
}
}

return &managedClusterSpec
}

Expand Down Expand Up @@ -820,3 +826,8 @@ func (s *ManagedControlPlaneScope) PrivateEndpointSpecs() []azure.ResourceSpecGe

return privateEndpointSpecs
}

// SetOIDCIssuerProfileStatus sets the status for the OIDC issuer profile config.
func (s *ManagedControlPlaneScope) SetOIDCIssuerProfileStatus(oidc *infrav1.OIDCIssuerProfileStatus) {
s.ControlPlane.Status.OIDCIssuerProfile = oidc
}
8 changes: 8 additions & 0 deletions azure/services/managedclusters/managedclusters.go
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,7 @@ type ManagedClusterScope interface {
MakeEmptyKubeConfigSecret() corev1.Secret
GetKubeConfigData() []byte
SetKubeConfigData([]byte)
SetOIDCIssuerProfileStatus(*infrav1.OIDCIssuerProfileStatus)
}

// Service provides operations on azure resources.
Expand Down Expand Up @@ -112,6 +113,13 @@ func (s *Service) Reconcile(ctx context.Context) error {
if id := managedCluster.Properties.IdentityProfile[kubeletIdentityKey]; id != nil && id.ResourceID != nil {
s.Scope.SetKubeletIdentity(*id.ResourceID)
}

s.Scope.SetOIDCIssuerProfileStatus(nil)
if managedCluster.Properties.OidcIssuerProfile != nil && managedCluster.Properties.OidcIssuerProfile.IssuerURL != nil {
s.Scope.SetOIDCIssuerProfileStatus(&infrav1.OIDCIssuerProfileStatus{
IssuerURL: managedCluster.Properties.OidcIssuerProfile.IssuerURL,
})
}
}
s.Scope.UpdatePutStatus(infrav1.ManagedClusterRunningCondition, serviceName, resultErr)
return resultErr
Expand Down
8 changes: 8 additions & 0 deletions azure/services/managedclusters/managedclusters_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,10 @@ func TestReconcile(t *testing.T) {
ResourceID: ptr.To("kubelet-id"),
},
},
OidcIssuerProfile: &armcontainerservice.ManagedClusterOIDCIssuerProfile{
Enabled: ptr.To(true),
IssuerURL: ptr.To("oidc issuer url"),
},
},
}, nil)
s.SetControlPlaneEndpoint(clusterv1.APIEndpoint{
Expand All @@ -79,6 +83,10 @@ func TestReconcile(t *testing.T) {
m.GetCredentials(gomockinternal.AContext(), "my-rg", "my-managedcluster").Return([]byte("credentials"), nil)
s.SetKubeConfigData([]byte("credentials"))
s.SetKubeletIdentity("kubelet-id")
s.SetOIDCIssuerProfileStatus(nil)
s.SetOIDCIssuerProfileStatus(&infrav1.OIDCIssuerProfileStatus{
IssuerURL: ptr.To("oidc issuer url"),
})
s.UpdatePutStatus(infrav1.ManagedClusterRunningCondition, serviceName, nil)
},
},
Expand Down

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading

0 comments on commit 9ecdf98

Please sign in to comment.