
pkg/types/azure: remove SystemAssigned ID

SystemAssigned Identities are not supported in any capacity in MAPZ.
Due to that they were feature gated for future CAPZ->MAPZ transition.
The CAPZ Identity API creates further issues in that, the value to be
used for name/scope is unclear and when deleting clusters the
role assignment of the identity is leaked.

No users have asked for this functionality, so let's revert it to
reduce our complexity and load.
This commit is contained in:
Patrick Dillon
2025-03-26 11:31:36 -04:00
parent fb99a993dc
commit 11f006de5a
6 changed files with 10 additions and 145 deletions


@@ -183,28 +183,6 @@ spec:
and assigned to the VM
Identity can only be set for control-plane nodes.
properties:
systemAssignedIdentityRole:
description: |-
SystemAssignedIdentityRole defines the role and scope to assign to the system-assigned identity.
SystemAssignedIdentity is an experimental feature which may be enabled with the MachineAPIMigration
feature gate and may only be assigned on control-plane nodes.
properties:
definitionID:
description: |-
DefinitionID is the ID of the role definition to create for a system assigned identity. It can be an Azure built-in role or a custom role.
Refer to built-in roles: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
type: string
name:
description: |-
Name is the name of the role assignment to create for a system assigned identity. It can be any valid UUID.
If not specified, a random UUID will be generated.
type: string
scope:
description: |-
Scope is the scope that the role assignment or definition applies to. The scope can be any REST resource instance.
If not specified, the scope will be the subscription.
type: string
type: object
type:
description: Type specifies the type of identity to be
used.
@@ -1419,28 +1397,6 @@ spec:
and assigned to the VM
Identity can only be set for control-plane nodes.
properties:
systemAssignedIdentityRole:
description: |-
SystemAssignedIdentityRole defines the role and scope to assign to the system-assigned identity.
SystemAssignedIdentity is an experimental feature which may be enabled with the MachineAPIMigration
feature gate and may only be assigned on control-plane nodes.
properties:
definitionID:
description: |-
DefinitionID is the ID of the role definition to create for a system assigned identity. It can be an Azure built-in role or a custom role.
Refer to built-in roles: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
type: string
name:
description: |-
Name is the name of the role assignment to create for a system assigned identity. It can be any valid UUID.
If not specified, a random UUID will be generated.
type: string
scope:
description: |-
Scope is the scope that the role assignment or definition applies to. The scope can be any REST resource instance.
If not specified, the scope will be the subscription.
type: string
type: object
type:
description: Type specifies the type of identity to
be used.
@@ -2594,28 +2550,6 @@ spec:
and assigned to the VM
Identity can only be set for control-plane nodes.
properties:
systemAssignedIdentityRole:
description: |-
SystemAssignedIdentityRole defines the role and scope to assign to the system-assigned identity.
SystemAssignedIdentity is an experimental feature which may be enabled with the MachineAPIMigration
feature gate and may only be assigned on control-plane nodes.
properties:
definitionID:
description: |-
DefinitionID is the ID of the role definition to create for a system assigned identity. It can be an Azure built-in role or a custom role.
Refer to built-in roles: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
type: string
name:
description: |-
Name is the name of the role assignment to create for a system assigned identity. It can be any valid UUID.
If not specified, a random UUID will be generated.
type: string
scope:
description: |-
Scope is the scope that the role assignment or definition applies to. The scope can be any REST resource instance.
If not specified, the scope will be the subscription.
type: string
type: object
type:
description: Type specifies the type of identity to be
used.
@@ -4279,28 +4213,6 @@ spec:
and assigned to the VM
Identity can only be set for control-plane nodes.
properties:
systemAssignedIdentityRole:
description: |-
SystemAssignedIdentityRole defines the role and scope to assign to the system-assigned identity.
SystemAssignedIdentity is an experimental feature which may be enabled with the MachineAPIMigration
feature gate and may only be assigned on control-plane nodes.
properties:
definitionID:
description: |-
DefinitionID is the ID of the role definition to create for a system assigned identity. It can be an Azure built-in role or a custom role.
Refer to built-in roles: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
type: string
name:
description: |-
Name is the name of the role assignment to create for a system assigned identity. It can be any valid UUID.
If not specified, a random UUID will be generated.
type: string
scope:
description: |-
Scope is the scope that the role assignment or definition applies to. The scope can be any REST resource instance.
If not specified, the scope will be the subscription.
type: string
type: object
type:
description: Type specifies the type of identity to be
used.


@@ -175,9 +175,8 @@ func GenerateMachines(clusterID, resourceGroup, subscriptionID string, in *Machi
AcceleratedNetworking: ptr.To(mpool.VMNetworkingType == string(azure.VMnetworkingTypeAccelerated) || mpool.VMNetworkingType == string(azure.AcceleratedNetworkingEnabled)),
},
},
Identity: mpool.Identity.Type,
UserAssignedIdentities: userAssignedIdentities,
SystemAssignedIdentityRole: mpool.Identity.SystemAssignedIdentityRole,
Identity: mpool.Identity.Type,
UserAssignedIdentities: userAssignedIdentities,
},
}
azureMachine.SetGroupVersionKind(capz.GroupVersion.WithKind("AzureMachine"))
@@ -234,7 +233,6 @@ func GenerateMachines(clusterID, resourceGroup, subscriptionID string, in *Machi
SecurityProfile: securityProfile,
Identity: mpool.Identity.Type,
UserAssignedIdentities: userAssignedIdentities,
SystemAssignedIdentityRole: mpool.Identity.SystemAssignedIdentityRole,
},
}
bootstrapAzureMachine.SetGroupVersionKind(capz.GroupVersion.WithKind("AzureMachine"))
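Review bot: The re-aligned lines `Identity: mpool.Identity.Type` and `UserAssignedIdentities: userAssignedIdentities` still dereference `mpool.Identity` without a nil guard, while the validation code in this same commit treats `Identity` as optional (`cp.Azure.Identity != nil`). If no earlier defaulting step guarantees a non-nil pointer, a machine pool that omits `identity` would panic here instead of yielding a machine with identity `None`; please confirm where that default is applied, or resolve `mpool.Identity` into locals before the struct literal and fall back to the zero type when it is nil. After this commit the generator also forwards whatever `Type` it receives, so a `SystemAssigned` value is only rejected if validateIdentity ran first; a one-line comment such as `// Identity type has already been restricted to None/UserAssigned by install-config validation.` would make that dependency explicit. GenerateMachines starts and ends outside this section.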


@@ -240,12 +240,6 @@ type VMIdentity struct {
// Supplying more than one user-assigned identity is an experimental feature
// which may be enabled with the MachineAPIMigration feature gate.
UserAssignedIdentities []UserAssignedIdentity `json:"userAssignedIdentities"`
// SystemAssignedIdentityRole defines the role and scope to assign to the system-assigned identity.
// SystemAssignedIdentity is an experimental feature which may be enabled with the MachineAPIMigration
// feature gate and may only be assigned on control-plane nodes.
// +optional
SystemAssignedIdentityRole *capz.SystemAssignedIdentityRole `json:"systemAssignedIdentityRole,omitempty"`
}
// UserAssignedIdentity contains the fields that comprise a user-assigned identity.
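Review bot: Dropping `SystemAssignedIdentityRole` from `VMIdentity` changes how an install-config that still carries `systemAssignedIdentityRole` is treated: unless the install-config decoder rejects unknown fields, `encoding/json` silently ignores the key, so a config with `type: UserAssigned` plus a stale role block now passes validation with the role quietly discarded rather than being reported. If strict decoding is not in place, consider keeping the field as a tombstone that validation rejects, documented as `// Deprecated: SystemAssignedIdentityRole is no longer supported and must not be set.`, or state in the commit message that strict decoding covers this case. The test changes in the last file section add no case for a config that still sets this key. The `VMIdentity` struct starts outside this section.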


@@ -2,7 +2,6 @@ package validation
import (
"k8s.io/apimachinery/pkg/util/validation/field"
capz "sigs.k8s.io/cluster-api-provider-azure/api/v1beta1"
features "github.com/openshift/api/features"
"github.com/openshift/installer/pkg/types"
@@ -15,16 +14,6 @@ func GatedFeatures(c *types.InstallConfig) []featuregates.GatedInstallConfigFeat
cp := c.ControlPlane.Platform
defMp := c.Platform.Azure.DefaultMachinePlatform
return []featuregates.GatedInstallConfigFeature{
{
FeatureGateName: features.FeatureGateMachineAPIMigration,
Condition: cp.Azure != nil && cp.Azure.Identity != nil && cp.Azure.Identity.Type == capz.VMIdentitySystemAssigned,
Field: field.NewPath("controlPlane", "azure", "identity", "systemAssignedIdentityRole"),
},
{
FeatureGateName: features.FeatureGateMachineAPIMigration,
Condition: defMp != nil && defMp.Identity != nil && defMp.Identity.Type == capz.VMIdentitySystemAssigned,
Field: field.NewPath("platform", "azure", "defaultMachinePlatform", "identity", "systemAssignedIdentityRole"),
},
{
FeatureGateName: features.FeatureGateMachineAPIMigration,
Condition: cp.Azure != nil && cp.Azure.Identity != nil && cp.Azure.Identity.UserAssignedIdentities != nil && len(cp.Azure.Identity.UserAssignedIdentities) > 1,


@@ -4,7 +4,6 @@ import (
"fmt"
"sort"
"github.com/google/uuid"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/validation/field"
capz "sigs.k8s.io/cluster-api-provider-azure/api/v1beta1"
@@ -233,15 +232,11 @@ func validateIdentity(poolName string, p *azure.MachinePool, fldPath *field.Path
return append(errs, field.Required(fldPath.Child("type"), "type must be specified if using identity"))
}
if id.Type != capz.VMIdentityNone && id.Type != capz.VMIdentitySystemAssigned && id.Type != capz.VMIdentityUserAssigned {
supportedValues := []capz.VMIdentity{capz.VMIdentityNone, capz.VMIdentitySystemAssigned, capz.VMIdentityUserAssigned}
if id.Type != capz.VMIdentityNone && id.Type != capz.VMIdentityUserAssigned {
supportedValues := []capz.VMIdentity{capz.VMIdentityNone, capz.VMIdentityUserAssigned}
return append(errs, field.NotSupported(fldPath.Child("type"), id.Type, supportedValues))
}
if id.SystemAssignedIdentityRole != nil && id.Type != capz.VMIdentitySystemAssigned {
errs = append(errs, field.Invalid(fldPath.Child("type"), id.Type, "systemAssignedIdentityRole may only be used with type: SystemAssigned"))
}
if id.Type == capz.VMIdentityUserAssigned && len(id.UserAssignedIdentities) == 0 {
errs = append(errs, field.Required(fldPath.Child("userAssignedIdentities"), "userAssignedIdentities must be specified when using type: UserAssigned"))
}
@@ -250,10 +245,5 @@ func validateIdentity(poolName string, p *azure.MachinePool, fldPath *field.Path
errs = append(errs, field.Invalid(fldPath.Child("type"), id.Type, "userAssignedIdentities may only be used with type: UserAssigned"))
}
if s := id.SystemAssignedIdentityRole; s != nil && uuid.Validate(s.Name) != nil {
errMsg := "name must be a valid UUID, please provide a valid UUID or leave name black to have one generated for you"
errs = append(errs, field.Invalid(fldPath.Child("systemAssignedIdentityRole", "name"), s.Name, errMsg))
}
return errs
}
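Review bot: With `SystemAssigned` now rejected by the `field.NotSupported` early return at the top of the second hunk, any later branch in validateIdentity keyed on `capz.VMIdentitySystemAssigned` is unreachable; the changed test expectation in the test-file section (the compute-node message `only user-assigned identities are supported for compute nodes` becoming `Unsupported value: "SystemAssigned"`) suggests such a compute-node check still exists, presumably in the unchanged lines between the second and third hunks. Please either delete that branch in this commit or leave a comment explaining why it is retained, e.g. `// Unreachable while SystemAssigned is rejected above; kept for a future CAPZ->MAPZ re-enablement.`. On the new side `supportedValues` is rebuilt on every call; a package-level `var supportedIdentityTypes = []capz.VMIdentity{capz.VMIdentityNone, capz.VMIdentityUserAssigned}` used by both the condition and the error would keep the check and the reported list from drifting apart. validateIdentity starts outside this section.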


@@ -631,40 +631,22 @@ func TestValidateMachinePool(t *testing.T) {
},
},
},
expected: `^test-path.identity.type: Unsupported value: "unrecognized": supported values: "None", "SystemAssigned", "UserAssigned"$`,
expected: `^test-path.identity.type: Unsupported value: "unrecognized": supported values: "None", "UserAssigned"$`,
},
{
name: "azure VM system-assigned identity name must be a valid UUID",
name: "azure VM SystemAssignedIdentity is not allowed",
azurePlatform: azure.PublicCloud,
pool: &types.MachinePool{
Name: "",
Platform: types.MachinePoolPlatform{
Azure: &azure.MachinePool{
Identity: &azure.VMIdentity{
Type: capz.VMIdentitySystemAssigned,
SystemAssignedIdentityRole: &capz.SystemAssignedIdentityRole{
Name: "not valid",
},
Type: "SystemAssigned",
},
},
},
},
expected: `^test-path.identity.systemAssignedIdentityRole.name: Invalid value: "not valid": name must be a valid UUID, please provide a valid UUID or leave name black to have one generated for you$`,
},
{
name: "azure VM system-assigned identity cannot be used on compute nodes",
azurePlatform: azure.PublicCloud,
pool: &types.MachinePool{
Name: "worker",
Platform: types.MachinePoolPlatform{
Azure: &azure.MachinePool{
Identity: &azure.VMIdentity{
Type: capz.VMIdentitySystemAssigned,
},
},
},
},
expected: `^test-path.identity.type: Invalid value: "SystemAssigned": only user-assigned identities are supported for compute nodes$`,
expected: `^test-path.identity.type: Unsupported value: "SystemAssigned": supported values: "None", "UserAssigned"$`,
},
{
name: "azure VM identity cannot mismatch type and field",
@@ -674,13 +656,13 @@ func TestValidateMachinePool(t *testing.T) {
Platform: types.MachinePoolPlatform{
Azure: &azure.MachinePool{
Identity: &azure.VMIdentity{
Type: capz.VMIdentitySystemAssigned,
Type: capz.VMIdentityNone,
UserAssignedIdentities: []azure.UserAssignedIdentity{},
},
},
},
},
expected: `^test-path.identity.type: Invalid value: "SystemAssigned": userAssignedIdentities may only be used with type: UserAssigned$`,
expected: `^test-path.identity.type: Invalid value: "None": userAssignedIdentities may only be used with type: UserAssigned$`,
},
{
name: "azure VM identity must have user assigned identities when type==UserAssigned",