diff --git a/data/data/install.openshift.io_installconfigs.yaml b/data/data/install.openshift.io_installconfigs.yaml index 71d997af75..8aa3846d61 100644 --- a/data/data/install.openshift.io_installconfigs.yaml +++ b/data/data/install.openshift.io_installconfigs.yaml @@ -183,28 +183,6 @@ spec: and assigned to the VM Identity can only be set for control-plane nodes. properties: - systemAssignedIdentityRole: - description: |- - SystemAssignedIdentityRole defines the role and scope to assign to the system-assigned identity. - SystemAssignedIdentity is an experimental feature which may be enabled with the MachineAPIMigration - feature gate and may only be assigned on control-plane nodes. - properties: - definitionID: - description: |- - DefinitionID is the ID of the role definition to create for a system assigned identity. It can be an Azure built-in role or a custom role. - Refer to built-in roles: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles - type: string - name: - description: |- - Name is the name of the role assignment to create for a system assigned identity. It can be any valid UUID. - If not specified, a random UUID will be generated. - type: string - scope: - description: |- - Scope is the scope that the role assignment or definition applies to. The scope can be any REST resource instance. - If not specified, the scope will be the subscription. - type: string - type: object type: description: Type specifies the type of identity to be used. 
@@ -1419,28 +1397,6 @@ spec: and assigned to the VM Identity can only be set for control-plane nodes. properties: - systemAssignedIdentityRole: - description: |- - SystemAssignedIdentityRole defines the role and scope to assign to the system-assigned identity. - SystemAssignedIdentity is an experimental feature which may be enabled with the MachineAPIMigration - feature gate and may only be assigned on control-plane nodes. - properties: - definitionID: - description: |- - DefinitionID is the ID of the role definition to create for a system assigned identity. It can be an Azure built-in role or a custom role. - Refer to built-in roles: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles - type: string - name: - description: |- - Name is the name of the role assignment to create for a system assigned identity. It can be any valid UUID. - If not specified, a random UUID will be generated. - type: string - scope: - description: |- - Scope is the scope that the role assignment or definition applies to. The scope can be any REST resource instance. - If not specified, the scope will be the subscription. - type: string - type: object type: description: Type specifies the type of identity to be used. 
@@ -2594,28 +2550,6 @@ spec: and assigned to the VM Identity can only be set for control-plane nodes. properties: - systemAssignedIdentityRole: - description: |- - SystemAssignedIdentityRole defines the role and scope to assign to the system-assigned identity. - SystemAssignedIdentity is an experimental feature which may be enabled with the MachineAPIMigration - feature gate and may only be assigned on control-plane nodes. - properties: - definitionID: - description: |- - DefinitionID is the ID of the role definition to create for a system assigned identity. It can be an Azure built-in role or a custom role. - Refer to built-in roles: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles - type: string - name: - description: |- - Name is the name of the role assignment to create for a system assigned identity. It can be any valid UUID. - If not specified, a random UUID will be generated. - type: string - scope: - description: |- - Scope is the scope that the role assignment or definition applies to. The scope can be any REST resource instance. - If not specified, the scope will be the subscription. - type: string - type: object type: description: Type specifies the type of identity to be used. 
@@ -4279,28 +4213,6 @@ spec: and assigned to the VM Identity can only be set for control-plane nodes. properties: - systemAssignedIdentityRole: - description: |- - SystemAssignedIdentityRole defines the role and scope to assign to the system-assigned identity. - SystemAssignedIdentity is an experimental feature which may be enabled with the MachineAPIMigration - feature gate and may only be assigned on control-plane nodes. - properties: - definitionID: - description: |- - DefinitionID is the ID of the role definition to create for a system assigned identity. It can be an Azure built-in role or a custom role. - Refer to built-in roles: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles - type: string - name: - description: |- - Name is the name of the role assignment to create for a system assigned identity. It can be any valid UUID. - If not specified, a random UUID will be generated. - type: string - scope: - description: |- - Scope is the scope that the role assignment or definition applies to. The scope can be any REST resource instance. - If not specified, the scope will be the subscription. - type: string - type: object type: description: Type specifies the type of identity to be used. diff --git a/pkg/asset/machines/azure/azuremachines.go b/pkg/asset/machines/azure/azuremachines.go index cce7d4a9a9..5ff03bcaea 100644 --- a/pkg/asset/machines/azure/azuremachines.go +++ b/pkg/asset/machines/azure/azuremachines.go 
@@ -175,9 +175,8 @@ func GenerateMachines(clusterID, resourceGroup, subscriptionID string, in *Machi
 AcceleratedNetworking: ptr.To(mpool.VMNetworkingType == string(azure.VMnetworkingTypeAccelerated) || mpool.VMNetworkingType == string(azure.AcceleratedNetworkingEnabled)),
 },
 },
- Identity: mpool.Identity.Type,
- UserAssignedIdentities: userAssignedIdentities,
- SystemAssignedIdentityRole: mpool.Identity.SystemAssignedIdentityRole,
+ Identity: mpool.Identity.Type,
+ UserAssignedIdentities: userAssignedIdentities,
 },
 }
 azureMachine.SetGroupVersionKind(capz.GroupVersion.WithKind("AzureMachine"))
@@ -234,7 +233,6 @@ func GenerateMachines(clusterID, resourceGroup, subscriptionID string, in *Machi
 SecurityProfile: securityProfile,
 Identity: mpool.Identity.Type,
 UserAssignedIdentities: userAssignedIdentities,
- SystemAssignedIdentityRole: mpool.Identity.SystemAssignedIdentityRole,
 },
 }
 bootstrapAzureMachine.SetGroupVersionKind(capz.GroupVersion.WithKind("AzureMachine"))
diff --git a/pkg/types/azure/machinepool.go b/pkg/types/azure/machinepool.go
index bb2f091763..b43522da1d 100644
--- a/pkg/types/azure/machinepool.go
+++ b/pkg/types/azure/machinepool.go
@@ -240,12 +240,6 @@ type VMIdentity struct {
 // Supplying more than one user-assigned identity is an experimental feature
 // which may be enabled with the MachineAPIMigration feature gate.
 UserAssignedIdentities []UserAssignedIdentity `json:"userAssignedIdentities"`
-
- // SystemAssignedIdentityRole defines the role and scope to assign to the system-assigned identity.
- // SystemAssignedIdentity is an experimental feature which may be enabled with the MachineAPIMigration
- // feature gate and may only be assigned on control-plane nodes.
- // +optional
- SystemAssignedIdentityRole *capz.SystemAssignedIdentityRole `json:"systemAssignedIdentityRole,omitempty"`
 }
 
 // UserAssignedIdentity contains the fields that comprise a user-assigned identity.
diff --git a/pkg/types/azure/validation/featuregates.go b/pkg/types/azure/validation/featuregates.go
index 808060a7b4..618a4b2dda 100644
--- a/pkg/types/azure/validation/featuregates.go
+++ b/pkg/types/azure/validation/featuregates.go
@@ -2,7 +2,6 @@ package validation
 
 import (
 "k8s.io/apimachinery/pkg/util/validation/field"
- capz "sigs.k8s.io/cluster-api-provider-azure/api/v1beta1"
 
 features "github.com/openshift/api/features"
 "github.com/openshift/installer/pkg/types"
@@ -15,16 +14,6 @@ func GatedFeatures(c *types.InstallConfig) []featuregates.GatedInstallConfigFeat
 cp := c.ControlPlane.Platform
 defMp := c.Platform.Azure.DefaultMachinePlatform
 return []featuregates.GatedInstallConfigFeature{
- {
- FeatureGateName: features.FeatureGateMachineAPIMigration,
- Condition: cp.Azure != nil && cp.Azure.Identity != nil && cp.Azure.Identity.Type == capz.VMIdentitySystemAssigned,
- Field: field.NewPath("controlPlane", "azure", "identity", "systemAssignedIdentityRole"),
- },
- {
- FeatureGateName: features.FeatureGateMachineAPIMigration,
- Condition: defMp != nil && defMp.Identity != nil && defMp.Identity.Type == capz.VMIdentitySystemAssigned,
- Field: field.NewPath("platform", "azure", "defaultMachinePlatform", "identity", "systemAssignedIdentityRole"),
- },
 {
 FeatureGateName: features.FeatureGateMachineAPIMigration,
 Condition: cp.Azure != nil && cp.Azure.Identity != nil && cp.Azure.Identity.UserAssignedIdentities != nil && len(cp.Azure.Identity.UserAssignedIdentities) > 1,
diff --git a/pkg/types/azure/validation/machinepool.go b/pkg/types/azure/validation/machinepool.go
index 87304fd5a9..eb084172ac 100644
--- a/pkg/types/azure/validation/machinepool.go
+++ b/pkg/types/azure/validation/machinepool.go
@@ -4,7 +4,6 @@ import (
 "fmt"
 "sort"
 
- "github.com/google/uuid"
 "k8s.io/apimachinery/pkg/util/sets"
 "k8s.io/apimachinery/pkg/util/validation/field"
 capz "sigs.k8s.io/cluster-api-provider-azure/api/v1beta1"
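Review bot: The surviving gate entry at the end of the GatedFeatures hunk guards with `cp.Azure.Identity.UserAssignedIdentities != nil && len(cp.Azure.Identity.UserAssignedIdentities) > 1`, but `len` of a nil slice is 0 in Go, so the nil test adds nothing and only makes the condition harder to read. The line can be shortened to `Condition: cp.Azure != nil && cp.Azure.Identity != nil && len(cp.Azure.Identity.UserAssignedIdentities) > 1,`, and the matching defaultMachinePlatform entry, which this hunk does not show, presumably has the same shape. GatedFeatures continues past the end of the hunk, so the rest of the returned slice is not visible here.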
@@ -233,15 +232,11 @@ func validateIdentity(poolName string, p *azure.MachinePool, fldPath *field.Path
 return append(errs, field.Required(fldPath.Child("type"), "type must be specified if using identity"))
 }
 
- if id.Type != capz.VMIdentityNone && id.Type != capz.VMIdentitySystemAssigned && id.Type != capz.VMIdentityUserAssigned {
- supportedValues := []capz.VMIdentity{capz.VMIdentityNone, capz.VMIdentitySystemAssigned, capz.VMIdentityUserAssigned}
+ if id.Type != capz.VMIdentityNone && id.Type != capz.VMIdentityUserAssigned {
+ supportedValues := []capz.VMIdentity{capz.VMIdentityNone, capz.VMIdentityUserAssigned}
 return append(errs, field.NotSupported(fldPath.Child("type"), id.Type, supportedValues))
 }
 
- if id.SystemAssignedIdentityRole != nil && id.Type != capz.VMIdentitySystemAssigned {
- errs = append(errs, field.Invalid(fldPath.Child("type"), id.Type, "systemAssignedIdentityRole may only be used with type: SystemAssigned"))
- }
-
 if id.Type == capz.VMIdentityUserAssigned && len(id.UserAssignedIdentities) == 0 {
 errs = append(errs, field.Required(fldPath.Child("userAssignedIdentities"), "userAssignedIdentities must be specified when using type: UserAssigned"))
 }
@@ -250,10 +245,5 @@ func validateIdentity(poolName string, p *azure.MachinePool, fldPath *field.Path
 errs = append(errs, field.Invalid(fldPath.Child("type"), id.Type, "userAssignedIdentities may only be used with type: UserAssigned"))
 }
 
- if s := id.SystemAssignedIdentityRole; s != nil && uuid.Validate(s.Name) != nil {
- errMsg := "name must be a valid UUID, please provide a valid UUID or leave name black to have one generated for you"
- errs = append(errs, field.Invalid(fldPath.Child("systemAssignedIdentityRole", "name"), s.Name, errMsg))
- }
-
 return errs
 }
diff --git a/pkg/types/azure/validation/machinepool_test.go b/pkg/types/azure/validation/machinepool_test.go
index 408bd946b4..47dc937580 100644
--- a/pkg/types/azure/validation/machinepool_test.go
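Review bot: Because the narrowed check in the first hunk now rejects `SystemAssigned` with an early `return append(errs, field.NotSupported(...))`, any later branch of validateIdentity that special-cases `capz.VMIdentitySystemAssigned` is unreachable — in particular the compute-node check whose test (`only user-assigned identities are supported for compute nodes`) this commit deletes, if that check still exists in the stretch of the function between the two hunks, which is outside this diff. If that branch was the only consumer of `poolName`, the parameter in the signature becomes dead as well, and Go does not flag unused parameters, so it is worth checking and removing in the same change. A short comment above the narrowed condition would also help the next reader understand why a CAPZ-supported value is excluded, e.g. `// SystemAssigned is rejected: the installer no longer carries the role/scope (systemAssignedIdentityRole) such an identity would need.` The start of validateIdentity lies before the first hunk; its end (`return errs`) is inside the second.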
+++ b/pkg/types/azure/validation/machinepool_test.go
@@ -631,40 +631,22 @@ func TestValidateMachinePool(t *testing.T) {
 },
 },
 },
- expected: `^test-path.identity.type: Unsupported value: "unrecognized": supported values: "None", "SystemAssigned", "UserAssigned"$`,
+ expected: `^test-path.identity.type: Unsupported value: "unrecognized": supported values: "None", "UserAssigned"$`,
 },
 {
- name: "azure VM system-assigned identity name must be a valid UUID",
+ name: "azure VM SystemAssignedIdentity is not allowed",
 azurePlatform: azure.PublicCloud,
 pool: &types.MachinePool{
 Name: "",
 Platform: types.MachinePoolPlatform{
 Azure: &azure.MachinePool{
 Identity: &azure.VMIdentity{
- Type: capz.VMIdentitySystemAssigned,
- SystemAssignedIdentityRole: &capz.SystemAssignedIdentityRole{
- Name: "not valid",
- },
+ Type: "SystemAssigned",
 },
 },
 },
 },
- expected: `^test-path.identity.systemAssignedIdentityRole.name: Invalid value: "not valid": name must be a valid UUID, please provide a valid UUID or leave name black to have one generated for you$`,
- },
- {
- name: "azure VM system-assigned identity cannot be used on compute nodes",
- azurePlatform: azure.PublicCloud,
- pool: &types.MachinePool{
- Name: "worker",
- Platform: types.MachinePoolPlatform{
- Azure: &azure.MachinePool{
- Identity: &azure.VMIdentity{
- Type: capz.VMIdentitySystemAssigned,
- },
- },
- },
- },
- expected: `^test-path.identity.type: Invalid value: "SystemAssigned": only user-assigned identities are supported for compute nodes$`,
+ expected: `^test-path.identity.type: Unsupported value: "SystemAssigned": supported values: "None", "UserAssigned"$`,
 },
 {
 name: "azure VM identity cannot mismatch type and field",
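Review bot: The rewritten case sets `Type: "SystemAssigned",` as a bare string literal, while the neighbouring cases (and the validator itself) use the CAPZ constants such as `capz.VMIdentityNone`; since `capz` is still imported by this test file and `capz.VMIdentitySystemAssigned` still exists upstream, `Type: capz.VMIdentitySystemAssigned,` keeps the test tied to the value the production code compares against rather than to a string that happens to match today. Dropping the "cannot be used on compute nodes" case is fine as far as this diff shows, because the new NotSupported error fires regardless of pool name, but the new case uses `Name: ""`; a second case with `Name: "worker"` would make it explicit that the rejection is no longer pool-specific. TestValidateMachinePool begins before and ends after this hunk.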
@@ -674,13 +656,13 @@ func TestValidateMachinePool(t *testing.T) {
 Platform: types.MachinePoolPlatform{
 Azure: &azure.MachinePool{
 Identity: &azure.VMIdentity{
- Type: capz.VMIdentitySystemAssigned,
+ Type: capz.VMIdentityNone,
 UserAssignedIdentities: []azure.UserAssignedIdentity{},
 },
 },
 },
 },
- expected: `^test-path.identity.type: Invalid value: "SystemAssigned": userAssignedIdentities may only be used with type: UserAssigned$`,
+ expected: `^test-path.identity.type: Invalid value: "None": userAssignedIdentities may only be used with type: UserAssigned$`,
 },
 {
 name: "azure VM identity must have user assigned identities when type==UserAssigned",
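Review bot: This case now pins that `Type: capz.VMIdentityNone` combined with an explicitly empty `UserAssignedIdentities: []azure.UserAssignedIdentity{}` is rejected with `userAssignedIdentities may only be used with type: UserAssigned`, which implies the validator tests the slice against nil rather than its length — an install-config author who writes `userAssignedIdentities: []` with `type: None` gets an error for what is effectively no identities. If that is intended, a sibling case with `UserAssignedIdentities: nil` and no expected error would make the nil-versus-empty contract explicit; if not, the check in validateIdentity should use `len(id.UserAssignedIdentities) > 0`. The validation code that produces this message is outside the diff, so the nil-versus-empty behaviour is inferred from the expected error string alone.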