Add ephemeral creds jobs for Hypershift AKS (openshift#58325)

Signed-off-by: Feilian Xie <[email protected]>

Author: fxierh

ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.17__amd64-nightly.yaml

@@ -1510,6 +1510,16 @@ tests:
     test:
     - chain: openshift-e2e-test-hypershift-qe
     workflow: cucushift-installer-rehearse-azure-aks-hypershift-disaster-recovery-infra-guest
+- as: azure-aks-hypershift-ephemeral-creds-guest-f7
+  cron: 4 23 1,9,17,24 * *
+  steps:
+    cluster_profile: azure-qe
+    env:
+      TEST_FILTERS: ~ChkUpgrade&;~DisconnectedOnly&;~NonPreRelease&;~HyperShiftMGMT&;~MicroShiftOnly&;~NonHyperShiftHOST&;~Serial&;~Disruptive&
+      TEST_TIMEOUT: "30"
+    test:
+    - chain: openshift-e2e-test-hypershift-qe
+    workflow: cucushift-installer-rehearse-azure-aks-hypershift-ephemeral-creds-guest
 - as: azure-aks-hypershift-etcd-disk-encryption-guest-f7
   cron: 21 9 5,12,19,26 * *
   steps:

ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__amd64-nightly.yaml

@@ -1424,6 +1424,16 @@ tests:
     test:
     - chain: openshift-e2e-test-hypershift-qe
     workflow: cucushift-installer-rehearse-azure-aks-hypershift-disaster-recovery-infra-guest
+- as: azure-aks-hypershift-ephemeral-creds-guest-f7
+  cron: 22 15 4,12,20,27 * *
+  steps:
+    cluster_profile: azure-qe
+    env:
+      TEST_FILTERS: ~ChkUpgrade&;~DisconnectedOnly&;~NonPreRelease&;~HyperShiftMGMT&;~MicroShiftOnly&;~NonHyperShiftHOST&;~Serial&;~Disruptive&
+      TEST_TIMEOUT: "30"
+    test:
+    - chain: openshift-e2e-test-hypershift-qe
+    workflow: cucushift-installer-rehearse-azure-aks-hypershift-ephemeral-creds-guest
 - as: azure-aks-hypershift-etcd-disk-encryption-guest-f7
   cron: 0 15 9,16,23,30 * *
   steps:

ci-operator/jobs/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.17-periodics.yaml

@@ -24093,6 +24093,88 @@ periodics:
     - name: result-aggregator
       secret:
         secretName: result-aggregator
+- agent: kubernetes
+  cluster: build03
+  cron: 4 23 1,9,17,24 * *
+  decorate: true
+  decoration_config:
+    skip_cloning: true
+  extra_refs:
+  - base_ref: release-4.17
+    org: openshift
+    repo: openshift-tests-private
+  labels:
+    ci-operator.openshift.io/cloud: azure4
+    ci-operator.openshift.io/cloud-cluster-profile: azure-qe
+    ci-operator.openshift.io/variant: amd64-nightly
+    ci.openshift.io/generator: prowgen
+    job-release: "4.17"
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-nightly-azure-aks-hypershift-ephemeral-creds-guest-f7
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --oauth-token-path=/usr/local/github-credentials/oauth
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --target=azure-aks-hypershift-ephemeral-creds-guest-f7
+      - --variant=amd64-nightly
+      command:
+      - ci-operator
+      image: ci-operator:latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /usr/local/github-credentials
+        name: github-credentials-openshift-ci-robot-private-git-cloner
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: github-credentials-openshift-ci-robot-private-git-cloner
+      secret:
+        secretName: github-credentials-openshift-ci-robot-private-git-cloner
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator
 - agent: kubernetes
   cluster: build03
   cron: 21 9 5,12,19,26 * *

ci-operator/jobs/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18-periodics.yaml

@@ -24317,6 +24317,88 @@ periodics:
     - name: result-aggregator
       secret:
         secretName: result-aggregator
+- agent: kubernetes
+  cluster: build03
+  cron: 22 15 4,12,20,27 * *
+  decorate: true
+  decoration_config:
+    skip_cloning: true
+  extra_refs:
+  - base_ref: release-4.18
+    org: openshift
+    repo: openshift-tests-private
+  labels:
+    ci-operator.openshift.io/cloud: azure4
+    ci-operator.openshift.io/cloud-cluster-profile: azure-qe
+    ci-operator.openshift.io/variant: amd64-nightly
+    ci.openshift.io/generator: prowgen
+    job-release: "4.18"
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-openshift-openshift-tests-private-release-4.18-amd64-nightly-azure-aks-hypershift-ephemeral-creds-guest-f7
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --oauth-token-path=/usr/local/github-credentials/oauth
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --target=azure-aks-hypershift-ephemeral-creds-guest-f7
+      - --variant=amd64-nightly
+      command:
+      - ci-operator
+      image: ci-operator:latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /usr/local/github-credentials
+        name: github-credentials-openshift-ci-robot-private-git-cloner
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: github-credentials-openshift-ci-robot-private-git-cloner
+      secret:
+        secretName: github-credentials-openshift-ci-robot-private-git-cloner
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator
 - agent: kubernetes
   cluster: build03
   cron: 0 15 9,16,23,30 * *

ci-operator/step-registry/azure/deprovision/sp-and-custom-role/azure-deprovision-sp-and-custom-role-commands.sh

@@ -34,7 +34,7 @@ if [[ -f "${SHARED_DIR}/azure_sp_id" ]]; then
     echo "Deleting sp..."
     sp_ids=$(< "${SHARED_DIR}/azure_sp_id")
     for sp_id in ${sp_ids}; do
-        cmd="az ad sp delete --id ${sp_id}"
+        cmd="az ad app delete --id ${sp_id}"
         run_command "${cmd}"
     done
 fi

ci-operator/step-registry/azure/provision/service-principal/hypershift/OWNERS

@@ -0,0 +1,7 @@
+approvers:
+- patrickdillon
+- yunjiang29
+- MayXuQQ
+- jianlinliu
+- jinyunma
+- fxierh

ci-operator/step-registry/azure/provision/service-principal/hypershift/azure-provision-service-principal-hypershift-commands.sh

@@ -0,0 +1,82 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+AZURE_AUTH_LOCATION="${CLUSTER_PROFILE_DIR}/osServicePrincipal.json"
+AZURE_AUTH_CLIENT_ID="$(<"${AZURE_AUTH_LOCATION}" jq -r .clientId)"
+AZURE_AUTH_CLIENT_SECRET="$(<"${AZURE_AUTH_LOCATION}" jq -r .clientSecret)"
+AZURE_AUTH_SUBSCRIPTION_ID="$(<"${AZURE_AUTH_LOCATION}" jq -r .subscriptionId)"
+AZURE_AUTH_TENANT_ID="$(<"${AZURE_AUTH_LOCATION}" jq -r .tenantId)"
+
+az --version
+az cloud set --name AzureCloud
+az login --service-principal -u "${AZURE_AUTH_CLIENT_ID}" -p "${AZURE_AUTH_CLIENT_SECRET}" --tenant "${AZURE_AUTH_TENANT_ID}" --output none
+
+set -x
+
+SP_NAME_PREFIX="${NAMESPACE}-${UNIQUE_HASH}"
+KV_NAME=$(<"${SHARED_DIR}/azure_keyvault_name")
+RG_NSG=$(<"${SHARED_DIR}/resourcegroup_nsg")
+RG_VNET=$(<"${SHARED_DIR}/resourcegroup_vnet")
+RG_HC=$(<"${SHARED_DIR}/resourcegroup")
+COMPONENTS="azure-disk azure-file ciro cloud-provider cncc cpo ingress capz"
+
+declare -A component_to_client_id
+declare -A component_to_cert_name
+
+for component in $COMPONENTS; do
+    name="${SP_NAME_PREFIX}-${component}"
+    scopes="/subscriptions/$AZURE_AUTH_SUBSCRIPTION_ID/resourceGroups/$RG_HC"
+    if [[ $component == ingress ]]; then
+        scopes+=" /subscriptions/$AZURE_AUTH_SUBSCRIPTION_ID/resourceGroups/$RG_VNET"
+    elif [[ $component == cloud-provider ]]; then
+        scopes+=" /subscriptions/$AZURE_AUTH_SUBSCRIPTION_ID/resourceGroups/$RG_NSG"
+    fi
+
+    client_id="$(eval "az ad sp create-for-rbac --name $name --role Contributor --scopes $scopes --create-cert --cert $name --keyvault $KV_NAME --output json --only-show-errors" | jq -r '.appId')"
+    echo "$client_id" >> "${SHARED_DIR}/azure_sp_id"
+
+    component_to_client_id+=(["$component"]="$client_id")
+    component_to_cert_name+=(["$component"]="$name")
+done
+
+cat <<EOF >"${SHARED_DIR}"/hypershift_azure_mi_file.json
+{
+    "managedIdentitiesKeyVault": {
+        "name": "$KV_NAME",
+        "tenantID": "$AZURE_AUTH_TENANT_ID"
+    },
+    "cloudProvider": {
+        "clientID": "${component_to_client_id[cloud-provider]}",
+        "certificateName": "${component_to_cert_name[cloud-provider]}"
+    },
+    "nodePoolManagement": {
+        "clientID": "${component_to_client_id[capz]}",
+        "certificateName": "${component_to_cert_name[capz]}"
+    },
+    "controlPlaneOperator": {
+        "clientID": "${component_to_client_id[cpo]}",
+        "certificateName": "${component_to_cert_name[cpo]}"
+    },
+    "imageRegistry": {
+        "clientID": "${component_to_client_id[ciro]}",
+        "certificateName": "${component_to_cert_name[ciro]}"
+    },
+    "ingress": {
+        "clientID": "${component_to_client_id[ingress]}",
+        "certificateName": "${component_to_cert_name[ingress]}"
+    },
+    "network": {
+        "clientID": "${component_to_client_id[cncc]}",
+        "certificateName": "${component_to_cert_name[cncc]}"
+    },
+    "disk": {
+        "clientID": "${component_to_client_id[azure-disk]}",
+        "certificateName": "${component_to_cert_name[azure-disk]}"
+    },
+    "file": {
+        "clientID": "${component_to_client_id[azure-file]}",
+        "certificateName": "${component_to_cert_name[azure-file]}"
+    }
+}
+EOF

ci-operator/step-registry/azure/provision/service-principal/hypershift/azure-provision-service-principal-hypershift-ref.metadata.json

@@ -0,0 +1,13 @@
+{
+	"path": "azure/provision/service-principal/hypershift/azure-provision-service-principal-hypershift-ref.yaml",
+	"owners": {
+		"approvers": [
+			"patrickdillon",
+			"yunjiang29",
+			"MayXuQQ",
+			"jianlinliu",
+			"jinyunma",
+			"fxierh"
+		]
+	}
+}

ci-operator/step-registry/azure/provision/service-principal/hypershift/azure-provision-service-principal-hypershift-ref.yaml

@@ -0,0 +1,15 @@
+ref:
+  as: azure-provision-service-principal-hypershift
+  from_image:
+    namespace: ocp
+    name: "4.16"
+    tag: upi-installer
+  timeout: 20m
+  grace_period: 2m
+  commands: azure-provision-service-principal-hypershift-commands.sh
+  resources:
+    requests:
+      cpu: 100m
+      memory: 100Mi
+  documentation: |-
+    Creates SPs required for Hypershift control plane components to authenticate to the cloud provider as MIs. 

ci-operator/step-registry/azure/provision/vault-key/azure-provision-vault-key-commands.sh

@@ -56,7 +56,7 @@ az role assignment create --assignee "$SP_ID" --scope "$KV_ID" --role "Key Vault
 echo "Creating Keys within the KeyVault"
 KEYVAULT_KEY_NAME="${KV_BASE_NAME}-key"
 poll "az keyvault key create --vault-name $KEYVAULT_NAME -n $KEYVAULT_KEY_NAME --protection software"
-KEYVAULT_KEY_URL="$(az keyvault key show --vault-name "$KEYVAULT_NAME" --name "$KEYVAULT_KEY_NAME" --query 'key.kid' -o tsv)"
+poll "KEYVAULT_KEY_URL=\$(az keyvault key show --vault-name \"$KEYVAULT_NAME\" --name \"$KEYVAULT_KEY_NAME\" --query 'key.kid' -o tsv)"
 
 echo "Saving relevant info to \$SHARED_DIR"
 # Key URL format: https://<KEYVAULT_NAME>.vault.azure.net/keys/<KEYVAULT_KEY_NAME>/<KEYVAULT_KEY_VERSION>