reconcile azure identity for managed control plane

shysank · shysank · commit 8c678ebabcbe · 2021-06-16T14:43:01.000-07:00
diff --git a/controllers/azureidentity_controller.go b/controllers/azureidentity_controller.go
@@ -18,8 +18,12 @@ package controllers
 
 import (
 	"context"
+	"fmt"
 	"time"
 
+	infraexpv1 "sigs.k8s.io/cluster-api-provider-azure/exp/api/v1alpha4"
+	"sigs.k8s.io/cluster-api-provider-azure/feature"
+
 	aadpodv1 "github.com/Azure/aad-pod-identity/pkg/apis/aadpodidentity/v1"
 	"github.com/go-logr/logr"
 	"github.com/pkg/errors"
@@ -65,6 +69,17 @@ func (r *AzureIdentityReconciler) SetupWithManager(ctx context.Context, mgr ctrl
 		return errors.Wrap(err, "error creating controller")
 	}
 
+	// Add a watch on infraexpv1.AzureManagedControlPlane if aks is enabled.
+	if feature.Gates.Enabled(feature.AKS) {
+		if err = c.Watch(
+			&source.Kind{Type: &infraexpv1.AzureManagedControlPlane{}},
+			&handler.EnqueueRequestForObject{},
+			predicates.ResourceNotPausedAndHasFilterLabel(ctrl.LoggerFrom(ctx), r.WatchFilterValue),
+		); err != nil {
+			return errors.Wrap(err, "failed adding a watch for ready clusters")
+		}
+	}
+
 	// Add a watch on clusterv1.Cluster object for unpause notifications.
 	if err = c.Watch(
 		&source.Kind{Type: &clusterv1.Cluster{}},
@@ -96,20 +111,38 @@ func (r *AzureIdentityReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 		))
 	defer span.End()
 
+	// identityOwner is the resource that created the identity. This could be either an AzureCluster or AzureManagedControlPlane (if AKS is enabled).
+	// check for AzureManagedControlPlane first and if it is not found, check for AzureManagedControlPlane.
+	var identityOwner interface{}
+
 	// Fetch the AzureCluster instance
 	azureCluster := &infrav1.AzureCluster{}
+	identityOwner = azureCluster
 	err := r.Get(ctx, req.NamespacedName, azureCluster)
-	if err != nil {
-		if apierrors.IsNotFound(err) {
+	if err != nil && apierrors.IsNotFound(err) {
+		if feature.Gates.Enabled(feature.AKS) {
+			// Fetch the AzureManagedControlPlane instance
+			azureManagedControlPlane := &infraexpv1.AzureManagedControlPlane{}
+			identityOwner = azureManagedControlPlane
+			err = r.Get(ctx, req.NamespacedName, azureManagedControlPlane)
+			if err != nil && apierrors.IsNotFound(err) {
+				r.Recorder.Eventf(azureCluster, corev1.EventTypeNormal, "AzureClusterObjectNotFound",
+					fmt.Sprintf("AzureCluster object %s/%s not found", req.Namespace, req.Name))
+				r.Recorder.Eventf(azureManagedControlPlane, corev1.EventTypeNormal, "AzureManagedControlPlaneObjectNotFound",
+					fmt.Sprintf("AzureManagedControlPlane object %s/%s not found", req.Namespace, req.Name))
+				log.Info("object was not found")
+				return reconcile.Result{}, nil
+			}
+		} else {
 			r.Recorder.Eventf(azureCluster, corev1.EventTypeNormal, "AzureClusterObjectNotFound", err.Error())
 			log.Info("object was not found")
 			return reconcile.Result{}, nil
 		}
+	}
+	if err != nil {
 		return reconcile.Result{}, err
 	}
 
-	log = log.WithValues("azurecluster", azureCluster.Name)
-
 	// get all the bindings
 	var bindings aadpodv1.AzureIdentityBindingList
 	if err := r.List(ctx, &bindings, client.InNamespace(system.GetManagerNamespace())); err != nil {
@@ -125,16 +158,36 @@ func (r *AzureIdentityReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 		clusterNamespace := binding.ObjectMeta.Labels[infrav1.ClusterLabelNamespace]
 
 		key := client.ObjectKey{Name: clusterName, Namespace: clusterNamespace}
-		azCluster := &infrav1.AzureCluster{}
-		if err := r.Get(ctx, key, azCluster); err != nil {
-			if apierrors.IsNotFound(err) {
-				bindingsToDelete = append(bindingsToDelete, b)
-				continue
-			} else {
-				return ctrl.Result{}, errors.Wrap(err, "failed to get AzureCluster")
+		var expectedIdentityName string
+
+		// only delete bindings when the identity owner type is not found.
+		// we should not delete an identity when azureCluster is not found because it could have been created by AzureManagedControlPlane.
+		switch identityOwner.(type) {
+		case infrav1.AzureCluster:
+			azCluster := &infrav1.AzureCluster{}
+			if err := r.Get(ctx, key, azCluster); err != nil {
+				if apierrors.IsNotFound(err) {
+					bindingsToDelete = append(bindingsToDelete, b)
+					continue
+				} else {
+					return ctrl.Result{}, errors.Wrap(err, "failed to get AzureCluster")
+				}
+			}
+			expectedIdentityName = identity.GetAzureIdentityName(azCluster.Name, azCluster.Namespace, azCluster.Spec.IdentityRef.Name)
+		case infraexpv1.AzureManagedControlPlane:
+			azManagedControlPlane := &infraexpv1.AzureManagedControlPlane{}
+			if err := r.Get(ctx, key, azManagedControlPlane); err != nil {
+				if apierrors.IsNotFound(err) {
+					bindingsToDelete = append(bindingsToDelete, b)
+					continue
+				} else {
+					return ctrl.Result{}, errors.Wrap(err, "failed to get AzureManagedControlPlane")
+				}
 			}
+			expectedIdentityName = identity.GetAzureIdentityName(azManagedControlPlane.Name, azManagedControlPlane.Namespace,
+				azManagedControlPlane.Spec.IdentityRef.Name)
 		}
-		expectedIdentityName := identity.GetAzureIdentityName(azCluster.Name, azCluster.Namespace, azCluster.Spec.IdentityRef.Name)
+
 		if binding.Spec.AzureIdentity != expectedIdentityName {
 			bindingsToDelete = append(bindingsToDelete, b)
 		}
@@ -145,7 +198,7 @@ func (r *AzureIdentityReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 		binding := bindingToDelete
 		identityName := binding.Spec.AzureIdentity
 		if err := r.Client.Delete(ctx, &binding); err != nil {
-			r.Recorder.Eventf(azureCluster, corev1.EventTypeWarning, "Error reconciling AzureIdentity for AzureCluster", err.Error())
+			r.Recorder.Eventf(azureCluster, corev1.EventTypeWarning, "Error reconciling AzureIdentity", err.Error())
 			log.Error(err, "failed to delete AzureIdentityBinding")
 			return ctrl.Result{}, err
 		}
@@ -155,7 +208,7 @@ func (r *AzureIdentityReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 			return ctrl.Result{}, err
 		}
 		if err := r.Client.Delete(ctx, azureIdentity); err != nil {
-			r.Recorder.Eventf(azureCluster, corev1.EventTypeWarning, "Error reconciling AzureIdentity for AzureCluster", err.Error())
+			r.Recorder.Eventf(azureCluster, corev1.EventTypeWarning, "Error reconciling AzureIdentity", err.Error())
 			log.Error(err, "failed to delete AzureIdentity")
 			return ctrl.Result{}, err
 		}
