Add azureclusteridentity to templates

Author: nader-ziada

Tiltfile

@@ -169,6 +169,19 @@ def capz():
 
     k8s_yaml(blob(yaml))
 
+def create_identity_secret():
+    #create secret for identity password
+    local("kubectl delete secret cluster-identity-secret --ignore-not-found=true")
+
+    os.putenv('AZURE_CLUSTER_IDENTITY_SECRET_NAME', 'cluster-identity-secret')
+    os.putenv('AZURE_CLUSTER_IDENTITY_SECRET_NAMESPACE', 'default')
+    os.putenv('CLUSTER_IDENTITY_NAME', 'cluster-identity')
+
+    substitutions = settings.get("kustomize_substitutions", {})
+    os.putenv('AZURE_CLIENT_SECRET_B64', substitutions.get("AZURE_CLIENT_SECRET_B64"))
+
+    local("cat templates/azure-cluster-identity/secret.yaml | " + envsubst_cmd + " | kubectl apply -f -", quiet=True)
+
 def create_crs():
     # create config maps
     local("kubectl delete configmaps calico-addon --ignore-not-found=true")
@@ -324,6 +337,8 @@ if settings.get("deploy_cert_manager"):
 
 deploy_capi()
 
+create_identity_secret()
+
 capz()
 
 waitforsystem()

azure/scope/identity.go

@@ -142,6 +142,12 @@ func (p *AzureCredentialsProvider) GetAuthorizer(ctx context.Context, resourceMa
 	if err != nil {
 		return nil, err
 	}
+
+	// AzureIdentity and AzureIdentityBinding will no longer have an OwnerRef starting from capz release v0.5.0 because of the following:
+	// In Kubenetes v1.20+, if the garbage collector detects an invalid cross-namespace ownerReference, or a cluster-scoped dependent with
+	// an ownerReference referencing a namespaced kind, a warning Event with a reason of OwnerRefInvalidNamespace and an involvedObject
+	// of the invalid dependent is reported. You can check for that kind of Event by running kubectl get events -A --field-selector=reason=OwnerRefInvalidNamespace.
+
 	copiedIdentity := &aadpodv1.AzureIdentity{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "AzureIdentity",
@@ -158,7 +164,6 @@ func (p *AzureCredentialsProvider) GetAuthorizer(ctx context.Context, resourceMa
 				infrav1.ClusterLabelNamespace:               clusterMeta.Namespace,
 				clusterctl.ClusterctlMoveHierarchyLabelName: "true",
 			},
-			OwnerReferences: clusterMeta.OwnerReferences,
 		},
 		Spec: aadpodv1.AzureIdentitySpec{
 			Type:           azureIdentityType,
@@ -186,7 +191,6 @@ func (p *AzureCredentialsProvider) GetAuthorizer(ctx context.Context, resourceMa
 				infrav1.ClusterLabelNamespace:               clusterMeta.Namespace,
 				clusterctl.ClusterctlMoveHierarchyLabelName: "true",
 			},
-			OwnerReferences: clusterMeta.OwnerReferences,
 		},
 		Spec: aadpodv1.AzureIdentityBindingSpec{
 			AzureIdentity: copiedIdentity.Name,

hack/create-identity-secret.sh

@@ -16,6 +16,7 @@
 set -o errexit
 set -o nounset
 set -o pipefail
+set +o xtrace
 
 REPO_ROOT=$(dirname "${BASH_SOURCE[0]}")/..
 cd "${REPO_ROOT}" || exit 1
@@ -25,11 +26,9 @@ source "${REPO_ROOT}/hack/ensure-kubectl.sh"
 # shellcheck source=hack/parse-prow-creds.sh
 source "${REPO_ROOT}/hack/parse-prow-creds.sh"
 
-export CLUSTER_IDENTITY_SECRET_NAME="cluster-identity-secret"
+export AZURE_CLUSTER_IDENTITY_SECRET_NAME="cluster-identity-secret"
 export CLUSTER_IDENTITY_NAME=${CLUSTER_IDENTITY_NAME:="cluster-identity"} 
 export AZURE_CLUSTER_IDENTITY_SECRET_NAMESPACE="default"
-export AZURE_CLUSTER_IDENTITY_CLIENT_ID="${AZURE_CLIENT_ID}"
 
-kubectl create secret generic "${CLUSTER_IDENTITY_SECRET_NAME}" --from-literal=clientSecret="${AZURE_CLIENT_SECRET}"
-
-kubectl label secret "${CLUSTER_IDENTITY_SECRET_NAME}" "clusterctl.cluster.x-k8s.io/move-hierarchy"="true"
+kubectl create secret generic "${AZURE_CLUSTER_IDENTITY_SECRET_NAME}" --from-literal=clientSecret="${AZURE_CLIENT_SECRET}"
+kubectl label secret "${AZURE_CLUSTER_IDENTITY_SECRET_NAME}" "clusterctl.cluster.x-k8s.io/move-hierarchy=true" --overwrite=true

hack/gen-flavors.sh

@@ -25,7 +25,7 @@ flavors_dir="${root}/templates/flavors/"
 ci_dir="${root}/templates/test/ci/"
 dev_dir="${root}/templates/test/dev/"
 
-find "${flavors_dir}"* -maxdepth 0 -type d -print0 | xargs -0 -I {} basename {} | grep -v base | xargs -I {} sh -c "${kustomize} build --reorder none ${flavors_dir}{} > ${root}/templates/cluster-template-{}.yaml"
+find "${flavors_dir}"* -maxdepth 0 -type d -print0 | xargs -0 -I {} basename {} | grep -v base | xargs -I {} sh -c "${kustomize} build --load-restrictor LoadRestrictionsNone --reorder none ${flavors_dir}{} > ${root}/templates/cluster-template-{}.yaml"
 # move the default template to the default file expected by clusterctl
 mv "${root}/templates/cluster-template-default.yaml" "${root}/templates/cluster-template.yaml"
 

…test/ci/prow/azure-cluster-identity.yaml …ter-identity/azure-cluster-identity.yamltemplates/test/ci/prow/azure-cluster-identity.yaml renamed to templates/azure-cluster-identity/azure-cluster-identity.yaml templates/test/ci/prow/azure-cluster-identity.yaml renamed to templates/azure-cluster-identity/azure-cluster-identity.yaml

@@ -7,5 +7,5 @@ spec:
   type: ServicePrincipal
   allowedNamespaces: {}
   tenantID: "${AZURE_TENANT_ID}"
-  clientID: "${AZURE_CLUSTER_IDENTITY_CLIENT_ID}"
+  clientID: "${AZURE_CLIENT_ID}"
   clientSecret: {"name":"${AZURE_CLUSTER_IDENTITY_SECRET_NAME}","namespace":"${AZURE_CLUSTER_IDENTITY_SECRET_NAMESPACE}"}

…i/patches/azurecluster-identity-ref.yaml …-identity/azurecluster-identity-ref.yamltemplates/test/ci/patches/azurecluster-identity-ref.yaml renamed to templates/azure-cluster-identity/azurecluster-identity-ref.yaml templates/test/ci/patches/azurecluster-identity-ref.yaml renamed to templates/azure-cluster-identity/azurecluster-identity-ref.yaml

@@ -0,0 +1,3 @@
+namespace: default
+resources:
+  - azure-cluster-identity.yaml

templates/azure-cluster-identity/kustomization.yaml

@@ -1,12 +1,10 @@
----
 apiVersion: infrastructure.cluster.x-k8s.io/v1alpha4
-kind: AzureCluster
+kind: AzureManagedControlPlane
 metadata:
   name: ${CLUSTER_NAME}
 spec:
   identityRef: 
     apiVersion: infrastructure.cluster.x-k8s.io/v1alpha4
     kind: AzureClusterIdentity
     name: "${CLUSTER_IDENTITY_NAME}"
-    namespace: "${CLUSTER_IDENTITY_NAMESPACE}"
 

…y/patches/azurecluster-identity-ref.yaml …ty/managedazurecluster-identity-ref.yamltemplates/flavors/multi-tenancy/patches/azurecluster-identity-ref.yaml renamed to templates/azure-cluster-identity/managedazurecluster-identity-ref.yaml templates/flavors/multi-tenancy/patches/azurecluster-identity-ref.yaml renamed to templates/azure-cluster-identity/managedazurecluster-identity-ref.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ${AZURE_CLUSTER_IDENTITY_SECRET_NAME}
+  annotations:
+    clusterctl.cluster.x-k8s.io/move-hierarchy: "true"
+type: Opaque
+data:
+  clientSecret: ${AZURE_CLIENT_SECRET_B64}

templates/azure-cluster-identity/secret.yaml

@@ -25,6 +25,10 @@ metadata:
   name: ${CLUSTER_NAME}
   namespace: default
 spec:
+  identityRef:
+    apiVersion: infrastructure.cluster.x-k8s.io/v1alpha4
+    kind: AzureClusterIdentity
+    name: ${CLUSTER_IDENTITY_NAME}
   location: ${AZURE_LOCATION}
   networkSpec:
     vnet:
@@ -202,3 +206,17 @@ spec:
             cloud-provider: azure
           name: '{{ ds.meta_data["local_hostname"] }}'
       useExperimentalRetryJoin: true
+---
+apiVersion: infrastructure.cluster.x-k8s.io/v1alpha4
+kind: AzureClusterIdentity
+metadata:
+  name: ${CLUSTER_IDENTITY_NAME}
+  namespace: default
+spec:
+  allowedNamespaces: {}
+  clientID: ${AZURE_CLIENT_ID}
+  clientSecret:
+    name: ${AZURE_CLUSTER_IDENTITY_SECRET_NAME}
+    namespace: ${AZURE_CLUSTER_IDENTITY_SECRET_NAMESPACE}
+  tenantID: ${AZURE_TENANT_ID}
+  type: ServicePrincipal