UPSTREAM: <carry>: Patch ASO Deployment arguments

Signed-off-by: Nolan Brubaker <[email protected]>

Author: nrb

openshift/Makefile

@@ -22,4 +22,4 @@ ocp-manifests: $(RELEASE_DIR) $(KUSTOMIZE) check-env ## Builds openshift specifi
 	$(KUSTOMIZE) build > infrastructure-components.yaml
 	# Generate provider manifests.
 	# TODO: load the provider-version dynamically at rebase time when this is invoked by the Rebase Bot during one of its lifecycle hooks.
-	cd tools && $(MANIFESTS_GEN) --provider-name "azure" --provider-type "InfrastructureProvider" --provider-version "${PROVIDER_VERSION}" --base-path "../../" --manifests-path "../manifests"
+	cd tools && $(MANIFESTS_GEN) --provider-name "azure" --provider-type "InfrastructureProvider" --provider-version "${PROVIDER_VERSION}" --base-path "../../" --manifests-path "../manifests" --kustomize-dir="openshift"

openshift/infrastructure-components-openshift.yaml

@@ -15620,7 +15620,7 @@ spec:
         - --health-addr=:8081
         - --enable-leader-election
         - --v=2
-        - --crd-pattern=${ADDITIONAL_ASO_CRDS:= }
+        - --crd-management=none
         - --webhook-port=9443
         - --webhook-cert-dir=/tmp/k8s-webhook-server/serving-certs
         env:
@@ -80117,3 +80117,43 @@ status:
     plural: ""
   conditions: null
   storedVersions: null
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: openshift-cluster-api-protect-azurecluster
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+      - infrastructure.cluster.x-k8s.io
+      apiVersions:
+      - '*'
+      operations:
+      - DELETE
+      resources:
+      - azureclusters
+  paramKind:
+    apiVersion: config.openshift.io/v1
+    kind: Infrastructure
+  validations:
+  - expression: '!(oldObject.metadata.name == params.status.infrastructureName)'
+    message: InfraCluster resources with metadata.name corresponding to the cluster
+      infrastructureName cannot be deleted.
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: openshift-cluster-api-protect-azurecluster
+spec:
+  matchResources:
+    namespaceSelector:
+      matchLabels:
+        kubernetes.io/metadata.name: openshift-cluster-api
+  paramRef:
+    name: cluster
+    parameterNotFoundAction: Deny
+  policyName: openshift-cluster-api-protect-azurecluster
+  validationActions:
+  - Deny

openshift/infrastructure-components.yaml

@@ -67511,7 +67511,7 @@ spec:
         - --health-addr=:8081
         - --enable-leader-election
         - --v=2
-        - --crd-pattern=${ADDITIONAL_ASO_CRDS:= }
+        - --crd-management=none
         - --webhook-port=9443
         - --webhook-cert-dir=/tmp/k8s-webhook-server/serving-certs
         env:

openshift/kustomization.yaml

@@ -3,3 +3,7 @@ kind: Kustomization
 
 resources:
 - ../config/default
+
+# This field is deprecated in Kustomize v5; however, we rely on an earlier version and cannot use `patches` yet.
+patchesStrategicMerge:
+- ./patches/aso-disable-crds.yaml

openshift/manifests/0000_30_cluster-api_04_cm.infrastructure-azure.yaml

@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: azureserviceoperator-controller-manager
+  namespace: azureserviceoperator-system # This patch is processed before manifests-gen updates the namespace
+spec:
+  template:
+    spec:
+     containers:
+     - name: manager
+       args:
+       - --metrics-addr=:8080
+       - --health-addr=:8081
+       - --enable-leader-election
+       - --v=2
+       - --crd-management=none
+       - --webhook-port=9443
+       - --webhook-cert-dir=/tmp/k8s-webhook-server/serving-certs