ARO-4373 generate keypair and oidc docs for miwi clusters

go.mod

@@ -80,6 +80,7 @@ require (
 	golang.org/x/sync v0.6.0
 	golang.org/x/text v0.14.0
 	golang.org/x/tools v0.19.0
+	gopkg.in/square/go-jose.v2 v2.6.0
 	k8s.io/api v0.29.1
 	k8s.io/apiextensions-apiserver v0.25.0
 	k8s.io/apimachinery v0.29.1
@@ -265,7 +266,6 @@ require (
 	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

pkg/cluster/cluster.go

@@ -84,6 +84,7 @@ type manager struct {
 	denyAssignments       authorization.DenyAssignmentClient
 	fpPrivateEndpoints    network.PrivateEndpointsClient
 	rpPrivateLinkServices network.PrivateLinkServicesClient
+	rpStorageAccounts     storage.Manager
 
 	dns     dns.Manager
 	storage storage.Manager
@@ -138,6 +139,8 @@ func New(ctx context.Context, log *logrus.Entry, _env env.Interface, db database
 		return nil, err
 	}
 
+	// TODO: use msiAuthorizer instead of localFPAuthorizer, figure additional permissions needed
+	rpStorageAccounts := storage.NewManager(_env, _env.SubscriptionID(), localFPAuthorizer)
 	storage := storage.NewManager(_env, r.SubscriptionID, fpAuthorizer)
 
 	installViaHive, err := _env.LiveConfig().InstallViaHive(ctx)
@@ -179,6 +182,7 @@ func New(ctx context.Context, log *logrus.Entry, _env env.Interface, db database
 		denyAssignments:       authorization.NewDenyAssignmentsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
 		fpPrivateEndpoints:    network.NewPrivateEndpointsClient(_env.Environment(), _env.SubscriptionID(), localFPAuthorizer),
 		rpPrivateLinkServices: network.NewPrivateLinkServicesClient(_env.Environment(), _env.SubscriptionID(), msiAuthorizer),
+		rpStorageAccounts:     rpStorageAccounts,
 
 		dns:     dns.NewManager(_env, localFPAuthorizer),
 		storage: storage,

pkg/cluster/delete.go

@@ -441,6 +441,12 @@ func (m *manager) Delete(ctx context.Context) error {
 		return err
 	}
 
+	m.log.Printf("deleting OIDC configuration")
+	err = m.rpStorageAccounts.DeleteBlobContainer(ctx, m.env.ResourceGroup(), m.env.OIDCStorageAccountName(), env.OIDCBlobContainerPrefix+m.doc.ID)
+	if err != nil {
+		return err
+	}
+
 	m.log.Printf("deleting role assignments")
 	err = m.deleteRoleAssignments(ctx)
 	if err != nil {

pkg/cluster/deploybaseresources.go

@@ -14,6 +14,7 @@ import (
 
 	mgmtnetwork "github.com/Azure/azure-sdk-for-go/services/network/mgmt/2020-08-01/network"
 	mgmtfeatures "github.com/Azure/azure-sdk-for-go/services/resources/mgmt/2019-07-01/features"
+	mgmtstorage "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2019-06-01/storage"
 	"github.com/Azure/go-autorest/autorest"
 	"github.com/Azure/go-autorest/autorest/azure"
 	"github.com/Azure/go-autorest/autorest/to"
@@ -24,6 +25,7 @@ import (
 	apisubnet "github.com/Azure/ARO-RP/pkg/api/util/subnet"
 	"github.com/Azure/ARO-RP/pkg/env"
 	"github.com/Azure/ARO-RP/pkg/util/arm"
+	"github.com/Azure/ARO-RP/pkg/util/oidcbuilder"
 	"github.com/Azure/ARO-RP/pkg/util/stringutils"
 )
 
@@ -35,6 +37,35 @@ func (m *manager) createDNS(ctx context.Context) error {
 	return m.dns.Create(ctx, m.doc.OpenShiftCluster)
 }
 
+func (m *manager) createOIDC(ctx context.Context) error {
+	blobContainerName := env.OIDCBlobContainerPrefix + m.doc.ID
+	err := m.rpStorageAccounts.CreateBlobContainer(ctx, m.env.ResourceGroup(), m.env.OIDCStorageAccountName(), blobContainerName)
+	if err != nil {
+		return err
+	}
+
+	blobService, err := m.rpStorageAccounts.BlobService(ctx, m.env.ResourceGroup(), m.env.OIDCStorageAccountName(), mgmtstorage.Permissions("cw"), mgmtstorage.SignedResourceTypesO)
+	if err != nil {
+		return err
+	}
+
+	oidcBuilder := oidcbuilder.NewOIDCBuilder()
+	oidcBuilder.SetOIDCEndpointUrl(m.env.OIDCEndpoint(), blobContainerName)
+
+	err = oidcBuilder.EnsureOIDCDocs(ctx, blobContainerName, blobService)
+	if err != nil {
+		return err
+	}
+
+	m.doc, err = m.db.PatchWithLease(ctx, m.doc.Key, func(doc *api.OpenShiftClusterDocument) error {
+		doc.OpenShiftCluster.Properties.ClusterProfile.OIDCIssuer = api.OIDCIssuer(oidcBuilder.GetEndpointUrl())
+		doc.OpenShiftCluster.Properties.ClusterProfile.BoundServiceAccountSigningKey = api.SecureString(oidcBuilder.GetPrivateKey())
+		return nil
+	})
+
+	return err
+}
+
 func (m *manager) ensureInfraID(ctx context.Context) (err error) {
 	if m.doc.OpenShiftCluster.Properties.InfraID != "" {
 		return err

pkg/cluster/install.go

@@ -275,6 +275,8 @@ func (m *manager) bootstrap() []steps.Step {
 		steps.Action(m.populateMTUSize),
 
 		steps.Action(m.createDNS),
+		// TODO: Add a condition on ServicePrincipalProfile to run createOIDC after testing
+		steps.Action(m.createOIDC),
 		steps.Action(m.initializeClusterSPClients), // must run before clusterSPObjectID
 
 		// TODO: this relies on an authorizer that isn't exposed in the manager

pkg/env/env.go

@@ -58,6 +58,7 @@ const (
 	ServiceKeyvaultSuffix            = "-svc"
 	RPPrivateEndpointPrefix          = "rp-pe-"
 	ProxyHostName                    = "PROXY_HOSTNAME"
+	OIDCBlobContainerPrefix          = "oic-"
 )
 
 // Interface is clunky and somewhat legacy and only used in the RP codebase (not

pkg/util/azureclient/mgmt/storage/blobcontainers.go

@@ -0,0 +1,31 @@
+package storage
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+import (
+	"context"
+
+	mgmtstorage "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2019-06-01/storage"
+	"github.com/Azure/go-autorest/autorest"
+
+	"github.com/Azure/ARO-RP/pkg/util/azureclient"
+)
+
+type BlobContainersClient interface {
+	Get(ctx context.Context, resourceGroupName string, accountName string, containerName string) (mgmtstorage.BlobContainer, error)
+	Create(ctx context.Context, resourceGroupName string, accountName string, containerName string, blobContainer mgmtstorage.BlobContainer) (mgmtstorage.BlobContainer, error)
+	Delete(ctx context.Context, resourceGroupName string, accountName string, containerName string) (result autorest.Response, err error)
+}
+
+type blobContainersClient struct {
+	mgmtstorage.BlobContainersClient
+}
+
+func NewBlobContainersClient(environment *azureclient.AROEnvironment, subscriptionID string, authorizer autorest.Authorizer) *blobContainersClient {
+	client := mgmtstorage.NewBlobContainersClientWithBaseURI(environment.ResourceManagerEndpoint, subscriptionID)
+	client.Authorizer = authorizer
+	return &blobContainersClient{
+		BlobContainersClient: client,
+	}
+}

pkg/util/storage/manager.go

@@ -21,17 +21,21 @@ import (
 
 type Manager interface {
 	BlobService(ctx context.Context, resourceGroup, account string, p mgmtstorage.Permissions, r mgmtstorage.SignedResourceTypes) (*azstorage.BlobStorageClient, error)
+	CreateBlobContainer(ctx context.Context, resourceGroup string, account string, container string) error
+	DeleteBlobContainer(ctx context.Context, resourceGroupName string, accountName string, containerName string) error
 }
 
 type manager struct {
-	env             env.Core
+	env             env.Interface
 	storageAccounts storage.AccountsClient
+	blobContainers  storage.BlobContainersClient
 }
 
-func NewManager(env env.Core, subscriptionID string, authorizer autorest.Authorizer) Manager {
+func NewManager(env env.Interface, subscriptionID string, authorizer autorest.Authorizer) Manager {
 	return &manager{
 		env:             env,
 		storageAccounts: storage.NewAccountsClient(env.Environment(), subscriptionID, authorizer),
+		blobContainers:  storage.NewBlobContainersClient(env.Environment(), subscriptionID, authorizer),
 	}
 }
 
@@ -82,3 +86,41 @@ func (m *manager) BlobService(ctx context.Context, resourceGroup, account string
 
 	return &blobcli, nil
 }
+
+func (m *manager) CreateBlobContainer(ctx context.Context, resourceGroup string, account string, container string) error {
+	needToCreateBlobContainer := false
+	_, err := m.blobContainers.Get(
+		ctx,
+		resourceGroup,
+		account,
+		container)
+	if err != nil {
+		if detailedErr, ok := err.(autorest.DetailedError); !ok || detailedErr.StatusCode != http.StatusNotFound {
+			return err
+		}
+		needToCreateBlobContainer = true
+	}
+
+	if !needToCreateBlobContainer {
+		return nil
+	}
+
+	_, err = m.blobContainers.Create(
+		context.Background(),
+		resourceGroup,
+		account,
+		container,
+		mgmtstorage.BlobContainer{
+			ContainerProperties: &mgmtstorage.ContainerProperties{
+				PublicAccess: mgmtstorage.PublicAccessNone,
+			},
+		},
+	)
+
+	return err
+}
+
+func (m *manager) DeleteBlobContainer(ctx context.Context, resourceGroupName string, accountName string, containerName string) error {
+	_, err := m.blobContainers.Delete(ctx, resourceGroupName, accountName, containerName)
+	return err
+}