diff --git a/pkg/util/cluster/cluster.go b/pkg/util/cluster/cluster.go index b71b546407c..828c0ee0121 100644 --- a/pkg/util/cluster/cluster.go +++ b/pkg/util/cluster/cluster.go @@ -44,6 +44,7 @@ import ( redhatopenshift20230904 "github.com/Azure/ARO-RP/pkg/util/azureclient/mgmt/redhatopenshift/2023-09-04/redhatopenshift" utilgraph "github.com/Azure/ARO-RP/pkg/util/graph" "github.com/Azure/ARO-RP/pkg/util/rbac" + "github.com/Azure/ARO-RP/pkg/util/rolesets" "github.com/Azure/ARO-RP/pkg/util/uuid" "github.com/Azure/ARO-RP/pkg/util/version" ) @@ -461,7 +462,12 @@ func (c *Cluster) createCluster(ctx context.Context, vnetResourceGroup, clusterN return err } - err = c.insertDefaultVersionIntoCosmosdb(ctx) + err = c.insertDefaultVersionIntoCosmosdb() + if err != nil { + return err + } + + err = c.insertPlatformWorkloadIdentityRoleSetsIntoCosmosdb() if err != nil { return err } @@ -524,7 +530,7 @@ func (c *Cluster) registerSubscription(ctx context.Context) error { return resp.Body.Close() } -func (c *Cluster) insertDefaultVersionIntoCosmosdb(ctx context.Context) error { +func (c *Cluster) insertDefaultVersionIntoCosmosdb() error { defaultVersion := version.DefaultInstallStream b, err := json.Marshal(&api.OpenShiftVersion{ Properties: api.OpenShiftVersionProperties{ @@ -563,6 +569,37 @@ func (c *Cluster) insertDefaultVersionIntoCosmosdb(ctx context.Context) error { return resp.Body.Close() } +func (c *Cluster) insertPlatformWorkloadIdentityRoleSetsIntoCosmosdb() error { + defaultRoleSet := rolesets.DefaultPlatformWorkloadIdentityRoleSet + b, err := json.Marshal(&api.PlatformWorkloadIdentityRoleSetDocument{ + PlatformWorkloadIdentityRoleSet: &defaultRoleSet, + }) + if err != nil { + return err + } + + req, err := http.NewRequest(http.MethodPut, "https://localhost:8443/platformworkloadidentityrolesets/", bytes.NewReader(b)) + if err != nil { + return err + } + req.Header.Set("Content-Type", "application/json") + + cli := &http.Client{ + Transport: &http.Transport{ + TLSClientConfig: &tls.Config{ + InsecureSkipVerify: true, + }, + }, + } + + resp, err := cli.Do(req) + if err != nil { + return err + } + + return resp.Body.Close() +} + func (c *Cluster) fixupNSGs(ctx context.Context, vnetResourceGroup, clusterName string) error { timeoutCtx, cancel := context.WithTimeout(ctx, 10*time.Minute) defer cancel() diff --git a/pkg/util/rolesets/const.go b/pkg/util/rolesets/const.go new file mode 100644 index 00000000000..82f2c143dc4 --- /dev/null +++ b/pkg/util/rolesets/const.go @@ -0,0 +1,81 @@ +package rolesets + +import ( + "github.com/Azure/ARO-RP/pkg/api" +) + +var DefaultPlatformWorkloadIdentityRoleSet = api.PlatformWorkloadIdentityRoleSet{ + Properties: api.PlatformWorkloadIdentityRoleSetProperties{ + OpenShiftVersion: "4.14", + PlatformWorkloadIdentityRoles: []api.PlatformWorkloadIdentityRole{ + { + OperatorName: "CloudControllerManager", + RoleDefinitionName: "Azure RedHat OpenShift Cloud Controller Manager Role", + RoleDefinitionID: "/providers/Microsoft.Authorization/roleDefinitions/a1f96423-95ce-4224-ab27-4e3dc72facd4", + ServiceAccounts: []string{ + "openshift-cloud-controller-manager:cloud-controller-manager", + }, + }, + { + OperatorName: "ClusterIngressOperator", + RoleDefinitionName: "Azure RedHat OpenShift Cluster Ingress Operator Role", + RoleDefinitionID: "/providers/Microsoft.Authorization/roleDefinitions/0336e1d3-7a87-462b-b6db-342b63f7802c", + ServiceAccounts: []string{ + "openshift-ingress-operator:ingress-operator", + }, + }, + { + OperatorName: "MachineApiOperator", + RoleDefinitionName: "Azure RedHat OpenShift Machine API Operator Role", + RoleDefinitionID: "/providers/Microsoft.Authorization/roleDefinitions/0358943c-7e01-48ba-8889-02cc51d78637", + ServiceAccounts: []string{ + "openshift-machine-api:machine-api-operator", + }, + }, + { + OperatorName: "StorageOperator", + RoleDefinitionName: "Azure RedHat OpenShift Storage Operator Role", + RoleDefinitionID: "/providers/Microsoft.Authorization/roleDefinitions/5b7237c5-45e1-49d6-bc18-a1f62f400748", + ServiceAccounts: []string{ + "openshift-cluster-csi-drivers:azure-disk-csi-driver-operator", + "openshift-cluster-csi-drivers:azure-disk-csi-driver-controller-sa", + }, + }, + { + OperatorName: "NetworkOperator", + RoleDefinitionName: "Azure RedHat OpenShift Network Operator Role", + RoleDefinitionID: "/providers/Microsoft.Authorization/roleDefinitions/be7a6435-15ae-4171-8f30-4a343eff9e8f", + ServiceAccounts: []string{ + "openshift-cloud-network-config-controller:cloud-network-config-controller", + }, + }, + { + OperatorName: "ImageRegistryOperator", + RoleDefinitionName: "Azure RedHat OpenShift Image Registry Operator Role", + RoleDefinitionID: "/providers/Microsoft.Authorization/roleDefinitions/8b32b316-c2f5-4ddf-b05b-83dacd2d08b5", + ServiceAccounts: []string{ + "openshift-image-registry:cluster-image-registry-operator", + "openshift-image-registry:registry", + }, + }, + { + OperatorName: "AzureFilesStorageOperator", + RoleDefinitionName: "Azure RedHat OpenShift Azure Files Storage Operator Role", + RoleDefinitionID: "/providers/Microsoft.Authorization/roleDefinitions/0d7aedc0-15fd-4a67-a412-efad370c947e", + ServiceAccounts: []string{ + "openshift-cluster-csi-drivers:azure-file-csi-driver-operator", + "openshift-cluster-csi-drivers:azure-file-csi-driver-controller-sa", + "openshift-cluster-csi-drivers:azure-file-csi-driver-node-sa", + }, + }, + { + OperatorName: "ServiceOperator", + RoleDefinitionName: "Azure RedHat OpenShift Service Operator", + RoleDefinitionID: "/providers/Microsoft.Authorization/roleDefinitions/4436bae4-7702-4c84-919b-c4069ff25ee2", + ServiceAccounts: []string{ + "openshift-azure-operator:aro-operator-master", + }, + }, + }, + }, +}