Merge branch 'master' into azoppiserpa/ARO-4222

.gdn/.gdnsuppress

@@ -225,20 +225,6 @@
       "expirationDate": null,
       "type": null
     },
-    "20cd31403587ea29d121d28ac3ef7d9b6a7b922baaf817f79ba4ccf0d5730b43": {
-      "signature": "20cd31403587ea29d121d28ac3ef7d9b6a7b922baaf817f79ba4ccf0d5730b43",
-      "alternativeSignatures": [],
-      "target": "portal/v1/build/main.js.LICENSE.txt",
-      "memberOf": [
-        "default"
-      ],
-      "tool": "policheck",
-      "ruleId": "166862",
-      "justification": null,
-      "createdDate": "2022-07-14 16:28:44Z",
-      "expirationDate": null,
-      "type": null
-    },
     "9c277a79f4467e0f7fc8eaeac774f9680776f80a1acfee7a0e3331dde2f7ef6d": {
       "signature": "9c277a79f4467e0f7fc8eaeac774f9680776f80a1acfee7a0e3331dde2f7ef6d",
       "alternativeSignatures": [],

.gitignore

@@ -30,7 +30,6 @@ gomock_reflect_*
 /e2e-report.xml
 /deploy/config.yaml
 **/*.swp
-/portal/v1/node_modules/
 /portal/v2/node_modules/
 portal/v2/.vscode/
 .idea*
@@ -43,3 +42,4 @@ megalinter-reports/
 /jq
 /portalauth
 .kiota.log
+/clusterapp.env

.pipelines/e2e.yml

@@ -51,6 +51,7 @@ jobs:
 
           export CI=true
           . ./hack/e2e/run-rp-and-e2e.sh
+          get_cluster_sp
           deploy_e2e_db
         displayName: Setup (Azure)
 

.sha256sum

@@ -6,4 +6,4 @@ b1f1de0fe40d05de90742b17928968923b936adc294000f58974f50a297581dd  swagger/redhat
 c023515341196746454c0ae7af077d40d3ec13f6b88b33cb558f0a7ab17a5a24  swagger/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/preview/2023-07-01-preview/redhatopenshift.json
 440748951dd1c3b34b5ccbdcb7cd966e3b89490887a1f1d64429561fad789515  swagger/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/stable/2023-09-04/redhatopenshift.json
 74a46fdde6ceb0121fe1515c7e11e902dd921b54cffe693307fb02b3dc88f26e  swagger/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/stable/2023-11-22/redhatopenshift.json
-f6d5633ec3a909b6daba501cd9c13e5619a3506ed868776c9659c1c3d6c0e2c9  swagger/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/preview/2024-08-12-preview/redhatopenshift.json
+a27184734436629e24b344c3b5c015437f144e18e7eddce7e252a1ed4cda7bca  swagger/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/preview/2024-08-12-preview/redhatopenshift.json

Makefile

@@ -167,7 +167,7 @@ run-portal:
 	go run -ldflags "-X github.com/Azure/ARO-RP/pkg/util/version.GitCommit=$(VERSION)" ./cmd/aro portal
 
 build-portal:
-	cd portal/v1 && npm install && npm run build && cd ../v2 && npm install && npm run build
+	cd portal/v2 && npm install && npm run build
 
 pyenv:
 	python3 -m venv pyenv

cmd/aro/mirror.go

@@ -87,8 +87,8 @@ func mirror(ctx context.Context, log *logrus.Entry) error {
 		srcAcrGeneva := "linuxgeneva-microsoft" + acrDomainSuffix
 		mirrorImages := []string{
 			// https://eng.ms/docs/products/geneva/collect/references/linuxcontainers
-			srcAcrGeneva + "/distroless/genevamdm:2.2023.1118.1225-d7e0d6-20231118t1338",
-			srcAcrGeneva + "/distroless/genevamdsd:mariner_20231129.1",
+			srcAcrGeneva + "/distroless/genevamdm:2.2024.328.1744-c5fb79-20240328t1935",
+			srcAcrGeneva + "/distroless/genevamdsd:mariner_20240327.2",
 		}
 		for _, ref := range mirrorImages {
 			log.Printf("mirroring %s -> %s", ref, pkgmirror.DestLastIndex(dstAcr+acrDomainSuffix, ref))
@@ -103,8 +103,8 @@ func mirror(ctx context.Context, log *logrus.Entry) error {
 
 	for _, ref := range []string{
 
-		// https://mcr.microsoft.com/en-us/product/cbl-mariner/base/azure-cli/about
-		"mcr.microsoft.com/cbl-mariner/base/azure-cli:2",
+		// https://mcr.microsoft.com/en-us/product/azure-cli/about
+		"mcr.microsoft.com/azure-cli:cbl-mariner2.0",
 
 		// https://catalog.redhat.com/software/containers/rhel8/support-tools/5ba3eaf9bed8bd6ee819b78b
 		// https://catalog.redhat.com/software/containers/rhel9/support-tools/615be213075b022acc111bf9

docs/admin-portal.md

@@ -10,7 +10,7 @@ The front end is developed using react and typescript. The back end api is writt
 
 The portal front end lives in the top level directory of the ARO-RP repo within the `portal` directory. The portal back end exists within `pkg/portal`
 
-The front end code is compiled into go code using the bindata golang module. This front end code is then served through the RP.
+The front end code is built into the `aro` binary (via go embed) and the static files are served by `aro portal`.
 
 The admin portal also serves a static Prometheus web frontend. The contents are taken from a Prometheus release's web-ui artifact (e.g. [2.48](https://github.com/prometheus/prometheus/releases/download/v2.48.0/prometheus-web-ui-2.48.0.tar.gz)), and the static/react subdirectory is mirrored to this repository's pkg/portal/assets/prometheus-ui directory.
 

docs/dbtoken-service.md

@@ -3,7 +3,7 @@
 ## Introduction
 
 Cosmos DB access control is described
-[https://docs.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data](here).
+[here](https://docs.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data).
 In brief, there are three options:
 
 1. use r/w or r/o primary keys, which grant access to the whole database account

docs/deploy-development-rp.md

@@ -112,13 +112,18 @@
    OR use the create utility:
 
    ```bash
+   # Create the application to run the cluster as and load it
+   CLUSTER=<cluster-name> go run ./hack/cluster createapp
+   source clusterapp.env
+   # Create the cluster
    CLUSTER=<cluster-name> go run ./hack/cluster create
    ```
 
    Later the cluster can be deleted as follows:
 
    ```bash
    CLUSTER=<cluster-name> go run ./hack/cluster delete
+   CLUSTER=<cluster-name> go run ./hack/cluster deleteapp
    ```
 
    By default, a public cluster will be created. In order to create a private cluster, set the `PRIVATE_CLUSTER` environment variable to `true` prior to creation. Internet access from the cluster can also be restricted by setting the `NO_INTERNET` environment variable to `true`.

hack/cluster/cluster.go

@@ -25,7 +25,7 @@ const (
 
 func run(ctx context.Context, log *logrus.Entry) error {
 	if len(os.Args) != 2 {
-		return fmt.Errorf("usage: CLUSTER=x %s {create,delete}", os.Args[0])
+		return fmt.Errorf("usage: CLUSTER=x %s {create,createApp,deleteApp,delete}", os.Args[0])
 	}
 
 	if err := env.ValidateVars(Cluster); err != nil {
@@ -59,6 +59,10 @@ func run(ctx context.Context, log *logrus.Entry) error {
 	switch strings.ToLower(os.Args[1]) {
 	case "create":
 		return c.Create(ctx, vnetResourceGroup, clusterName, osClusterVersion)
+	case "createapp":
+		return c.CreateApp(ctx, clusterName)
+	case "deleteapp":
+		return c.DeleteApp(ctx)
 	case "delete":
 		return c.Delete(ctx, vnetResourceGroup, clusterName)
 	default:

hack/e2e/run-rp-and-e2e.sh

@@ -211,9 +211,31 @@ delete_e2e_cluster() {
         ./cluster delete
     else
         go run ./hack/cluster delete
+        go run ./hack/cluster deleteApp
     fi
 }
 
+get_cluster_sp() {
+    echo "########## Downloading SP secrets ##########"
+
+    az keyvault secret download --vault-name=aro-e2e-principals \
+        --name=aro-v4-e2e-devops-spn-1-app-id \
+        --file=secrets/app-id
+    az keyvault secret download --vault-name=aro-e2e-principals \
+        --name=aro-v4-e2e-devops-spn-1-sp-id \
+        --file=secrets/sp-id
+    az keyvault secret download --vault-name=aro-e2e-principals \
+        --name=aro-v4-e2e-devops-spn-1-secret-value \
+        --file=secrets/secret-value
+
+    echo -e -n "\nexport AZURE_CLUSTER_SERVICE_PRINCIPAL_ID=" >>secrets/env
+    cat secrets/sp-id >>secrets/env
+    echo -e -n "\nexport AZURE_CLUSTER_APP_ID=" >>secrets/env
+    cat secrets/app-id >>secrets/env
+    echo -e -n "\nexport AZURE_CLUSTER_APP_SECRET=" >>secrets/env
+    cat secrets/secret-value >>secrets/env
+}
+
 # TODO: CLUSTER and is also recalculated in multiple places
 # in the billing pipelines :-(
 

pkg/api/admin/openshiftcluster.go

@@ -24,27 +24,29 @@ type OpenShiftCluster struct {
 	Location   string                     `json:"location,omitempty"`
 	Tags       map[string]string          `json:"tags,omitempty"`
 	Properties OpenShiftClusterProperties `json:"properties,omitempty"`
+	Identity   *Identity                  `json:"identity,omitempty"`
 }
 
 // OpenShiftClusterProperties represents an OpenShift cluster's properties.
 type OpenShiftClusterProperties struct {
-	ArchitectureVersion     ArchitectureVersion     `json:"architectureVersion"` // ArchitectureVersion is int so 0 is valid value to be returned
-	ProvisioningState       ProvisioningState       `json:"provisioningState,omitempty"`
-	LastProvisioningState   ProvisioningState       `json:"lastProvisioningState,omitempty"`
-	FailedProvisioningState ProvisioningState       `json:"failedProvisioningState,omitempty"`
-	LastAdminUpdateError    string                  `json:"lastAdminUpdateError,omitempty"`
-	MaintenanceTask         MaintenanceTask         `json:"maintenanceTask,omitempty" mutable:"true"`
-	OperatorFlags           OperatorFlags           `json:"operatorFlags,omitempty" mutable:"true"`
-	OperatorVersion         string                  `json:"operatorVersion,omitempty" mutable:"true"`
-	CreatedAt               time.Time               `json:"createdAt,omitempty"`
-	CreatedBy               string                  `json:"createdBy,omitempty"`
-	ProvisionedBy           string                  `json:"provisionedBy,omitempty"`
-	ClusterProfile          ClusterProfile          `json:"clusterProfile,omitempty"`
-	FeatureProfile          FeatureProfile          `json:"featureProfile,omitempty"`
-	ConsoleProfile          ConsoleProfile          `json:"consoleProfile,omitempty"`
-	ServicePrincipalProfile ServicePrincipalProfile `json:"servicePrincipalProfile,omitempty"`
-	NetworkProfile          NetworkProfile          `json:"networkProfile,omitempty"`
-	MasterProfile           MasterProfile           `json:"masterProfile,omitempty"`
+	ArchitectureVersion             ArchitectureVersion              `json:"architectureVersion"` // ArchitectureVersion is int so 0 is valid value to be returned
+	ProvisioningState               ProvisioningState                `json:"provisioningState,omitempty"`
+	LastProvisioningState           ProvisioningState                `json:"lastProvisioningState,omitempty"`
+	FailedProvisioningState         ProvisioningState                `json:"failedProvisioningState,omitempty"`
+	LastAdminUpdateError            string                           `json:"lastAdminUpdateError,omitempty"`
+	MaintenanceTask                 MaintenanceTask                  `json:"maintenanceTask,omitempty" mutable:"true"`
+	OperatorFlags                   OperatorFlags                    `json:"operatorFlags,omitempty" mutable:"true"`
+	OperatorVersion                 string                           `json:"operatorVersion,omitempty" mutable:"true"`
+	CreatedAt                       time.Time                        `json:"createdAt,omitempty"`
+	CreatedBy                       string                           `json:"createdBy,omitempty"`
+	ProvisionedBy                   string                           `json:"provisionedBy,omitempty"`
+	ClusterProfile                  ClusterProfile                   `json:"clusterProfile,omitempty"`
+	FeatureProfile                  FeatureProfile                   `json:"featureProfile,omitempty"`
+	ConsoleProfile                  ConsoleProfile                   `json:"consoleProfile,omitempty"`
+	ServicePrincipalProfile         ServicePrincipalProfile          `json:"servicePrincipalProfile,omitempty"`
+	PlatformWorkloadIdentityProfile *PlatformWorkloadIdentityProfile `json:"platformWorkloadIdentityProfile,omitempty"`
+	NetworkProfile                  NetworkProfile                   `json:"networkProfile,omitempty"`
+	MasterProfile                   MasterProfile                    `json:"masterProfile,omitempty"`
 	// WorkerProfiles is used to store the worker profile data that was sent in the api request
 	WorkerProfiles []WorkerProfile `json:"workerProfiles,omitempty"`
 	// WorkerProfilesStatus is used to store the enriched worker profile data
@@ -76,6 +78,9 @@ const (
 // FipsValidatedModules determines if FIPS is used.
 type FipsValidatedModules string
 
+// OIDCIssuer represents the URL of the managed OIDC issuer in a workload identity cluster.
+type OIDCIssuer string
+
 // FipsValidatedModules constants.
 const (
 	FipsValidatedModulesEnabled  FipsValidatedModules = "Enabled"
@@ -129,6 +134,7 @@ type ClusterProfile struct {
 	Version              string               `json:"version,omitempty"`
 	ResourceGroupID      string               `json:"resourceGroupId,omitempty"`
 	FipsValidatedModules FipsValidatedModules `json:"fipsValidatedModules,omitempty"`
+	OIDCIssuer           OIDCIssuer           `json:"oidcIssuer,omitempty"`
 }
 
 // FeatureProfile represents a feature profile.
@@ -409,6 +415,34 @@ type IngressProfile struct {
 	IP         string     `json:"ip,omitempty"`
 }
 
+// PlatformWorkloadIdentityProfile encapsulates all information that is specific to workload identity clusters.
+type PlatformWorkloadIdentityProfile struct {
+	PlatformWorkloadIdentities []PlatformWorkloadIdentity `json:"platformWorkloadIdentities,omitempty"`
+}
+
+// PlatformWorkloadIdentity stores information representing a single workload identity.
+type PlatformWorkloadIdentity struct {
+	OperatorName string `json:"operatorName,omitempty"`
+	ResourceID   string `json:"resourceId,omitempty"`
+	ClientID     string `json:"clientId,omitempty" swagger:"readOnly"`
+	ObjectID     string `json:"objectId,omitempty" swagger:"readOnly"`
+}
+
+// ClusterUserAssignedIdentity stores information about a user-assigned managed identity in a predefined format required by Microsoft's Managed Identity team.
+type ClusterUserAssignedIdentity struct {
+	ClientID    string `json:"clientId,omitempty"`
+	PrincipalID string `json:"principalId,omitempty"`
+}
+
+// UserAssignedIdentities stores a mapping from resource IDs of managed identities to their client/principal IDs.
+type UserAssignedIdentities map[string]ClusterUserAssignedIdentity
+
+// Identity stores information about the cluster MSI(s) in a workload identity cluster.
+type Identity struct {
+	Type                   string                 `json:"type,omitempty"`
+	UserAssignedIdentities UserAssignedIdentities `json:"userAssignedIdentities,omitempty"`
+}
+
 // Install represents an install process.
 type Install struct {
 	Now   time.Time    `json:"now,omitempty"`

pkg/api/admin/openshiftcluster_convert.go

@@ -37,6 +37,7 @@ func (c openShiftClusterConverter) ToExternal(oc *api.OpenShiftCluster) interfac
 				Version:              oc.Properties.ClusterProfile.Version,
 				ResourceGroupID:      oc.Properties.ClusterProfile.ResourceGroupID,
 				FipsValidatedModules: FipsValidatedModules(oc.Properties.ClusterProfile.FipsValidatedModules),
+				OIDCIssuer:           OIDCIssuer(oc.Properties.ClusterProfile.OIDCIssuer),
 			},
 			FeatureProfile: FeatureProfile{
 				GatewayEnabled: oc.Properties.FeatureProfile.GatewayEnabled,
@@ -172,6 +173,29 @@ func (c openShiftClusterConverter) ToExternal(oc *api.OpenShiftCluster) interfac
 		}
 	}
 
+	if oc.Identity != nil {
+		out.Identity.Type = oc.Identity.Type
+		out.Identity.UserAssignedIdentities = make(map[string]ClusterUserAssignedIdentity, len(oc.Identity.UserAssignedIdentities))
+		for k := range oc.Identity.UserAssignedIdentities {
+			var temp ClusterUserAssignedIdentity
+			temp.ClientID = oc.Identity.UserAssignedIdentities[k].ClientID
+			temp.PrincipalID = oc.Identity.UserAssignedIdentities[k].PrincipalID
+			out.Identity.UserAssignedIdentities[k] = temp
+		}
+	}
+
+	if oc.Properties.PlatformWorkloadIdentityProfile != nil && oc.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities != nil {
+		out.Properties.PlatformWorkloadIdentityProfile = &PlatformWorkloadIdentityProfile{}
+		out.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities = make([]PlatformWorkloadIdentity, len(oc.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities))
+
+		for i := range oc.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities {
+			out.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities[i].OperatorName = oc.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities[i].OperatorName
+			out.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities[i].ResourceID = oc.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities[i].ResourceID
+			out.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities[i].ClientID = oc.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities[i].ClientID
+			out.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities[i].ObjectID = oc.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities[i].ObjectID
+		}
+	}
+
 	if oc.Properties.RegistryProfiles != nil {
 		out.Properties.RegistryProfiles = make([]RegistryProfile, len(oc.Properties.RegistryProfiles))
 		for i, v := range oc.Properties.RegistryProfiles {
@@ -221,6 +245,16 @@ func (c openShiftClusterConverter) ToInternal(_oc interface{}, out *api.OpenShif
 			out.Tags[k] = v
 		}
 	}
+	if oc.Identity != nil {
+		out.Identity.Type = oc.Identity.Type
+		out.Identity.UserAssignedIdentities = make(map[string]api.ClusterUserAssignedIdentity, len(oc.Identity.UserAssignedIdentities))
+		for k := range oc.Identity.UserAssignedIdentities {
+			var temp api.ClusterUserAssignedIdentity
+			temp.ClientID = oc.Identity.UserAssignedIdentities[k].ClientID
+			temp.PrincipalID = oc.Identity.UserAssignedIdentities[k].PrincipalID
+			out.Identity.UserAssignedIdentities[k] = temp
+		}
+	}
 	out.Properties.ArchitectureVersion = api.ArchitectureVersion(oc.Properties.ArchitectureVersion)
 	out.Properties.InfraID = oc.Properties.InfraID
 	out.Properties.HiveProfile.Namespace = oc.Properties.HiveProfile.Namespace
@@ -243,6 +277,17 @@ func (c openShiftClusterConverter) ToInternal(_oc interface{}, out *api.OpenShif
 	out.Properties.ConsoleProfile.URL = oc.Properties.ConsoleProfile.URL
 	out.Properties.ServicePrincipalProfile.ClientID = oc.Properties.ServicePrincipalProfile.ClientID
 	out.Properties.ServicePrincipalProfile.SPObjectID = oc.Properties.ServicePrincipalProfile.SPObjectID
+	if oc.Properties.PlatformWorkloadIdentityProfile != nil && oc.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities != nil {
+		out.Properties.PlatformWorkloadIdentityProfile = &api.PlatformWorkloadIdentityProfile{}
+		out.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities = make([]api.PlatformWorkloadIdentity, len(oc.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities))
+
+		for i := range oc.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities {
+			out.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities[i].OperatorName = oc.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities[i].OperatorName
+			out.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities[i].ResourceID = oc.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities[i].ResourceID
+			out.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities[i].ClientID = oc.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities[i].ClientID
+			out.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities[i].ObjectID = oc.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities[i].ObjectID
+		}
+	}
 	out.Properties.NetworkProfile.PodCIDR = oc.Properties.NetworkProfile.PodCIDR
 	out.Properties.NetworkProfile.ServiceCIDR = oc.Properties.NetworkProfile.ServiceCIDR
 	out.Properties.NetworkProfile.MTUSize = api.MTUSize(oc.Properties.NetworkProfile.MTUSize)