focus on sp and user-assigned id, not back-compat

Signed-off-by: Jack Francis <[email protected]>
kubernetes-sigs · May 24, 2024 · 1d250ab · 1d250ab
1 parent 9dae1b3
commit 1d250ab
Show file tree

Hide file tree

Showing 8 changed files with 31 additions and 13 deletions.
diff --git a/Makefile b/Makefile
@@ -198,7 +198,6 @@ export CI_RG ?= $(AZWI_RESOURCE_GROUP)
 export USER_IDENTITY ?= $(addsuffix $(RANDOM_SUFFIX),$(CI_RG))
 export AZWI_LOCATION ?= eastus
 export AZURE_IDENTITY_ID_FILEPATH ?= $(ROOT_DIR)/azure_identity_id
-export USE_BACK_COMPAT_IDENTITY ?= $(ROOT_DIR)/azure_wi_back_compat
 
 ## --------------------------------------
 ## Binaries
@@ -304,6 +303,10 @@ create-management-cluster: $(KUSTOMIZE) $(ENVSUBST) $(KUBECTL) $(KIND) ## Create
 
 	# Install cert manager and wait for availability
 	./hack/install-cert-manager.sh
+	if [ -n "${AZURE_CLIENT_SECRET}" ] && [ -n "${AZURE_CLUSTER_IDENTITY_SECRET_NAME}" ]; then
+		# Create secret for AzureClusterIdentity
+		./hack/create-identity-secret.sh
+	fi
 
 	# Create customized cloud provider configs
 	./hack/create-custom-cloud-provider-config.sh

diff --git a/Tiltfile b/Tiltfile
@@ -266,7 +266,7 @@ def create_identity_secret():
 
     os.putenv("AZURE_CLUSTER_IDENTITY_SECRET_NAME", "cluster-identity-secret")
     os.putenv("AZURE_CLUSTER_IDENTITY_SECRET_NAMESPACE", "default")
-    os.putenv("CLUSTER_IDENTITY_NAME", "cluster-identity-wi")
+    os.putenv("CLUSTER_IDENTITY_NAME", "cluster-identity-ci")
     os.putenv("ASO_CREDENTIAL_SECRET_NAME", "aso-credentials")
 
     local("cat templates/flavors/aks-aso/credentials.yaml | " + envsubst_cmd + " | " + kubectl_cmd + " apply -f -", quiet = True, echo_off = True)

diff --git a/e2e.mk b/e2e.mk
@@ -10,10 +10,8 @@ test-e2e-run: generate-e2e-templates install-tools kind-create-bootstrap ## Run
 	if [ -z "${AZURE_CLIENT_ID_USER_ASSIGNED_IDENTITY}" ]; then \
 		export AZURE_CLIENT_ID_USER_ASSIGNED_IDENTITY=$(shell cat $(AZURE_IDENTITY_ID_FILEPATH)); \
 	fi; \
-	if [ -f $(USE_BACK_COMPAT_IDENTITY) ]; then \
-		export CI_RG=capz-ci; \
-		export USER_IDENTITY=cloud-provider-user-identity; \
-	fi; \
+	export CI_RG=capz-ci; \
+	export USER_IDENTITY=cloud-provider-user-identity; \
 	$(GINKGO) -v --trace --timeout=4h --tags=e2e --focus="$(GINKGO_FOCUS)" --skip="$(GINKGO_SKIP)" --nodes=$(GINKGO_NODES) --no-color=$(GINKGO_NOCOLOR) --output-dir="$(ARTIFACTS)" --junit-report="junit.e2e_suite.1.xml" $(GINKGO_ARGS) ./test/e2e -- \
 		-e2e.artifacts-folder="$(ARTIFACTS)" \
 		-e2e.config="$(E2E_CONF_FILE_ENVSUBST)" \

diff --git a/scripts/kind-with-registry.sh b/scripts/kind-with-registry.sh
@@ -80,10 +80,6 @@ function checkAZWIENVPreReqsAndCreateFiles() {
     export SERVICE_ACCOUNT_SIGNING_PUB_FILEPATH="${REPO_ROOT}/capz-wi-sa.pub"
     export SERVICE_ACCOUNT_SIGNING_KEY_FILEPATH="${REPO_ROOT}/capz-wi-sa.key"
   fi
-  # Back-compat logic to deal with previous implementation of this script
-  if [ -n "${SERVICE_ACCOUNT_SIGNING_PUB}" ] && [ -n "${SERVICE_ACCOUNT_SIGNING_KEY}" ]; then
-    touch "${USE_BACK_COMPAT_IDENTITY}"
-  fi
   if [ -z "${SERVICE_ACCOUNT_ISSUER}" ]; then
     # check if user is logged into azure cli
     if ! az account show > /dev/null 2>&1; then

diff --git a/templates/test/dev/cluster-template-custom-builds.yaml b/templates/test/dev/cluster-template-custom-builds.yaml
diff --git a/templates/test/dev/custom-builds/kustomization.yaml b/templates/test/dev/custom-builds/kustomization.yaml
@@ -52,6 +52,7 @@ patches:
 - path: ../../../test/ci/patches/windows-machine-deployment-replicas.yaml
 - path: ../../../test/ci/patches/metrics-server-enabled-cluster.yaml
 - path: ../../../test/ci/patches/controller-manager-featuregates.yaml
+- path: patches/azure-cluster-identity-user-assigned.yaml
 configMapGenerator:
 - behavior: merge
   files:

diff --git a/templates/test/dev/custom-builds/patches/azure-cluster-identity-user-assigned.yaml b/templates/test/dev/custom-builds/patches/azure-cluster-identity-user-assigned.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+kind: AzureClusterIdentity
+metadata:
+  labels:
+    clusterctl.cluster.x-k8s.io/move-hierarchy: "true"
+  name: ${CLUSTER_IDENTITY_NAME}
+  namespace: default
+spec:
+  allowedNamespaces: {}
+  clientID: ${AZURE_CLIENT_ID}
+  clientSecret:
+    name: ${AZURE_CLUSTER_IDENTITY_SECRET_NAME}
+    namespace: ${AZURE_CLUSTER_IDENTITY_SECRET_NAMESPACE}
+    tenantID: ${AZURE_TENANT_ID}
+  type: ServicePrincipal
diff --git a/test/e2e/config/azure-dev.yaml b/test/e2e/config/azure-dev.yaml
@@ -214,7 +214,7 @@ variables:
   CONFORMANCE_IMAGE: "${CONFORMANCE_IMAGE:-}"
   CONFORMANCE_NODES: "${CONFORMANCE_NODES:-1}"
   IP_FAMILY: "IPv4"
-  CLUSTER_IDENTITY_NAME: "cluster-identity-wi"
+  CLUSTER_IDENTITY_NAME: "cluster-identity-ci"
   ASO_CREDENTIAL_SECRET_NAME: "aso-credentials"
   ASO_CREDENTIAL_SECRET_MODE: workloadidentity
   NODE_DRAIN_TIMEOUT: "60s"