diff --git a/Makefile b/Makefile
index f9116b95b0f..bb27f5be950 100644
--- a/Makefile
+++ b/Makefile
@@ -198,7 +198,6 @@ export CI_RG ?= $(AZWI_RESOURCE_GROUP)
 export USER_IDENTITY ?= $(addsuffix $(RANDOM_SUFFIX),$(CI_RG))
 export AZWI_LOCATION ?= eastus
 export AZURE_IDENTITY_ID_FILEPATH ?= $(ROOT_DIR)/azure_identity_id
-export USE_BACK_COMPAT_IDENTITY ?= $(ROOT_DIR)/azure_wi_back_compat
 ## --------------------------------------
 ## Binaries
@@ -304,6 +303,10 @@ create-management-cluster: $(KUSTOMIZE) $(ENVSUBST) $(KUBECTL) $(KIND) ## Create
 # Install cert manager and wait for availability
 ./hack/install-cert-manager.sh
+ if [ -n "${AZURE_CLIENT_SECRET}" ] && [ -n "${AZURE_CLUSTER_IDENTITY_SECRET_NAME}" ]; then
+ # Create secret for AzureClusterIdentity
+ ./hack/create-identity-secret.sh
+ fi
 # Create customized cloud provider configs
 ./hack/create-custom-cloud-provider-config.sh
diff --git a/Tiltfile b/Tiltfile
index 5bcf9c52cba..64ebb03d001 100644
--- a/Tiltfile
+++ b/Tiltfile
@@ -266,7 +266,7 @@ def create_identity_secret():
 os.putenv("AZURE_CLUSTER_IDENTITY_SECRET_NAME", "cluster-identity-secret")
 os.putenv("AZURE_CLUSTER_IDENTITY_SECRET_NAMESPACE", "default")
- os.putenv("CLUSTER_IDENTITY_NAME", "cluster-identity-wi")
+ os.putenv("CLUSTER_IDENTITY_NAME", "cluster-identity-ci")
 os.putenv("ASO_CREDENTIAL_SECRET_NAME", "aso-credentials")
 local("cat templates/flavors/aks-aso/credentials.yaml | " + envsubst_cmd + " | " + kubectl_cmd + " apply -f -", quiet = True, echo_off = True)
diff --git a/e2e.mk b/e2e.mk
index c25905d198e..84b627211c4 100644
--- a/e2e.mk
+++ b/e2e.mk
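Review bot: The four new recipe lines in create-management-cluster have no trailing `\`, so unless the Makefile sets `.ONESHELL:` somewhere outside this hunk each line runs in its own shell and the `if ... then` line dies with a shell syntax error before `./hack/create-identity-secret.sh` is ever reached; e2e.mk in this same commit shows the project's `; \` continuation style for exactly this construct. The condition is also written with Make-style `${AZURE_CLIENT_SECRET}`, which Make expands before echoing the recipe, so whenever the line is echoed the client secret value lands in the build/CI log; `$$AZURE_CLIENT_SECRET` leaves the expansion to the shell (assuming the variable reaches Make from the environment, as the surrounding `export ... ?=` lines suggest) and an `@` prefix keeps the line out of the log. Suggested replacement: `@if [ -n "$$AZURE_CLIENT_SECRET" ] && [ -n "$$AZURE_CLUSTER_IDENTITY_SECRET_NAME" ]; then \` / `./hack/create-identity-secret.sh; \` / `fi`, with the "Create secret for AzureClusterIdentity" comment moved above the `if`. The create-management-cluster recipe continues outside the hunk.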
@@ -10,10 +10,8 @@ test-e2e-run: generate-e2e-templates install-tools kind-create-bootstrap ## Run
 if [ -z "${AZURE_CLIENT_ID_USER_ASSIGNED_IDENTITY}" ]; then \
 export AZURE_CLIENT_ID_USER_ASSIGNED_IDENTITY=$(shell cat $(AZURE_IDENTITY_ID_FILEPATH)); \
 fi; \
- if [ -f $(USE_BACK_COMPAT_IDENTITY) ]; then \
- export CI_RG=capz-ci; \
- export USER_IDENTITY=cloud-provider-user-identity; \
- fi; \
+ export CI_RG=capz-ci; \
+ export USER_IDENTITY=cloud-provider-user-identity; \
 $(GINKGO) -v --trace --timeout=4h --tags=e2e --focus="$(GINKGO_FOCUS)" --skip="$(GINKGO_SKIP)" --nodes=$(GINKGO_NODES) --no-color=$(GINKGO_NOCOLOR) --output-dir="$(ARTIFACTS)" --junit-report="junit.e2e_suite.1.xml" $(GINKGO_ARGS) ./test/e2e -- \
 -e2e.artifacts-folder="$(ARTIFACTS)" \
 -e2e.config="$(E2E_CONF_FILE_ENVSUBST)" \
diff --git a/scripts/kind-with-registry.sh b/scripts/kind-with-registry.sh
index f2884a7fc4a..3048a9e3827 100755
--- a/scripts/kind-with-registry.sh
+++ b/scripts/kind-with-registry.sh
@@ -80,10 +80,6 @@ function checkAZWIENVPreReqsAndCreateFiles() {
 export SERVICE_ACCOUNT_SIGNING_PUB_FILEPATH="${REPO_ROOT}/capz-wi-sa.pub"
 export SERVICE_ACCOUNT_SIGNING_KEY_FILEPATH="${REPO_ROOT}/capz-wi-sa.key"
 fi
- # Back-compat logic to deal with previous implementation of this script
- if [ -n "${SERVICE_ACCOUNT_SIGNING_PUB}" ] && [ -n "${SERVICE_ACCOUNT_SIGNING_KEY}" ]; then
- touch "${USE_BACK_COMPAT_IDENTITY}"
- fi
 if [ -z "${SERVICE_ACCOUNT_ISSUER}" ]; then
 # check if user is logged into azure cli
 if ! az account show > /dev/null 2>&1; then
diff --git a/templates/test/dev/cluster-template-custom-builds.yaml b/templates/test/dev/cluster-template-custom-builds.yaml
index 510f8b0c7d6..0f9052615f1 100644
--- a/templates/test/dev/cluster-template-custom-builds.yaml
+++ b/templates/test/dev/cluster-template-custom-builds.yaml
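Review bot: The two new `export` lines pin `CI_RG=capz-ci` and `USER_IDENTITY=cloud-provider-user-identity` unconditionally, which shadows the `CI_RG ?=` / `USER_IDENTITY ?= $(addsuffix $(RANDOM_SUFFIX),$(CI_RG))` defaults the Makefile hunk in this commit keeps, so a value a developer passes on the command line still takes effect for the rest of the build but is silently ignored by the e2e run. If that is the intent, say so next to the lines, e.g. `# e2e always targets the shared capz-ci resource group and its user-assigned identity, overriding CI_RG/USER_IDENTITY from the Makefile`; if not, something like `export CI_RG="$${CI_RG:-capz-ci}"` (and the same for USER_IDENTITY) keeps the override path open, which I can only suggest tentatively since how test/e2e consumes these variables is outside this hunk. The test-e2e-run recipe continues outside the hunk.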
@@ -587,9 +587,13 @@ metadata:
 namespace: default
 spec:
 allowedNamespaces: {}
- clientID: ${AZURE_CLIENT_ID_USER_ASSIGNED_IDENTITY}
+ clientID: ${AZURE_CLIENT_ID}
+ clientSecret:
+ name: ${AZURE_CLUSTER_IDENTITY_SECRET_NAME}
+ namespace: ${AZURE_CLUSTER_IDENTITY_SECRET_NAMESPACE}
+ tenantID: ${AZURE_TENANT_ID}
 tenantID: ${AZURE_TENANT_ID}
- type: WorkloadIdentity
+ type: ServicePrincipal
 ---
 apiVersion: addons.cluster.x-k8s.io/v1beta1
 kind: ClusterResourceSet
diff --git a/templates/test/dev/custom-builds/kustomization.yaml b/templates/test/dev/custom-builds/kustomization.yaml
index f9651b84640..f74cefaacde 100644
--- a/templates/test/dev/custom-builds/kustomization.yaml
+++ b/templates/test/dev/custom-builds/kustomization.yaml
@@ -52,6 +52,7 @@ patches:
 - path: ../../../test/ci/patches/windows-machine-deployment-replicas.yaml
 - path: ../../../test/ci/patches/metrics-server-enabled-cluster.yaml
 - path: ../../../test/ci/patches/controller-manager-featuregates.yaml
+- path: patches/azure-cluster-identity-user-assigned.yaml
 configMapGenerator:
 - behavior: merge
 files:
diff --git a/templates/test/dev/custom-builds/patches/azure-cluster-identity-user-assigned.yaml b/templates/test/dev/custom-builds/patches/azure-cluster-identity-user-assigned.yaml
new file mode 100644
index 00000000000..e279e978032
--- /dev/null
+++ b/templates/test/dev/custom-builds/patches/azure-cluster-identity-user-assigned.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+kind: AzureClusterIdentity
+metadata:
+ labels:
+ clusterctl.cluster.x-k8s.io/move-hierarchy: "true"
+ name: ${CLUSTER_IDENTITY_NAME}
+ namespace: default
+spec:
+ allowedNamespaces: {}
+ clientID: ${AZURE_CLIENT_ID}
+ clientSecret:
+ name: ${AZURE_CLUSTER_IDENTITY_SECRET_NAME}
+ namespace: ${AZURE_CLUSTER_IDENTITY_SECRET_NAMESPACE}
+ tenantID: ${AZURE_TENANT_ID}
+ type: ServicePrincipal
diff --git a/test/e2e/config/azure-dev.yaml b/test/e2e/config/azure-dev.yaml
index 0314dbc9eab..f7700df68a0 100644
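Review bot: The added `+  tenantID: ${AZURE_TENANT_ID}` sits directly above the unchanged context line `tenantID: ${AZURE_TENANT_ID}`, so the rendered AzureClusterIdentity spec carries the same key twice; strict YAML/JSON decoders reject duplicate mapping keys and lenient ones keep only one of them, so the added line should be dropped. If this file is generated from the custom-builds kustomization touched later in the commit, regenerating it rather than hand-editing would have avoided the duplicate, though I cannot see from the hunk whether that is how it is produced. The identity also now points at a Secret named `${AZURE_CLUSTER_IDENTITY_SECRET_NAME}`, which the Makefile hunk creates only when `AZURE_CLIENT_SECRET` and `AZURE_CLUSTER_IDENTITY_SECRET_NAME` are both set, so with either unset the template still renders a ServicePrincipal identity referencing a Secret that does not exist; failing early on the missing variables would surface that before the cluster silently fails to come up.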
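Review bot: The new entry registers `patches/azure-cluster-identity-user-assigned.yaml`, but the file added in the next hunk defines a `type: ServicePrincipal` identity with a `clientSecret`, not a user-assigned identity, so the name misdescribes the patch and will send the next reader looking for a workload-identity variant that is not there. Either rename the file and this path to something like `patches/azure-cluster-identity-service-principal.yaml`, or add a comment on this line explaining why the name was kept.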
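Review bot: The new patch file has no comment saying when it applies or which variables it requires, and its `allowedNamespaces: {}` is easy to misread: as far as I recall the CAPZ API, an empty object (unlike an omitted field) lets AzureClusters in any namespace use this identity, which for a client-secret-backed identity is a broader grant than a dev template may need, so it is worth confirming against the CAPZ API docs and recording the intent. A header along the lines of `# Overrides the AzureClusterIdentity in the custom-builds template with a ServicePrincipal identity; requires AZURE_CLIENT_ID, AZURE_TENANT_ID and the Secret named by AZURE_CLUSTER_IDENTITY_SECRET_NAME, which hack/create-identity-secret.sh creates` would tell a reader what must exist before this resource is applied.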
--- a/test/e2e/config/azure-dev.yaml
+++ b/test/e2e/config/azure-dev.yaml
@@ -214,7 +214,7 @@ variables:
 CONFORMANCE_IMAGE: "${CONFORMANCE_IMAGE:-}"
 CONFORMANCE_NODES: "${CONFORMANCE_NODES:-1}"
 IP_FAMILY: "IPv4"
- CLUSTER_IDENTITY_NAME: "cluster-identity-wi"
+ CLUSTER_IDENTITY_NAME: "cluster-identity-ci"
 ASO_CREDENTIAL_SECRET_NAME: "aso-credentials"
 ASO_CREDENTIAL_SECRET_MODE: workloadidentity
 NODE_DRAIN_TIMEOUT: "60s"