Merge pull request #2 from mihaiandreiratoiu/feature/fips-enable

Ops: Add FIPS option for azure machine
mihaiandreiratoiu · Jul 27, 2023 · 0d0d717 · 0d0d717
2 parents 4d95f09 + 80faefb
commit 0d0d717
Show file tree

Hide file tree

Showing 9 changed files with 56 additions and 1 deletion.
diff --git a/api/v1beta1/azuremanagedmachinepool_types.go b/api/v1beta1/azuremanagedmachinepool_types.go
@@ -510,6 +510,11 @@ type AzureManagedMachinePoolSpec struct {
 	// +optional
 	EnableNodePublicIP *bool `json:"enableNodePublicIP,omitempty"`
 
+	// EnableFIPS allows the ability to use FIPS enabled virtual machines.
+	// Immutable.
+	// +optional
+	EnableFIPS *bool `json:"enableFIPS,omitempty"`
+
 	// NodePublicIPPrefixID specifies the public IP prefix resource ID which VM nodes should use IPs from.
 	// Immutable.
 	// +optional

diff --git a/api/v1beta1/azuremanagedmachinepool_webhook.go b/api/v1beta1/azuremanagedmachinepool_webhook.go
@@ -235,6 +235,12 @@ func (mw *azureManagedMachinePoolWebhook) ValidateUpdate(ctx context.Context, ol
 		m.Spec.EnableNodePublicIP); err != nil {
 		allErrs = append(allErrs, err)
 	}
+	if err := webhookutils.ValidateImmutable(
+		field.NewPath("Spec", "EnableFIPS"),
+		old.Spec.EnableFIPS,
+		m.Spec.EnableFIPS); err != nil {
+		allErrs = append(allErrs, err)
+	}
 	if err := webhookutils.ValidateImmutable(
 		field.NewPath("Spec", "NodePublicIPPrefixID"),
 		old.Spec.NodePublicIPPrefixID,

diff --git a/api/v1beta1/azuremanagedmachinepool_webhook_test.go b/api/v1beta1/azuremanagedmachinepool_webhook_test.go
@@ -462,6 +462,34 @@ func TestAzureManagedMachinePoolUpdatingWebhook(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "Unexpected error, value EnableFIPS is unchanged",
+			new: &AzureManagedMachinePool{
+				Spec: AzureManagedMachinePoolSpec{
+					EnableFIPS: pointer.Bool(true),
+				},
+			},
+			old: &AzureManagedMachinePool{
+				Spec: AzureManagedMachinePoolSpec{
+					EnableFIPS: pointer.Bool(true),
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "EnableFIPS feature is immutable and currently enabled on this agentpool",
+			new: &AzureManagedMachinePool{
+				Spec: AzureManagedMachinePoolSpec{
+					EnableFIPS: pointer.Bool(false),
+				},
+			},
+			old: &AzureManagedMachinePool{
+				Spec: AzureManagedMachinePoolSpec{
+					EnableFIPS: pointer.Bool(true),
+				},
+			},
+			wantErr: true,
+		},
 		{
 			name: "NodeTaints are mutable",
 			new: &AzureManagedMachinePool{

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/azure/converters/managedagentpool.go b/azure/converters/managedagentpool.go
@@ -43,6 +43,7 @@ func AgentPoolToManagedClusterAgentPoolProfile(pool containerservice.AgentPool)
 		NodeLabels:           properties.NodeLabels,
 		EnableUltraSSD:       properties.EnableUltraSSD,
 		EnableNodePublicIP:   properties.EnableNodePublicIP,
+		EnableFIPS:           properties.EnableFIPS,
 		NodePublicIPPrefixID: properties.NodePublicIPPrefixID,
 		ScaleSetPriority:     properties.ScaleSetPriority,
 		ScaleDownMode:        properties.ScaleDownMode,

diff --git a/azure/scope/managedmachinepool.go b/azure/scope/managedmachinepool.go
@@ -187,6 +187,7 @@ func buildAgentPoolSpec(managedControlPlane *infrav1.AzureManagedControlPlane,
 		EnableUltraSSD:       managedMachinePool.Spec.EnableUltraSSD,
 		Headers:              maps.FilterByKeyPrefix(agentPoolAnnotations, infrav1.CustomHeaderPrefix),
 		EnableNodePublicIP:   managedMachinePool.Spec.EnableNodePublicIP,
+		EnableFIPS:           managedMachinePool.Spec.EnableFIPS,
 		NodePublicIPPrefixID: managedMachinePool.Spec.NodePublicIPPrefixID,
 		ScaleSetPriority:     managedMachinePool.Spec.ScaleSetPriority,
 		ScaleDownMode:        managedMachinePool.Spec.ScaleDownMode,

diff --git a/azure/services/agentpools/spec.go b/azure/services/agentpools/spec.go
@@ -124,6 +124,9 @@ type AgentPoolSpec struct {
 	// EnableNodePublicIP controls whether or not nodes in the agent pool each have a public IP address.
 	EnableNodePublicIP *bool `json:"enableNodePublicIP,omitempty"`
 
+	// EnableFIPS allows the ability to use FIPS enabled virtual machines.
+	EnableFIPS *bool `json:"EnableFIPS,omitempty"`
+
 	// NodePublicIPPrefixID specifies the public IP prefix resource ID which VM nodes should use IPs from.
 	NodePublicIPPrefixID *string `json:"nodePublicIPPrefixID,omitempty"`
 

diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedmachinepools.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedmachinepools.yaml
@@ -62,6 +62,10 @@ spec:
                 description: EnableNodePublicIP controls whether or not nodes in the
                   pool each have a public IP address. Immutable.
                 type: boolean
+              enableFIPS:
+                description: allows the ability to use FIPS enabled virtual machines.
+                  Immutable.
+                type: boolean
               enableUltraSSD:
                 description: EnableUltraSSD enables the storage type UltraSSD_LRS
                   for the agent pool. Immutable.

diff --git a/templates/test/ci/cluster-template-prow-aks.yaml b/templates/test/ci/cluster-template-prow-aks.yaml