diff --git a/pkg/cluster/cluster.go b/pkg/cluster/cluster.go
index af378b980bd..a9f4931a698 100644
--- a/pkg/cluster/cluster.go
+++ b/pkg/cluster/cluster.go
@@ -137,6 +137,7 @@ type manager struct {
 openShiftClusterDocumentVersioner openShiftClusterDocumentVersioner
 platformWorkloadIdentityRolesByVersion platformworkloadidentity.PlatformWorkloadIdentityRolesByVersion
+ platformWorkloadIdentities map[string]api.PlatformWorkloadIdentity
 }
 // New returns a cluster manager
diff --git a/pkg/cluster/install.go b/pkg/cluster/install.go
index 23d3899a0fd..010f1fe1080 100644
--- a/pkg/cluster/install.go
+++ b/pkg/cluster/install.go
@@ -220,6 +220,7 @@ func (m *manager) Update(ctx context.Context) error {
 steps.Action(m.fixupClusterMsiTenantID),
 steps.Action(m.ensureClusterMsiCertificate),
 steps.Action(m.initializeClusterMsiClients),
+ steps.Action(m.platformWorkloadIdentityIDs),
 )
 }
@@ -228,7 +229,7 @@ func (m *manager) Update(ctx context.Context) error {
 if m.doc.OpenShiftCluster.UsesWorkloadIdentity() {
 s = append(s,
 steps.AuthorizationRetryingAction(m.fpAuthorizer, m.clusterIdentityIDs),
- steps.AuthorizationRetryingAction(m.fpAuthorizer, m.platformWorkloadIdentityIDs),
+ steps.AuthorizationRetryingAction(m.fpAuthorizer, m.persistPlatformWorkloadIdentityIDs),
 steps.Action(m.federateIdentityCredentials),
 )
 } else {
@@ -346,6 +347,7 @@ func (m *manager) bootstrap() []steps.Step {
 s = append(s,
 steps.Action(m.ensureClusterMsiCertificate),
 steps.Action(m.initializeClusterMsiClients),
+ steps.Action(m.platformWorkloadIdentityIDs),
 )
 }
@@ -354,7 +356,7 @@ func (m *manager) bootstrap() []steps.Step {
 if m.doc.OpenShiftCluster.UsesWorkloadIdentity() {
 s = append(s,
 steps.AuthorizationRetryingAction(m.fpAuthorizer, m.clusterIdentityIDs),
- steps.AuthorizationRetryingAction(m.fpAuthorizer, m.platformWorkloadIdentityIDs),
+ steps.AuthorizationRetryingAction(m.fpAuthorizer, m.persistPlatformWorkloadIdentityIDs),
 )
 } else {
 s = append(s,
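Review bot: In both `Update` and `bootstrap` the ARM lookup, `platformWorkloadIdentityIDs`, is appended as a plain `steps.Action`, while `steps.AuthorizationRetryingAction(m.fpAuthorizer, ...)` now wraps only `persistPlatformWorkloadIdentityIDs`, which per the platformworkloadidentities.go hunk does nothing but patch the cluster document. If the retrying wrapper exists to ride out RBAC-propagation or authorization failures from ARM, that protection has been moved off the one step that still calls ARM; consider `steps.AuthorizationRetryingAction(m.fpAuthorizer, m.platformWorkloadIdentityIDs)` on the two added lines and `steps.Action(m.persistPlatformWorkloadIdentityIDs)` for the database write. The condition guarding the block where `platformWorkloadIdentityIDs` is appended begins before each hunk, so whether it is the same `UsesWorkloadIdentity()` check that gates the persist step cannot be confirmed here; if the two ever diverge, the persist step writes a nil map (see the persist function). Both `Update` and `bootstrap` continue outside these hunks.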
diff --git a/pkg/cluster/platformworkloadidentities.go b/pkg/cluster/platformworkloadidentities.go
index 9adc2b9fb75..1d42ca951f3 100644
--- a/pkg/cluster/platformworkloadidentities.go
+++ b/pkg/cluster/platformworkloadidentities.go
@@ -7,26 +7,51 @@ import (
 "context"
 "fmt"
+ "github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
+ "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi"
+
 "github.com/Azure/ARO-RP/pkg/api"
- "github.com/Azure/ARO-RP/pkg/util/platformworkloadidentity"
 )
-func (m *manager) platformWorkloadIdentityIDs(ctx context.Context) error {
- var err error
+func (m *manager) persistPlatformWorkloadIdentityIDs(ctx context.Context) (err error) {
 if !m.doc.OpenShiftCluster.UsesWorkloadIdentity() {
- return fmt.Errorf("platformWorkloadIdentityIDs called for CSP cluster")
- }
-
- identities := m.doc.OpenShiftCluster.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities
- updatedIdentities, err := platformworkloadidentity.GetPlatformWorkloadIdentityIDs(ctx, identities, m.userAssignedIdentities)
- if err != nil {
- return err
+ return fmt.Errorf("persistPlatformWorkloadIdentityIDs called for CSP cluster")
 }
 m.doc, err = m.db.PatchWithLease(ctx, m.doc.Key, func(doc *api.OpenShiftClusterDocument) error {
- doc.OpenShiftCluster.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities = updatedIdentities
+ doc.OpenShiftCluster.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities = m.platformWorkloadIdentities
 return nil
 })
 return err
 }
+
+func (m *manager) platformWorkloadIdentityIDs(ctx context.Context) error {
+ if !m.doc.OpenShiftCluster.UsesWorkloadIdentity() {
+ return fmt.Errorf("platformWorkloadIdentityIDs called for CSP cluster")
+ }
+
+ identities := m.doc.OpenShiftCluster.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities
+ updatedIdentities := make(map[string]api.PlatformWorkloadIdentity, len(identities))
+
+ for operatorName, identity := range identities {
+ resourceId, err := arm.ParseResourceID(identity.ResourceID)
+ if err != nil {
+ return fmt.Errorf("platform workload identity '%s' invalid: %w", operatorName, err)
+ }
+
+ identityDetails, err := m.userAssignedIdentities.Get(ctx, 
resourceId.ResourceGroupName, resourceId.Name, &armmsi.UserAssignedIdentitiesClientGetOptions{})
+ if err != nil {
+ return fmt.Errorf("error occured when retrieving platform workload identity '%s' details: %w", operatorName, err)
+ }
+
+ updatedIdentities[operatorName] = api.PlatformWorkloadIdentity{
+ ResourceID: identity.ResourceID,
+ ClientID: *identityDetails.Properties.ClientID,
+ ObjectID: *identityDetails.Properties.PrincipalID,
+ }
+ }
+
+ m.platformWorkloadIdentities = updatedIdentities
+ return nil
+}
diff --git a/pkg/cluster/platformworkloadidentities_test.go b/pkg/cluster/platformworkloadidentities_test.go
index f6f0af178dd..413e6070a1e 100644
--- a/pkg/cluster/platformworkloadidentities_test.go
+++ b/pkg/cluster/platformworkloadidentities_test.go
@@ -186,6 +186,11 @@ func TestPlatformWorkloadIdentityIDs(t *testing.T) {
 err := m.platformWorkloadIdentityIDs(ctx)
 utilerror.AssertErrorMessage(t, err, tt.wantErr)
+ if err == nil {
+ err = m.persistPlatformWorkloadIdentityIDs(ctx)
+ utilerror.AssertErrorMessage(t, err, tt.wantErr)
+ }
+
 if tt.wantIdentities != nil {
 assert.Equal(t, *tt.wantIdentities, m.doc.OpenShiftCluster.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities)
 }
diff --git a/pkg/cluster/validate.go b/pkg/cluster/validate.go
index 2e4e7bb7dfd..4d0a41bca6c 100644
--- a/pkg/cluster/validate.go
+++ b/pkg/cluster/validate.go
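Review bot: `persistPlatformWorkloadIdentityIDs` writes `m.platformWorkloadIdentities` into the cluster document unconditionally, so if `platformWorkloadIdentityIDs` has not run on this manager instance (it is a separate step, ordered elsewhere) the patch replaces the customer-supplied identity resource IDs with a nil map; a guard before `PatchWithLease` turns that into a loud failure instead of silent data loss. In `platformWorkloadIdentityIDs`, `*identityDetails.Properties.ClientID` and `*identityDetails.Properties.PrincipalID` are dereferenced with no nil check; `Properties` and both fields are pointers in the armmsi SDK, so an incomplete response would panic the RP rather than fail the step with an error naming the operator. Separately, `Get` is called with only the resource group and name parsed from `identity.ResourceID`, so the subscription segment of the supplied ID is ignored in favour of whatever subscription the client was built with (if it is subscription-scoped, as armmsi clients normally are); comparing `resourceId.SubscriptionID` against the expected subscription would prevent persisting a ClientID/ObjectID that belongs to a different identity than the ResourceID names. Both functions are fully inside the hunk; the rewritten parts are below.
```go
func (m *manager) persistPlatformWorkloadIdentityIDs(ctx context.Context) (err error) {
	// … unchanged: CSP guard …
	if m.platformWorkloadIdentities == nil {
		return fmt.Errorf("platform workload identity IDs have not been resolved")
	}
	// … unchanged: PatchWithLease …
}

// … unchanged: platformWorkloadIdentityIDs prologue and ParseResourceID …
		identityDetails, err := m.userAssignedIdentities.Get(ctx, resourceId.ResourceGroupName, resourceId.Name, &armmsi.UserAssignedIdentitiesClientGetOptions{})
		if err != nil {
			return fmt.Errorf("error occured when retrieving platform workload identity '%s' details: %w", operatorName, err)
		}
		props := identityDetails.Properties
		if props == nil || props.ClientID == nil || props.PrincipalID == nil {
			return fmt.Errorf("platform workload identity '%s' response is missing client or principal ID", operatorName)
		}

		updatedIdentities[operatorName] = api.PlatformWorkloadIdentity{
			ResourceID: identity.ResourceID,
			ClientID:   *props.ClientID,
			ObjectID:   *props.PrincipalID,
		}
```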
@@ -16,6 +16,6 @@ func (m *manager) validateResources(ctx context.Context) error {
 clusterMSICredential = m.userAssignedIdentities.GetClusterMSICredential()
 }
 return validate.NewOpenShiftClusterDynamicValidator(
- m.log, m.env, m.doc.OpenShiftCluster, m.subscriptionDoc, m.fpAuthorizer, m.armRoleDefinitions, m.clusterMsiFederatedIdentityCredentials, m.userAssignedIdentities, m.platformWorkloadIdentityRolesByVersion, clusterMSICredential,
+ m.log, m.env, m.doc.OpenShiftCluster, m.subscriptionDoc, m.fpAuthorizer, m.armRoleDefinitions, m.clusterMsiFederatedIdentityCredentials, m.platformWorkloadIdentities, m.platformWorkloadIdentityRolesByVersion, clusterMSICredential,
 ).Dynamic(ctx)
 }
diff --git a/pkg/util/mocks/dynamic/dynamic.go b/pkg/util/mocks/dynamic/dynamic.go
index ad1e0b7478d..b12b2fef22c 100644
--- a/pkg/util/mocks/dynamic/dynamic.go
+++ b/pkg/util/mocks/dynamic/dynamic.go
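Review bot: `validateResources` now passes `m.platformWorkloadIdentities`, a field that is populated only by the `platformWorkloadIdentityIDs` step and never reloaded from the document, so this validation is correct only if that step is ordered ahead of it in every step list that reaches here (the ordering lives outside this hunk). If it has not run, the validator receives a nil map and the length check visible in the platformworkloadidentityprofile.go hunk reports an identity-mismatch 400 to the customer rather than the real cause. An explicit guard makes the dependency visible: `if m.doc.OpenShiftCluster.UsesWorkloadIdentity() && m.platformWorkloadIdentities == nil { return fmt.Errorf("platform workload identity IDs not resolved before validation") }` (add the import if validate.go lacks one). A comment on the new struct field in cluster.go, e.g. `// resolved by platformWorkloadIdentityIDs for this run; not persisted until persistPlatformWorkloadIdentityIDs`, would also help the next reader.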
@@ -139,17 +139,17 @@ func (mr *MockDynamicMockRecorder) ValidateLoadBalancerProfile(ctx, oc any) *gom
 }
 // ValidatePlatformWorkloadIdentityProfile mocks base method.
-func (m *MockDynamic) ValidatePlatformWorkloadIdentityProfile(ctx context.Context, oc *api.OpenShiftCluster, platformWorkloadIdentityRolesByRoleName map[string]api.PlatformWorkloadIdentityRole, roleDefinitions armauthorization.RoleDefinitionsClient, clusterMsiFederatedIdentityCredentials armmsi.FederatedIdentityCredentialsClient, userAssignedIdentityClient armmsi.UserAssignedIdentitiesClient) error {
+func (m *MockDynamic) ValidatePlatformWorkloadIdentityProfile(ctx context.Context, oc *api.OpenShiftCluster, platformWorkloadIdentityRolesByRoleName map[string]api.PlatformWorkloadIdentityRole, roleDefinitions armauthorization.RoleDefinitionsClient, clusterMsiFederatedIdentityCredentials armmsi.FederatedIdentityCredentialsClient, platformWorkloadIdentities map[string]api.PlatformWorkloadIdentity) error {
 m.ctrl.T.Helper()
- ret := m.ctrl.Call(m, "ValidatePlatformWorkloadIdentityProfile", ctx, oc, platformWorkloadIdentityRolesByRoleName, roleDefinitions, clusterMsiFederatedIdentityCredentials, userAssignedIdentityClient)
+ ret := m.ctrl.Call(m, "ValidatePlatformWorkloadIdentityProfile", ctx, oc, platformWorkloadIdentityRolesByRoleName, roleDefinitions, clusterMsiFederatedIdentityCredentials, platformWorkloadIdentities)
 ret0, _ := ret[0].(error)
 return ret0
 }
 // ValidatePlatformWorkloadIdentityProfile indicates an expected call of ValidatePlatformWorkloadIdentityProfile.
-func (mr *MockDynamicMockRecorder) ValidatePlatformWorkloadIdentityProfile(ctx, oc, platformWorkloadIdentityRolesByRoleName, roleDefinitions, clusterMsiFederatedIdentityCredentials, userAssignedIdentityClient any) *gomock.Call {
+func (mr *MockDynamicMockRecorder) ValidatePlatformWorkloadIdentityProfile(ctx, oc, platformWorkloadIdentityRolesByRoleName, roleDefinitions, clusterMsiFederatedIdentityCredentials, platformWorkloadIdentities any) *gomock.Call {
 mr.mock.ctrl.T.Helper()
- return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ValidatePlatformWorkloadIdentityProfile", reflect.TypeOf((*MockDynamic)(nil).ValidatePlatformWorkloadIdentityProfile), ctx, oc, platformWorkloadIdentityRolesByRoleName, roleDefinitions, clusterMsiFederatedIdentityCredentials, userAssignedIdentityClient)
+ return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ValidatePlatformWorkloadIdentityProfile", reflect.TypeOf((*MockDynamic)(nil).ValidatePlatformWorkloadIdentityProfile), ctx, oc, platformWorkloadIdentityRolesByRoleName, roleDefinitions, clusterMsiFederatedIdentityCredentials, platformWorkloadIdentities)
 }
 // ValidatePreConfiguredNSGs mocks base method.
diff --git a/pkg/util/platformworkloadidentity/platformworkloadidentities.go b/pkg/util/platformworkloadidentity/platformworkloadidentities.go
deleted file mode 100644
index d2ec9125fc7..00000000000
--- a/pkg/util/platformworkloadidentity/platformworkloadidentities.go
+++ /dev/null
@@ -1,39 +0,0 @@
-package platformworkloadidentity
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the Apache License 2.0.
-
-import (
- "context"
- "fmt"
-
- "github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
- sdkmsi "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi"
-
- "github.com/Azure/ARO-RP/pkg/api"
- "github.com/Azure/ARO-RP/pkg/util/azureclient/azuresdk/armmsi"
-)
-
-func GetPlatformWorkloadIdentityIDs(ctx context.Context, identities map[string]api.PlatformWorkloadIdentity, userAssignedIdentitiesClient armmsi.UserAssignedIdentitiesClient) (map[string]api.PlatformWorkloadIdentity, error) {
- updatedIdentities := make(map[string]api.PlatformWorkloadIdentity, len(identities))
-
- for operatorName, identity := range identities {
- resourceId, err := arm.ParseResourceID(identity.ResourceID)
- if err != nil {
- return nil, fmt.Errorf("platform workload identity '%s' invalid: %w", operatorName, err)
- }
-
- identityDetails, err := userAssignedIdentitiesClient.Get(ctx, resourceId.ResourceGroupName, resourceId.Name, &sdkmsi.UserAssignedIdentitiesClientGetOptions{})
- if err != nil {
- return nil, fmt.Errorf("error occured when retrieving platform workload identity '%s' details: %w", operatorName, err)
- }
-
- updatedIdentities[operatorName] = api.PlatformWorkloadIdentity{
- ResourceID: identity.ResourceID,
- ClientID: *identityDetails.Properties.ClientID,
- ObjectID: *identityDetails.Properties.PrincipalID,
- }
- }
-
- return updatedIdentities, nil
-}
diff --git a/pkg/validate/dynamic/dynamic.go b/pkg/validate/dynamic/dynamic.go
index aecf2f222f0..b9e57681a72 100644
--- a/pkg/validate/dynamic/dynamic.go
+++ b/pkg/validate/dynamic/dynamic.go
@@ -88,7 +88,7 @@ type Dynamic interface {
 platformWorkloadIdentityRolesByRoleName map[string]api.PlatformWorkloadIdentityRole,
 roleDefinitions armauthorization.RoleDefinitionsClient,
 clusterMsiFederatedIdentityCredentials armmsi.FederatedIdentityCredentialsClient,
- userAssignedIdentityClient armmsi.UserAssignedIdentitiesClient,
+ platformWorkloadIdentities map[string]api.PlatformWorkloadIdentity,
 ) error
 }
diff --git a/pkg/validate/dynamic/platformworkloadidentityprofile.go b/pkg/validate/dynamic/platformworkloadidentityprofile.go
index 9ba460d4c62..427319a6cc5 100644
--- a/pkg/validate/dynamic/platformworkloadidentityprofile.go
+++ b/pkg/validate/dynamic/platformworkloadidentityprofile.go
@@ -30,15 +30,12 @@ func (dv *dynamic) ValidatePlatformWorkloadIdentityProfile(
 platformWorkloadIdentityRolesByRoleName map[string]api.PlatformWorkloadIdentityRole,
 roleDefinitions armauthorization.RoleDefinitionsClient,
 clusterMsiFederatedIdentityCredentials armmsi.FederatedIdentityCredentialsClient,
- userAssignedIdentitiesClient armmsi.UserAssignedIdentitiesClient,
+ platformWorkloadIdentities map[string]api.PlatformWorkloadIdentity, // Platform Workload Identities with object and client IDs
 ) (err error) {
 dv.log.Print("ValidatePlatformWorkloadIdentityProfile")
 dv.platformIdentitiesActionsMap = map[string][]string{}
- dv.platformIdentities, err = platformworkloadidentity.GetPlatformWorkloadIdentityIDs(ctx, oc.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities, userAssignedIdentitiesClient)
- if err != nil {
- return err
- }
+ dv.platformIdentities = platformWorkloadIdentities
 // Check if any required platform identity is missing
 if len(dv.platformIdentities) != len(platformWorkloadIdentityRolesByRoleName) {
diff --git a/pkg/validate/dynamic/platformworkloadidentityprofile_test.go b/pkg/validate/dynamic/platformworkloadidentityprofile_test.go
index b2647345bb9..0b4b85c3bc2 100644
--- a/pkg/validate/dynamic/platformworkloadidentityprofile_test.go
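Review bot: `dv.platformIdentities = platformWorkloadIdentities` makes the validator trust the caller's map without checking that each entry actually carries resolved IDs; before this change the function fetched ClientID and ObjectID from ARM itself, so an entry with an empty ObjectID could not reach the permission checks that follow (outside this hunk), whereas now only the entry count is verified by the `len(...)` comparison. Consider rejecting incomplete entries right after the assignment, `for name, id := range platformWorkloadIdentities { if id.ObjectID == "" || id.ClientID == "" { return fmt.Errorf("platform workload identity '%s' has no resolved client or object ID", name) } }`, or the `api.NewCloudError` 400 form the surrounding file uses for customer-facing validation failures. The map is also stored by reference, so any later mutation by the caller changes the validator's state; if that matters, copy it (`maps.Clone`, if the module's Go version allows). The parameter list begins before the hunk and the function body continues past it.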
+++ b/pkg/validate/dynamic/platformworkloadidentityprofile_test.go @@ -313,19 +313,11 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) { platformIdentityRequiredPermissionsList := []string{"FakeAction1", "FakeAction2", "FakeDataAction1", "FakeDataAction2"} - userAssignedIdentityResponse := sdkmsi.UserAssignedIdentitiesClientGetResponse{ - Identity: sdkmsi.Identity{ - Properties: &sdkmsi.UserAssignedIdentityProperties{ - ClientID: pointerutils.ToPtr(dummyClientId), - PrincipalID: pointerutils.ToPtr(dummyObjectId), - }, - }, - } for _, tt := range []struct { name string platformIdentityRoles map[string]api.PlatformWorkloadIdentityRole oc *api.OpenShiftCluster - mocks func(*mock_armauthorization.MockRoleDefinitionsClient, *mock_armmsi.MockFederatedIdentityCredentialsClient, *mock_armmsi.MockUserAssignedIdentitiesClient) + mocks func(*mock_armauthorization.MockRoleDefinitionsClient, *mock_armmsi.MockFederatedIdentityCredentialsClient) wantPlatformIdentities map[string]api.PlatformWorkloadIdentity wantPlatformIdentitiesActionsMap map[string][]string wantErr string 
@@ -352,10 +344,9 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) { UserAssignedIdentities: clusterMSI, }, }, - mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient, userAssignedIdentities *mock_armmsi.MockUserAssignedIdentitiesClient) { + mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient) { roleDefinitions.EXPECT().GetByID(ctx, gomock.Any(), &sdkauthorization.RoleDefinitionsClientGetByIDOptions{}).AnyTimes().Return(platformIdentityRequiredPermissions, nil) federatedIdentityCredentials.EXPECT().List(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).AnyTimes().Return([]*sdkmsi.FederatedIdentityCredential{}, nil) - userAssignedIdentities.EXPECT().Get(ctx, resourceGroupName, gomock.Any(), &sdkmsi.UserAssignedIdentitiesClientGetOptions{}).AnyTimes().Return(userAssignedIdentityResponse, nil) }, wantPlatformIdentities: desiredPlatformWorkloadIdentities, wantPlatformIdentitiesActionsMap: map[string][]string{ 
@@ -384,7 +375,7 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) { UserAssignedIdentities: clusterMSI, }, }, - mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient, userAssignedIdentities *mock_armmsi.MockUserAssignedIdentitiesClient) { + mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient) { roleDefinitions.EXPECT().GetByID(ctx, gomock.Any(), &sdkauthorization.RoleDefinitionsClientGetByIDOptions{}).AnyTimes().Return(platformIdentityRequiredPermissions, nil) expectedPlatformIdentity1FederatedCredName := platformworkloadidentity.GetPlatformWorkloadIdentityFederatedCredName(clusterResourceId, platformIdentity1ResourceId, platformIdentity1SAName) @@ -400,7 +391,6 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) { }, }, }, nil) - userAssignedIdentities.EXPECT().Get(ctx, resourceGroupName, gomock.Any(), &sdkmsi.UserAssignedIdentitiesClientGetOptions{}).AnyTimes().Return(userAssignedIdentityResponse, nil) }, wantPlatformIdentities: desiredPlatformWorkloadIdentities, wantPlatformIdentitiesActionsMap: map[string][]string{ 
@@ -429,7 +419,7 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) { UserAssignedIdentities: clusterMSI, }, }, - mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient, userAssignedIdentities *mock_armmsi.MockUserAssignedIdentitiesClient) { + mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient) { roleDefinitions.EXPECT().GetByID(ctx, gomock.Any(), &sdkauthorization.RoleDefinitionsClientGetByIDOptions{}).AnyTimes().Return(platformIdentityRequiredPermissions, nil) expectedPlatformIdentity1FederatedCredName := platformworkloadidentity.GetPlatformWorkloadIdentityFederatedCredName(clusterResourceId, platformIdentity1ResourceId, platformIdentity1SAName) @@ -454,7 +444,6 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) { }, }, }, nil) - userAssignedIdentities.EXPECT().Get(ctx, resourceGroupName, gomock.Any(), &sdkmsi.UserAssignedIdentitiesClientGetOptions{}).AnyTimes().Return(userAssignedIdentityResponse, nil) }, wantPlatformIdentities: desiredPlatformWorkloadIdentities, wantPlatformIdentitiesActionsMap: map[string][]string{ 
@@ -480,10 +469,9 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) { UserAssignedIdentities: clusterMSI, }, }, - mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient, userAssignedIdentities *mock_armmsi.MockUserAssignedIdentitiesClient) { + mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient) { roleDefinitions.EXPECT().GetByID(ctx, gomock.Any(), &sdkauthorization.RoleDefinitionsClientGetByIDOptions{}).AnyTimes().Return(platformIdentityRequiredPermissions, nil) federatedIdentityCredentials.EXPECT().List(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).AnyTimes().Return([]*sdkmsi.FederatedIdentityCredential{}, nil) - userAssignedIdentities.EXPECT().Get(ctx, resourceGroupName, gomock.Any(), &sdkmsi.UserAssignedIdentitiesClientGetOptions{}).AnyTimes().Return(userAssignedIdentityResponse, nil) }, wantPlatformIdentities: desiredPlatformWorkloadIdentities, wantPlatformIdentitiesActionsMap: map[string][]string{ 
@@ -507,10 +495,9 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) { UserAssignedIdentities: clusterMSI, }, }, - mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient, userAssignedIdentities *mock_armmsi.MockUserAssignedIdentitiesClient) { + mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient) { roleDefinitions.EXPECT().GetByID(ctx, gomock.Any(), &sdkauthorization.RoleDefinitionsClientGetByIDOptions{}).AnyTimes().Return(platformIdentityRequiredPermissions, nil) federatedIdentityCredentials.EXPECT().List(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).AnyTimes().Return([]*sdkmsi.FederatedIdentityCredential{}, nil) - userAssignedIdentities.EXPECT().Get(ctx, resourceGroupName, gomock.Any(), &sdkmsi.UserAssignedIdentitiesClientGetOptions{}).AnyTimes().Return(userAssignedIdentityResponse, nil) }, wantPlatformIdentities: desiredPlatformWorkloadIdentities, wantPlatformIdentitiesActionsMap: map[string][]string{ 
@@ -539,11 +526,10 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) { UserAssignedIdentities: clusterMSI, }, }, - mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient, userAssignedIdentities *mock_armmsi.MockUserAssignedIdentitiesClient) { + mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient) { roleDefinitions.EXPECT().GetByID(ctx, gomock.Any(), &sdkauthorization.RoleDefinitionsClientGetByIDOptions{}).AnyTimes().Return(platformIdentityRequiredPermissions, nil) federatedIdentityCredentials.EXPECT().List(gomock.Any(), gomock.Eq(platformIdentity1ResourceId.ResourceGroup), gomock.Eq(platformIdentity1ResourceId.ResourceName), gomock.Any()). Return(nil, fmt.Errorf("something unexpected occurred")) - userAssignedIdentities.EXPECT().Get(ctx, resourceGroupName, gomock.Any(), &sdkmsi.UserAssignedIdentitiesClientGetOptions{}).AnyTimes().Return(userAssignedIdentityResponse, nil) }, wantErr: "something unexpected occurred", }, 
@@ -569,7 +555,7 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) { UserAssignedIdentities: clusterMSI, }, }, - mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient, userAssignedIdentities *mock_armmsi.MockUserAssignedIdentitiesClient) { + mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient) { roleDefinitions.EXPECT().GetByID(ctx, gomock.Any(), &sdkauthorization.RoleDefinitionsClientGetByIDOptions{}).AnyTimes().Return(platformIdentityRequiredPermissions, nil) federatedIdentityCredentials.EXPECT().List(gomock.Any(), gomock.Eq(platformIdentity1ResourceId.ResourceGroup), gomock.Eq(platformIdentity1ResourceId.ResourceName), gomock.Any()). Return([]*sdkmsi.FederatedIdentityCredential{ @@ -582,7 +568,6 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) { }, }, }, nil) - userAssignedIdentities.EXPECT().Get(ctx, resourceGroupName, gomock.Any(), &sdkmsi.UserAssignedIdentitiesClientGetOptions{}).AnyTimes().Return(userAssignedIdentityResponse, nil) }, wantErr: fmt.Sprintf( "400: %s: properties.platformWorkloadIdentityProfile.platformWorkloadIdentities.%s.resourceId: Unexpected federated credential '%s' found on platform workload identity '%s' used for role '%s'. Please ensure only federated credentials provisioned by the ARO service for this cluster are present.", 
@@ -615,7 +600,7 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) { UserAssignedIdentities: clusterMSI, }, }, - mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient, userAssignedIdentities *mock_armmsi.MockUserAssignedIdentitiesClient) { + mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient) { roleDefinitions.EXPECT().GetByID(ctx, gomock.Any(), &sdkauthorization.RoleDefinitionsClientGetByIDOptions{}).AnyTimes().Return(platformIdentityRequiredPermissions, nil) federatedIdentityCredentials.EXPECT().List(gomock.Any(), gomock.Eq(platformIdentity1ResourceId.ResourceGroup), gomock.Eq(platformIdentity1ResourceId.ResourceName), gomock.Any()). Return([]*sdkmsi.FederatedIdentityCredential{ @@ -628,7 +613,6 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) { }, }, }, nil) - userAssignedIdentities.EXPECT().Get(ctx, resourceGroupName, gomock.Any(), &sdkmsi.UserAssignedIdentitiesClientGetOptions{}).AnyTimes().Return(userAssignedIdentityResponse, nil) }, wantErr: fmt.Sprintf( "400: %s: properties.platformWorkloadIdentityProfile.platformWorkloadIdentities.%s.resourceId: Unexpected federated credential '%s' found on platform workload identity '%s' used for role '%s'. Please ensure only federated credentials provisioned by the ARO service for this cluster are present.", 
@@ -661,7 +645,7 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) { UserAssignedIdentities: clusterMSI, }, }, - mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient, userAssignedIdentities *mock_armmsi.MockUserAssignedIdentitiesClient) { + mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient) { roleDefinitions.EXPECT().GetByID(ctx, gomock.Any(), &sdkauthorization.RoleDefinitionsClientGetByIDOptions{}).AnyTimes().Return(platformIdentityRequiredPermissions, nil) federatedIdentityCredentials.EXPECT().List(gomock.Any(), gomock.Eq(platformIdentity1ResourceId.ResourceGroup), gomock.Eq(platformIdentity1ResourceId.ResourceName), gomock.Any()). Return([]*sdkmsi.FederatedIdentityCredential{ @@ -674,7 +658,6 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) { }, }, }, nil) - userAssignedIdentities.EXPECT().Get(ctx, resourceGroupName, gomock.Any(), &sdkmsi.UserAssignedIdentitiesClientGetOptions{}).AnyTimes().Return(userAssignedIdentityResponse, nil) }, wantErr: fmt.Sprintf( "400: %s: properties.platformWorkloadIdentityProfile.platformWorkloadIdentities.%s.resourceId: Unexpected federated credential '%s' found on platform workload identity '%s' used for role '%s'. Please ensure only federated credentials provisioned by the ARO service for this cluster are present.", 
@@ -707,7 +690,7 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) { UserAssignedIdentities: clusterMSI, }, }, - mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient, userAssignedIdentities *mock_armmsi.MockUserAssignedIdentitiesClient) { + mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient) { roleDefinitions.EXPECT().GetByID(ctx, gomock.Any(), &sdkauthorization.RoleDefinitionsClientGetByIDOptions{}).AnyTimes().Return(platformIdentityRequiredPermissions, nil) federatedIdentityCredentials.EXPECT().List(gomock.Any(), gomock.Eq(platformIdentity1ResourceId.ResourceGroup), gomock.Eq(platformIdentity1ResourceId.ResourceName), gomock.Any()). Return([]*sdkmsi.FederatedIdentityCredential{ @@ -720,7 +703,6 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) { }, }, }, nil) - userAssignedIdentities.EXPECT().Get(ctx, resourceGroupName, gomock.Any(), &sdkmsi.UserAssignedIdentitiesClientGetOptions{}).AnyTimes().Return(userAssignedIdentityResponse, nil) }, wantErr: fmt.Sprintf( "400: %s: properties.platformWorkloadIdentityProfile.platformWorkloadIdentities.%s.resourceId: Unexpected federated credential '%s' found on platform workload identity '%s' used for role '%s'. Please ensure only federated credentials provisioned by the ARO service for this cluster are present.", 
@@ -754,7 +736,7 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) { UserAssignedIdentities: clusterMSI, }, }, - mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient, userAssignedIdentities *mock_armmsi.MockUserAssignedIdentitiesClient) { + mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient) { roleDefinitions.EXPECT().GetByID(ctx, gomock.Any(), &sdkauthorization.RoleDefinitionsClientGetByIDOptions{}).AnyTimes().Return(platformIdentityRequiredPermissions, nil) federatedIdentityCredentials.EXPECT().List(gomock.Any(), gomock.Eq(platformIdentity1ResourceId.ResourceGroup), gomock.Eq(platformIdentity1ResourceId.ResourceName), gomock.Any()). @@ -768,7 +750,6 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) { }, }, }, nil) - userAssignedIdentities.EXPECT().Get(ctx, resourceGroupName, gomock.Any(), &sdkmsi.UserAssignedIdentitiesClientGetOptions{}).AnyTimes().Return(userAssignedIdentityResponse, nil) }, wantErr: fmt.Sprintf( "400: %s: properties.platformWorkloadIdentityProfile.platformWorkloadIdentities.%s.resourceId: Unexpected federated credential '%s' found on platform workload identity '%s' used for role '%s'. Please ensure this identity is only used for this cluster and does not have any existing federated identity credentials.", 
@@ -801,12 +782,11 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) { UserAssignedIdentities: clusterMSI, }, }, - mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient, userAssignedIdentities *mock_armmsi.MockUserAssignedIdentitiesClient) { + mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient) { roleDefinitions.EXPECT().GetByID(ctx, gomock.Any(), &sdkauthorization.RoleDefinitionsClientGetByIDOptions{}).AnyTimes().Return(platformIdentityRequiredPermissions, nil) federatedIdentityCredentials.EXPECT().List(gomock.Any(), gomock.Eq(platformIdentity1ResourceId.ResourceGroup), gomock.Eq(platformIdentity1ResourceId.ResourceName), gomock.Any()). Return([]*sdkmsi.FederatedIdentityCredential{nil}, nil) - userAssignedIdentities.EXPECT().Get(ctx, resourceGroupName, gomock.Any(), &sdkmsi.UserAssignedIdentitiesClientGetOptions{}).AnyTimes().Return(userAssignedIdentityResponse, nil) }, wantErr: "received invalid federated credential", }, 
@@ -832,7 +812,7 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) { UserAssignedIdentities: clusterMSI, }, }, - mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient, userAssignedIdentities *mock_armmsi.MockUserAssignedIdentitiesClient) { + mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient) { roleDefinitions.EXPECT().GetByID(ctx, gomock.Any(), &sdkauthorization.RoleDefinitionsClientGetByIDOptions{}).AnyTimes().Return(platformIdentityRequiredPermissions, nil) federatedIdentityCredentials.EXPECT().List(gomock.Any(), gomock.Eq(platformIdentity1ResourceId.ResourceGroup), gomock.Eq(platformIdentity1ResourceId.ResourceName), gomock.Any()). @@ -846,7 +826,6 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) { }, }, }, nil) - userAssignedIdentities.EXPECT().Get(ctx, resourceGroupName, gomock.Any(), &sdkmsi.UserAssignedIdentitiesClientGetOptions{}).AnyTimes().Return(userAssignedIdentityResponse, nil) }, wantErr: "received invalid federated credential", }, 
@@ -872,11 +851,10 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) { UserAssignedIdentities: clusterMSI, }, }, - mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient, userAssignedIdentities *mock_armmsi.MockUserAssignedIdentitiesClient) { + mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient) { roleDefinitions.EXPECT().GetByID(ctx, gomock.Any(), &sdkauthorization.RoleDefinitionsClientGetByIDOptions{}).AnyTimes().Return(platformIdentityRequiredPermissions, nil) federatedIdentityCredentials.EXPECT().List(gomock.Any(), gomock.Eq(platformIdentity1ResourceId.ResourceGroup), gomock.Eq(platformIdentity1ResourceId.ResourceName), gomock.Any()). Return([]*sdkmsi.FederatedIdentityCredential{{Name: &expectedPlatformIdentity1FederatedCredName}}, nil) - userAssignedIdentities.EXPECT().Get(ctx, resourceGroupName, gomock.Any(), &sdkmsi.UserAssignedIdentitiesClientGetOptions{}).AnyTimes().Return(userAssignedIdentityResponse, nil) }, wantErr: "received invalid federated credential", }, 
@@ -903,8 +881,7 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) {
UserAssignedIdentities: clusterMSI,
},
},
- mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient, userAssignedIdentities *mock_armmsi.MockUserAssignedIdentitiesClient) {
- userAssignedIdentities.EXPECT().Get(ctx, resourceGroupName, gomock.Any(), &sdkmsi.UserAssignedIdentitiesClientGetOptions{}).AnyTimes().Return(userAssignedIdentityResponse, nil)
+ mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient) {
},
wantErr: fmt.Sprintf("400: %s: properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities: There's a mismatch between the required and expected set of platform workload identities for the requested OpenShift minor version '%s or %s'. The required platform workload identities are '[Dummy3]'", api.CloudErrorCodePlatformWorkloadIdentityMismatch, "4.14", "4.15"),
},
@@ -931,8 +908,7 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) {
UserAssignedIdentities: clusterMSI,
},
},
- mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient, userAssignedIdentities *mock_armmsi.MockUserAssignedIdentitiesClient) {
- userAssignedIdentities.EXPECT().Get(ctx, resourceGroupName, gomock.Any(), &sdkmsi.UserAssignedIdentitiesClientGetOptions{}).AnyTimes().Return(userAssignedIdentityResponse, nil)
+ mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient) {
},
wantErr: fmt.Sprintf("400: %s: properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities: There's a mismatch between the required and expected set of platform workload identities for the requested OpenShift minor version '%s'. The required platform workload identities are '[Dummy3]'", api.CloudErrorCodePlatformWorkloadIdentityMismatch, "4.14"),
},
@@ -959,8 +935,7 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) {
UserAssignedIdentities: clusterMSI,
},
},
- mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient, userAssignedIdentities *mock_armmsi.MockUserAssignedIdentitiesClient) {
- userAssignedIdentities.EXPECT().Get(ctx, resourceGroupName, gomock.Any(), &sdkmsi.UserAssignedIdentitiesClientGetOptions{}).AnyTimes().Return(userAssignedIdentityResponse, nil)
+ mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient) {
},
wantErr: fmt.Sprintf("400: %s: properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities: There's a mismatch between the required and expected set of platform workload identities for the requested OpenShift minor version '%s'. The required platform workload identities are '[Dummy3]'", api.CloudErrorCodePlatformWorkloadIdentityMismatch, "4.14"),
},
@@ -982,8 +957,7 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) {
UserAssignedIdentities: clusterMSI,
},
},
- mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient, userAssignedIdentities *mock_armmsi.MockUserAssignedIdentitiesClient) {
- userAssignedIdentities.EXPECT().Get(ctx, resourceGroupName, gomock.Any(), &sdkmsi.UserAssignedIdentitiesClientGetOptions{}).AnyTimes().Return(userAssignedIdentityResponse, nil)
+ mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient) {
},
wantErr: fmt.Sprintf("400: %s: properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities: There's a mismatch between the required and expected set of platform workload identities for the requested OpenShift minor version '%s'. The required platform workload identities are '[Dummy1]'", api.CloudErrorCodePlatformWorkloadIdentityMismatch, "4.14"),
},
@@ -1012,8 +986,7 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) {
UserAssignedIdentities: clusterMSI,
},
},
- mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient, userAssignedIdentities *mock_armmsi.MockUserAssignedIdentitiesClient) {
- userAssignedIdentities.EXPECT().Get(ctx, resourceGroupName, gomock.Any(), &sdkmsi.UserAssignedIdentitiesClientGetOptions{}).AnyTimes().Return(userAssignedIdentityResponse, nil)
+ mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient) {
},
wantErr: fmt.Sprintf("400: %s: properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities: There's a mismatch between the required and expected set of platform workload identities for the requested OpenShift minor version '%s'. The required platform workload identities are '[Dummy1]'", api.CloudErrorCodePlatformWorkloadIdentityMismatch, "4.14"),
},
@@ -1035,10 +1008,9 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) {
UserAssignedIdentities: clusterMSI,
},
},
- mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient, userAssignedIdentities *mock_armmsi.MockUserAssignedIdentitiesClient) {
+ mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient) {
roleDefinitions.EXPECT().GetByID(ctx, gomock.Any(), &sdkauthorization.RoleDefinitionsClientGetByIDOptions{}).AnyTimes().Return(platformIdentityRequiredPermissions, errors.New("Generic Error"))
federatedIdentityCredentials.EXPECT().List(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).AnyTimes().Return([]*sdkmsi.FederatedIdentityCredential{}, nil)
- userAssignedIdentities.EXPECT().Get(ctx, resourceGroupName, gomock.Any(), &sdkmsi.UserAssignedIdentitiesClientGetOptions{}).AnyTimes().Return(userAssignedIdentityResponse, nil)
},
wantErr: "Generic Error",
},
@@ -1064,10 +1036,10 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) {
UserAssignedIdentities: clusterMSI,
},
},
- mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient, userAssignedIdentities *mock_armmsi.MockUserAssignedIdentitiesClient) {
+ mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient) {
roleDefinitions.EXPECT().GetByID(ctx, gomock.Any(), &sdkauthorization.RoleDefinitionsClientGetByIDOptions{}).AnyTimes().Return(platformIdentityRequiredPermissions, nil)
},
- wantErr: "platform workload identity 'Dummy1' invalid: invalid resource ID: resource id 'Invalid UUID' must start with '/'",
+ wantErr: "parsing failed for Invalid UUID. Invalid resource Id format",
},
{
name: "Fail - Getting Role Definition for Platform Identity Role returns error",
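Review bot: The new expected error `parsing failed for Invalid UUID. Invalid resource Id format` drops the operator name ('Dummy1') that the old message carried, so on a cluster with several platform workload identities the reporter cannot tell which entry is malformed. The production parse is not in this hunk, but since the validator is now handed a map keyed by operator name (see the updated call in the test harness), the parse failure can be wrapped with that key, e.g. `return fmt.Errorf("platform workload identity '%s' invalid: %w", operatorName, err)`, and this case should then expect the wrapped text. Keeping the identity name in the message also preserves the old behaviour that the previous `wantErr` was pinning.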
@@ -1087,36 +1059,12 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) { UserAssignedIdentities: clusterMSI, }, }, - mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient, userAssignedIdentities *mock_armmsi.MockUserAssignedIdentitiesClient) { + mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient) { roleDefinitions.EXPECT().GetByID(ctx, gomock.Any(), &sdkauthorization.RoleDefinitionsClientGetByIDOptions{}).AnyTimes().Return(platformIdentityRequiredPermissions, errors.New("Generic Error")) federatedIdentityCredentials.EXPECT().List(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).AnyTimes().Return([]*sdkmsi.FederatedIdentityCredential{}, nil) - userAssignedIdentities.EXPECT().Get(ctx, resourceGroupName, gomock.Any(), &sdkmsi.UserAssignedIdentitiesClientGetOptions{}).AnyTimes().Return(userAssignedIdentityResponse, nil) }, wantErr: "Generic Error", }, - { - name: "Fail - Getting User Assigned Identity for Platform Identity returns error", - platformIdentityRoles: validRolesForVersion, - oc: &api.OpenShiftCluster{ - ID: clusterID, - Properties: api.OpenShiftClusterProperties{ - PlatformWorkloadIdentityProfile: &api.PlatformWorkloadIdentityProfile{ - PlatformWorkloadIdentities: platformWorkloadIdentities, - }, - ClusterProfile: api.ClusterProfile{ - Version: openShiftVersion, - OIDCIssuer: pointerutils.ToPtr(api.OIDCIssuer(expectedOIDCIssuer)), - }, - }, - Identity: &api.ManagedServiceIdentity{ - UserAssignedIdentities: clusterMSI, - }, - }, - mocks: func(roleDefinitions *mock_armauthorization.MockRoleDefinitionsClient, federatedIdentityCredentials *mock_armmsi.MockFederatedIdentityCredentialsClient, userAssignedIdentities *mock_armmsi.MockUserAssignedIdentitiesClient) { - userAssignedIdentities.EXPECT().Get(ctx, resourceGroupName, 
gomock.Any(), &sdkmsi.UserAssignedIdentitiesClientGetOptions{}).AnyTimes().Return(userAssignedIdentityResponse, errors.New("Generic Error")) - }, - wantErr: "error occured when retrieving platform workload identity 'Dummy1' details: Generic Error", - }, } { t.Run(tt.name, func(t *testing.T) { controller := gomock.NewController(t) @@ -1125,7 +1073,6 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) { _env := mock_env.NewMockInterface(controller) roleDefinitions := mock_armauthorization.NewMockRoleDefinitionsClient(controller) federatedIdentityCredentials := mock_armmsi.NewMockFederatedIdentityCredentialsClient(controller) - userAssignedIdentitiesClient := mock_armmsi.NewMockUserAssignedIdentitiesClient(controller) dv := &dynamic{ env: _env, @@ -1134,10 +1081,21 @@ func TestValidatePlatformWorkloadIdentityProfile(t *testing.T) { } if tt.mocks != nil { - tt.mocks(roleDefinitions, federatedIdentityCredentials, userAssignedIdentitiesClient) + tt.mocks(roleDefinitions, federatedIdentityCredentials) + } + + pwis := tt.oc.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities + updatedIdentities := make(map[string]api.PlatformWorkloadIdentity, len(pwis)) + + for operatorName, pwi := range pwis { + updatedIdentities[operatorName] = api.PlatformWorkloadIdentity{ + ResourceID: pwi.ResourceID, + ClientID: dummyClientId, + ObjectID: dummyObjectId, + } } - err := dv.ValidatePlatformWorkloadIdentityProfile(ctx, tt.oc, tt.platformIdentityRoles, roleDefinitions, federatedIdentityCredentials, userAssignedIdentitiesClient) + err := dv.ValidatePlatformWorkloadIdentityProfile(ctx, tt.oc, tt.platformIdentityRoles, roleDefinitions, federatedIdentityCredentials, updatedIdentities) utilerror.AssertErrorMessage(t, err, tt.wantErr) if tt.wantPlatformIdentities != nil && !reflect.DeepEqual(tt.wantPlatformIdentities, dv.platformIdentities) { 
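Review bot: The harness derives `updatedIdentities` from the profile's own `PlatformWorkloadIdentities` and stamps every entry with the same `dummyClientId`/`dummyObjectId`, so the map passed to `ValidatePlatformWorkloadIdentityProfile` can never disagree with the document, and the 'Getting User Assigned Identity for Platform Identity returns error' case deleted earlier in this file was the only test of an identity that could not be resolved. Add a table case that hands the validator a map missing one declared operator (or a nil map) and asserts it returns an error rather than silently skipping that identity's role and federated-credential checks; the exact message is not visible here, so the author should confirm it. A short comment above the loop would also help a reader, e.g. `// Stand in for the caller's resolution step: the validator now receives ClientID/ObjectID pre-resolved instead of querying the MSI API.` The `t.Run` closure continues past the end of the hunk.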
diff --git a/pkg/validate/openshiftcluster_validatedynamic.go b/pkg/validate/openshiftcluster_validatedynamic.go index c2d40cb7679..f23f8156a78 100644 --- a/pkg/validate/openshiftcluster_validatedynamic.go +++ b/pkg/validate/openshiftcluster_validatedynamic.go @@ -40,7 +40,7 @@ func NewOpenShiftClusterDynamicValidator( fpAuthorizer autorest.Authorizer, roleDefinitions armauthorization.RoleDefinitionsClient, clusterMsiFederatedIdentityCredentials armmsi.FederatedIdentityCredentialsClient, - userAssignedIdentitiesClient armmsi.UserAssignedIdentitiesClient, + platformWorkloadIdentities map[string]api.PlatformWorkloadIdentity, platformWorkloadIdentityRolesByVersion platformworkloadidentity.PlatformWorkloadIdentityRolesByVersion, clusterMSICredential azcore.TokenCredential, ) OpenShiftClusterDynamicValidator { @@ -55,7 +55,7 @@ func NewOpenShiftClusterDynamicValidator( clusterMsiFederatedIdentityCredentials: clusterMsiFederatedIdentityCredentials, platformWorkloadIdentityRolesByVersion: platformWorkloadIdentityRolesByVersion, clusterMSICredential: clusterMSICredential, - userAssignedIdentitiesClient: userAssignedIdentitiesClient, + platformWorkloadIdentities: platformWorkloadIdentities, } } @@ -70,7 +70,7 @@ type openShiftClusterDynamicValidator struct { clusterMsiFederatedIdentityCredentials armmsi.FederatedIdentityCredentialsClient platformWorkloadIdentityRolesByVersion platformworkloadidentity.PlatformWorkloadIdentityRolesByVersion clusterMSICredential azcore.TokenCredential - userAssignedIdentitiesClient armmsi.UserAssignedIdentitiesClient + platformWorkloadIdentities map[string]api.PlatformWorkloadIdentity } // ensureAccessTokenClaims can detect an error when the service principal (fp, cluster sp) has accidentally deleted from 
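Review bot: The constructor stores the caller's `platformWorkloadIdentities` map by reference and nothing in these hunks checks it for nil or documents what it must contain, while the removed `userAssignedIdentitiesClient` means the validator can no longer look an identity up itself; a caller that builds the validator before the identities are resolved, or that mutates the map afterwards, silently changes what `Dynamic` validates. Document the precondition on the struct field, e.g. `// platformWorkloadIdentities maps operator name to the platform workload identity with ClientID and ObjectID already resolved by the caller; the validator does not query the MSI API itself, so this must be populated before Dynamic runs.` If the module already targets Go 1.21+, storing `maps.Clone(platformWorkloadIdentities)` would decouple the validator from later mutation by the caller; otherwise a manual copy loop does the same.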
@@ -223,7 +223,7 @@ func (dv *openShiftClusterDynamicValidator) Dynamic(ctx context.Context) error {
if err != nil {
return err
}
- err = spDynamic.ValidatePlatformWorkloadIdentityProfile(ctx, dv.oc, dv.platformWorkloadIdentityRolesByVersion.GetPlatformWorkloadIdentityRolesByRoleName(), dv.roleDefinitions, dv.clusterMsiFederatedIdentityCredentials, dv.userAssignedIdentitiesClient)
+ err = spDynamic.ValidatePlatformWorkloadIdentityProfile(ctx, dv.oc, dv.platformWorkloadIdentityRolesByVersion.GetPlatformWorkloadIdentityRolesByRoleName(), dv.roleDefinitions, dv.clusterMsiFederatedIdentityCredentials, dv.platformWorkloadIdentities)
if err != nil {
return err
}
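Review bot: `Dynamic` now passes `dv.platformWorkloadIdentities` straight into `ValidatePlatformWorkloadIdentityProfile` with no check that the map covers every identity declared in `dv.oc.Properties.PlatformWorkloadIdentityProfile`; if the validator iterates the map rather than the document, an empty or partial map (a caller that skipped the resolution step, or a resolution that dropped an entry) would shrink the set of role and federated-credential checks instead of failing. Fail closed before the call, for instance `if len(dv.platformWorkloadIdentities) == 0 { return fmt.Errorf("platform workload identities have not been resolved") }`, and have the validator report any document entry missing from the map by operator name. Whether the validator already does that is not visible in this diff. The enclosing `Dynamic` body starts and ends outside the hunk.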