46 changes: 46 additions & 0 deletions api/hypershift/v1beta1/azure.go
@@ -109,6 +109,52 @@ type AzureNodePoolPlatform struct {
// If not specified, then Boot diagnostics will be disabled.
// +optional
Diagnostics *Diagnostics `json:"diagnostics,omitempty"`

// imageRegistryCredentials specifies configuration for enabling kubelet's image credential
// provider to authenticate to Azure Container Registry (ACR) using a managed identity.
// When configured, worker nodes will use the acr-credential-provider plugin to obtain
// short-lived tokens for ACR image pulls instead of relying on static pull secrets.
// Changing this field will trigger a node rollout.
// When not configured, no additional image credential provider is set up and worker nodes
// use the default pull secret for image authentication.
// +optional
ImageRegistryCredentials AzureImageRegistryCredentials `json:"imageRegistryCredentials,omitzero"`
}

// AzureManagedIdentityResourceID is a full Azure resource ID for a user-assigned managed identity.
// The expected format is:
//
// /subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}
//
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=512
// +kubebuilder:validation:XValidation:rule="self.matches('^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\\\\.ManagedIdentity/userAssignedIdentities/[^/]+$')",message="must be a valid ARM resource ID for a user-assigned managed identity (e.g., /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{name})"
type AzureManagedIdentityResourceID string
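Review bot: the `imageRegistryCredentials` doc comment ("short-lived tokens for ACR image pulls instead of relying on static pull secrets") overstates what is replaced. Per the `AzureImageRegistryCredentials` comment further down, the provider is only matched against the `*.azurecr.*` hosts, so the cluster pull secret remains on every node and still serves every other registry; suggest "for ACR image pulls; images from other registries continue to use the pull secret" so an operator does not assume the static secret can be removed. Separately, the `XValidation` on the type only fixes the shape of the path: `[^/]+` admits any non-slash text for the subscription, resource group and identity name, so a typo in the GUID passes admission and only surfaces when the VMSS identity assignment fails during the rollout; a per-segment rule with a per-segment message makes that failure actionable at `kubectl apply` time.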

From another PR I reviewed recently that enforces this format, it looks like subscription ID and resource group can be further validated to be the correct format like:

```go
// +kubebuilder:validation:XValidation:rule="oldSelf.hasValue() && oldSelf.value() == self || size(self.split('/')) == 9 && self.split('/')[2].matches('^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$')",message="the subscriptionId in the imageID must be a valid UUID. It should be 5 groups of hyphen separated hexadecimal characters in the form 8-4-4-4-12",optionalOldSelf=true
// +kubebuilder:validation:XValidation:rule=`oldSelf.hasValue() && oldSelf.value() == self || size(self.split('/')) == 9 && self.split('/')[4].matches('^[a-zA-Z0-9_\\(\\)\\.-]{1,90}$')`,message="the resourceGroupName should be between 1 and 90 characters, consisting only of alphanumeric characters, hyphens, underscores, periods and parenthesis",optionalOldSelf=true
```

Reference: https://github.com/openshift/hypershift/pull/8106/changes#diff-11b7c56a5faf0c5e2154fc35474456e2aac1b6ea8e22e5bbda6c3a3996d91afaR143-R144
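The per-segment checks quoted in the comment above, carried into a Go parser as an added example (this is not code from the PR or from the hypershift repository). It runs the PR's shape-only regex next to the stricter segment rules so the gap between them is visible on a malformed subscription ID. The subscription and resource-group patterns are the ones from the comment; the identity-name rule (3-128 characters, alphanumerics, hyphen and underscore, starting with a letter or digit) is an assumption taken from Azure's naming rules for user-assigned identities, and the sample IDs are constructed placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// structuralRe mirrors the XValidation regex in the PR: it fixes the path shape and,
// like the CEL rule, accepts anything without a slash in the three variable segments.
var structuralRe = regexp.MustCompile(
	`^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.ManagedIdentity/userAssignedIdentities/[^/]+$`)

// Per-segment rules. subscriptionRe and resourceGroupRe are the patterns quoted in the
// review comment. identityNameRe is an assumption based on Azure's naming rules for
// userAssignedIdentities (3-128 chars, alphanumerics/hyphen/underscore, alnum first char).
var (
	subscriptionRe  = regexp.MustCompile(`^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$`)
	resourceGroupRe = regexp.MustCompile(`^[a-zA-Z0-9_().-]{1,90}$`)
	identityNameRe  = regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9_-]{2,127}$`)
)

// maxResourceIDLength matches the MaxLength marker on AzureManagedIdentityResourceID.
const maxResourceIDLength = 512

// ManagedIdentityID is the parsed form of a user-assigned managed identity resource ID.
type ManagedIdentityID struct {
	SubscriptionID string
	ResourceGroup  string
	Name           string
}

// MatchesStructuralRegex reports whether id passes the PR's shape-only check.
func MatchesStructuralRegex(id string) bool { return structuralRe.MatchString(id) }

// ParseManagedIdentityID validates every segment of id and returns its parts.
// Fixed segments are compared case-sensitively, exactly as the CEL rule does. ARM itself
// treats resource IDs case-insensitively, so switch the fixed-segment comparison to
// strings.EqualFold if IDs copied from API responses (which may differ in case) must be accepted.
func ParseManagedIdentityID(id string) (ManagedIdentityID, error) {
	if id == "" || len(id) > maxResourceIDLength {
		return ManagedIdentityID{}, fmt.Errorf("resource ID length must be 1-%d characters, got %d", maxResourceIDLength, len(id))
	}
	// "/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{name}"
	// splits into nine elements; the first is the empty string before the leading slash,
	// which is why the review comment's CEL rule checks size(self.split('/')) == 9.
	parts := strings.Split(id, "/")
	if len(parts) != 9 {
		return ManagedIdentityID{}, fmt.Errorf("expected 9 path segments, got %d", len(parts))
	}
	fixed := []struct {
		idx  int
		want string
	}{{0, ""}, {1, "subscriptions"}, {3, "resourceGroups"}, {5, "providers"}, {6, "Microsoft.ManagedIdentity"}, {7, "userAssignedIdentities"}}
	for _, f := range fixed {
		if parts[f.idx] != f.want {
			return ManagedIdentityID{}, fmt.Errorf("segment %d must be %q, got %q", f.idx, f.want, parts[f.idx])
		}
	}
	if !subscriptionRe.MatchString(parts[2]) {
		return ManagedIdentityID{}, errors.New("subscriptionId must be a UUID in 8-4-4-4-12 form")
	}
	if !resourceGroupRe.MatchString(parts[4]) {
		return ManagedIdentityID{}, errors.New("resourceGroupName must be 1-90 chars of letters, digits, '_', '(', ')', '.' or '-'")
	}
	if !identityNameRe.MatchString(parts[8]) {
		return ManagedIdentityID{}, errors.New("identityName must be 3-128 chars of letters, digits, '_' or '-' and start with a letter or digit")
	}
	return ManagedIdentityID{SubscriptionID: parts[2], ResourceGroup: parts[4], Name: parts[8]}, nil
}

func main() {
	// Constructed sample IDs; the GUID and names are placeholders, not real Azure resources.
	for _, id := range []string{
		"/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/my-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/acr-pull-identity",
		"/subscriptions/not-a-uuid/resourceGroups/my-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/acr-pull-identity",
		"/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/my-rg/providers/Microsoft.Compute/virtualMachines/vm0",
	} {
		_, err := ParseManagedIdentityID(id)
		fmt.Printf("structural=%v strict_err=%v\n", MatchesStructuralRegex(id), err)
	}
}
```

The second sample is the case the comment is about: it clears the shape-only regex because `not-a-uuid` contains no slash, and is only rejected by the per-segment rule, which is also the point at which the error message can say which segment is wrong.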


// UserAssignedManagedIdentity specifies a user-assigned managed identity for Azure resource
// authentication. The resourceID is required for VMSS identity attachment and is also used
// for the kubelet credential provider configuration.
type UserAssignedManagedIdentity struct {
// resourceID is the ARM resource ID of the user-assigned managed identity.
//
// Format: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}
Comment on lines +138 to +140

Fully document the length constraints as well please

//
// +required
ResourceID AzureManagedIdentityResourceID `json:"resourceID,omitempty"`
}

// AzureImageRegistryCredentials configures the kubelet credential provider for ACR
// authentication using a user-assigned managed identity on worker node VMs.
// The credential provider is configured with wildcard patterns covering all standard Azure
// Container Registry endpoints (*.azurecr.io, *.azurecr.cn, *.azurecr.de, *.azurecr.us).
// The identity must have the AcrPull role granted on the target ACR registry(ies).
type AzureImageRegistryCredentials struct {
// managedIdentity specifies the user-assigned managed identity that will be assigned to
// worker node VMs/VMSS. The credential provider plugin running on each node will use this
// identity to authenticate to ACR via the Azure Instance Metadata Service (IMDS).
//
// +required
ManagedIdentity UserAssignedManagedIdentity `json:"managedIdentity,omitzero"`
}

// AzureVMImage represents the different types of boot image sources that can be provided for an Azure VM.
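Review bot: the `AzureImageRegistryCredentials` comment says the identity "must have the AcrPull role"; it should say the identity should have only that role, and why. The `managedIdentity` comment explains that the plugin obtains tokens from the Azure Instance Metadata Service, and IMDS answers any process on the VM that can reach it, not just the kubelet, so whatever roles this identity holds are effectively available to every workload scheduled onto the pool unless IMDS access is otherwise restricted. A sentence such as "grant this identity AcrPull only; any other role on it is reachable by workloads on the nodes via IMDS" would steer operators toward a dedicated per-NodePool identity. Minor: "registry(ies)" reads better as "registries".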
32 changes: 32 additions & 0 deletions api/hypershift/v1beta1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

@@ -915,6 +915,40 @@ spec:
AzureMarketplace
rule: 'has(self.type) && self.type == ''AzureMarketplace''
? true : !has(self.azureMarketplace)'
imageRegistryCredentials:
description: |-
imageRegistryCredentials specifies configuration for enabling kubelet's image credential
provider to authenticate to Azure Container Registry (ACR) using a managed identity.
When configured, worker nodes will use the acr-credential-provider plugin to obtain
short-lived tokens for ACR image pulls instead of relying on static pull secrets.
Changing this field will trigger a node rollout.
When not configured, no additional image credential provider is set up and worker nodes
use the default pull secret for image authentication.
properties:
managedIdentity:
description: |-
managedIdentity specifies the user-assigned managed identity that will be assigned to
worker node VMs/VMSS. The credential provider plugin running on each node will use this
identity to authenticate to ACR via the Azure Instance Metadata Service (IMDS).
properties:
resourceID:
description: |-
resourceID is the ARM resource ID of the user-assigned managed identity.

Format: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}
maxLength: 512
minLength: 1
type: string
x-kubernetes-validations:
- message: must be a valid ARM resource ID for a user-assigned
managed identity (e.g., /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{name})
rule: self.matches('^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\\.ManagedIdentity/userAssignedIdentities/[^/]+$')
required:
- resourceID
type: object
required:
- managedIdentity
type: object
osDisk:
description: |-
osDisk provides configuration for the OS disk for the nodepool.
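Review bot: the generated `resourceID` description states the format but not the `minLength: 1` / `maxLength: 512` bounds that sit directly under it in the schema, so a user reading `kubectl explain` sees the regex message only after a failed apply. Since this manifest (and the two identical copies below) is generated, the fix is to add the length constraint to the `ResourceID` field comment in azure.go and regenerate rather than edit the YAML. The `minLength: 1` itself is redundant with the regex, which already requires at least one character in each segment, but it is harmless.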
@@ -915,6 +915,40 @@ spec:
AzureMarketplace
rule: 'has(self.type) && self.type == ''AzureMarketplace''
? true : !has(self.azureMarketplace)'
imageRegistryCredentials:
description: |-
imageRegistryCredentials specifies configuration for enabling kubelet's image credential
provider to authenticate to Azure Container Registry (ACR) using a managed identity.
When configured, worker nodes will use the acr-credential-provider plugin to obtain
short-lived tokens for ACR image pulls instead of relying on static pull secrets.
Changing this field will trigger a node rollout.
When not configured, no additional image credential provider is set up and worker nodes
use the default pull secret for image authentication.
properties:
managedIdentity:
description: |-
managedIdentity specifies the user-assigned managed identity that will be assigned to
worker node VMs/VMSS. The credential provider plugin running on each node will use this
identity to authenticate to ACR via the Azure Instance Metadata Service (IMDS).
properties:
resourceID:
description: |-
resourceID is the ARM resource ID of the user-assigned managed identity.

Format: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}
maxLength: 512
minLength: 1
type: string
x-kubernetes-validations:
- message: must be a valid ARM resource ID for a user-assigned
managed identity (e.g., /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{name})
rule: self.matches('^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\\.ManagedIdentity/userAssignedIdentities/[^/]+$')
required:
- resourceID
type: object
required:
- managedIdentity
type: object
osDisk:
description: |-
osDisk provides configuration for the OS disk for the nodepool.
@@ -915,6 +915,40 @@ spec:
AzureMarketplace
rule: 'has(self.type) && self.type == ''AzureMarketplace''
? true : !has(self.azureMarketplace)'
imageRegistryCredentials:
description: |-
imageRegistryCredentials specifies configuration for enabling kubelet's image credential
provider to authenticate to Azure Container Registry (ACR) using a managed identity.
When configured, worker nodes will use the acr-credential-provider plugin to obtain
short-lived tokens for ACR image pulls instead of relying on static pull secrets.
Changing this field will trigger a node rollout.
When not configured, no additional image credential provider is set up and worker nodes
use the default pull secret for image authentication.
properties:
managedIdentity:
description: |-
managedIdentity specifies the user-assigned managed identity that will be assigned to
worker node VMs/VMSS. The credential provider plugin running on each node will use this
identity to authenticate to ACR via the Azure Instance Metadata Service (IMDS).
properties:
resourceID:
description: |-
resourceID is the ARM resource ID of the user-assigned managed identity.

Format: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}
maxLength: 512
minLength: 1
type: string
x-kubernetes-validations:
- message: must be a valid ARM resource ID for a user-assigned
managed identity (e.g., /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{name})
rule: self.matches('^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\\.ManagedIdentity/userAssignedIdentities/[^/]+$')
required:
- resourceID
type: object
required:
- managedIdentity
type: object
osDisk:
description: |-
osDisk provides configuration for the OS disk for the nodepool.
