
Commit a91680a

authored
Merge pull request #5043 from jackfrancis/custom-builds-use-generated-identity
CI: use generated identity w/ storage privileges
2 parents a498485 + 080912a commit a91680a

14 files changed

+27
-25
lines changed

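--- a/hack/log/redact.sh
+++ b/hack/log/redact.sh
@@ -24,16 +24,8 @@ log_files=()
 while IFS='' read -r line; do log_files+=("$line"); done < <(find "${ARTIFACTS:-${PWD}/_artifacts}" -type f)
 redact_vars=(
 "${AZURE_CLIENT_ID:-}"
-"${AZURE_CLIENT_SECRET:-}"
-"${AZURE_SUBSCRIPTION_ID:-}"
-"${AZURE_TENANT_ID:-}"
 "${AZURE_JSON_B64:-}"
-"${AZURE_CLIENT_ID_USER_ASSIGNED_IDENTITY:-}"
-"$(echo -n "${AZURE_SUBSCRIPTION_ID:-}" | base64 | tr -d '\n')"
-"$(echo -n "${AZURE_TENANT_ID:-}" | base64 | tr -d '\n')"
-"$(echo -n "${AZURE_CLIENT_ID:-}" | base64 | tr -d '\n')"
 "$(echo -n "${AZURE_CLIENT_SECRET:-}" | base64 | tr -d '\n')"
-"$(echo -n "${AZURE_CLIENT_ID_USER_ASSIGNED_IDENTITY:-}" | base64 | tr -d '\n')"
 )
 
 for log_file in "${log_files[@]}"; do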

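--- a/scripts/kind-with-registry.sh
+++ b/scripts/kind-with-registry.sh
@@ -106,6 +106,10 @@ function checkAZWIENVPreReqsAndCreateFiles() {
 if ! az storage account show --name "${AZWI_STORAGE_ACCOUNT}" --resource-group "${AZWI_RESOURCE_GROUP}" > /dev/null 2>&1; then
 echo "Creating storage account '${AZWI_STORAGE_ACCOUNT}' in '${AZWI_RESOURCE_GROUP}'"
 az storage account create --resource-group "${AZWI_RESOURCE_GROUP}" --name "${AZWI_STORAGE_ACCOUNT}" --output none --only-show-errors --tags creationTimestamp="${TIMESTAMP}" jobName="${JOB_NAME}" buildProvenance="${BUILD_PROVENANCE}"
+until az storage account show --name "${AZWI_STORAGE_ACCOUNT}" --resource-group "${AZWI_RESOURCE_GROUP}" > /dev/null 2>&1; do
+sleep 5
+done
+echo "Configuring storage account '${AZWI_STORAGE_ACCOUNT}' as static website"
 az storage blob service-properties update --account-name "${AZWI_STORAGE_ACCOUNT}" --static-website
 fi
 
@@ -155,7 +159,13 @@ EOF
 AZURE_IDENTITY_ID_PRINCIPAL_ID=$(az identity show -n "${USER_IDENTITY}" -g "${AZWI_RESOURCE_GROUP}" --query principalId -o tsv)
 
 echo "${AZURE_IDENTITY_ID}" > "${AZURE_IDENTITY_ID_FILEPATH}"
-until az role assignment create --assignee-object-id "${AZURE_IDENTITY_ID_PRINCIPAL_ID}" --role "Owner" --scope "/subscriptions/${AZURE_SUBSCRIPTION_ID}" --assignee-principal-type ServicePrincipal --output none --only-show-errors; do
+until az role assignment create --assignee-object-id "${AZURE_IDENTITY_ID_PRINCIPAL_ID}" --role "Owner" --scope "/subscriptions/${AZURE_SUBSCRIPTION_ID}" --assignee-principal-type ServicePrincipal; do
+sleep 5
+done
+until az role assignment create --assignee-object-id "${AZURE_IDENTITY_ID_PRINCIPAL_ID}" --role "Storage Account Contributor" --scope "/subscriptions/${AZURE_SUBSCRIPTION_ID}" --assignee-principal-type ServicePrincipal; do
+sleep 5
+done
+until az role assignment create --assignee-object-id "${AZURE_IDENTITY_ID_PRINCIPAL_ID}" --role "Storage Blob Data Owner" --scope "/subscriptions/${AZURE_SUBSCRIPTION_ID}" --assignee-principal-type ServicePrincipal; do
 sleep 5
 done
 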
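Review bot: The two new role assignments on new lines 165 and 168 grant Storage Account Contributor and Storage Blob Data Owner over the entire subscription, although the identity only needs to reach the `${AZWI_STORAGE_ACCOUNT}` account created in the first hunk; scoping them to that resource, `--scope "/subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${AZWI_RESOURCE_GROUP}/providers/Microsoft.Storage/storageAccounts/${AZWI_STORAGE_ACCOUNT}"`, keeps the generated identity at least privilege, and with Owner already held at subscription scope the Storage Account Contributor assignment appears redundant. The rewritten Owner line on new line 162 also drops `--output none --only-show-errors`, so each `az role assignment create` now prints the full assignment record, including the subscription id and principal id, into the CI log; if that output is not wanted for debugging, restore the two flags on all three `until` lines. This matters more because hack/log/redact.sh in the same commit removes `AZURE_SUBSCRIPTION_ID` from the redaction list, so those ids would reach the archived artifacts unredacted. The surrounding function is not visible in the hunk, so whether the script exits on a permanently failing assignment cannot be told from here.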
templates/test/ci/cluster-template-prow-ci-version-dual-stack.yaml

Lines changed: 1 addition & 1 deletion

templates/test/ci/cluster-template-prow-ci-version-ipv6.yaml

Lines changed: 1 addition & 1 deletion

templates/test/ci/cluster-template-prow-ci-version.yaml

Lines changed: 2 additions & 2 deletions

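--- a/templates/test/ci/prow-ci-version/patches/machine-deployment-ci-version-control-plane.yaml
+++ b/templates/test/ci/prow-ci-version/patches/machine-deployment-ci-version-control-plane.yaml
@@ -22,5 +22,5 @@ spec:
 osType: Linux
 sshPublicKey: ${AZURE_SSH_PUBLIC_KEY_B64:=""}
 userAssignedIdentities:
-- providerID: /subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/capz-ci/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cloud-provider-user-identity
+- providerID: /subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${CI_RG}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${USER_IDENTITY}
 vmSize: ${AZURE_CONTROL_PLANE_MACHINE_TYPE}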
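Review bot: The providerID on new line 25 now depends on `CI_RG` and `USER_IDENTITY` being present in the environment the template is rendered from, and unlike `sshPublicKey` on line 24 there is no default or guard, so an unset variable would yield a provider id with an empty path segment rather than a clear error at render time. The same substitution is made in machine-deployment-ci-version-windows.yaml (line 18), machine-deployment-pr-version-windows.yaml (line 11) and machine-deployment-pr-version.yaml (lines 10 and 29). Whether the renderer rejects unset variables cannot be told from here; if it does not, a short comment above the list, `# CI_RG and USER_IDENTITY must be exported by the CI setup before rendering`, would at least make the new requirement visible to anyone using the template outside CI.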

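--- a/templates/test/ci/prow-ci-version/patches/machine-deployment-ci-version-windows.yaml
+++ b/templates/test/ci/prow-ci-version/patches/machine-deployment-ci-version-windows.yaml
@@ -15,4 +15,4 @@ spec:
 version: "latest"
 identity: UserAssigned
 userAssignedIdentities:
-- providerID: /subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/capz-ci/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cloud-provider-user-identity
+- providerID: /subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${CI_RG}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${USER_IDENTITY}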

templates/test/dev/cluster-template-custom-builds.yaml

Lines changed: 3 additions & 3 deletions

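--- a/templates/test/dev/custom-builds/patches/machine-deployment-pr-version-windows.yaml
+++ b/templates/test/dev/custom-builds/patches/machine-deployment-pr-version-windows.yaml
@@ -8,7 +8,7 @@ spec:
 spec:
 identity: UserAssigned
 userAssignedIdentities:
-- providerID: /subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/capz-ci/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cloud-provider-user-identity
+- providerID: /subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${CI_RG}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${USER_IDENTITY}
 image:
 # we use the latest image as a workaround there is no published marketplace image for k8s CI versions.
 # latest binaries and images will get replaced to the desired version by the script above.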

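--- a/templates/test/dev/custom-builds/patches/machine-deployment-pr-version.yaml
+++ b/templates/test/dev/custom-builds/patches/machine-deployment-pr-version.yaml
@@ -7,7 +7,7 @@ spec:
 spec:
 identity: UserAssigned
 userAssignedIdentities:
-- providerID: /subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/capz-ci/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cloud-provider-user-identity
+- providerID: /subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${CI_RG}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${USER_IDENTITY}
 image:
 # we use the latest image as a workaround there is no published marketplace image for k8s CI versions.
 # latest binaries and images will get replaced to the desired version by the script above.
@@ -26,7 +26,7 @@ spec:
 spec:
 identity: UserAssigned
 userAssignedIdentities:
-- providerID: /subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/capz-ci/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cloud-provider-user-identity
+- providerID: /subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${CI_RG}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${USER_IDENTITY}
 image:
 # we use the latest image as a workaround there is no published marketplace image for k8s CI versions.
 # latest binaries and images will get replaced to the desired version by the script above.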
