ARO-4376 use dbPlatformWorkloadIdentityRoleSets to get platform ident…

…ity roles for cluster version

cmd/aro/rp.go

@@ -181,7 +181,7 @@ func rp(ctx context.Context, log, audit *logrus.Entry) error {
 		return err
 	}
 
-	b, err := backend.NewBackend(ctx, log.WithField("component", "backend"), _env, dbAsyncOperations, dbBilling, dbGateway, dbOpenShiftClusters, dbSubscriptions, dbOpenShiftVersions, aead, metrics)
+	b, err := backend.NewBackend(ctx, log.WithField("component", "backend"), _env, dbAsyncOperations, dbBilling, dbGateway, dbOpenShiftClusters, dbSubscriptions, dbOpenShiftVersions, dbPlatformWorkloadIdentityRoleSets, aead, metrics)
 	if err != nil {
 		return err
 	}

pkg/backend/backend.go

@@ -28,12 +28,13 @@ type backend struct {
 	baseLog *logrus.Entry
 	env     env.Interface
 
-	dbAsyncOperations   database.AsyncOperations
-	dbBilling           database.Billing
-	dbGateway           database.Gateway
-	dbOpenShiftClusters database.OpenShiftClusters
-	dbSubscriptions     database.Subscriptions
-	dbOpenShiftVersions database.OpenShiftVersions
+	dbAsyncOperations                  database.AsyncOperations
+	dbBilling                          database.Billing
+	dbGateway                          database.Gateway
+	dbOpenShiftClusters                database.OpenShiftClusters
+	dbSubscriptions                    database.Subscriptions
+	dbOpenShiftVersions                database.OpenShiftVersions
+	dbPlatformWorkloadIdentityRoleSets database.PlatformWorkloadIdentityRoleSets
 
 	aead    encryption.AEAD
 	m       metrics.Emitter
@@ -54,8 +55,8 @@ type Runnable interface {
 }
 
 // NewBackend returns a new runnable backend
-func NewBackend(ctx context.Context, log *logrus.Entry, env env.Interface, dbAsyncOperations database.AsyncOperations, dbBilling database.Billing, dbGateway database.Gateway, dbOpenShiftClusters database.OpenShiftClusters, dbSubscriptions database.Subscriptions, dbOpenShiftVersions database.OpenShiftVersions, aead encryption.AEAD, m metrics.Emitter) (Runnable, error) {
-	b, err := newBackend(ctx, log, env, dbAsyncOperations, dbBilling, dbGateway, dbOpenShiftClusters, dbSubscriptions, dbOpenShiftVersions, aead, m)
+func NewBackend(ctx context.Context, log *logrus.Entry, env env.Interface, dbAsyncOperations database.AsyncOperations, dbBilling database.Billing, dbGateway database.Gateway, dbOpenShiftClusters database.OpenShiftClusters, dbSubscriptions database.Subscriptions, dbOpenShiftVersions database.OpenShiftVersions, dbPlatformWorkloadIdentityRoleSets database.PlatformWorkloadIdentityRoleSets, aead encryption.AEAD, m metrics.Emitter) (Runnable, error) {
+	b, err := newBackend(ctx, log, env, dbAsyncOperations, dbBilling, dbGateway, dbOpenShiftClusters, dbSubscriptions, dbOpenShiftVersions, dbPlatformWorkloadIdentityRoleSets, aead, m)
 	if err != nil {
 		return nil, err
 	}
@@ -65,7 +66,7 @@ func NewBackend(ctx context.Context, log *logrus.Entry, env env.Interface, dbAsy
 	return b, nil
 }
 
-func newBackend(ctx context.Context, log *logrus.Entry, env env.Interface, dbAsyncOperations database.AsyncOperations, dbBilling database.Billing, dbGateway database.Gateway, dbOpenShiftClusters database.OpenShiftClusters, dbSubscriptions database.Subscriptions, dbOpenShiftVersions database.OpenShiftVersions, aead encryption.AEAD, m metrics.Emitter) (*backend, error) {
+func newBackend(ctx context.Context, log *logrus.Entry, env env.Interface, dbAsyncOperations database.AsyncOperations, dbBilling database.Billing, dbGateway database.Gateway, dbOpenShiftClusters database.OpenShiftClusters, dbSubscriptions database.Subscriptions, dbOpenShiftVersions database.OpenShiftVersions, dbPlatformWorkloadIdentityRoleSets database.PlatformWorkloadIdentityRoleSets, aead encryption.AEAD, m metrics.Emitter) (*backend, error) {
 	billing, err := billing.NewManager(env, dbBilling, dbSubscriptions, log)
 	if err != nil {
 		return nil, err
@@ -75,12 +76,13 @@ func newBackend(ctx context.Context, log *logrus.Entry, env env.Interface, dbAsy
 		baseLog: log,
 		env:     env,
 
-		dbAsyncOperations:   dbAsyncOperations,
-		dbBilling:           dbBilling,
-		dbGateway:           dbGateway,
-		dbOpenShiftClusters: dbOpenShiftClusters,
-		dbSubscriptions:     dbSubscriptions,
-		dbOpenShiftVersions: dbOpenShiftVersions,
+		dbAsyncOperations:                  dbAsyncOperations,
+		dbBilling:                          dbBilling,
+		dbGateway:                          dbGateway,
+		dbOpenShiftClusters:                dbOpenShiftClusters,
+		dbSubscriptions:                    dbSubscriptions,
+		dbOpenShiftVersions:                dbOpenShiftVersions,
+		dbPlatformWorkloadIdentityRoleSets: dbPlatformWorkloadIdentityRoleSets,
 
 		billing: billing,
 		aead:    aead,

pkg/backend/openshiftcluster.go

@@ -30,7 +30,7 @@ import (
 type openShiftClusterBackend struct {
 	*backend
 
-	newManager func(context.Context, *logrus.Entry, env.Interface, database.OpenShiftClusters, database.Gateway, database.OpenShiftVersions, encryption.AEAD, billing.Manager, *api.OpenShiftClusterDocument, *api.SubscriptionDocument, hive.ClusterManager, metrics.Emitter) (cluster.Interface, error)
+	newManager func(context.Context, *logrus.Entry, env.Interface, database.OpenShiftClusters, database.Gateway, database.OpenShiftVersions, database.PlatformWorkloadIdentityRoleSets, encryption.AEAD, billing.Manager, *api.OpenShiftClusterDocument, *api.SubscriptionDocument, hive.ClusterManager, metrics.Emitter) (cluster.Interface, error)
 }
 
 func newOpenShiftClusterBackend(b *backend) *openShiftClusterBackend {
@@ -129,7 +129,7 @@ func (ocb *openShiftClusterBackend) handle(ctx context.Context, log *logrus.Entr
 		}
 	}
 
-	m, err := ocb.newManager(ctx, log, ocb.env, ocb.dbOpenShiftClusters, ocb.dbGateway, ocb.dbOpenShiftVersions, ocb.aead, ocb.billing, doc, subscriptionDoc, hr, ocb.m)
+	m, err := ocb.newManager(ctx, log, ocb.env, ocb.dbOpenShiftClusters, ocb.dbGateway, ocb.dbOpenShiftVersions, ocb.dbPlatformWorkloadIdentityRoleSets, ocb.aead, ocb.billing, doc, subscriptionDoc, hr, ocb.m)
 	if err != nil {
 		return ocb.endLease(ctx, log, stop, doc, api.ProvisioningStateFailed, err)
 	}

pkg/backend/openshiftcluster_test.go

@@ -302,6 +302,7 @@ func TestBackendTry(t *testing.T) {
 			dbSubscriptions, _ := testdatabase.NewFakeSubscriptions()
 			uuidGen := deterministicuuid.NewTestUUIDGenerator(deterministicuuid.OPENSHIFT_VERSIONS)
 			dbOpenShiftVersions, _ := testdatabase.NewFakeOpenShiftVersions(uuidGen)
+			dbPlatformWorkloadIdentityRoleSets, _ := testdatabase.NewFakePlatformWorkloadIdentityRoleSets(uuidGen)
 
 			f := testdatabase.NewFixture().WithOpenShiftClusters(dbOpenShiftClusters).WithSubscriptions(dbSubscriptions)
 			tt.mocks(manager, dbOpenShiftClusters)
@@ -311,11 +312,11 @@ func TestBackendTry(t *testing.T) {
 				t.Fatal(err)
 			}
 
-			createManager := func(context.Context, *logrus.Entry, env.Interface, database.OpenShiftClusters, database.Gateway, database.OpenShiftVersions, encryption.AEAD, billing.Manager, *api.OpenShiftClusterDocument, *api.SubscriptionDocument, hive.ClusterManager, metrics.Emitter) (cluster.Interface, error) {
+			createManager := func(context.Context, *logrus.Entry, env.Interface, database.OpenShiftClusters, database.Gateway, database.OpenShiftVersions, database.PlatformWorkloadIdentityRoleSets, encryption.AEAD, billing.Manager, *api.OpenShiftClusterDocument, *api.SubscriptionDocument, hive.ClusterManager, metrics.Emitter) (cluster.Interface, error) {
 				return manager, nil
 			}
 
-			b, err := newBackend(ctx, log, _env, nil, nil, nil, dbOpenShiftClusters, dbSubscriptions, dbOpenShiftVersions, nil, &noop.Noop{})
+			b, err := newBackend(ctx, log, _env, nil, nil, nil, dbOpenShiftClusters, dbSubscriptions, dbOpenShiftVersions, dbPlatformWorkloadIdentityRoleSets, nil, &noop.Noop{})
 			if err != nil {
 				t.Fatal(err)
 			}

pkg/cluster/cluster.go

@@ -43,6 +43,7 @@ import (
 	"github.com/Azure/ARO-RP/pkg/util/dns"
 	"github.com/Azure/ARO-RP/pkg/util/encryption"
 	utilgraph "github.com/Azure/ARO-RP/pkg/util/graph"
+	"github.com/Azure/ARO-RP/pkg/util/platformworkloadidentity"
 	"github.com/Azure/ARO-RP/pkg/util/refreshable"
 	"github.com/Azure/ARO-RP/pkg/util/storage"
 	"github.com/Azure/ARO-RP/pkg/util/subnet"
@@ -119,10 +120,12 @@ type manager struct {
 	now func() time.Time
 
 	openShiftClusterDocumentVersioner openShiftClusterDocumentVersioner
+
+	platformWorkloadIdentityRolesByVersion platformworkloadidentity.PlatformWorkloadIdentityRolesByVersion
 }
 
 // New returns a cluster manager
-func New(ctx context.Context, log *logrus.Entry, _env env.Interface, db database.OpenShiftClusters, dbGateway database.Gateway, dbOpenShiftVersions database.OpenShiftVersions, aead encryption.AEAD,
+func New(ctx context.Context, log *logrus.Entry, _env env.Interface, db database.OpenShiftClusters, dbGateway database.Gateway, dbOpenShiftVersions database.OpenShiftVersions, dbPlatformWorkloadIdentityRoleSets database.PlatformWorkloadIdentityRoleSets, aead encryption.AEAD,
 	billing billing.Manager, doc *api.OpenShiftClusterDocument, subscriptionDoc *api.SubscriptionDocument, hiveClusterManager hive.ClusterManager, metricsEmitter metrics.Emitter,
 ) (Interface, error) {
 	r, err := azure.ParseResourceID(doc.OpenShiftCluster.ID)
@@ -185,6 +188,11 @@ func New(ctx context.Context, log *logrus.Entry, _env env.Interface, db database
 		return nil, err
 	}
 
+	platformWorkloadIdentityRolesByVersion, err := platformworkloadidentity.NewPlatformWorkloadIdentityRolesByVersion(ctx, doc.OpenShiftCluster, dbPlatformWorkloadIdentityRoleSets)
+	if err != nil {
+		return nil, err
+	}
+
 	return &manager{
 		log:                   log,
 		env:                   _env,
@@ -223,10 +231,11 @@ func New(ctx context.Context, log *logrus.Entry, _env env.Interface, db database
 		subnet:  subnet.NewManager(_env.Environment(), r.SubscriptionID, fpAuthorizer),
 		graph:   graph.NewManager(_env, log, aead, storage),
 
-		installViaHive:                    installViaHive,
-		adoptViaHive:                      adoptByHive,
-		hiveClusterManager:                hiveClusterManager,
-		now:                               func() time.Time { return time.Now() },
-		openShiftClusterDocumentVersioner: new(openShiftClusterDocumentVersionerService),
+		installViaHive:                         installViaHive,
+		adoptViaHive:                           adoptByHive,
+		hiveClusterManager:                     hiveClusterManager,
+		now:                                    func() time.Time { return time.Now() },
+		openShiftClusterDocumentVersioner:      new(openShiftClusterDocumentVersionerService),
+		platformWorkloadIdentityRolesByVersion: platformWorkloadIdentityRolesByVersion,
 	}, nil
 }

pkg/cluster/validate.go

@@ -11,7 +11,7 @@ import (
 
 func (m *manager) validateResources(ctx context.Context) error {
 	ocDynamicValidator := validate.NewOpenShiftClusterDynamicValidator(
-		m.log, m.env, m.doc.OpenShiftCluster, m.subscriptionDoc, m.fpAuthorizer,
+		m.log, m.env, m.doc.OpenShiftCluster, m.subscriptionDoc, m.fpAuthorizer, m.platformWorkloadIdentityRolesByVersion,
 	)
 	err := ocDynamicValidator.Dynamic(ctx)
 	if err != nil {

pkg/util/platformworkloadidentity/generate.go

@@ -0,0 +1,8 @@
+package platformworkloadidentity
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+//go:generate rm -rf ../mocks/$GOPACKAGE
+//go:generate go run ../../../vendor/github.com/golang/mock/mockgen -destination=../mocks/$GOPACKAGE/$GOPACKAGE.go github.com/Azure/ARO-RP/pkg/util/$GOPACKAGE PlatformWorkloadIdentityRolesByVersion
+//go:generate go run ../../../vendor/golang.org/x/tools/cmd/goimports -local=github.com/Azure/ARO-RP -e -w ../mocks/$GOPACKAGE/$GOPACKAGE.go

pkg/util/platformworkloadidentity/platformworkloadidentityrolesbyversion.go

@@ -0,0 +1,49 @@
+package platformworkloadidentity
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/Azure/ARO-RP/pkg/api"
+	"github.com/Azure/ARO-RP/pkg/database"
+)
+
+// PlatformWorkloadIdentityRolesByVersion is the interface that validates and obtains the version from an PlatformWorkloadIdentityRoleSetDocument.
+type PlatformWorkloadIdentityRolesByVersion interface {
+	GetPlatformWorkloadIdentityRoles() []api.PlatformWorkloadIdentityRole
+}
+
+// platformWorkloadIdentityRolesByVersionService is the default implementation of the PlatformWorkloadIdentityRolesByVersion interface.
+type platformWorkloadIdentityRolesByVersionService struct {
+	platformWorkloadIdentityRoles []api.PlatformWorkloadIdentityRole
+}
+
+func NewPlatformWorkloadIdentityRolesByVersion(ctx context.Context, oc *api.OpenShiftCluster, dbPlatformWorkloadIdentityRoleSets database.PlatformWorkloadIdentityRoleSets) (PlatformWorkloadIdentityRolesByVersion, error) {
+	if oc.Properties.PlatformWorkloadIdentityProfile == nil || oc.Properties.ServicePrincipalProfile != nil {
+		return nil, nil
+	}
+
+	requestedInstallVersion := oc.Properties.ClusterProfile.Version
+
+	docs, err := dbPlatformWorkloadIdentityRoleSets.ListAll(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, doc := range docs.PlatformWorkloadIdentityRoleSetDocuments {
+		if requestedInstallVersion == doc.PlatformWorkloadIdentityRoleSet.Properties.OpenShiftVersion {
+			return &platformWorkloadIdentityRolesByVersionService{
+				platformWorkloadIdentityRoles: doc.PlatformWorkloadIdentityRoleSet.Properties.PlatformWorkloadIdentityRoles,
+			}, nil
+		}
+	}
+
+	return nil, api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidParameter, "properties.clusterProfile.version", "No PlatformWorkloadIdentityRoleSet found for the requested OpenShift version '%s'.", requestedInstallVersion)
+}
+
+func (service *platformWorkloadIdentityRolesByVersionService) GetPlatformWorkloadIdentityRoles() []api.PlatformWorkloadIdentityRole {
+	return service.platformWorkloadIdentityRoles
+}

pkg/validate/openshiftcluster_validatedynamic.go

@@ -19,6 +19,7 @@ import (
 	"github.com/Azure/ARO-RP/pkg/api"
 	"github.com/Azure/ARO-RP/pkg/env"
 	"github.com/Azure/ARO-RP/pkg/util/azureclient/authz/remotepdp"
+	"github.com/Azure/ARO-RP/pkg/util/platformworkloadidentity"
 	"github.com/Azure/ARO-RP/pkg/validate/dynamic"
 )
 
@@ -34,24 +35,27 @@ func NewOpenShiftClusterDynamicValidator(
 	oc *api.OpenShiftCluster,
 	subscriptionDoc *api.SubscriptionDocument,
 	fpAuthorizer autorest.Authorizer,
+	platformWorkloadIdentityRolesByVersion platformworkloadidentity.PlatformWorkloadIdentityRolesByVersion,
 ) OpenShiftClusterDynamicValidator {
 	return &openShiftClusterDynamicValidator{
 		log: log,
 		env: env,
 
-		oc:              oc,
-		subscriptionDoc: subscriptionDoc,
-		fpAuthorizer:    fpAuthorizer,
+		oc:                                     oc,
+		subscriptionDoc:                        subscriptionDoc,
+		fpAuthorizer:                           fpAuthorizer,
+		platformWorkloadIdentityRolesByVersion: platformWorkloadIdentityRolesByVersion,
 	}
 }
 
 type openShiftClusterDynamicValidator struct {
 	log *logrus.Entry
 	env env.Interface
 
-	oc              *api.OpenShiftCluster
-	subscriptionDoc *api.SubscriptionDocument
-	fpAuthorizer    autorest.Authorizer
+	oc                                     *api.OpenShiftCluster
+	subscriptionDoc                        *api.SubscriptionDocument
+	fpAuthorizer                           autorest.Authorizer
+	platformWorkloadIdentityRolesByVersion platformworkloadidentity.PlatformWorkloadIdentityRolesByVersion
 }
 
 // ensureAccessTokenClaims can detect an error when the service principal (fp, cluster sp) has accidentally deleted from