Story
Resolution: Done
Installer Sprint 267
Issues:
When creating a cluster in an existing vnet with minimal permissions, the installer panics in the function that checks IP availability when creating a load balancer.
Slack discussion: https://redhat-internal.slack.com/archives/C01V1DP387R/p1738888488097589
Fix:
Identified that the permission 'Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read' is required for this scenario; update the prow step to add this permission.
This permission is only required when installing in an existing vnet, while the current implementation in the prow step (azure-provision-service-principal-minimal-permission) uses ENVs to control whether to apply related permissions (for example, env ENABLE_MIN_PERMISSION_FOR_MARKETPLACE controls marketplace image perms and env ENABLE_MIN_PERMISSION_FOR_DES controls disk encryption set perms). To avoid introducing more ENVs and complicating the code, change the step to read the install-config file directly.
So make the following enhancements in the prow steps.
- Split the "create custom role" function out of step azure-provision-service-principal-minimal-permission into a new step "azure-provision-custom-role", so that the new step can be reused in the test case "install cluster by using managed identity with minimal permissions" (only the custom role is required; no need to create a service principal).
- In the new step "azure-provision-custom-role", remove env ENABLE_MIN_PERMISSION_FOR_MARKETPLACE and ENABLE_MIN_PERMISSION_FOR_DES, and create the role with permissions based on the configuration in install-config.
- Add a new chain 'azure-provision-service-principal-minimal-permission' that includes the above two steps (create custom role and create service principal), and update all related workflows to use this new chain.
- With the change in step 2, we need to ensure install-config is customized with the expected configuration before running this step. Some existing steps do both provisioning and role assignment in the same script, so role assignment needs to be split out of the provision step and the order in the workflow changed:
current order: provision custom role and service principal -> provision resource and assign role -> customize install config
after change: resource provision -> customize install config -> provision custom role and service principal -> assign role
impacted steps:
- azure-provision-disk-encryption-set
- azure-provision-vnet
- ipi-conf-azure-resource-group
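
A sketch of the approach described for "azure-provision-custom-role": the role's actions are derived from install-config instead of ENV switches. This is an added example, not the prow step's own code. The function names, the two base actions (an illustrative subset, not the installer's full minimal list), the role name and the subscription id are assumptions, and awk over 2-space-indented YAML stands in for a real YAML parser.

```shell
#!/usr/bin/env bash
# Added example (not the prow step's code): pick role actions from install-config.
# Assumes installer-style YAML with 2-space indentation; awk stands in for a YAML parser.

# Illustrative subset only, NOT the installer's full minimal permission list.
BASE_ACTIONS="Microsoft.Network/virtualNetworks/read
Microsoft.Network/loadBalancers/write"
# Permission named in this story; needed only when installing into an existing vnet.
VNET_ACTION="Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read"

# Print platform.azure.virtualNetwork from the given install-config, or nothing if unset.
existing_vnet() {
  awk '
    /^platform:/                { p = 1; next }
    /^[^[:space:]#]/            { p = 0; a = 0 }
    p && /^  azure:/            { a = 1; next }
    p && /^  [^[:space:]#]/     { a = 0 }
    p && a && /^    virtualNetwork:/ {
      sub(/^    virtualNetwork:[[:space:]]*/, ""); print; exit
    }' "$1" | tr -d \"\'
}

# Emit the custom role's actions, one per line.
role_actions() {
  printf '%s\n' "$BASE_ACTIONS"
  if [ -n "$(existing_vnet "$1")" ]; then
    printf '%s\n' "$VNET_ACTION"
  fi
}

# Render a role definition for `az role definition create --role-definition`.
# Args: install-config path, role name, subscription id.
role_definition_json() {
  role_actions "$1" | awk -v name="$2" -v sub_id="$3" '
    { sep = (NR > 1 ? ", " : ""); list = list sep "\"" $0 "\"" }
    END {
      printf "{\"Name\": \"%s\", \"IsCustom\": true, \"Actions\": [%s], ", name, list
      printf "\"AssignableScopes\": [\"/subscriptions/%s\"]}\n", sub_id
    }'
}

# Constructed sample: install-config fragment for an existing-vnet install.
sample=$(mktemp)
printf 'platform:\n  azure:\n    region: centralus\n    virtualNetwork: my-vnet\n' > "$sample"
role_definition_json "$sample" ci-minimal-role 00000000-0000-0000-0000-000000000000
rm -f "$sample"
```

Because the vnet-only action is added only when install-config names an existing vnet, a role built for a fresh-vnet install stays narrower than one built for the existing-vnet case.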