api: Define OperatorsAuthentication model#950
api/redhatopenshift/HcpCluster.Management/hcpCluster-models.tsp
/** The control plane operator name */
operatorName: string;
...UserAssignedManagedIdentity;
The client-id and principal-id will be duplicated in both the identity{} field and this field if we choose to specify it here.
properties: {
  "managedIdentityProfile": {
    "controlPlaneOperators": [
      {
        "operatorName": "csi-disk-driver",
        "resourceId": "/subscriptions/.../Microsoft.Identity/managedIdentity/csi-disk-driver",
        "principalId": "csi-disk-driver",
        "clientId": "csi-disk-driver"
      },
      {...}
    ]
  }
},
identity: {
  "/subscriptions/.../Microsoft.Identity/managedIdentity/csi-disk-driver": {
    "principalId": "csi-disk-driver",
    "clientId": "csi-disk-driver"
  },
  "/subscriptions/.../csi-file-driver": {
    "principalId": "csi-file-driver",
    "clientId": "csi-file-driver"
  }
}
Ah, I had no idea what the top-level identity section would contain. In that case we can have both data and control plane operators be a map of operatorName -> resourceId where resourceId is a lookup key for the identity section (validation would fail if key is not found).
Also, maybe the serviceManagedIdentity field just needs to be a resource ID lookup key as well?
Just to call out here, the RP does not currently parse the top-level identity section at all so we'll need to get that implemented immediately in addition to the plumbing needed for this new API.
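The thread above converges on a design where each operator map is operatorName -> resourceId and the resource ID is only a lookup key into the top-level identity section, with validation failing when the key is missing. The following is an added example of that consistency check, not code from this PR or from the ARO-HCP resource provider. It assumes the simplified shape sketched in the comment (identity keyed directly by resource ID; a real ARM payload nests that map under identity.userAssignedIdentities), and the field names controlPlaneOperators, dataPlaneOperators and serviceManagedIdentity are taken from the discussion rather than from the final model. The sample request body is constructed: csi-disk-driver is declared and referenced with different casing, csi-file-driver is referenced but never declared.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// UserAssignedIdentity is one entry of the top-level identity section, as
// sketched in the review comment (principalId/clientId per resource ID).
type UserAssignedIdentity struct {
	PrincipalID string `json:"principalId"`
	ClientID    string `json:"clientId"`
}

// OperatorsAuthentication follows the proposal in the thread: each operator
// map is operatorName -> managed identity resource ID, and the resource ID is
// only a lookup key into the identity section. Field names are assumptions.
type OperatorsAuthentication struct {
	ControlPlaneOperators  map[string]string `json:"controlPlaneOperators"`
	DataPlaneOperators     map[string]string `json:"dataPlaneOperators"`
	ServiceManagedIdentity string            `json:"serviceManagedIdentity"`
}

// ClusterRequest is the minimal slice of a PUT body needed for the check.
// The identity section is keyed directly by resource ID, as in the sketch
// (a real ARM payload nests that map under identity.userAssignedIdentities).
type ClusterRequest struct {
	Identity   map[string]UserAssignedIdentity `json:"identity"`
	Properties struct {
		Platform struct {
			OperatorsAuthentication OperatorsAuthentication `json:"operatorsAuthentication"`
		} `json:"platform"`
	} `json:"properties"`
}

// ValidateOperatorIdentities returns one message per operator whose resource
// ID is empty or not present in the identity section. ARM resource IDs are
// compared case-insensitively. An empty result means the request is consistent.
func ValidateOperatorIdentities(req *ClusterRequest) []string {
	known := make(map[string]struct{}, len(req.Identity))
	for id := range req.Identity {
		known[strings.ToLower(id)] = struct{}{}
	}
	var errs []string
	check := func(scope, op, rid string) {
		if rid == "" {
			errs = append(errs, fmt.Sprintf("%s/%s: empty resource ID", scope, op))
			return
		}
		if _, ok := known[strings.ToLower(rid)]; !ok {
			errs = append(errs, fmt.Sprintf("%s/%s: %q is not in the identity section", scope, op, rid))
		}
	}
	oa := req.Properties.Platform.OperatorsAuthentication
	for op, rid := range oa.ControlPlaneOperators {
		check("controlPlaneOperators", op, rid)
	}
	for op, rid := range oa.DataPlaneOperators {
		check("dataPlaneOperators", op, rid)
	}
	if oa.ServiceManagedIdentity != "" {
		check("serviceManagedIdentity", "service", oa.ServiceManagedIdentity)
	}
	sort.Strings(errs) // map iteration order is random; keep output deterministic
	return errs
}

// ParseAndValidate decodes a request body and runs the consistency check.
func ParseAndValidate(body []byte) ([]string, error) {
	var req ClusterRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return nil, fmt.Errorf("decoding request: %w", err)
	}
	return ValidateOperatorIdentities(&req), nil
}

// SampleRequest is a constructed body with a placeholder subscription ID.
const SampleRequest = `{
  "identity": {
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/csi-disk-driver": {
      "principalId": "11111111-1111-1111-1111-111111111111",
      "clientId": "22222222-2222-2222-2222-222222222222"
    }
  },
  "properties": {
    "platform": {
      "operatorsAuthentication": {
        "controlPlaneOperators": {
          "csi-disk-driver": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/CSI-DISK-DRIVER"
        },
        "dataPlaneOperators": {
          "csi-file-driver": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/csi-file-driver"
        }
      }
    }
  }
}`

func main() {
	errs, err := ParseAndValidate([]byte(SampleRequest))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, e := range errs {
		fmt.Println("reject:", e)
	}
}
```

Running it rejects only the data-plane csi-file-driver reference; the control-plane reference passes despite its different casing. Keeping the resource ID as a pure lookup key also removes the duplication of principalId/clientId that the thread flagged, so the RP has a single source of truth for each identity.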
I see some of the attributes have removed parts of the names compared to in the CS API. In #858 (comment) I described and reasoned why in the CS API we intentionally kept parts of the names that initially might seem "redundant".
I'm neutral on naming and will change it based on consensus, but FTR I felt the purpose of the operator maps was clear enough from the enclosing scopes. I'm considering renaming the
Please rebase pull request.
This is an extension to PlatformProfile that defines user-assigned managed identities for individual OpenShift cluster operators.
65cb766 to 46acea7
SudoBrendan left a comment
I think this is clear on the various kinds of auth required and what fields should be provided for each. We should probably get BU feedback on names just to be sure, unless that's tracked somewhere I'm unaware of?
What this PR does
Adds the PlatformProfile.operatorsAuthentication field to the Azure API, structured to resemble the azure.operators_authentication OCM schema (with minor tweaks to eliminate redundancy in field names, and simplifications where data is provided through ARM-defined models or headers).
Jira: ARO-10911 - Frontend API Changes to support managed identities
Link to demo recording:
Special notes for your reviewer
hcpCluster-models.tsp. The rest of the changes are generated from it.