Azure · rajdeepc2792 · Jan 3, 2025 · Jan 3, 2025 · kimorris27 · Jan 3, 2025
@@ -220,28 +220,25 @@ func (m *manager) Update(ctx context.Context) error {
 			steps.Action(m.fixupClusterMsiTenantID),
 			steps.Action(m.ensureClusterMsiCertificate),
 			steps.Action(m.initializeClusterMsiClients),
-		)
-	}
-
-	s = append(s, steps.AuthorizationRetryingAction(m.fpAuthorizer, m.validateResources))
-
-	if m.doc.OpenShiftCluster.UsesWorkloadIdentity() {
-		s = append(s,
 			steps.AuthorizationRetryingAction(m.fpAuthorizer, m.clusterIdentityIDs),
 			steps.AuthorizationRetryingAction(m.fpAuthorizer, m.platformWorkloadIdentityIDs),
-			steps.Action(m.federateIdentityCredentials),
 		)
 	} else {
 		s = append(s,
 			// Since ServicePrincipalProfile is now a pointer and our converters re-build the struct,
 			// our update path needs to enrich the doc with SPObjectID since it was overwritten by our API on put/patch.
 			steps.AuthorizationRetryingAction(m.fpAuthorizer, m.fixupClusterSPObjectID),
-
-			// CSP credentials rotation flow steps
-			steps.Action(m.createOrUpdateClusterServicePrincipalRBAC),
 		)
 	}
 
+	s = append(s, steps.AuthorizationRetryingAction(m.fpAuthorizer, m.validateResources))
+
+	if m.doc.OpenShiftCluster.UsesWorkloadIdentity() {
+		s = append(s, steps.Action(m.federateIdentityCredentials))
+	} else {
+		s = append(s, steps.Action(m.createOrUpdateClusterServicePrincipalRBAC)) // CSP credentials rotation flow steps
+	}
+
 	s = append(s,
 		steps.Action(m.initializeKubernetesClients),
 		steps.Action(m.initializeOperatorDeployer), // depends on kube clients

@@ -35,7 +35,7 @@ func (m *manager) generateWorkloadIdentityResources() (map[string]kruntime.Objec
 	}
 
 	resources := map[string]kruntime.Object{}
-	if platformWorkloadIdentitySecrets, err := m.generatePlatformWorkloadIdentitySecrets(); err != nil {
+	if platformWorkloadIdentitySecrets, _, err := m.generatePlatformWorkloadIdentitySecretsAndNamespaces(); err != nil {
 		return nil, err
 	} else {
 		for _, secret := range platformWorkloadIdentitySecrets {
@@ -60,30 +60,34 @@ func (m *manager) generateWorkloadIdentityResources() (map[string]kruntime.Objec
 }
 
 func (m *manager) deployPlatformWorkloadIdentitySecrets(ctx context.Context) error {
-	secrets, err := m.generatePlatformWorkloadIdentitySecrets()
+	secrets, namespaces, err := m.generatePlatformWorkloadIdentitySecretsAndNamespaces()
 	if err != nil {
 		return err
 	}
-	resources := make([]kruntime.Object, len(secrets))
-	for i, secret := range secrets {
-		resources[i] = secret
+	resources := []kruntime.Object{}
+	for _, namespace := range namespaces {
+		resources = append(resources, namespace)
+	}
+	for _, secret := range secrets {
+		resources = append(resources, secret)
 	}
 
 	return m.ch.Ensure(ctx, resources...)
 }
 
-func (m *manager) generatePlatformWorkloadIdentitySecrets() ([]*corev1.Secret, error) {
+func (m *manager) generatePlatformWorkloadIdentitySecretsAndNamespaces() ([]*corev1.Secret, []*corev1.Namespace, error) {
 	subscriptionId := m.subscriptionDoc.ID
 	tenantId := m.subscriptionDoc.Subscription.Properties.TenantID
 	region := m.doc.OpenShiftCluster.Location
 
 	roles := m.platformWorkloadIdentityRolesByVersion.GetPlatformWorkloadIdentityRolesByRoleName()
 
 	secrets := []*corev1.Secret{}
+	namespaces := []*corev1.Namespace{}
 	for name, identity := range m.doc.OpenShiftCluster.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities {
 		role, exists := roles[name]
 		if !exists {
-			return nil, platformworkloadidentity.GetPlatformWorkloadIdentityMismatchError(m.doc.OpenShiftCluster, roles)
+			return nil, nil, platformworkloadidentity.GetPlatformWorkloadIdentityMismatchError(m.doc.OpenShiftCluster, roles)
 		}
 		// Skip creating a secret for the ARO Operator. This will be
 		// generated by the ARO Operator deployer instead
@@ -110,9 +114,19 @@ func (m *manager) generatePlatformWorkloadIdentitySecrets() ([]*corev1.Secret, e
 				"azure_federated_token_file": azureFederatedTokenFileLocation,
 			},
 		})
+
+		namespaces = append(namespaces, &corev1.Namespace{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: corev1.SchemeGroupVersion.Identifier(),
+				Kind:       "Namespace",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name: role.SecretLocation.Namespace,
+			},
+		})
 	}
 
-	return secrets, nil
+	return secrets, namespaces, nil
 }
 
 func (m *manager) generateCloudCredentialOperatorSecret() (*corev1.Secret, error) {

@@ -317,17 +317,19 @@ func TestGeneratePlatformWorkloadIdentitySecrets(t *testing.T) {
 	location := "eastus"
 
 	for _, tt := range []struct {
-		name       string
-		identities map[string]api.PlatformWorkloadIdentity
-		roles      []api.PlatformWorkloadIdentityRole
-		want       []*corev1.Secret
-		wantErr    string
+		name           string
+		identities     map[string]api.PlatformWorkloadIdentity
+		roles          []api.PlatformWorkloadIdentityRole
+		wantSecrets    []*corev1.Secret
+		wantNamespaces []*corev1.Namespace
+		wantErr        string
 	}{
 		{
-			name:       "no identities, no secrets",
-			identities: map[string]api.PlatformWorkloadIdentity{},
-			roles:      []api.PlatformWorkloadIdentityRole{},
-			want:       []*corev1.Secret{},
+			name:           "no identities, no secrets",
+			identities:     map[string]api.PlatformWorkloadIdentity{},
+			roles:          []api.PlatformWorkloadIdentityRole{},
+			wantSecrets:    []*corev1.Secret{},
+			wantNamespaces: []*corev1.Namespace{},
 		},
 		{
 			name: "converts cluster PWIs if a role definition is present",
@@ -355,7 +357,7 @@ func TestGeneratePlatformWorkloadIdentitySecrets(t *testing.T) {
 					},
 				},
 			},
-			want: []*corev1.Secret{
+			wantSecrets: []*corev1.Secret{
 				{
 					TypeMeta: metav1.TypeMeta{
 						APIVersion: "v1",
@@ -393,6 +395,26 @@ func TestGeneratePlatformWorkloadIdentitySecrets(t *testing.T) {
 					},
 				},
 			},
+			wantNamespaces: []*corev1.Namespace{
+				{
+					TypeMeta: metav1.TypeMeta{
+						APIVersion: "v1",
+						Kind:       "Namespace",
+					},
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "openshift-foo",
+					},
+				},
+				{
+					TypeMeta: metav1.TypeMeta{
+						APIVersion: "v1",
+						Kind:       "Namespace",
+					},
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "openshift-bar",
+					},
+				},
+			},
 		},
 		{
 			name: "error - identities with unexpected operator name present",
@@ -401,9 +423,10 @@ func TestGeneratePlatformWorkloadIdentitySecrets(t *testing.T) {
 					ClientID: "00f00f00-0f00-0f00-0f00-f00f00f00f00",
 				},
 			},
-			roles:   []api.PlatformWorkloadIdentityRole{},
-			want:    []*corev1.Secret{},
-			wantErr: fmt.Sprintf("400: %s: properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities: There's a mismatch between the required and expected set of platform workload identities for the requested OpenShift minor version '%s'. The required platform workload identities are '[]'", api.CloudErrorCodePlatformWorkloadIdentityMismatch, "4.14"),
+			roles:          []api.PlatformWorkloadIdentityRole{},
+			wantSecrets:    []*corev1.Secret{},
+			wantNamespaces: []*corev1.Namespace{},
+			wantErr:        fmt.Sprintf("400: %s: properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities: There's a mismatch between the required and expected set of platform workload identities for the requested OpenShift minor version '%s'. The required platform workload identities are '[]'", api.CloudErrorCodePlatformWorkloadIdentityMismatch, "4.14"),
 		},
 		{
 			name: "skips ARO operator identity",
@@ -431,7 +454,7 @@ func TestGeneratePlatformWorkloadIdentitySecrets(t *testing.T) {
 					},
 				},
 			},
-			want: []*corev1.Secret{
+			wantSecrets: []*corev1.Secret{
 				{
 					TypeMeta: metav1.TypeMeta{
 						APIVersion: "v1",
@@ -451,6 +474,17 @@ func TestGeneratePlatformWorkloadIdentitySecrets(t *testing.T) {
 					},
 				},
 			},
+			wantNamespaces: []*corev1.Namespace{
+				{
+					TypeMeta: metav1.TypeMeta{
+						APIVersion: "v1",
+						Kind:       "Namespace",
+					},
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "openshift-foo",
+					},
+				},
+			},
 		},
 	} {
 		t.Run(tt.name, func(t *testing.T) {
@@ -484,10 +518,11 @@ func TestGeneratePlatformWorkloadIdentitySecrets(t *testing.T) {
 					controller, tt.roles,
 				),
 			}
-			got, err := m.generatePlatformWorkloadIdentitySecrets()
+			gotSecrets, gotNamespaces, err := m.generatePlatformWorkloadIdentitySecretsAndNamespaces()
 
 			utilerror.AssertErrorMessage(t, err, tt.wantErr)
-			assert.ElementsMatch(t, got, tt.want)
+			assert.ElementsMatch(t, gotSecrets, tt.wantSecrets)
+			assert.ElementsMatch(t, gotNamespaces, tt.wantNamespaces)
 		})
 	}
 }