azure

package
v0.1.76
Published: May 12, 2026 License: Apache-2.0 Imports: 31 Imported by: 1

README

Azure Infrastructure Commands

This directory contains the Azure infrastructure creation command for HyperShift HostedClusters.

Overview

The hypershift create infra azure command creates the necessary Azure infrastructure resources for hosting HyperShift clusters. It supports two deployment models:

  1. ARO HCP (Azure Red Hat OpenShift Hosted Control Planes) - A managed service that uses UserAssignedManagedIdentity authentication with pre-created managed identities
  2. Self-managed Azure - Customer-managed clusters that use workload identity authentication. The workload identities can either be created automatically or supplied from a pre-existing file

The key difference is the authentication method: ARO HCP uses UserAssignedManagedIdentity while self-managed uses workload identity with federated credentials.

IAM Commands

The hypershift create/destroy iam azure commands manage workload identities separately from infrastructure.

Create Workload Identities
hypershift create iam azure \
  --name my-cluster \
  --infra-id my-cluster-infra \
  --azure-creds /path/to/azure-creds.json \
  --location eastus \
  --resource-group-name my-rg \
  --oidc-issuer-url https://my-oidc-issuer.com \
  --output-file workload-identities.json

This creates 7 managed identities with federated credentials for cluster components:

  • Disk CSI driver
  • File CSI driver
  • Image Registry
  • Ingress Operator
  • Cloud Provider
  • NodePool Management
  • Network Operator

Destroy Workload Identities
hypershift destroy iam azure \
  --name my-cluster \
  --infra-id my-cluster-infra \
  --resource-group-name my-rg \
  --azure-creds /path/to/azure-creds.json \
  --workload-identities-file workload-identities.json

IAM Command Flags

Required for create iam azure:
  • --name: Name of the HostedCluster
  • --infra-id: Unique infrastructure identifier
  • --azure-creds: Path to Azure credentials JSON file
  • --location: Azure region
  • --oidc-issuer-url: OIDC issuer URL for federation

Optional for create iam azure:
  • --resource-group-name: Resource group for identities (default: auto-generated)
  • --output-file: Output file path (default: {name}-iam-output.json)
  • --cloud: Azure cloud environment (default: AzurePublicCloud)

Required for destroy iam azure:
  • --name: Name of the HostedCluster
  • --infra-id: Unique infrastructure identifier
  • --resource-group-name: Resource group containing the identities
  • --azure-creds: Path to Azure credentials JSON file
  • --workload-identities-file: Path to workload identities JSON from create

Infrastructure Command Examples

ARO HCP with Managed Identities

Use pre-created managed identities for ARO HCP deployment:

hypershift create infra azure \
  --name my-cluster \
  --infra-id my-cluster-infra \
  --azure-creds /path/to/azure-creds.json \
  --base-domain example.com \
  --location eastus \
  --managed-identities-file /path/to/managed-identities.yaml \
  --data-plane-identities-file /path/to/data-plane-identities.yaml \
  --output-file infra-output.yaml

Self-managed Azure with Auto-generated Workload Identities

Create infrastructure and automatically generate workload identities:

hypershift create infra azure \
  --name my-cluster \
  --infra-id my-cluster-infra \
  --azure-creds /path/to/azure-creds.json \
  --base-domain example.com \
  --location eastus \
  --oidc-issuer-url https://my-oidc-issuer.com \
  --output-file infra-output.yaml

Self-managed Azure with Pre-existing Workload Identities

Use pre-created workload identities from a JSON file:

hypershift create infra azure \
  --name my-cluster \
  --infra-id my-cluster-infra \
  --azure-creds /path/to/azure-creds.json \
  --base-domain example.com \
  --location eastus \
  --workload-identities-file /path/to/workload-identities.json \
  --output-file infra-output.yaml

Using Existing Network Resources

Use existing VNet and security group:

hypershift create infra azure \
  --name my-cluster \
  --infra-id my-cluster-infra \
  --azure-creds /path/to/azure-creds.json \
  --base-domain example.com \
  --location eastus \
  --oidc-issuer-url https://my-oidc-issuer.com \
  --vnet-id /subscriptions/sub-id/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/my-vnet \
  --subnet-id /subscriptions/sub-id/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/my-vnet/subnets/my-subnet \
  --network-security-group-id /subscriptions/sub-id/resourceGroups/rg/providers/Microsoft.Network/networkSecurityGroups/my-nsg \
  --output-file infra-output.yaml

Using Custom Resource Group

Specify a custom resource group and add tags:

hypershift create infra azure \
  --name my-cluster \
  --infra-id my-cluster-infra \
  --azure-creds /path/to/azure-creds.json \
  --base-domain example.com \
  --location eastus \
  --oidc-issuer-url https://my-oidc-issuer.com \
  --resource-group-name my-custom-rg \
  --resource-group-tags "environment=dev,team=platform" \
  --output-file infra-output.yaml

Required Flags

  • --name: Name of the HostedCluster
  • --infra-id: Unique infrastructure identifier
  • --azure-creds: Path to Azure credentials JSON file

Identity Configuration Requirements

You must provide exactly one of the following identity configurations:

For ARO HCP:
  • --managed-identities-file and --data-plane-identities-file (both required)

For Self-managed Azure:
  • --workload-identities-file OR --oidc-issuer-url

To create workload identities separately, use hypershift create iam azure instead.

RBAC and Role Assignment Flags

When creating infrastructure with workload identities, you can optionally enable automatic RBAC role assignment:

Enabling Automatic Role Assignment
hypershift create infra azure \
  --name my-cluster \
  --infra-id my-cluster-infra \
  --azure-creds /path/to/azure-creds.json \
  --base-domain example.com \
  --location eastus \
  --oidc-issuer-url https://my-oidc-issuer.com \
  --assign-identity-roles \
  --dns-zone-rg-name my-dns-zone-rg \
  --output-file infra-output.yaml

RBAC Flag Reference

  • --assign-identity-roles: Automatically assign required Azure RBAC roles to workload identities. This grants the identities permissions to manage Azure resources (DNS, networking, storage) for the cluster.
  • --dns-zone-rg-name: Name of the resource group containing your Azure DNS zone. Required when using --assign-identity-roles for the ingress controller to create DNS records.
  • --assign-custom-hcp-roles: Use custom Azure HCP role definitions instead of the default Contributor role for workload identities.
  • --disable-cluster-capabilities: Comma-separated list of cluster capabilities to disable (e.g., ImageRegistry). Disabled capabilities will not have corresponding workload identities created.

Example with Custom Roles and Disabled Capabilities
hypershift create infra azure \
  --name my-cluster \
  --infra-id my-cluster-infra \
  --azure-creds /path/to/azure-creds.json \
  --base-domain example.com \
  --location eastus \
  --oidc-issuer-url https://my-oidc-issuer.com \
  --assign-identity-roles \
  --assign-custom-hcp-roles \
  --dns-zone-rg-name my-dns-zone-rg \
  --disable-cluster-capabilities ImageRegistry \
  --output-file infra-output.yaml

Flag Conflicts

The following flags are mutually exclusive:

  • ARO HCP flags (--managed-identities-file, --data-plane-identities-file) cannot be used with self-managed Azure flags (--workload-identities-file)
  • Within self-managed Azure: --workload-identities-file and --oidc-issuer-url are mutually exclusive
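The identity-configuration rules above (exactly one model, both ARO HCP files together, no mixing of the two flag families, and --dns-zone-rg-name whenever --assign-identity-roles is set) are the kind of check CreateInfraOptions.Validate performs before any Azure call is made. The following is an added example written for this page, not the project's own Validate; the IdentityConfig type and the Mode values are constructed for the example and only mirror the field names shown in the README.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// IdentityConfig mirrors the identity-related flags of CreateInfraOptions that
// the "Identity Configuration Requirements" and "Flag Conflicts" sections
// describe. The type itself is constructed for this example.
type IdentityConfig struct {
	ManagedIdentitiesFile   string // --managed-identities-file (ARO HCP)
	DataPlaneIdentitiesFile string // --data-plane-identities-file (ARO HCP)
	WorkloadIdentitiesFile  string // --workload-identities-file (self-managed)
	OIDCIssuerURL           string // --oidc-issuer-url (self-managed)
	AssignIdentityRoles     bool   // --assign-identity-roles
	DNSZoneRG               string // --dns-zone-rg-name
}

// Mode is the deployment model the supplied flags select.
type Mode string

const (
	ModeAROHCP      Mode = "aro-hcp"
	ModeSelfManaged Mode = "self-managed"
)

// ValidateIdentityConfig enforces the README rules and returns the selected
// model. All problems are collected so the operator sees every conflict at once
// rather than fixing one flag per run.
func ValidateIdentityConfig(c IdentityConfig) (Mode, error) {
	aro := c.ManagedIdentitiesFile != "" || c.DataPlaneIdentitiesFile != ""
	self := c.WorkloadIdentitiesFile != "" || c.OIDCIssuerURL != ""

	var problems []string
	switch {
	case aro && self:
		problems = append(problems, "ARO HCP flags (--managed-identities-file, --data-plane-identities-file) cannot be combined with self-managed flags (--workload-identities-file, --oidc-issuer-url)")
	case aro:
		// Both ARO HCP files are required together.
		if c.ManagedIdentitiesFile == "" || c.DataPlaneIdentitiesFile == "" {
			problems = append(problems, "ARO HCP requires both --managed-identities-file and --data-plane-identities-file")
		}
	case self:
		// Within self-managed Azure the two sources of identities are exclusive.
		if c.WorkloadIdentitiesFile != "" && c.OIDCIssuerURL != "" {
			problems = append(problems, "--workload-identities-file and --oidc-issuer-url are mutually exclusive")
		}
	default:
		problems = append(problems, "exactly one identity configuration is required: the ARO HCP files, --workload-identities-file, or --oidc-issuer-url")
	}
	// The ingress controller needs the DNS zone resource group to get its role.
	if c.AssignIdentityRoles && c.DNSZoneRG == "" {
		problems = append(problems, "--dns-zone-rg-name is required with --assign-identity-roles")
	}
	if len(problems) > 0 {
		return "", errors.New(strings.Join(problems, "; "))
	}
	if aro {
		return ModeAROHCP, nil
	}
	return ModeSelfManaged, nil
}

func main() {
	// Constructed flag combinations, including each documented conflict.
	cases := []IdentityConfig{
		{OIDCIssuerURL: "https://my-oidc-issuer.com"},
		{ManagedIdentitiesFile: "mi.yaml", DataPlaneIdentitiesFile: "dp.yaml"},
		{ManagedIdentitiesFile: "mi.yaml"},
		{WorkloadIdentitiesFile: "wi.json", OIDCIssuerURL: "https://my-oidc-issuer.com"},
		{ManagedIdentitiesFile: "mi.yaml", DataPlaneIdentitiesFile: "dp.yaml", WorkloadIdentitiesFile: "wi.json"},
		{},
		{OIDCIssuerURL: "https://my-oidc-issuer.com", AssignIdentityRoles: true},
	}
	for _, c := range cases {
		mode, err := ValidateIdentityConfig(c)
		fmt.Printf("%+v\n  -> mode=%q err=%v\n", c, mode, err)
	}
}
```

Collecting every violation before returning is a deliberate choice: a validator that stops at the first conflict turns a mis-typed command into several round trips, and each failed run already costs an authenticated session against the subscription.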

Output

Normal Infrastructure Creation Mode

When creating full infrastructure, the command outputs information to the specified --output-file in YAML format, including:

  • baseDomain: The base domain for the cluster
  • publicZoneID: Public DNS zone ID
  • privateZoneID: Private DNS zone ID
  • region: Azure location/region
  • resourceGroupName: Main resource group name
  • vnetID: Virtual network ID
  • subnetID: Subnet ID
  • infraID: Infrastructure ID
  • securityGroupID: Network security group ID
  • controlPlaneMIs: Control plane managed identities (ARO HCP only)
  • dataPlaneIdentities: Data plane identities (ARO HCP only)
  • workloadIdentities: Workload identities (self-managed Azure only)

Azure Credentials File Format

The Azure credentials file should be a JSON file with the following structure:

{
  "subscriptionId": "your-subscription-id",
  "tenantId": "your-tenant-id",
  "clientId": "your-client-id",
  "clientSecret": "your-client-secret"
}
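As an added example (not the project's util.AzureCreds loader), here is a loader for the file layout above. Beyond decoding the four fields it rejects unknown keys, so a misspelled key cannot silently leave a field empty, reports every missing field, checks that the file is not readable by group or others (it holds a client secret), and provides a redacted view for logging. The AzureCreds type, the permission check and the Redacted helper are all assumptions of this example; the README only specifies the JSON structure.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// AzureCreds matches the JSON layout in "Azure Credentials File Format".
// The README refers to util.AzureCreds; this local type stands in for it here.
type AzureCreds struct {
	SubscriptionID string `json:"subscriptionId"`
	TenantID       string `json:"tenantId"`
	ClientID       string `json:"clientId"`
	ClientSecret   string `json:"clientSecret"`
}

// ParseAzureCreds decodes the credentials JSON strictly: unknown keys are an
// error, and every required field must be non-empty.
func ParseAzureCreds(data []byte) (*AzureCreds, error) {
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields()
	var c AzureCreds
	if err := dec.Decode(&c); err != nil {
		return nil, fmt.Errorf("decoding azure credentials: %w", err)
	}
	var missing []string
	for name, v := range map[string]string{
		"subscriptionId": c.SubscriptionID,
		"tenantId":       c.TenantID,
		"clientId":       c.ClientID,
		"clientSecret":   c.ClientSecret,
	} {
		if v == "" {
			missing = append(missing, name)
		}
	}
	if len(missing) > 0 {
		sort.Strings(missing) // map order is random; keep the message stable
		return nil, fmt.Errorf("azure credentials missing required fields: %s", strings.Join(missing, ", "))
	}
	return &c, nil
}

// CheckCredsFileMode flags a credentials file readable by group or others.
// Owner-only (0600) is the expected mode for a file holding a client secret.
// This check is an addition for the example; the page does not describe one.
func CheckCredsFileMode(mode fs.FileMode) error {
	if perm := mode.Perm(); perm&0o077 != 0 {
		return fmt.Errorf("credentials file is readable by group/others (mode %04o); expected 0600", perm)
	}
	return nil
}

// LoadAzureCreds stats, permission-checks, reads and parses the file at path.
func LoadAzureCreds(path string) (*AzureCreds, error) {
	info, err := os.Stat(path)
	if err != nil {
		return nil, err
	}
	if err := CheckCredsFileMode(info.Mode()); err != nil {
		return nil, err
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	return ParseAzureCreds(data)
}

// Redacted returns a copy safe to print: the secret is replaced.
func (c *AzureCreds) Redacted() AzureCreds {
	r := *c
	r.ClientSecret = "[redacted]"
	return r
}

func main() {
	// Constructed sample in the README's layout; the values are placeholders.
	sample := []byte(`{
  "subscriptionId": "your-subscription-id",
  "tenantId": "your-tenant-id",
  "clientId": "your-client-id",
  "clientSecret": "your-client-secret"
}`)
	dir, err := os.MkdirTemp("", "azure-creds")
	if err != nil {
		fmt.Println("tempdir:", err)
		return
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "azure-creds.json")
	if err := os.WriteFile(path, sample, 0o600); err != nil {
		fmt.Println("write:", err)
		return
	}
	c, err := LoadAzureCreds(path)
	if err != nil {
		fmt.Println("load failed:", err)
		return
	}
	fmt.Printf("loaded: %+v\n", c.Redacted())
}
```

Refusing unknown keys is the part most often skipped: with the default decoder, a file containing "clientSecrets" parses without error and the failure only surfaces later as an opaque authentication error from Azure, far from the actual cause.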

Code Architecture

This package follows a modular architecture with specialized managers for different Azure operations:

File Structure
  • create.go - Main CLI command and orchestration logic (~240 lines)
  • types.go - Shared type definitions and data structures
  • resource_groups.go - Azure resource group management operations
  • networking.go - VNet, DNS, load balancer, and security group operations
  • images.go - RHCOS image upload and management
  • rbac.go - Role-based access control and Microsoft Graph API operations
  • identity.go - Workload identity and federated credential management

Manager Pattern

Each manager encapsulates domain-specific Azure operations:

  • ResourceGroupManager - Creates and manages Azure resource groups
  • NetworkManager - Handles virtual networks, DNS zones, load balancers, and security groups
  • ImageManager - Manages RHCOS image upload and bootable image creation
  • RBACManager - Handles role assignments and Microsoft Graph API interactions
  • IdentityManager - Creates workload identities and federated credentials

This architecture provides:

  • Separation of concerns - Each manager handles one specific domain
  • Better testability - Managers can be unit tested independently
  • Improved maintainability - Changes are isolated to specific areas
  • Cleaner orchestration - Main function reads like a high-level workflow

Documentation

Constants

const (
	VirtualNetworkAddressPrefix       = "10.0.0.0/16"
	VirtualNetworkLinkLocation        = "global"
	VirtualNetworkSubnetAddressPrefix = "10.0.0.0/24"
)

Variables

This section is empty.

Functions

func BindCreateIAMProductFlags added in v0.1.74

func BindCreateIAMProductFlags(opts *CreateIAMOptions, flags *pflag.FlagSet)

BindCreateIAMProductFlags binds flags for the product CLI (hcp) IAM create azure command

func BindDestroyIAMProductFlags added in v0.1.74

func BindDestroyIAMProductFlags(opts *DestroyIAMOptions, flags *pflag.FlagSet)

BindDestroyIAMProductFlags binds flags for the product CLI (hcp) IAM destroy azure command

func BindDestroyProductFlags added in v0.1.74

func BindDestroyProductFlags(opts *DestroyInfraOptions, flags *pflag.FlagSet)

BindDestroyProductFlags binds flags for the product CLI (hcp) infra destroy azure command. This exposes only the self-managed Azure flags relevant for the productized CLI.

func BindProductFlags added in v0.1.74

func BindProductFlags(opts *CreateInfraOptions, flags *pflag.FlagSet)

BindProductFlags binds flags for the product CLI (hcp) infra create azure command. This exposes only the self-managed Azure flags relevant for the productized CLI.

func NewCreateCommand

func NewCreateCommand() *cobra.Command

NewCreateCommand creates a new cobra command for creating Azure infrastructure resources for a HostedCluster

func NewCreateIAMCommand added in v0.1.74

func NewCreateIAMCommand() *cobra.Command

NewCreateIAMCommand creates a new cobra command for creating Azure IAM resources (managed identities and federated credentials) for a HostedCluster

func NewDestroyCommand

func NewDestroyCommand() *cobra.Command

func NewDestroyIAMCommand added in v0.1.74

func NewDestroyIAMCommand() *cobra.Command

NewDestroyIAMCommand creates a new cobra command for destroying Azure IAM resources (managed identities and federated credentials) for a HostedCluster

func NewLoadBalancer added in v0.1.69

func NewLoadBalancer(location string, infraID string, idPrefix string, loadBalancerName string, publicIPAddress *armnetwork.PublicIPAddress) armnetwork.LoadBalancer

NewLoadBalancer creates a LoadBalancer struct configured for guest cluster egress traffic. This load balancer is used to provide outbound internet connectivity for nodes in the hosted cluster. The Azure cloud provider can later reuse this load balancer to add additional public IP addresses and load balancing rules for services of type LoadBalancer.

The load balancer includes:

  • Frontend IP configuration with a public IP address
  • Backend address pool for guest cluster nodes
  • Health probe for monitoring node health
  • Outbound rule for explicit egress SNAT configuration

Parameters:

  • location: Azure region where the load balancer will be created
  • infraID: Infrastructure identifier used for naming components
  • idPrefix: Azure resource ID prefix for constructing component references
  • loadBalancerName: Name for the load balancer resource
  • publicIPAddress: Public IP address to use for the frontend configuration

Returns a fully configured armnetwork.LoadBalancer with Standard SKU.

func NewPublicIPAddress added in v0.1.69

func NewPublicIPAddress(name string, location string) armnetwork.PublicIPAddress

NewPublicIPAddress creates a PublicIPAddress struct configured for use with a load balancer. The IP address is configured as a static IPv4 address with the Standard SKU, suitable for production load balancers that require consistent, non-changing IP addresses.

Parameters:

  • name: Name for the public IP address resource
  • location: Azure region where the IP address will be allocated (e.g., "eastus")

Returns an armnetwork.PublicIPAddress with:

  • Static allocation method (IP doesn't change)
  • IPv4 address version
  • Standard SKU (required for Standard Load Balancers)
  • 4-minute idle timeout

func NewVirtualNetwork added in v0.1.69

func NewVirtualNetwork(location string, vnetAddrPrefix string) armnetwork.VirtualNetwork

NewVirtualNetwork creates a VirtualNetwork struct with the given address prefix. It initializes an empty virtual network with the specified location and address space, ready to have subnets added to it.

Parameters:

  • location: Azure region where the virtual network will be created (e.g., "eastus")
  • vnetAddrPrefix: CIDR notation for the virtual network address space (e.g., "10.0.0.0/16")

Returns an armnetwork.VirtualNetwork with an empty Subnets slice that can be populated later.

func NewVirtualNetworkLink

func NewVirtualNetworkLink(location string, vnetID string, registrationEnabled bool) armprivatedns.VirtualNetworkLink

NewVirtualNetworkLink creates a VirtualNetworkLink struct for linking a VNet to a Private DNS Zone. This allows resources in the virtual network to resolve DNS records from the private DNS zone.

Parameters:

  • location: Azure region, typically "global" for private DNS zone links
  • vnetID: Full resource ID of the virtual network to link (e.g., "/subscriptions/.../virtualNetworks/...")
  • registrationEnabled: If true, enables automatic DNS record registration for VMs in the VNet

Returns an armprivatedns.VirtualNetworkLink ready to be created via the Azure API.

Types

type CreateIAMOptions added in v0.1.74

type CreateIAMOptions struct {
	Name              string
	Location          string
	InfraID           string
	CredentialsFile   string
	Credentials       *util.AzureCreds
	ResourceGroupName string
	OIDCIssuerURL     string
	OutputFile        string
	Cloud             string
}

CreateIAMOptions holds options for creating Azure IAM resources (managed identities and federated credentials)

func DefaultCreateIAMOptions added in v0.1.74

func DefaultCreateIAMOptions() *CreateIAMOptions

DefaultCreateIAMOptions returns CreateIAMOptions with default values

func (*CreateIAMOptions) Run added in v0.1.74

Run creates the Azure IAM resources (managed identities and federated credentials)

func (*CreateIAMOptions) Validate added in v0.1.74

func (o *CreateIAMOptions) Validate() error

Validate validates the CreateIAMOptions

type CreateInfraOptions

type CreateInfraOptions struct {
	Name                        string
	BaseDomain                  string
	Location                    string
	InfraID                     string
	CredentialsFile             string
	Credentials                 *util.AzureCreds
	OutputFile                  string
	ResourceGroupName           string
	VnetID                      string
	NetworkSecurityGroupID      string
	ResourceGroupTags           map[string]string
	SubnetID                    string
	ManagedIdentitiesFile       string
	DataPlaneIdentitiesFile     string
	WorkloadIdentitiesFile      string
	AssignServicePrincipalRoles bool
	DNSZoneRG                   string
	AssignCustomHCPRoles        bool
	DisableClusterCapabilities  []string
	Cloud                       string
}

func DefaultOptions added in v0.1.74

func DefaultOptions() *CreateInfraOptions

DefaultOptions returns CreateInfraOptions with default values for self-managed Azure

func (*CreateInfraOptions) Run

Run is the main function responsible for creating the Azure infrastructure resources for a HostedCluster.

func (*CreateInfraOptions) Validate added in v0.1.74

func (o *CreateInfraOptions) Validate() error

Validate validates the CreateInfraOptions before running the command

type CreateInfraOutput

type CreateInfraOutput struct {
	BaseDomain          string                                  `json:"baseDomain"`
	PublicZoneID        string                                  `json:"publicZoneID"`
	PrivateZoneID       string                                  `json:"privateZoneID"`
	Location            string                                  `json:"region"`
	ResourceGroupName   string                                  `json:"resourceGroupName"`
	VNetID              string                                  `json:"vnetID"`
	SubnetID            string                                  `json:"subnetID"`
	BootImageID         string                                  `json:"bootImageID"`
	InfraID             string                                  `json:"infraID"`
	SecurityGroupID     string                                  `json:"securityGroupID"`
	NATSubnetID         string                                  `json:"natSubnetID,omitempty"`
	ControlPlaneMIs     *hyperv1.AzureResourceManagedIdentities `json:"controlPlaneMIs"`
	DataPlaneIdentities hyperv1.DataPlaneManagedIdentities      `json:"dataPlaneIdentities"`
	WorkloadIdentities  *hyperv1.AzureWorkloadIdentities        `json:"workloadIdentities"`
}

type DestroyIAMOptions added in v0.1.74

type DestroyIAMOptions struct {
	Name                   string
	InfraID                string
	WorkloadIdentitiesFile string
	CredentialsFile        string
	Credentials            *util.AzureCreds
	ResourceGroupName      string
	DNSZoneRG              string
	Cloud                  string
}

DestroyIAMOptions holds options for destroying Azure IAM resources

func DefaultDestroyIAMOptions added in v0.1.74

func DefaultDestroyIAMOptions() *DestroyIAMOptions

DefaultDestroyIAMOptions returns DestroyIAMOptions with default values

func (*DestroyIAMOptions) Run added in v0.1.74

Run destroys the Azure IAM resources (managed identities and federated credentials)

func (*DestroyIAMOptions) Validate added in v0.1.74

func (o *DestroyIAMOptions) Validate() error

Validate validates the DestroyIAMOptions

type DestroyInfraOptions

type DestroyInfraOptions struct {
	Name                  string
	Location              string
	InfraID               string
	CredentialsFile       string
	Credentials           *util.AzureCreds
	ResourceGroupName     string
	PreserveResourceGroup bool
	Cloud                 string
}

func DefaultDestroyOptions added in v0.1.74

func DefaultDestroyOptions() *DestroyInfraOptions

DefaultDestroyOptions returns DestroyInfraOptions with default values for self-managed Azure

func (*DestroyInfraOptions) GetResourceGroupName added in v0.1.23

func (o *DestroyInfraOptions) GetResourceGroupName() string

GetResourceGroupName returns the resource group name to use for destroy operations. If a custom resource group name was provided, it is returned; otherwise, the default name format of {name}-{infraID} is used.

func (*DestroyInfraOptions) Run

func (o *DestroyInfraOptions) Run(ctx context.Context, logger logr.Logger) error

func (*DestroyInfraOptions) Validate added in v0.1.74

func (o *DestroyInfraOptions) Validate() error

Validate validates the DestroyInfraOptions before running the destroy operation.

type FederatedCredentialConfig added in v0.1.69

type FederatedCredentialConfig struct {
	CredentialName string
	Subject        string
	Audience       string
}

FederatedCredentialConfig holds configuration for creating federated identity credentials

type IdentityManager added in v0.1.69

type IdentityManager struct {
	// contains filtered or unexported fields
}

IdentityManager handles Azure managed identity and federated credential operations

func NewIdentityManager added in v0.1.69

func NewIdentityManager(subscriptionID string, creds azcore.TokenCredential, cloud string) *IdentityManager

NewIdentityManager creates a new IdentityManager

func (*IdentityManager) CreateWorkloadIdentitiesFromIAMOptions added in v0.1.74

func (i *IdentityManager) CreateWorkloadIdentitiesFromIAMOptions(ctx context.Context, l logr.Logger, opts *CreateIAMOptions, resourceGroupName string) (*hyperv1.AzureWorkloadIdentities, error)

CreateWorkloadIdentitiesFromIAMOptions creates all managed identities and federated credentials for workload identity using CreateIAMOptions. This is used by the standalone IAM create command.

func (*IdentityManager) DestroyWorkloadIdentities added in v0.1.74

func (i *IdentityManager) DestroyWorkloadIdentities(ctx context.Context, l logr.Logger, clusterName string, infraID string, resourceGroupName string) error

DestroyWorkloadIdentities deletes all managed identities and their federated credentials for a cluster. Federated credentials are explicitly deleted first, then the managed identity is deleted. The method continues deleting remaining identities even if some fail, logging errors as it goes.

type NetworkManager added in v0.1.69

type NetworkManager struct {
	// contains filtered or unexported fields
}

NetworkManager handles Azure networking operations

func NewNetworkManager added in v0.1.69

func NewNetworkManager(subscriptionID string, creds azcore.TokenCredential, cloud string) *NetworkManager

NewNetworkManager creates a new NetworkManager

func (*NetworkManager) CreateLoadBalancer added in v0.1.69

func (n *NetworkManager) CreateLoadBalancer(ctx context.Context, resourceGroupName string, infraID string, location string, publicIPAddress *armnetwork.PublicIPAddress) error

CreateLoadBalancer creates a load balancer (LB) with an outbound rule for guest cluster egress; the Azure cloud provider will later reuse this LB to add a public IP address and the load balancing rules.

func (*NetworkManager) CreatePrivateDNSZone added in v0.1.69

func (n *NetworkManager) CreatePrivateDNSZone(ctx context.Context, resourceGroupName string, name string, baseDomain string) (string, string, error)

CreatePrivateDNSZone creates the private DNS zone

func (*NetworkManager) CreatePrivateDNSZoneLink

func (n *NetworkManager) CreatePrivateDNSZoneLink(ctx context.Context, resourceGroupName string, name string, infraID string, vnetID string, privateDNSZoneName string) error

CreatePrivateDNSZoneLink creates the private DNS Zone network link. It is idempotent: if the link already exists, it returns successfully.

func (*NetworkManager) CreatePublicIPAddressForLB added in v0.1.69

func (n *NetworkManager) CreatePublicIPAddressForLB(ctx context.Context, resourceGroupName string, infraID string, location string) (*armnetwork.PublicIPAddress, error)

CreatePublicIPAddressForLB creates a public IP address to use for the outbound rule in the load balancer

func (*NetworkManager) CreateSecurityGroup added in v0.1.69

func (n *NetworkManager) CreateSecurityGroup(ctx context.Context, resourceGroupName string, name string, infraID string, location string) (string, error)

CreateSecurityGroup creates the security group the virtual network will use

func (*NetworkManager) CreateVirtualNetwork added in v0.1.69

func (n *NetworkManager) CreateVirtualNetwork(ctx context.Context, resourceGroupName string, name string, infraID string, location string, subnetID string, securityGroupID string) (armnetwork.VirtualNetworksClientCreateOrUpdateResponse, error)

CreateVirtualNetwork creates the virtual network

func (*NetworkManager) GetBaseDomainID added in v0.1.69

func (n *NetworkManager) GetBaseDomainID(ctx context.Context, baseDomain string) (string, error)

GetBaseDomainID gets the resource group ID for the resource group containing the base domain

type RBACManager added in v0.1.69

type RBACManager struct {
	// contains filtered or unexported fields
}

RBACManager handles Azure RBAC operations

func NewRBACManager added in v0.1.69

func NewRBACManager(subscriptionID string, creds azcore.TokenCredential) *RBACManager

NewRBACManager creates a new RBACManager

func (*RBACManager) AssignControlPlaneRoles added in v0.1.69

func (r *RBACManager) AssignControlPlaneRoles(ctx context.Context, opts *CreateInfraOptions, controlPlaneMIs *hyperv1.AzureResourceManagedIdentities, resourceGroupName, nsgResourceGroupName, vnetResourceGroupName string) error

AssignControlPlaneRoles assigns roles to control plane managed identities

func (*RBACManager) AssignDataPlaneRoles added in v0.1.69

func (r *RBACManager) AssignDataPlaneRoles(ctx context.Context, opts *CreateInfraOptions, dataPlaneIdentities hyperv1.DataPlaneManagedIdentities, resourceGroupName string) error

AssignDataPlaneRoles assigns roles to data plane managed identities

func (*RBACManager) AssignWorkloadIdentities added in v0.1.69

func (r *RBACManager) AssignWorkloadIdentities(ctx context.Context, opts *CreateInfraOptions, workloadIdentities *hyperv1.AzureWorkloadIdentities, resourceGroupName, nsgResourceGroupName, vnetResourceGroupName string) error

AssignWorkloadIdentities assigns roles to workload identity managed identities

func (*RBACManager) CleanupRoleAssignments added in v0.1.76

func (r *RBACManager) CleanupRoleAssignments(ctx context.Context, l logr.Logger, infraID string, resourceGroupName, nsgResourceGroupName, vnetResourceGroupName, dnsZoneRG string, assignCustomHCPRoles bool) error

CleanupRoleAssignments deletes all role assignments created for a cluster's workload identities. It regenerates the deterministic role assignment names from the infraID, component names, and scopes, then deletes each one. This must be called before destroying managed identities to avoid orphaned role assignments that cause naming collisions on re-creation.
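The doc comment above describes a pattern worth seeing in code: because Azure role assignment names are GUIDs, a create path that derives each GUID deterministically from (infraID, component, scope) lets the destroy path recompute the same names and delete them without enumerating the subscription, and an orphaned assignment left behind would collide with a later re-create under the same infraID. The example below is an addition for this page, not the project's RBACManager: the SHA-256 derivation, the case-folding of the scope, the component list and the simplified scope mapping in PlanAssignments are all assumptions of the example; the page only states that the names are deterministic.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"strings"
)

// components receiving role assignments, after the README's workload identity list.
var components = []string{"disk", "file", "image-registry", "ingress", "cloud-provider", "nodepool", "network"}

// RoleAssignmentName derives a stable, GUID-formatted name from its inputs.
// Azure requires role assignment names to be GUIDs; hashing the tuple gives a
// reproducible name so destroy can recompute it. The scope is lower-cased
// because Azure resource IDs compare case-insensitively (assumed derivation).
func RoleAssignmentName(infraID, component, scope string) string {
	sum := sha256.Sum256([]byte(infraID + "\x00" + component + "\x00" + strings.ToLower(scope)))
	b := sum[:16]
	b[6] = (b[6] & 0x0f) | 0x40 // version nibble: RFC 4122 layout
	b[8] = (b[8] & 0x3f) | 0x80 // variant bits
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16])
}

// Assignment pairs a component with the scope of its role and the derived name.
type Assignment struct {
	Component string
	Scope     string
	Name      string
}

// PlanAssignments expands the scopes each component needs. The mapping is a
// simplification for the example: every component at the cluster resource
// group, ingress additionally at the DNS zone resource group, and the
// network-related components at the NSG and VNet resource groups.
func PlanAssignments(subscriptionID, infraID, rg, nsgRG, vnetRG, dnsZoneRG string) []Assignment {
	rgScope := func(name string) string {
		return fmt.Sprintf("/subscriptions/%s/resourceGroups/%s", subscriptionID, name)
	}
	var out []Assignment
	add := func(component, scope string) {
		out = append(out, Assignment{component, scope, RoleAssignmentName(infraID, component, scope)})
	}
	for _, c := range components {
		add(c, rgScope(rg))
		switch c {
		case "ingress":
			add(c, rgScope(dnsZoneRG))
		case "cloud-provider", "network", "nodepool":
			add(c, rgScope(nsgRG))
			add(c, rgScope(vnetRG))
		}
	}
	return out
}

// CleanupNames returns the names destroy must delete before removing the
// managed identities. Since they are regenerated rather than listed, they match
// what create produced as long as the same inputs are supplied.
func CleanupNames(plan []Assignment) []string {
	names := make([]string, 0, len(plan))
	for _, a := range plan {
		names = append(names, a.Name)
	}
	return names
}

func main() {
	// Constructed inputs; "sub-id" and the group names are placeholders.
	plan := PlanAssignments("sub-id", "my-cluster-infra", "my-rg", "my-nsg-rg", "my-vnet-rg", "my-dns-zone-rg")
	for _, a := range plan {
		fmt.Printf("%-15s %s\n  -> %s\n", a.Component, a.Scope, a.Name)
	}
	fmt.Println("assignments to delete before identities:", len(CleanupNames(plan)))
}
```

The ordering the doc comment insists on (assignments first, identities second) follows from the names being deterministic: deleting the identity first leaves an assignment whose principal no longer exists, and the next create with the same infraID computes the identical GUID and fails on the collision.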

type ResourceGroupManager added in v0.1.69

type ResourceGroupManager struct {
	// contains filtered or unexported fields
}

ResourceGroupManager handles Azure resource group operations

func NewResourceGroupManager added in v0.1.69

func NewResourceGroupManager(subscriptionID string, creds azcore.TokenCredential, cloud string) *ResourceGroupManager

NewResourceGroupManager creates a new ResourceGroupManager

func (*ResourceGroupManager) CreateOrGetResourceGroup added in v0.1.69

func (r *ResourceGroupManager) CreateOrGetResourceGroup(ctx context.Context, opts *CreateInfraOptions, rgName string) (string, string, error)

CreateOrGetResourceGroup creates the three resource groups needed for the cluster:

  1. The resource group for the cluster's infrastructure
  2. The resource group for the virtual network
  3. The resource group for the network security group

type ServicePrincipal added in v0.1.69

type ServicePrincipal struct {
	ID string `json:"id"`
}

ServicePrincipal represents a service principal from Microsoft Graph API

type ServicePrincipalResponse added in v0.1.58

type ServicePrincipalResponse struct {
	Value []ServicePrincipal `json:"value"`
}

ServicePrincipalResponse represents the response from Microsoft Graph API

type WorkloadIdentityDefinition added in v0.1.74

type WorkloadIdentityDefinition struct {
	ComponentName        string // e.g., "disk", "file", "ingress"
	IdentityNameSuffix   string // e.g., "-disk", "-file"
	FederatedCredentials []FederatedCredentialConfig
}

WorkloadIdentityDefinition defines a workload identity component with its federated credentials

func GetWorkloadIdentityDefinitions added in v0.1.74

func GetWorkloadIdentityDefinitions(clusterName string, topology string) []WorkloadIdentityDefinition

GetWorkloadIdentityDefinitions returns all workload identity definitions for a cluster. This is the single source of truth for identity names and their federated credentials, used by both create and destroy operations. The topology parameter controls whether private-topology-only identities (e.g., controlPlaneOperator) are included.
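To show what a "single source of truth" for identity definitions buys, here is an added example (not the project's GetWorkloadIdentityDefinitions) that builds the seven definitions from the README's list, adds the private-topology-only identity when asked, attaches one federated credential per component, and applies the --disable-cluster-capabilities rule so that a disabled capability gets no identity. The Kubernetes namespaces and service account names in the table, the topology value "Private", the Capability field and the name scheme for credentials are assumptions of this example; the audience "api://AzureADTokenExchange" and the "system:serviceaccount:<namespace>:<name>" subject form are the standard values Azure workload identity federation uses for Kubernetes tokens.

```go
package main

import (
	"fmt"
	"strings"
)

// FederatedCredentialConfig and WorkloadIdentityDefinition mirror the types
// documented on this page; they are redeclared so the example is self-contained.
type FederatedCredentialConfig struct {
	CredentialName string
	Subject        string
	Audience       string
}

type WorkloadIdentityDefinition struct {
	ComponentName        string
	IdentityNameSuffix   string
	Capability           string // owning cluster capability, "" if always created (field added for the example)
	FederatedCredentials []FederatedCredentialConfig
}

// azureADTokenExchange is the audience Azure expects on service account tokens
// exchanged for Azure access tokens.
const azureADTokenExchange = "api://AzureADTokenExchange"

// serviceAccountSubject builds the token subject for a Kubernetes service account.
func serviceAccountSubject(namespace, name string) string {
	return "system:serviceaccount:" + namespace + ":" + name
}

// componentSpec is the per-component table. Namespaces and service account
// names are placeholders, not the project's real values.
type componentSpec struct {
	name, capability, namespace, serviceAccount string
	privateOnly                                 bool
}

var specs = []componentSpec{
	{"disk", "", "openshift-cluster-csi-drivers", "azure-disk-csi-driver-controller-sa", false},
	{"file", "", "openshift-cluster-csi-drivers", "azure-file-csi-driver-controller-sa", false},
	{"image-registry", "ImageRegistry", "openshift-image-registry", "cluster-image-registry-operator", false},
	{"ingress", "", "openshift-ingress-operator", "ingress-operator", false},
	{"cloud-provider", "", "kube-system", "azure-cloud-provider", false},
	{"nodepool", "", "hypershift", "nodepool-management", false},
	{"network", "", "openshift-cloud-network-config-controller", "cloud-network-config-controller", false},
	{"control-plane-operator", "", "hypershift", "control-plane-operator", true},
}

// GetWorkloadIdentityDefinitions builds the definition list for a cluster.
// topology "Private" (assumed value) adds the private-only identities; any
// other value omits them, as the page's doc comment describes.
func GetWorkloadIdentityDefinitions(clusterName, topology string) []WorkloadIdentityDefinition {
	var defs []WorkloadIdentityDefinition
	for _, s := range specs {
		if s.privateOnly && topology != "Private" {
			continue
		}
		defs = append(defs, WorkloadIdentityDefinition{
			ComponentName:      s.name,
			IdentityNameSuffix: "-" + s.name,
			Capability:         s.capability,
			FederatedCredentials: []FederatedCredentialConfig{{
				CredentialName: clusterName + "-" + s.name,
				Subject:        serviceAccountSubject(s.namespace, s.serviceAccount),
				Audience:       azureADTokenExchange,
			}},
		})
	}
	return defs
}

// FilterDisabledCapabilities drops definitions whose capability appears in the
// comma-separated --disable-cluster-capabilities value. Matching ignores case
// and surrounding whitespace so "imageregistry, Foo" behaves as expected.
func FilterDisabledCapabilities(defs []WorkloadIdentityDefinition, disabled string) []WorkloadIdentityDefinition {
	off := map[string]bool{}
	for _, c := range strings.Split(disabled, ",") {
		if c = strings.TrimSpace(c); c != "" {
			off[strings.ToLower(c)] = true
		}
	}
	var out []WorkloadIdentityDefinition
	for _, d := range defs {
		if d.Capability != "" && off[strings.ToLower(d.Capability)] {
			continue
		}
		out = append(out, d)
	}
	return out
}

// IdentityNames returns the managed identity names create would produce and
// destroy would look for: clusterName + suffix.
func IdentityNames(clusterName string, defs []WorkloadIdentityDefinition) []string {
	names := make([]string, 0, len(defs))
	for _, d := range defs {
		names = append(names, clusterName+d.IdentityNameSuffix)
	}
	return names
}

func main() {
	defs := FilterDisabledCapabilities(GetWorkloadIdentityDefinitions("my-cluster", "Public"), "ImageRegistry")
	for _, d := range defs {
		fc := d.FederatedCredentials[0]
		fmt.Printf("%-24s subject=%s audience=%s\n", "my-cluster"+d.IdentityNameSuffix, fc.Subject, fc.Audience)
	}
	fmt.Println("identities:", IdentityNames("my-cluster", defs))
}
```

Keeping the table in one place means destroy and create cannot drift: if a component is renamed only on the create side, destroy would silently leave that identity (and its federated credential, which still trusts the cluster's OIDC issuer) behind.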
