diff --git a/ci-operator/config/openshift-priv/installer/openshift-priv-installer-main.yaml b/ci-operator/config/openshift-priv/installer/openshift-priv-installer-main.yaml index f2f44924a12ca..838367fb8a17b 100644 --- a/ci-operator/config/openshift-priv/installer/openshift-priv-installer-main.yaml +++ b/ci-operator/config/openshift-priv/installer/openshift-priv-installer-main.yaml @@ -553,9 +553,9 @@ tests: post: - chain: ipi-azure-post pre: - - ref: azure-provision-service-principal-minimal-permission - ref: ipi-conf - ref: ipi-conf-azure-default + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install timeout: 6h0m0s - as: e2e-azure-ovn @@ -1159,7 +1159,6 @@ tests: cluster_profile: azure4 env: AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" - ENABLE_MIN_PERMISSION_FOR_MARKETPLACE: "true" FAIL_ON_CORE_DUMP: "false" OS_IMAGE_PLAN: NoPurchasePlan OS_IMAGE_URN: azureopenshift:aro4:aro_417:417.94.20240701 @@ -1169,10 +1168,10 @@ tests: - chain: ipi-deprovision - ref: azure-deprovision-sp-and-custom-role pre: - - ref: azure-provision-service-principal-minimal-permission - chain: ipi-conf-azure - ref: ipi-conf-azure-osimage - ref: ovn-conf + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: ipi-azure-rbac timeout: 6h0m0s diff --git a/ci-operator/config/openshift-priv/installer/openshift-priv-installer-release-4.18.yaml b/ci-operator/config/openshift-priv/installer/openshift-priv-installer-release-4.18.yaml index 319cca8fbe3cd..11baab0cca16a 100644 --- a/ci-operator/config/openshift-priv/installer/openshift-priv-installer-release-4.18.yaml +++ b/ci-operator/config/openshift-priv/installer/openshift-priv-installer-release-4.18.yaml 
@@ -559,9 +559,9 @@ tests: post: - chain: ipi-azure-post pre: - - ref: azure-provision-service-principal-minimal-permission - ref: ipi-conf - ref: ipi-conf-azure-default + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install timeout: 6h0m0s - as: e2e-azure-ovn @@ -1155,7 +1155,6 @@ tests: cluster_profile: azure4 env: AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" - ENABLE_MIN_PERMISSION_FOR_MARKETPLACE: "true" FAIL_ON_CORE_DUMP: "false" OS_IMAGE_PLAN: NoPurchasePlan OS_IMAGE_URN: azureopenshift:aro4:aro_417:417.94.20240701 @@ -1165,10 +1164,10 @@ tests: - chain: ipi-deprovision - ref: azure-deprovision-sp-and-custom-role pre: - - ref: azure-provision-service-principal-minimal-permission - chain: ipi-conf-azure - ref: ipi-conf-azure-osimage - ref: ovn-conf + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: ipi-azure-rbac timeout: 6h0m0s diff --git a/ci-operator/config/openshift-priv/installer/openshift-priv-installer-release-4.19.yaml b/ci-operator/config/openshift-priv/installer/openshift-priv-installer-release-4.19.yaml index 778d76b9d914f..4fc3c4013de71 100644 --- a/ci-operator/config/openshift-priv/installer/openshift-priv-installer-release-4.19.yaml +++ b/ci-operator/config/openshift-priv/installer/openshift-priv-installer-release-4.19.yaml @@ -554,9 +554,9 @@ tests: post: - chain: ipi-azure-post pre: - - ref: azure-provision-service-principal-minimal-permission - ref: ipi-conf - ref: ipi-conf-azure-default + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install timeout: 6h0m0s - as: e2e-azure-ovn @@ -1160,7 +1160,6 @@ tests: cluster_profile: azure4 env: AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" - ENABLE_MIN_PERMISSION_FOR_MARKETPLACE: "true" FAIL_ON_CORE_DUMP: "false" OS_IMAGE_PLAN: NoPurchasePlan OS_IMAGE_URN: azureopenshift:aro4:aro_417:417.94.20240701 
@@ -1170,10 +1169,10 @@ tests: - chain: ipi-deprovision - ref: azure-deprovision-sp-and-custom-role pre: - - ref: azure-provision-service-principal-minimal-permission - chain: ipi-conf-azure - ref: ipi-conf-azure-osimage - ref: ovn-conf + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: ipi-azure-rbac timeout: 6h0m0s diff --git a/ci-operator/config/openshift-priv/installer/openshift-priv-installer-release-4.20.yaml b/ci-operator/config/openshift-priv/installer/openshift-priv-installer-release-4.20.yaml index 2049350c10965..8a3d3bd4c914e 100644 --- a/ci-operator/config/openshift-priv/installer/openshift-priv-installer-release-4.20.yaml +++ b/ci-operator/config/openshift-priv/installer/openshift-priv-installer-release-4.20.yaml @@ -553,9 +553,9 @@ tests: post: - chain: ipi-azure-post pre: - - ref: azure-provision-service-principal-minimal-permission - ref: ipi-conf - ref: ipi-conf-azure-default + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install timeout: 6h0m0s - as: e2e-azure-ovn @@ -1159,7 +1159,6 @@ tests: cluster_profile: azure4 env: AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" - ENABLE_MIN_PERMISSION_FOR_MARKETPLACE: "true" FAIL_ON_CORE_DUMP: "false" OS_IMAGE_PLAN: NoPurchasePlan OS_IMAGE_URN: azureopenshift:aro4:aro_417:417.94.20240701 @@ -1169,10 +1168,10 @@ tests: - chain: ipi-deprovision - ref: azure-deprovision-sp-and-custom-role pre: - - ref: azure-provision-service-principal-minimal-permission - chain: ipi-conf-azure - ref: ipi-conf-azure-osimage - ref: ovn-conf + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: ipi-azure-rbac timeout: 6h0m0s diff --git a/ci-operator/config/openshift/installer/openshift-installer-main.yaml b/ci-operator/config/openshift/installer/openshift-installer-main.yaml index 446df276d9992..827ca84598c65 100644 --- a/ci-operator/config/openshift/installer/openshift-installer-main.yaml 
+++ b/ci-operator/config/openshift/installer/openshift-installer-main.yaml @@ -552,9 +552,9 @@ tests: post: - chain: ipi-azure-post pre: - - ref: azure-provision-service-principal-minimal-permission - ref: ipi-conf - ref: ipi-conf-azure-default + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install timeout: 6h0m0s - as: e2e-azure-ovn @@ -1158,7 +1158,6 @@ tests: cluster_profile: azure4 env: AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" - ENABLE_MIN_PERMISSION_FOR_MARKETPLACE: "true" FAIL_ON_CORE_DUMP: "false" OS_IMAGE_PLAN: NoPurchasePlan OS_IMAGE_URN: azureopenshift:aro4:aro_417:417.94.20240701 @@ -1168,10 +1167,10 @@ tests: - chain: ipi-deprovision - ref: azure-deprovision-sp-and-custom-role pre: - - ref: azure-provision-service-principal-minimal-permission - chain: ipi-conf-azure - ref: ipi-conf-azure-osimage - ref: ovn-conf + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: ipi-azure-rbac timeout: 6h0m0s diff --git a/ci-operator/config/openshift/installer/openshift-installer-release-4.18.yaml b/ci-operator/config/openshift/installer/openshift-installer-release-4.18.yaml index 8c34e1a86be22..6b123c816a920 100644 --- a/ci-operator/config/openshift/installer/openshift-installer-release-4.18.yaml +++ b/ci-operator/config/openshift/installer/openshift-installer-release-4.18.yaml @@ -558,9 +558,9 @@ tests: post: - chain: ipi-azure-post pre: - - ref: azure-provision-service-principal-minimal-permission - ref: ipi-conf - ref: ipi-conf-azure-default + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install timeout: 6h0m0s - as: e2e-azure-ovn @@ -1154,7 +1154,6 @@ tests: cluster_profile: azure4 env: AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" - ENABLE_MIN_PERMISSION_FOR_MARKETPLACE: "true" FAIL_ON_CORE_DUMP: "false" OS_IMAGE_PLAN: NoPurchasePlan OS_IMAGE_URN: azureopenshift:aro4:aro_417:417.94.20240701 
@@ -1164,10 +1163,10 @@ tests: - chain: ipi-deprovision - ref: azure-deprovision-sp-and-custom-role pre: - - ref: azure-provision-service-principal-minimal-permission - chain: ipi-conf-azure - ref: ipi-conf-azure-osimage - ref: ovn-conf + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: ipi-azure-rbac timeout: 6h0m0s diff --git a/ci-operator/config/openshift/installer/openshift-installer-release-4.19.yaml b/ci-operator/config/openshift/installer/openshift-installer-release-4.19.yaml index f3fda12cd5db1..72a79e5b4697c 100644 --- a/ci-operator/config/openshift/installer/openshift-installer-release-4.19.yaml +++ b/ci-operator/config/openshift/installer/openshift-installer-release-4.19.yaml @@ -553,9 +553,9 @@ tests: post: - chain: ipi-azure-post pre: - - ref: azure-provision-service-principal-minimal-permission - ref: ipi-conf - ref: ipi-conf-azure-default + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install timeout: 6h0m0s - as: e2e-azure-ovn @@ -1159,7 +1159,6 @@ tests: cluster_profile: azure4 env: AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" - ENABLE_MIN_PERMISSION_FOR_MARKETPLACE: "true" FAIL_ON_CORE_DUMP: "false" OS_IMAGE_PLAN: NoPurchasePlan OS_IMAGE_URN: azureopenshift:aro4:aro_417:417.94.20240701 @@ -1169,10 +1168,10 @@ tests: - chain: ipi-deprovision - ref: azure-deprovision-sp-and-custom-role pre: - - ref: azure-provision-service-principal-minimal-permission - chain: ipi-conf-azure - ref: ipi-conf-azure-osimage - ref: ovn-conf + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: ipi-azure-rbac timeout: 6h0m0s diff --git a/ci-operator/config/openshift/installer/openshift-installer-release-4.20.yaml b/ci-operator/config/openshift/installer/openshift-installer-release-4.20.yaml index 9e349818ced60..668a532b5e31a 100644 --- a/ci-operator/config/openshift/installer/openshift-installer-release-4.20.yaml 
+++ b/ci-operator/config/openshift/installer/openshift-installer-release-4.20.yaml @@ -552,7 +552,7 @@ tests: post: - chain: ipi-azure-post pre: - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - ref: ipi-conf - ref: ipi-conf-azure-default - chain: ipi-install @@ -1158,7 +1158,6 @@ tests: cluster_profile: azure4 env: AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" - ENABLE_MIN_PERMISSION_FOR_MARKETPLACE: "true" FAIL_ON_CORE_DUMP: "false" OS_IMAGE_PLAN: NoPurchasePlan OS_IMAGE_URN: azureopenshift:aro4:aro_417:417.94.20240701 @@ -1168,7 +1167,7 @@ tests: - chain: ipi-deprovision - ref: azure-deprovision-sp-and-custom-role pre: - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-conf-azure - ref: ipi-conf-azure-osimage - ref: ovn-conf diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.12__amd64-nightly.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.12__amd64-nightly.yaml index 4b3de30a162da..ceef997f788c4 100644 --- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.12__amd64-nightly.yaml +++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.12__amd64-nightly.yaml @@ -1083,7 +1083,7 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com test: - chain: openshift-e2e-test-qe-destructive @@ -1093,7 +1093,7 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com test: - chain: openshift-e2e-test-qe 
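Review bot: In openshift-installer-release-4.20.yaml the provisioning step changes from `ref` to `chain` but stays the first `pre` entry (hunks at -552 and -1168), whereas every other installer config in this commit, including the openshift-priv 4.20 counterpart, moves it to just before `- chain: ipi-install`. The same file also drops `ENABLE_MIN_PERMISSION_FOR_MARKETPLACE`. If the chain now derives the custom role's permissions from the generated install-config (not visible in this diff), running it before `ipi-conf` and `ipi-conf-azure-osimage` gives it nothing to read, so the role could be built without the marketplace-image permissions or the step could fail. Place `- chain: azure-provision-service-principal-minimal-permission` after `- ref: ipi-conf-azure-default` in the first hunk and after `- ref: ovn-conf` in the second, matching the other files. The second `pre` list continues past the end of its hunk.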
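Review bot: `AZURE_INSTALL_USE_MINIMAL_PERMISSIONS` now takes `"yes"` while the neighbouring flags in the same `env` blocks (`FIPS_ENABLED`, `ENABLE_MIN_PERMISSION_FOR_STS`, `ENABLE_DES_DEFAULT_MACHINE`) keep `"true"`, so the one flag that selects the reduced-privilege service principal follows a different truthy convention from everything around it. The consuming step is not part of this diff; if it compares the string exactly, a config still carrying `"true"` would presumably skip the minimal-permission path and install with the cluster profile's default credentials, and the job would pass without exercising least privilege. It would be safer for the step to reject any value it does not recognise, and worth searching the remaining configs for the old value. This applies to every `"true"` to `"yes"` hunk in the openshift-tests-private files that follow.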
diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.12__automated-release-stable-4.12-upgrade-from-stable-4.12.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.12__automated-release-stable-4.12-upgrade-from-stable-4.12.yaml index c09e07ee8033a..a86b4805ce016 100644 --- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.12__automated-release-stable-4.12-upgrade-from-stable-4.12.yaml +++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.12__automated-release-stable-4.12-upgrade-from-stable-4.12.yaml @@ -73,7 +73,7 @@ tests: allow_skip_on_success: true cluster_profile: azure-autorelease-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com FIPS_ENABLED: "true" test: diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.12__automated-release.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.12__automated-release.yaml index b7d0672e8cadd..f0b478cb871c8 100644 --- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.12__automated-release.yaml +++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.12__automated-release.yaml @@ -89,7 +89,7 @@ tests: allow_skip_on_success: true cluster_profile: azure-autorelease-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com CATALOGSOURCE_NAME: auto-release-app-registry E2E_RUN_TAGS: '@level0' 
diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.12__multi-nightly-4.12-upgrade-from-stable-4.12.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.12__multi-nightly-4.12-upgrade-from-stable-4.12.yaml index ceca1c4638565..bbe0e5b239d40 100644 --- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.12__multi-nightly-4.12-upgrade-from-stable-4.12.yaml +++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.12__multi-nightly-4.12-upgrade-from-stable-4.12.yaml @@ -213,7 +213,7 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com COMPUTE_NODE_TYPE: Standard_D4ps_v5 OCP_ARCH: arm64 diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.13__multi-nightly.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.13__multi-nightly.yaml index 7918b709eb2fe..41b50ba0674bb 100644 --- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.13__multi-nightly.yaml +++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.13__multi-nightly.yaml @@ -578,7 +578,7 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com test: - chain: openshift-e2e-test-qe-destructive @@ -588,7 +588,7 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com COMPUTE_NODE_TYPE: Standard_D4ps_v5 OCP_ARCH: arm64 
diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.14__amd64-nightly.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.14__amd64-nightly.yaml index 7347bc147d976..37958c947ea10 100644 --- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.14__amd64-nightly.yaml +++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.14__amd64-nightly.yaml @@ -1301,9 +1301,8 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com - ENABLE_MIN_PERMISSION_FOR_MARKETPLACE: "true" OS_IMAGE_VERSION: 413.92.2023101700 test: - chain: openshift-e2e-test-qe diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.14__multi-nightly-4.14-upgrade-from-stable-4.14.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.14__multi-nightly-4.14-upgrade-from-stable-4.14.yaml index 7f2135828c990..b29c6e7d5c7ea 100644 --- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.14__multi-nightly-4.14-upgrade-from-stable-4.14.yaml +++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.14__multi-nightly-4.14-upgrade-from-stable-4.14.yaml @@ -317,7 +317,7 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com COMPUTE_NODE_TYPE: Standard_D4ps_v5 ENABLE_MIN_PERMISSION_FOR_STS: "true" 
diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.14__multi-nightly.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.14__multi-nightly.yaml index c4ddd35d3ce09..d1f2d39636611 100644 --- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.14__multi-nightly.yaml +++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.14__multi-nightly.yaml @@ -646,7 +646,7 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com test: - chain: openshift-e2e-test-qe-destructive @@ -656,7 +656,7 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com COMPUTE_NODE_TYPE: Standard_D4ps_v5 OCP_ARCH: arm64 @@ -690,7 +690,7 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com ENABLE_MIN_PERMISSION_FOR_STS: "true" EXTRACT_MANIFEST_INCLUDED: "true" @@ -702,7 +702,7 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com COMPUTE_NODE_TYPE: Standard_D4ps_v5 ENABLE_MIN_PERMISSION_FOR_STS: "true" @@ -909,7 +909,7 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com BOOTSTRAP_NODE_TYPE: Standard_D4ps_v5 COMPUTE_NODE_TYPE: Standard_D4ps_v5 
@@ -923,7 +923,7 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com test: - chain: openshift-e2e-test-qe-destructive diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.15__amd64-nightly.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.15__amd64-nightly.yaml index 189ee053d49dd..0b25edfed760c 100644 --- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.15__amd64-nightly.yaml +++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.15__amd64-nightly.yaml @@ -1455,9 +1455,8 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com - ENABLE_MIN_PERMISSION_FOR_MARKETPLACE: "true" OS_IMAGE_VERSION: 4.15.2024072409 test: - chain: openshift-e2e-test-qe @@ -1467,9 +1466,8 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com - ENABLE_MIN_PERMISSION_FOR_MARKETPLACE: "true" OS_IMAGE_VERSION: 4.15.2024072409 test: - chain: openshift-e2e-test-clusterinfra-qe-longrun diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.15__multi-nightly-4.15-upgrade-from-stable-4.14.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.15__multi-nightly-4.15-upgrade-from-stable-4.14.yaml index 2434597745687..a0d8cb773ce48 100644 --- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.15__multi-nightly-4.15-upgrade-from-stable-4.14.yaml 
+++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.15__multi-nightly-4.15-upgrade-from-stable-4.14.yaml @@ -226,7 +226,7 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com COMPUTE_NODE_TYPE: Standard_D4ps_v5 ENABLE_MIN_PERMISSION_FOR_STS: "true" diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.15__multi-nightly-4.15-upgrade-from-stable-4.15.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.15__multi-nightly-4.15-upgrade-from-stable-4.15.yaml index 1ab52746b2e20..665c26656319d 100644 --- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.15__multi-nightly-4.15-upgrade-from-stable-4.15.yaml +++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.15__multi-nightly-4.15-upgrade-from-stable-4.15.yaml @@ -119,11 +119,10 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com COMPUTE_NODE_TYPE: Standard_D4ps_v5 ENABLE_DES_DEFAULT_MACHINE: "true" - ENABLE_MIN_PERMISSION_FOR_DES: "true" OCP_ARCH: arm64 test: - chain: openshift-upgrade-qe-test diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.15__multi-nightly.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.15__multi-nightly.yaml index a2e6b1f0bc7b4..7759a4051d43a 100644 --- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.15__multi-nightly.yaml 
+++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.15__multi-nightly.yaml @@ -573,11 +573,10 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com ENABLE_DES_COMPUTE: "true" ENABLE_DES_CONTROL_PLANE: "true" - ENABLE_MIN_PERMISSION_FOR_DES: "true" FIPS_ENABLED: "true" test: - chain: openshift-e2e-test-qe-destructive @@ -587,11 +586,10 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com COMPUTE_NODE_TYPE: Standard_D4ps_v5 ENABLE_DES_DEFAULT_MACHINE: "true" - ENABLE_MIN_PERMISSION_FOR_DES: "true" OCP_ARCH: arm64 test: - chain: openshift-e2e-test-qe @@ -689,7 +687,7 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com ENABLE_MIN_PERMISSION_FOR_STS: "true" EXTRACT_MANIFEST_INCLUDED: "true" @@ -701,7 +699,7 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com COMPUTE_NODE_TYPE: Standard_D4ps_v5 ENABLE_MIN_PERMISSION_FOR_STS: "true" @@ -898,7 +896,7 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com test: - chain: openshift-e2e-test-qe-destructive @@ -908,7 +906,7 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com BOOTSTRAP_NODE_TYPE: Standard_D4ps_v5 COMPUTE_NODE_TYPE: Standard_D4ps_v5 
diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.16__amd64-nightly.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.16__amd64-nightly.yaml index b4796caeefd42..d0a1f0523b0a0 100644 --- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.16__amd64-nightly.yaml +++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.16__amd64-nightly.yaml @@ -1484,9 +1484,8 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com - ENABLE_MIN_PERMISSION_FOR_MARKETPLACE: "true" OS_IMAGE_VERSION: 4.15.2024072409 test: - chain: openshift-e2e-test-qe diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.16__multi-nightly-4.16-upgrade-from-stable-4.15.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.16__multi-nightly-4.16-upgrade-from-stable-4.15.yaml index 1cc9befcbccc3..d99822d74898c 100644 --- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.16__multi-nightly-4.16-upgrade-from-stable-4.15.yaml +++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.16__multi-nightly-4.16-upgrade-from-stable-4.15.yaml @@ -260,11 +260,10 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com COMPUTE_NODE_TYPE: Standard_D4ps_v5 ENABLE_DES_DEFAULT_MACHINE: "true" - ENABLE_MIN_PERMISSION_FOR_DES: "true" OCP_ARCH: arm64 test: - chain: openshift-upgrade-qe-test 
@@ -329,7 +328,7 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com COMPUTE_NODE_TYPE: Standard_D4ps_v5 ENABLE_MIN_PERMISSION_FOR_STS: "true" diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.16__multi-nightly-4.16-upgrade-from-stable-4.16.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.16__multi-nightly-4.16-upgrade-from-stable-4.16.yaml index 8e9783ab743b8..51d10c5a10b68 100644 --- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.16__multi-nightly-4.16-upgrade-from-stable-4.16.yaml +++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.16__multi-nightly-4.16-upgrade-from-stable-4.16.yaml @@ -234,11 +234,10 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com COMPUTE_NODE_TYPE: Standard_D4ps_v5 ENABLE_DES_DEFAULT_MACHINE: "true" - ENABLE_MIN_PERMISSION_FOR_DES: "true" OCP_ARCH: arm64 test: - chain: openshift-upgrade-qe-test diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.16__multi-nightly.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.16__multi-nightly.yaml index 9d5c5894d54bc..e4ade2a7e3c1c 100644 --- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.16__multi-nightly.yaml +++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.16__multi-nightly.yaml 
@@ -708,11 +708,10 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com ENABLE_DES_COMPUTE: "true" ENABLE_DES_CONTROL_PLANE: "true" - ENABLE_MIN_PERMISSION_FOR_DES: "true" FIPS_ENABLED: "true" test: - chain: openshift-e2e-test-qe-destructive @@ -722,11 +721,10 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com COMPUTE_NODE_TYPE: Standard_D4ps_v5 ENABLE_DES_DEFAULT_MACHINE: "true" - ENABLE_MIN_PERMISSION_FOR_DES: "true" OCP_ARCH: arm64 test: - chain: openshift-e2e-test-qe @@ -835,7 +833,7 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com ENABLE_MIN_PERMISSION_FOR_STS: "true" EXTRACT_MANIFEST_INCLUDED: "true" @@ -847,7 +845,7 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com COMPUTE_NODE_TYPE: Standard_D4ps_v5 ENABLE_MIN_PERMISSION_FOR_STS: "true" @@ -1054,7 +1052,7 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com test: - chain: openshift-e2e-test-qe-destructive @@ -1064,7 +1062,7 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com BOOTSTRAP_NODE_TYPE: Standard_D4ps_v5 COMPUTE_NODE_TYPE: Standard_D4ps_v5 
diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.17__amd64-nightly-4.17-upgrade-from-stable-4.16.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.17__amd64-nightly-4.17-upgrade-from-stable-4.16.yaml index 906ccfeecc073..b835e75d6c400 100644 --- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.17__amd64-nightly-4.17-upgrade-from-stable-4.16.yaml +++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.17__amd64-nightly-4.17-upgrade-from-stable-4.16.yaml @@ -350,9 +350,8 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com - ENABLE_MIN_PERMISSION_FOR_MARKETPLACE: "true" OS_IMAGE_VERSION: 413.92.2023101700 test: - chain: openshift-upgrade-qe-test diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.17__amd64-nightly-4.17-upgrade-from-stable-4.17.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.17__amd64-nightly-4.17-upgrade-from-stable-4.17.yaml index c36dc2eead5c8..ff35226ac284f 100644 --- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.17__amd64-nightly-4.17-upgrade-from-stable-4.17.yaml +++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.17__amd64-nightly-4.17-upgrade-from-stable-4.17.yaml @@ -383,9 +383,8 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com - ENABLE_MIN_PERMISSION_FOR_MARKETPLACE: "true" OS_IMAGE_VERSION: 4.17.2024100419 test: - chain: openshift-upgrade-qe-test 
diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.17__amd64-nightly.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.17__amd64-nightly.yaml index 7c3b13760cef8..91c6c309987e0 100644 --- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.17__amd64-nightly.yaml +++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.17__amd64-nightly.yaml @@ -1546,9 +1546,8 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com - ENABLE_MIN_PERMISSION_FOR_MARKETPLACE: "true" OS_IMAGE_VERSION: 4.17.2024100419 test: - chain: openshift-e2e-test-qe diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.17__multi-nightly-4.17-upgrade-from-stable-4.16.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.17__multi-nightly-4.17-upgrade-from-stable-4.16.yaml index 3e7cf7e6a3661..6a96a429837d9 100644 --- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.17__multi-nightly-4.17-upgrade-from-stable-4.16.yaml +++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.17__multi-nightly-4.17-upgrade-from-stable-4.16.yaml @@ -314,11 +314,10 @@ tests: steps: cluster_profile: azure-qe env: - AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true" + AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.azure.devcluster.openshift.com COMPUTE_NODE_TYPE: Standard_D4ps_v5 ENABLE_DES_DEFAULT_MACHINE: "true" - ENABLE_MIN_PERMISSION_FOR_DES: "true" OCP_ARCH: arm64 test: - chain: openshift-upgrade-qe-test 
@@ -389,7 +388,7 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 COMPUTE_NODE_TYPE: Standard_D4ps_v5
 ENABLE_MIN_PERMISSION_FOR_STS: "true"
@@ -491,7 +490,7 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 BOOTSTRAP_NODE_TYPE: Standard_D4ps_v5
 COMPUTE_NODE_TYPE: Standard_D4ps_v5
diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.17__multi-nightly-4.17-upgrade-from-stable-4.17.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.17__multi-nightly-4.17-upgrade-from-stable-4.17.yaml
index ad5df30c61bd1..836fd2f472d6b 100644
--- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.17__multi-nightly-4.17-upgrade-from-stable-4.17.yaml
+++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.17__multi-nightly-4.17-upgrade-from-stable-4.17.yaml
@@ -329,11 +329,10 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 COMPUTE_NODE_TYPE: Standard_D4ps_v5
 ENABLE_DES_DEFAULT_MACHINE: "true"
- ENABLE_MIN_PERMISSION_FOR_DES: "true"
 OCP_ARCH: arm64
 test:
 - chain: openshift-upgrade-qe-test
@@ -403,7 +402,7 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 COMPUTE_NODE_TYPE: Standard_D4ps_v5
 ENABLE_MIN_PERMISSION_FOR_STS: "true"
@@ -511,7 +510,7 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 BOOTSTRAP_NODE_TYPE: Standard_D4ps_v5
 COMPUTE_NODE_TYPE: Standard_D4ps_v5
diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.17__multi-nightly.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.17__multi-nightly.yaml
index a1772b02bf13c..e085716082d16 100644
--- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.17__multi-nightly.yaml
+++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.17__multi-nightly.yaml
@@ -713,11 +713,10 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 COMPUTE_NODE_TYPE: Standard_D4ps_v5
 ENABLE_DES_DEFAULT_MACHINE: "true"
- ENABLE_MIN_PERMISSION_FOR_DES: "true"
 OCP_ARCH: arm64
 test:
 - chain: openshift-e2e-test-qe
@@ -727,11 +726,10 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 ENABLE_DES_COMPUTE: "true"
 ENABLE_DES_CONTROL_PLANE: "true"
- ENABLE_MIN_PERMISSION_FOR_DES: "true"
 FIPS_ENABLED: "true"
 test:
 - chain: openshift-e2e-test-qe-destructive
@@ -911,7 +909,7 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 ENABLE_MIN_PERMISSION_FOR_STS: "true"
 EXTRACT_MANIFEST_INCLUDED: "true"
@@ -923,7 +921,7 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 COMPUTE_NODE_TYPE: Standard_D4ps_v5
 ENABLE_MIN_PERMISSION_FOR_STS: "true"
@@ -1150,7 +1148,7 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 test:
 - chain: openshift-e2e-test-qe-destructive
@@ -1160,7 +1158,7 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 BOOTSTRAP_NODE_TYPE: Standard_D4ps_v5
 COMPUTE_NODE_TYPE: Standard_D4ps_v5
diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__amd64-nightly-4.18-upgrade-from-stable-4.17.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__amd64-nightly-4.18-upgrade-from-stable-4.17.yaml
index 76a56773d8c0e..a79b5bc801a18 100644
--- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__amd64-nightly-4.18-upgrade-from-stable-4.17.yaml
+++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__amd64-nightly-4.18-upgrade-from-stable-4.17.yaml
@@ -455,9 +455,8 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
- ENABLE_MIN_PERMISSION_FOR_MARKETPLACE: "true"
 OS_IMAGE_VERSION: 413.92.2023101700
 test:
 - chain: openshift-upgrade-qe-test
diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__amd64-nightly-4.18-upgrade-from-stable-4.18.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__amd64-nightly-4.18-upgrade-from-stable-4.18.yaml
index e5efd101c183b..2a306619e5f77 100644
--- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__amd64-nightly-4.18-upgrade-from-stable-4.18.yaml
+++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__amd64-nightly-4.18-upgrade-from-stable-4.18.yaml
@@ -401,9 +401,8 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
- ENABLE_MIN_PERMISSION_FOR_MARKETPLACE: "true"
 OS_IMAGE_VERSION: 4.17.2024100419
 test:
 - chain: openshift-upgrade-qe-test
diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__amd64-nightly.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__amd64-nightly.yaml
index 0f48da64e9fb8..f80bb4eac632e 100644
--- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__amd64-nightly.yaml
+++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__amd64-nightly.yaml
@@ -1607,9 +1607,8 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
- ENABLE_MIN_PERMISSION_FOR_MARKETPLACE: "true"
 OS_IMAGE_VERSION: 4.17.2024100419
 test:
 - chain: openshift-e2e-test-qe
@@ -1619,9 +1618,8 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
- ENABLE_MIN_PERMISSION_FOR_MARKETPLACE: "true"
 FEATURE_SET: TechPreviewNoUpgrade
 OS_IMAGE_VERSION: 4.17.2024100419
 test:
diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__multi-nightly-4.18-upgrade-from-stable-4.17.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__multi-nightly-4.18-upgrade-from-stable-4.17.yaml
index 95202970c0537..ce8bd144d2b56 100644
--- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__multi-nightly-4.18-upgrade-from-stable-4.17.yaml
+++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__multi-nightly-4.18-upgrade-from-stable-4.17.yaml
@@ -289,11 +289,10 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 COMPUTE_NODE_TYPE: Standard_D4ps_v5
 ENABLE_DES_DEFAULT_MACHINE: "true"
- ENABLE_MIN_PERMISSION_FOR_DES: "true"
 OCP_ARCH: arm64
 test:
 - chain: openshift-upgrade-qe-test
@@ -381,7 +380,7 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 COMPUTE_NODE_TYPE: Standard_D4ps_v5
 ENABLE_MIN_PERMISSION_FOR_STS: "true"
@@ -466,7 +465,7 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 BOOTSTRAP_NODE_TYPE: Standard_D4ps_v5
 COMPUTE_NODE_TYPE: Standard_D4ps_v5
diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__multi-nightly-4.18-upgrade-from-stable-4.18.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__multi-nightly-4.18-upgrade-from-stable-4.18.yaml
index 551e14586151e..e9cfbe2d43eba 100644
--- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__multi-nightly-4.18-upgrade-from-stable-4.18.yaml
+++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__multi-nightly-4.18-upgrade-from-stable-4.18.yaml
@@ -301,11 +301,10 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 COMPUTE_NODE_TYPE: Standard_D4ps_v5
 ENABLE_DES_DEFAULT_MACHINE: "true"
- ENABLE_MIN_PERMISSION_FOR_DES: "true"
 OCP_ARCH: arm64
 test:
 - chain: openshift-upgrade-qe-test
@@ -375,7 +374,7 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 COMPUTE_NODE_TYPE: Standard_D4ps_v5
 ENABLE_MIN_PERMISSION_FOR_STS: "true"
@@ -483,7 +482,7 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 BOOTSTRAP_NODE_TYPE: Standard_D4ps_v5
 COMPUTE_NODE_TYPE: Standard_D4ps_v5
diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__multi-nightly.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__multi-nightly.yaml
index d2846ea71fe26..359108a454f09 100644
--- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__multi-nightly.yaml
+++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__multi-nightly.yaml
@@ -864,11 +864,10 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 COMPUTE_NODE_TYPE: Standard_D4ps_v5
 ENABLE_DES_DEFAULT_MACHINE: "true"
- ENABLE_MIN_PERMISSION_FOR_DES: "true"
 OCP_ARCH: arm64
 test:
 - chain: openshift-e2e-test-qe
@@ -878,11 +877,10 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 ENABLE_DES_COMPUTE: "true"
 ENABLE_DES_CONTROL_PLANE: "true"
- ENABLE_MIN_PERMISSION_FOR_DES: "true"
 FIPS_ENABLED: "true"
 test:
 - chain: openshift-e2e-test-qe-destructive
@@ -1062,7 +1060,7 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 ENABLE_MIN_PERMISSION_FOR_STS: "true"
 EXTRACT_MANIFEST_INCLUDED: "true"
@@ -1074,7 +1072,7 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 COMPUTE_NODE_TYPE: Standard_D4ps_v5
 ENABLE_MIN_PERMISSION_FOR_STS: "true"
@@ -1321,7 +1319,7 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 test:
 - chain: openshift-e2e-test-qe-destructive
@@ -1331,7 +1329,7 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 BOOTSTRAP_NODE_TYPE: Standard_D4ps_v5
 COMPUTE_NODE_TYPE: Standard_D4ps_v5
diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly-4.19-upgrade-from-stable-4.18.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly-4.19-upgrade-from-stable-4.18.yaml
index 55c88b6720cd1..3038a0f35db3f 100644
--- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly-4.19-upgrade-from-stable-4.18.yaml
+++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly-4.19-upgrade-from-stable-4.18.yaml
@@ -449,9 +449,8 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
- ENABLE_MIN_PERMISSION_FOR_MARKETPLACE: "true"
 OS_IMAGE_VERSION: 413.92.2023101700
 test:
 - chain: openshift-upgrade-qe-test
diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly-4.19-upgrade-from-stable-4.19.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly-4.19-upgrade-from-stable-4.19.yaml
index 1f81c84c969ce..f567f11b51815 100644
--- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly-4.19-upgrade-from-stable-4.19.yaml
+++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly-4.19-upgrade-from-stable-4.19.yaml
@@ -403,9 +403,8 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
- ENABLE_MIN_PERMISSION_FOR_MARKETPLACE: "true"
 OS_IMAGE_VERSION: 4.17.2024100419
 test:
 - chain: openshift-upgrade-qe-test
diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly.yaml
index 4ac1fe978d9ad..cf2cfd828e734 100644
--- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly.yaml
+++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly.yaml
@@ -1617,9 +1617,8 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
- ENABLE_MIN_PERMISSION_FOR_MARKETPLACE: "true"
 OS_IMAGE_VERSION: 4.17.2024100419
 test:
 - chain: openshift-e2e-test-qe
diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__multi-nightly-4.19-upgrade-from-stable-4.18.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__multi-nightly-4.19-upgrade-from-stable-4.18.yaml
index 506a155f2d02f..fa0b33b141315 100644
--- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__multi-nightly-4.19-upgrade-from-stable-4.18.yaml
+++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__multi-nightly-4.19-upgrade-from-stable-4.18.yaml
@@ -302,11 +302,10 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 COMPUTE_NODE_TYPE: Standard_D4ps_v5
 ENABLE_DES_DEFAULT_MACHINE: "true"
- ENABLE_MIN_PERMISSION_FOR_DES: "true"
 OCP_ARCH: arm64
 test:
 - chain: openshift-upgrade-qe-test
@@ -394,7 +393,7 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 COMPUTE_NODE_TYPE: Standard_D4ps_v5
 ENABLE_MIN_PERMISSION_FOR_STS: "true"
@@ -490,7 +489,7 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 BOOTSTRAP_NODE_TYPE: Standard_D4ps_v5
 COMPUTE_NODE_TYPE: Standard_D4ps_v5
diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__multi-nightly-4.19-upgrade-from-stable-4.19.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__multi-nightly-4.19-upgrade-from-stable-4.19.yaml
index 487c116421773..749bc04b0bdd7 100644
--- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__multi-nightly-4.19-upgrade-from-stable-4.19.yaml
+++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__multi-nightly-4.19-upgrade-from-stable-4.19.yaml
@@ -292,11 +292,10 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 COMPUTE_NODE_TYPE: Standard_D4ps_v5
 ENABLE_DES_DEFAULT_MACHINE: "true"
- ENABLE_MIN_PERMISSION_FOR_DES: "true"
 OCP_ARCH: arm64
 test:
 - chain: openshift-upgrade-qe-test
@@ -383,7 +382,7 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 COMPUTE_NODE_TYPE: Standard_D4ps_v5
 ENABLE_MIN_PERMISSION_FOR_STS: "true"
@@ -491,7 +490,7 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 BOOTSTRAP_NODE_TYPE: Standard_D4ps_v5
 COMPUTE_NODE_TYPE: Standard_D4ps_v5
diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__multi-nightly.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__multi-nightly.yaml
index 50a49442b612f..d40cfb9dc6fff 100644
--- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__multi-nightly.yaml
+++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__multi-nightly.yaml
@@ -774,11 +774,10 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 COMPUTE_NODE_TYPE: Standard_D4ps_v5
 ENABLE_DES_DEFAULT_MACHINE: "true"
- ENABLE_MIN_PERMISSION_FOR_DES: "true"
 OCP_ARCH: arm64
 test:
 - chain: openshift-e2e-test-qe
@@ -788,11 +787,10 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 ENABLE_DES_COMPUTE: "true"
 ENABLE_DES_CONTROL_PLANE: "true"
- ENABLE_MIN_PERMISSION_FOR_DES: "true"
 FIPS_ENABLED: "true"
 test:
 - chain: openshift-e2e-test-qe-destructive
@@ -983,7 +981,7 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 ENABLE_MIN_PERMISSION_FOR_STS: "true"
 EXTRACT_MANIFEST_INCLUDED: "true"
@@ -995,7 +993,7 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 COMPUTE_NODE_TYPE: Standard_D4ps_v5
 ENABLE_MIN_PERMISSION_FOR_STS: "true"
@@ -1242,7 +1240,7 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 test:
 - chain: openshift-e2e-test-qe-destructive
@@ -1252,7 +1250,7 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 BOOTSTRAP_NODE_TYPE: Standard_D4ps_v5
 COMPUTE_NODE_TYPE: Standard_D4ps_v5
diff --git a/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.16.yaml b/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.16.yaml
index 1a8ac08c2ad18..6cf8cea981185 100644
--- a/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.16.yaml
+++ b/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.16.yaml
@@ -348,7 +348,7 @@ tests:
 dependencies:
 OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: release:arm64-latest
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 OCP_ARCH: arm64
 test:
diff --git a/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.17.yaml b/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.17.yaml
index 1f6f28574fe85..5bb5bf83f5159 100644
--- a/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.17.yaml
+++ b/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.17.yaml
@@ -417,7 +417,7 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 OCP_ARCH: arm64
 test:
diff --git a/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.18.yaml b/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.18.yaml
index 9eabe7fd75f67..a5946b5a20f50 100644
--- a/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.18.yaml
+++ b/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.18.yaml
@@ -536,7 +536,7 @@ tests:
 dependencies:
 OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: release:arm64-latest
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 OCP_ARCH: arm64
 test:
diff --git a/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.19.yaml b/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.19.yaml
index 078d342f2e592..c0ee74c8d427c 100644
--- a/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.19.yaml
+++ b/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.19.yaml
@@ -553,7 +553,7 @@ tests:
 dependencies:
 OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: release:arm64-latest
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 OCP_ARCH: arm64
 test:
diff --git a/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installer-rehearse-4.18.yaml b/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installer-rehearse-4.18.yaml
index a14b5310b557a..a5201037afeae 100644
--- a/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installer-rehearse-4.18.yaml
+++ b/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installer-rehearse-4.18.yaml
@@ -61,7 +61,7 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
- AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "true"
+ AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
 BASE_DOMAIN: qe.azure.devcluster.openshift.com
 ENABLE_DES_DEFAULT_MACHINE: "true"
 ENABLE_MIN_PERMISSION_FOR_DES: "true"
diff --git a/ci-operator/step-registry/azure/provision/custom-role/OWNERS b/ci-operator/step-registry/azure/provision/custom-role/OWNERS
new file mode 100644
index 0000000000000..6218f78b9e37d
--- /dev/null
+++ b/ci-operator/step-registry/azure/provision/custom-role/OWNERS
@@ -0,0 +1,6 @@
+approvers:
+- patrickdillon
+- yunjiang29
+- MayXuQQ
+- jianlinliu
+- jinyunma
diff --git a/ci-operator/step-registry/azure/provision/custom-role/azure-provision-custom-role-commands.sh b/ci-operator/step-registry/azure/provision/custom-role/azure-provision-custom-role-commands.sh
new file mode 100644
index 0000000000000..098e284658ef8
--- /dev/null
+++ b/ci-operator/step-registry/azure/provision/custom-role/azure-provision-custom-role-commands.sh
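Review bot: `ENABLE_MIN_PERMISSION_FOR_DES: "true"` survives as a context line in the installer-rehearse-4.18 hunk (`@@ -61,7 +61,7 @@`), while every other visible env block that carried it has the line removed by this commit. If no step in this job's workflow still declares that parameter, the leftover is dead configuration and, depending on how the registry treats undeclared parameters, may be rejected at validation; I would delete the line here too so this file matches the rest of the change. The test definition continues outside the hunk, so the workflow it runs is not visible from here.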
@@ -0,0 +1,379 @@
+#!/bin/bash
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+# save the exit code for junit xml file generated in step gather-must-gather
+# pre configuration steps before running installation, exit code 100 if failed,
+# save to install-pre-config-status.txt
+# post check steps after cluster installation, exit code 101 if failed,
+# save to install-post-check-status.txt
+EXIT_CODE=100
+trap 'if [[ "$?" == 0 ]]; then EXIT_CODE=0; fi; echo "${EXIT_CODE}" > "${SHARED_DIR}/install-pre-config-status.txt"' EXIT TERM
+
+function run_command() {
+ local CMD="$1"
+ echo "Running Command: ${CMD}"
+ eval "${CMD}"
+}
+
+function run_cmd_with_retries_save_output()
+{
+ local cmd="$1" output="$2" retries="${3:-}"
+ local try=0 ret=0
+ [[ -z ${retries} ]] && max="20" || max=${retries}
+ echo "Trying ${max} times max to run '${cmd}', save output to ${output}"
+
+ eval "${cmd}" > "${output}" || ret=$?
+ while [ X"${ret}" != X"0" ] && [ ${try} -lt ${max} ]; do
+ echo "'${cmd}' did not return success, waiting 60 sec....."
+ sleep 60
+ try=$(( try + 1 ))
+ ret=0
+ eval "${cmd}" > "${output}" || ret=$?
+ done
+ if [ ${try} -eq ${max} ]; then
+ echo "Never succeed or Timeout"
+ return 1
+ fi
+ echo "Succeed"
+ return 0
+}
+
+function create_role_definition_json() {
+
+ local role_name=$1 permissions=$2 role_definition_file=$3
+
+ role_description="the custom role ${role_name} with minimal permissions for cluster ${CLUSTER_NAME}"
+ assignable_scopes="""
+\"/subscriptions/${AZURE_AUTH_SUBSCRIPTOIN_ID}\"
+"""
+
+ # create role definition json file
+ jq --null-input \
+ --arg role_name "${role_name}" \
+ --arg description "${role_description}" \
+ --argjson assignable_scopes "[ ${assignable_scopes} ]" \
+ --argjson permission_list "[ ${permissions} ]" '
+{
+ "Name": $role_name,
+ "IsCustom": true,
+ "Description": $description,
+ "assignableScopes": $assignable_scopes,
+ "Actions": $permission_list,
+ "notActions": [],
+ "dataActions": [],
+ "notDataActions": []
+}' > "${role_definition_file}"
+}
+
+function create_custom_role() {
+ local role_definition="$1"
+
+ # create custom role
+ cmd="az role definition create --role-definition ${role_definition}"
+ run_command "${cmd}" || return 1
+
+ echo "Sleep 1 min to wait for custom role created"
+ sleep 60
+}
+
+if [[ "${AZURE_INSTALL_USE_MINIMAL_PERMISSIONS}" == "no" ]] && [[ "${ENABLE_MIN_PERMISSION_FOR_STS}" == "false" ]]; then
+ echo "Both AZURE_INSTALL_USE_MINIMAL_PERMISSIONS and ENABLE_MIN_PERMISSION_FOR_STS are disabled, skip this step to create custom role with minimal permission!"
+ exit 0
+fi
+
+echo "RELEASE_IMAGE_LATEST: ${RELEASE_IMAGE_LATEST}"
+echo "RELEASE_IMAGE_LATEST_FROM_BUILD_FARM: ${RELEASE_IMAGE_LATEST_FROM_BUILD_FARM}"
+export HOME="${HOME:-/tmp/home}"
+export XDG_RUNTIME_DIR="${HOME}/run"
+export REGISTRY_AUTH_PREFERENCE=podman # TODO: remove later, used for migrating oc from docker to podman
+mkdir -p "${XDG_RUNTIME_DIR}"
+# After cluster is set up, ci-operator make KUBECONFIG pointing to the installed cluster,
+# to make "oc registry login" interact with the build farm, set KUBECONFIG to empty,
+# so that the credentials of the build farm registry can be saved in docker client config file.
+# A direct connection is required while communicating with build-farm, instead of through proxy
+KUBECONFIG="" oc --loglevel=8 registry login
+ocp_version=$(oc adm release info ${RELEASE_IMAGE_LATEST_FROM_BUILD_FARM} --output=json | jq -r '.metadata.version' | cut -d. -f 1,2)
+echo "OCP Version: $ocp_version"
+ocp_major_version=$( echo "${ocp_version}" | awk --field-separator=. '{print $1}' )
+ocp_minor_version=$( echo "${ocp_version}" | awk --field-separator=. '{print $2}' )
+
+# az should already be there
+command -v az
+az --version
+
+# set the parameters we'll need as env vars
+AZURE_AUTH_LOCATION="${CLUSTER_PROFILE_DIR}/osServicePrincipal.json"
+if [[ -f "${CLUSTER_PROFILE_DIR}/installer-sp-minter.json" ]]; then
+ AZURE_AUTH_LOCATION="${CLUSTER_PROFILE_DIR}/installer-sp-minter.json"
+fi
+AZURE_AUTH_CLIENT_ID="$(<"${AZURE_AUTH_LOCATION}" jq -r .clientId)"
+AZURE_AUTH_CLIENT_SECRET="$(<"${AZURE_AUTH_LOCATION}" jq -r .clientSecret)"
+AZURE_AUTH_TENANT_ID="$(<"${AZURE_AUTH_LOCATION}" jq -r .tenantId)"
+AZURE_AUTH_SUBSCRIPTOIN_ID="$(<"${AZURE_AUTH_LOCATION}" jq -r .subscriptionId)"
+
+# log in with az
+if [[ "${CLUSTER_TYPE}" == "azuremag" ]] || [[ "${CLUSTER_TYPE}" == "azurestack" ]]; then
+ echo "Installation with minimal permissions is only supported on Azure Public Cloud so far, exit..."
+ exit 1
+else
+ az cloud set --name AzureCloud
+fi
+az login --service-principal -u "${AZURE_AUTH_CLIENT_ID}" -p "${AZURE_AUTH_CLIENT_SECRET}" --tenant "${AZURE_AUTH_TENANT_ID}" --output none
+
+CLUSTER_NAME="${NAMESPACE}-${UNIQUE_HASH}"
+custom_role_name_json="{}"
+# create custom role with minimal permission for cluster to create the infrastructure.
+if [[ "${AZURE_INSTALL_USE_MINIMAL_PERMISSIONS}" == "yes" ]]; then
+ ROLE_DEFINITION="${ARTIFACT_DIR}/azure-custom-role-definition-minimal-permissions.json"
+ CUSTOM_ROLE_NAME="${CLUSTER_NAME}-custom-role"
+ CONFIG="${SHARED_DIR}/install-config.yaml"
+
+ install_config_vnet=$(yq-go r ${CONFIG} 'platform.azure.virtualNetwork')
+ install_config_osimage_default=$(yq-go r ${CONFIG} 'platform.azure.defaultMachinePlatform.osImage')
+ install_config_osimage_master=$(yq-go r ${CONFIG} 'controlPlane.platform.azure.osImage')
+ install_config_osimage_worker=$(yq-go r ${CONFIG} 'compute[0].platform.azure.osImage')
+ install_config_des_default=$(yq-go r ${CONFIG} 'platform.azure.defaultMachinePlatform.osDisk.diskEncryptionSet')
+ install_config_des_master=$(yq-go r ${CONFIG} 'controlPlane.platform.azure.osDisk.diskEncryptionSet')
+ install_config_des_worker=$(yq-go r ${CONFIG} 'compute[0].platform.azure.osDisk.diskEncryptionSet')
+
+ required_permissions="""
+\"Microsoft.Authorization/policies/audit/action\",
+\"Microsoft.Authorization/policies/auditIfNotExists/action\",
+\"Microsoft.Authorization/roleAssignments/read\",
+\"Microsoft.Authorization/roleAssignments/write\",
+\"Microsoft.Compute/availabilitySets/read\",
+\"Microsoft.Compute/availabilitySets/write\",
+\"Microsoft.Compute/availabilitySets/delete\",
+\"Microsoft.Compute/disks/beginGetAccess/action\",
+\"Microsoft.Compute/disks/delete\",
+\"Microsoft.Compute/disks/read\",
+\"Microsoft.Compute/disks/write\",
+\"Microsoft.Compute/galleries/images/read\",
+\"Microsoft.Compute/galleries/images/versions/read\",
+\"Microsoft.Compute/galleries/images/versions/write\",
+\"Microsoft.Compute/galleries/images/write\", +\"Microsoft.Compute/galleries/read\", +\"Microsoft.Compute/galleries/write\", +\"Microsoft.Compute/snapshots/read\", +\"Microsoft.Compute/snapshots/write\", +\"Microsoft.Compute/snapshots/delete\", +\"Microsoft.Compute/virtualMachines/delete\", +\"Microsoft.Compute/virtualMachines/powerOff/action\", +\"Microsoft.Compute/virtualMachines/read\", +\"Microsoft.Compute/virtualMachines/write\", +\"Microsoft.ManagedIdentity/userAssignedIdentities/assign/action\", +\"Microsoft.ManagedIdentity/userAssignedIdentities/read\", +\"Microsoft.ManagedIdentity/userAssignedIdentities/write\", +\"Microsoft.Network/dnsZones/A/write\", +\"Microsoft.Network/dnsZones/CNAME/write\", +\"Microsoft.Network/dnszones/CNAME/read\", +\"Microsoft.Network/dnszones/read\", +\"Microsoft.Network/loadBalancers/backendAddressPools/join/action\", +\"Microsoft.Network/loadBalancers/backendAddressPools/read\", +\"Microsoft.Network/loadBalancers/backendAddressPools/write\", +\"Microsoft.Network/loadBalancers/read\", +\"Microsoft.Network/loadBalancers/write\", +\"Microsoft.Network/networkInterfaces/delete\", +\"Microsoft.Network/networkInterfaces/join/action\", +\"Microsoft.Network/networkInterfaces/read\", +\"Microsoft.Network/networkInterfaces/write\", +\"Microsoft.Network/networkSecurityGroups/join/action\", +\"Microsoft.Network/networkSecurityGroups/read\", +\"Microsoft.Network/networkSecurityGroups/securityRules/delete\", +\"Microsoft.Network/networkSecurityGroups/securityRules/read\", +\"Microsoft.Network/networkSecurityGroups/securityRules/write\", +\"Microsoft.Network/networkSecurityGroups/write\", +\"Microsoft.Network/privateDnsZones/A/read\", +\"Microsoft.Network/privateDnsZones/A/write\", +\"Microsoft.Network/privateDnsZones/A/delete\", +\"Microsoft.Network/privateDnsZones/SOA/read\", +\"Microsoft.Network/privateDnsZones/read\", +\"Microsoft.Network/privateDnsZones/virtualNetworkLinks/read\", 
+\"Microsoft.Network/privateDnsZones/virtualNetworkLinks/write\", +\"Microsoft.Network/privateDnsZones/write\", +\"Microsoft.Network/publicIPAddresses/delete\", +\"Microsoft.Network/publicIPAddresses/join/action\", +\"Microsoft.Network/publicIPAddresses/read\", +\"Microsoft.Network/publicIPAddresses/write\", +\"Microsoft.Network/virtualNetworks/join/action\", +\"Microsoft.Network/virtualNetworks/read\", +\"Microsoft.Network/virtualNetworks/subnets/join/action\", +\"Microsoft.Network/virtualNetworks/subnets/read\", +\"Microsoft.Network/virtualNetworks/subnets/write\", +\"Microsoft.Network/virtualNetworks/write\", +\"Microsoft.Resourcehealth/healthevent/Activated/action\", +\"Microsoft.Resourcehealth/healthevent/InProgress/action\", +\"Microsoft.Resourcehealth/healthevent/Pending/action\", +\"Microsoft.Resourcehealth/healthevent/Resolved/action\", +\"Microsoft.Resourcehealth/healthevent/Updated/action\", +\"Microsoft.Resources/subscriptions/resourceGroups/read\", +\"Microsoft.Resources/subscriptions/resourcegroups/write\", +\"Microsoft.Resources/tags/write\", +\"Microsoft.Storage/storageAccounts/blobServices/read\", +\"Microsoft.Storage/storageAccounts/blobServices/containers/write\", +\"Microsoft.Storage/storageAccounts/fileServices/read\", +\"Microsoft.Storage/storageAccounts/fileServices/shares/read\", +\"Microsoft.Storage/storageAccounts/fileServices/shares/write\", +\"Microsoft.Storage/storageAccounts/fileServices/shares/delete\", +\"Microsoft.Storage/storageAccounts/listKeys/action\", +\"Microsoft.Storage/storageAccounts/read\", +\"Microsoft.Storage/storageAccounts/write\", +\"Microsoft.Authorization/roleAssignments/delete\", +\"Microsoft.Compute/disks/delete\", +\"Microsoft.Compute/galleries/delete\", +\"Microsoft.Compute/galleries/images/delete\", +\"Microsoft.Compute/galleries/images/versions/delete\", +\"Microsoft.Compute/virtualMachines/delete\", +\"Microsoft.ManagedIdentity/userAssignedIdentities/delete\", +\"Microsoft.Network/dnszones/read\", 
+\"Microsoft.Network/dnsZones/A/read\", +\"Microsoft.Network/dnsZones/A/delete\", +\"Microsoft.Network/dnsZones/CNAME/read\", +\"Microsoft.Network/dnsZones/CNAME/delete\", +\"Microsoft.Network/loadBalancers/delete\", +\"Microsoft.Network/networkInterfaces/delete\", +\"Microsoft.Network/networkSecurityGroups/delete\", +\"Microsoft.Network/privateDnsZones/read\", +\"Microsoft.Network/privateDnsZones/A/read\", +\"Microsoft.Network/privateDnsZones/delete\", +\"Microsoft.Network/privateDnsZones/virtualNetworkLinks/delete\", +\"Microsoft.Network/publicIPAddresses/delete\", +\"Microsoft.Network/virtualNetworks/delete\", +\"Microsoft.Resourcehealth/healthevent/Activated/action\", +\"Microsoft.Resourcehealth/healthevent/Resolved/action\", +\"Microsoft.Resourcehealth/healthevent/Updated/action\", +\"Microsoft.Resources/subscriptions/resourcegroups/delete\", +\"Microsoft.Storage/storageAccounts/delete\", +\"Microsoft.Storage/storageAccounts/listKeys/action\" +""" + + # optional permissions for external dns operator + required_permissions=""" +\"Microsoft.Network/privateDnsZones/CNAME/read\", +\"Microsoft.Network/privateDnsZones/CNAME/write\", +\"Microsoft.Network/privateDnsZones/CNAME/delete\", +\"Microsoft.Network/privateDnsZones/TXT/read\", +\"Microsoft.Network/privateDnsZones/TXT/write\", +\"Microsoft.Network/privateDnsZones/TXT/delete\", +${required_permissions} +""" + + + # optional permission to gather bootstrap bundle log + required_permissions=""" +\"Microsoft.Compute/virtualMachines/retrieveBootDiagnosticsData/action\", +${required_permissions} +""" + + # New permissions are instroduced when using CAPZ to provision IPI cluster + if [[ "${CLUSTER_TYPE_MIN_PERMISSOIN}" == "IPI" ]] && (( ocp_minor_version >= 17 && ocp_major_version == 4 )); then + # routeTables relevant perssions can be removed once OCPBUGS-37663 is fixed. 
+ required_permissions=""" +\"Microsoft.Network/routeTables/read\", +\"Microsoft.Network/routeTables/write\", +\"Microsoft.Network/routeTables/join/action\", +\"Microsoft.Network/loadBalancers/inboundNatRules/read\", +\"Microsoft.Network/loadBalancers/inboundNatRules/write\", +\"Microsoft.Network/loadBalancers/inboundNatRules/join/action\", +\"Microsoft.Network/loadBalancers/inboundNatRules/delete\", +${required_permissions} +""" + fi + + if [[ "${CLUSTER_TYPE_MIN_PERMISSOIN}" == "UPI" ]]; then + required_permissions=""" +\"Microsoft.Compute/images/read\", +\"Microsoft.Compute/images/write\", +\"Microsoft.Compute/images/delete\", +\"Microsoft.Compute/virtualMachines/deallocate/action\", +\"Microsoft.Storage/storageAccounts/blobServices/containers/read\", +\"Microsoft.Resources/deployments/read\", +\"Microsoft.Resources/deployments/write\", +\"Microsoft.Resources/deployments/validate/action\", +\"Microsoft.Resources/deployments/operationstatuses/read\", +${required_permissions} +""" + fi + + # optional permissions when installing cluster in existing vnet + if [[ -n ${install_config_vnet} ]] && (( ocp_minor_version >= 17 && ocp_major_version == 4 )); then + required_permissions=""" +\"Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read\", +${required_permissions} +""" + fi + + if [[ -n "${install_config_osimage_default}" ]] || [[ -n "${install_config_osimage_master}" ]] || [[ -n "${install_config_osimage_worker}" ]]; then + required_permissions=""" +\"Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/read\", +\"Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write\", +\"Microsoft.Compute/images/read\", +\"Microsoft.Compute/images/write\", +\"Microsoft.Compute/images/delete\", +${required_permissions} +""" + fi + + if [[ -n "${install_config_des_default}" ]] || [[ -n "${install_config_des_master}" ]] || [[ -n "${install_config_des_worker}" ]]; then + required_permissions=""" 
+\"Microsoft.Compute/diskEncryptionSets/read\", +\"Microsoft.Compute/diskEncryptionSets/write\", +\"Microsoft.Compute/diskEncryptionSets/delete\", +\"Microsoft.KeyVault/vaults/read\", +\"Microsoft.KeyVault/vaults/write\", +\"Microsoft.KeyVault/vaults/delete\", +\"Microsoft.KeyVault/vaults/deploy/action\", +\"Microsoft.KeyVault/vaults/keys/read\", +\"Microsoft.KeyVault/vaults/keys/write\", +${required_permissions} +""" + fi + + create_role_definition_json "${CUSTOM_ROLE_NAME}" "${required_permissions}" "${ROLE_DEFINITION}" + echo "Creating custom role..." + create_custom_role "${ROLE_DEFINITION}" + # for destroy + custom_role_name_json=$(echo "${custom_role_name_json}" | jq -c -S ". +={\"cluster\":\"${CUSTOM_ROLE_NAME}\"}") + echo "${custom_role_name_json}" > "${SHARED_DIR}/azure_custom_role_name" +fi + +# create custom role with minimal permission for ccoctl to create required Azure resources when using workload identity +if [[ "${ENABLE_MIN_PERMISSION_FOR_STS}" == "true" ]]; then + sts_required_permissions=""" +\"Microsoft.Resources/subscriptions/resourceGroups/read\", +\"Microsoft.Resources/subscriptions/resourceGroups/write\", +\"Microsoft.Resources/subscriptions/resourceGroups/delete\", +\"Microsoft.Authorization/roleAssignments/read\", +\"Microsoft.Authorization/roleAssignments/delete\", +\"Microsoft.Authorization/roleAssignments/write\", +\"Microsoft.Authorization/roleDefinitions/read\", +\"Microsoft.Authorization/roleDefinitions/write\", +\"Microsoft.Authorization/roleDefinitions/delete\", +\"Microsoft.Storage/storageAccounts/listkeys/action\", +\"Microsoft.Storage/storageAccounts/delete\", +\"Microsoft.Storage/storageAccounts/read\", +\"Microsoft.Storage/storageAccounts/write\", +\"Microsoft.Storage/storageAccounts/blobServices/containers/write\", +\"Microsoft.Storage/storageAccounts/blobServices/containers/delete\", +\"Microsoft.Storage/storageAccounts/blobServices/containers/read\", +\"Microsoft.ManagedIdentity/userAssignedIdentities/delete\", 
+\"Microsoft.ManagedIdentity/userAssignedIdentities/read\", +\"Microsoft.ManagedIdentity/userAssignedIdentities/write\", +\"Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read\", +\"Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write\", +\"Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete\", +\"Microsoft.Storage/register/action\", +\"Microsoft.ManagedIdentity/register/action\" +""" + sts_role_name="${CLUSTER_NAME}-custom-role-sts" + sts_role_definition="${ARTIFACT_DIR}/azure-custom-role-definition-sts-minimal-permissions.json" + + create_role_definition_json "${sts_role_name}" "${sts_required_permissions}" "${sts_role_definition}" + create_custom_role "${sts_role_definition}" + # for destroy + custom_role_name_json=$(echo "${custom_role_name_json}" | jq -c -S ". +={\"sts\":\"${sts_role_name}\"}") + echo "${custom_role_name_json}" > "${SHARED_DIR}/azure_custom_role_name" +fi diff --git a/ci-operator/step-registry/azure/provision/custom-role/azure-provision-custom-role-ref.metadata.json b/ci-operator/step-registry/azure/provision/custom-role/azure-provision-custom-role-ref.metadata.json new file mode 100644 index 0000000000000..368224e01df2b --- /dev/null +++ b/ci-operator/step-registry/azure/provision/custom-role/azure-provision-custom-role-ref.metadata.json @@ -0,0 +1,12 @@ +{ + "path": "azure/provision/custom-role/azure-provision-custom-role-ref.yaml", + "owners": { + "approvers": [ + "patrickdillon", + "yunjiang29", + "MayXuQQ", + "jianlinliu", + "jinyunma" + ] + } +} \ No newline at end of file diff --git a/ci-operator/step-registry/azure/provision/custom-role/azure-provision-custom-role-ref.yaml b/ci-operator/step-registry/azure/provision/custom-role/azure-provision-custom-role-ref.yaml new file mode 100644 index 0000000000000..6569da3c7e8b1 --- /dev/null +++ b/ci-operator/step-registry/azure/provision/custom-role/azure-provision-custom-role-ref.yaml 
@@ -0,0 +1,32 @@
+ref:
+ as: azure-provision-custom-role
+ from_image:
+ namespace: ocp
+ name: "4.14"
+ tag: upi-installer
+ grace_period: 10m
+ commands: azure-provision-custom-role-commands.sh
+ resources:
+ requests:
+ cpu: 10m
+ memory: 100Mi
+ dependencies:
+ - name: "release:latest"
+ env: RELEASE_IMAGE_LATEST_FROM_BUILD_FARM
+ env:
+ - name: CLUSTER_TYPE_MIN_PERMISSOIN
+ default: "IPI"
+ documentation: |-
+ The provision way to set up cluster to test installation with Azure crendentials with minimal permissions.
+ Valid value: IPI UPI
+ - name: ENABLE_MIN_PERMISSION_FOR_STS
+ default: "false"
+ documentation: |-
+ Assign minimal permissions for SP to create workload identity related azure resources by ccoctl.
+ - name: AZURE_INSTALL_USE_MINIMAL_PERMISSIONS
+ default: "no"
+ documentation: |-
+ "no", default option, if the install should be done with the standard service principal from the cluster profile.
+ "yes" if the step should create a service principal user and attach a policy with only the install-needed permissions.
+ documentation: |-
+ Provision a service principal with minimal permissions required for IPI-on-Azure
diff --git a/ci-operator/step-registry/azure/provision/disk-encryption-set/assign-role/OWNERS b/ci-operator/step-registry/azure/provision/disk-encryption-set/assign-role/OWNERS
new file mode 120000
index 0000000000000..ec405d65a79df
--- /dev/null
+++ b/ci-operator/step-registry/azure/provision/disk-encryption-set/assign-role/OWNERS
@@ -0,0 +1 @@
+../OWNERS
\ No newline at end of file
diff --git a/ci-operator/step-registry/azure/provision/disk-encryption-set/assign-role/azure-provision-disk-encryption-set-assign-role-commands.sh b/ci-operator/step-registry/azure/provision/disk-encryption-set/assign-role/azure-provision-disk-encryption-set-assign-role-commands.sh
new file mode 100644
index 0000000000000..9fa55eed6f7a9
--- /dev/null
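Review bot: The step-level `documentation` at the end of this ref says it provisions a service principal, but the ref runs `azure-provision-custom-role-commands.sh`, which (as far as that script is visible here) only builds and creates custom role definitions and records their names in `${SHARED_DIR}/azure_custom_role_name`; the `AZURE_INSTALL_USE_MINIMAL_PERMISSIONS` text looks copied from the service-principal step in the same way. I would change it to something like `Create the Azure custom role(s) holding the permissions the installer (and optionally ccoctl) needs; role names are saved to ${SHARED_DIR}/azure_custom_role_name for later steps and for deprovision.` The env docs should also state that the generated roles include `Microsoft.Authorization/roleAssignments/write` (and, with `ENABLE_MIN_PERMISSION_FOR_STS`, `Microsoft.Authorization/roleDefinitions/write`), so a principal holding them can grant further access within the role's assigned scope; "minimal" here means minimal for the installer, not a containment boundary. The misspellings `CLUSTER_TYPE_MIN_PERMISSOIN` and `crendentials` are worth fixing while the ref is new, provided no existing job config already sets the misspelled variable.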
+++ b/ci-operator/step-registry/azure/provision/disk-encryption-set/assign-role/azure-provision-disk-encryption-set-assign-role-commands.sh 
@@ -0,0 +1,92 @@
+#!/bin/bash
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+# save the exit code for junit xml file generated in step gather-must-gather
+# pre configuration steps before running installation, exit code 100 if failed,
+# save to install-pre-config-status.txt
+# post check steps after cluster installation, exit code 101 if failed,
+# save to install-post-check-status.txt
+EXIT_CODE=100
+trap 'if [[ "$?" == 0 ]]; then EXIT_CODE=0; fi; echo "${EXIT_CODE}" > "${SHARED_DIR}/install-pre-config-status.txt"' EXIT TERM
+
+function run_command() {
+ local CMD="$1"
+ echo "Running Command: ${CMD}"
+ eval "${CMD}"
+}
+
+function run_command_with_retries()
+{
+ local try=0 cmd="$1" retries="${2:-}" ret=0
+ [[ -z ${retries} ]] && max="20" || max=${retries}
+ echo "Trying ${max} times max to run '${cmd}'"
+
+ eval "${cmd}" || ret=$?
+ while [ X"${ret}" != X"0" ] && [ ${try} -lt ${max} ]; do
+ echo "'${cmd}' did not return success, waiting 60 sec....."
+ sleep 60
+ try=$((try + 1))
+ ret=0
+ eval "${cmd}" || ret=$?
+ done
+ if [ ${try} -eq ${max} ]; then
+ echo "Never succeed or Timeout"
+ return 1
+ fi
+ echo "Succeed"
+ return 0
+}
+
+# az should already be there
+command -v az
+az --version
+
+# set the parameters we'll need as env vars
+AZURE_AUTH_LOCATION="${CLUSTER_PROFILE_DIR}/osServicePrincipal.json"
+AZURE_AUTH_CLIENT_ID="$(<"${AZURE_AUTH_LOCATION}" jq -r .clientId)"
+AZURE_AUTH_CLIENT_SECRET="$(<"${AZURE_AUTH_LOCATION}" jq -r .clientSecret)"
+AZURE_AUTH_TENANT_ID="$(<"${AZURE_AUTH_LOCATION}" jq -r .tenantId)"
+
+# log in with az
+if [[ "${CLUSTER_TYPE}" == "azuremag" ]]; then
+ az cloud set --name AzureUSGovernment
+else
+ az cloud set --name AzureCloud
+fi
+az login --service-principal -u "${AZURE_AUTH_CLIENT_ID}" -p "${AZURE_AUTH_CLIENT_SECRET}" --tenant "${AZURE_AUTH_TENANT_ID}" --output none
+
+
+rg_file="${SHARED_DIR}/resourcegroup"
+if [ -f "${rg_file}" ]; then
+ RESOURCE_GROUP=$(cat "${rg_file}")
+else
+ echo "Did not found an provisoned empty resource group"
+ exit 1
+fi
+
+run_command "az group show --name $RESOURCE_GROUP"; ret=$?
+if [ X"$ret" != X"0" ]; then
+ echo "The $RESOURCE_GROUP resrouce group does not exit"
+ exit 1
+fi
+
+AZURE_DES_FILE="${SHARED_DIR}/azure_des.json"
+cluster_sp_id=$(cat "${AZURE_AUTH_LOCATION}" | jq -r ".clientId")
+role_name="Owner"
+if [[ "${AZURE_INSTALL_USE_MINIMAL_PERMISSIONS}" == "yes" ]]; then
+ role_name=$(< "${SHARED_DIR}/azure_custom_role_name" jq -r .cluster)
+ if [[ -z "${role_name}" ]]; then
+ echo "Could not find cluster custom role name in file /azure_custom_role_name, which is created in step 'azure-provision-service-principal-minimal-permission'"
+ exit 1
+ fi
+ cluster_sp_id=$(< "${SHARED_DIR}/azure_minimal_permission" jq -r .clientId)
+fi
+des_name_list=$(jq -r 'values[]' ${AZURE_DES_FILE})
+for des_name in ${des_name_list}; do
+ echo "Granting role ${role_name} permissions to cluster service principal on scope of the DiskEncryptionSet: ${des_name}"
+ des_id=$(az disk-encryption-set show -n "${des_name}" -g "${RESOURCE_GROUP}" --query "[id]" -o tsv)
+ run_command_with_retries "az role assignment create --assignee ${cluster_sp_id} --role ${role_name} --scope ${des_id} -o jsonc" 5
+done
diff --git a/ci-operator/step-registry/azure/provision/disk-encryption-set/assign-role/azure-provision-disk-encryption-set-assign-role-ref.metadata.json b/ci-operator/step-registry/azure/provision/disk-encryption-set/assign-role/azure-provision-disk-encryption-set-assign-role-ref.metadata.json
new file mode 100644
index 0000000000000..4ee7ed294c120
--- /dev/null
+++ b/ci-operator/step-registry/azure/provision/disk-encryption-set/assign-role/azure-provision-disk-encryption-set-assign-role-ref.metadata.json
@@ -0,0 +1,12 @@
+{
+ "path": "azure/provision/disk-encryption-set/assign-role/azure-provision-disk-encryption-set-assign-role-ref.yaml",
+ "owners": {
+ "approvers": [
+ "patrickdillon",
+ "yunjiang29",
+ "MayXuQQ",
+ "jianlinliu",
+ "jinyunma"
+ ]
+ }
+}
\ No newline at end of file
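Review bot: `run_command_with_retries` reports failure when the command succeeds on its final retry, because the check after the loop is `if [ ${try} -eq ${max} ]` rather than a check of the last exit status; replace it with `if [ X"${ret}" != X"0" ]; then`. The new `run_cmd_with_retries` added to azure-provision-service-principal-minimal-permission-commands.sh has the same post-loop test. Separately, `jq -r .cluster` prints the literal string `null` when the key is absent, so the `-z "${role_name}"` guard never fires and the role assignment is attempted with a role named `null`; use `jq -r '.cluster // empty'`, and give the `.clientId` read from `azure_minimal_permission` the same guard. With `set -o errexit` a failing `run_command "az group show ..."` presumably ends the script before `ret=$?` is evaluated, so the resource-group error message is likely unreachable; `ret=0; run_command "..." || ret=$?` would keep it.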
diff --git a/ci-operator/step-registry/azure/provision/disk-encryption-set/assign-role/azure-provision-disk-encryption-set-assign-role-ref.yaml b/ci-operator/step-registry/azure/provision/disk-encryption-set/assign-role/azure-provision-disk-encryption-set-assign-role-ref.yaml
new file mode 100644
index 0000000000000..fab081c08cd99
--- /dev/null
+++ b/ci-operator/step-registry/azure/provision/disk-encryption-set/assign-role/azure-provision-disk-encryption-set-assign-role-ref.yaml
@@ -0,0 +1,20 @@
+ref:
+ as: azure-provision-disk-encryption-set-assign-role
+ from_image:
+ namespace: ocp
+ name: "4.12"
+ tag: upi-installer
+ grace_period: 10m
+ commands: azure-provision-disk-encryption-set-assign-role-commands.sh
+ env:
+ - name: AZURE_INSTALL_USE_MINIMAL_PERMISSIONS
+ default: "no"
+ documentation: |-
+ "no", default option, if the install should be done with the standard service principal from the cluster profile.
+ "yes" if the step should create a service principal user and attach a policy with only the install-needed permissions.
+ resources:
+ requests:
+ cpu: 10m
+ memory: 100Mi
+ documentation: |-
+ Provision an empty resource group.
diff --git a/ci-operator/step-registry/azure/provision/disk-encryption-set/azure-provision-disk-encryption-set-commands.sh b/ci-operator/step-registry/azure/provision/disk-encryption-set/azure-provision-disk-encryption-set-commands.sh
index 5c4f119711668..da90ad51ad77b 100644
--- a/ci-operator/step-registry/azure/provision/disk-encryption-set/azure-provision-disk-encryption-set-commands.sh
+++ b/ci-operator/step-registry/azure/provision/disk-encryption-set/azure-provision-disk-encryption-set-commands.sh
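Review bot: The step `documentation` reads `Provision an empty resource group.`, which looks copied from another ref; the commands script for this step assigns a role on each disk encryption set to the cluster service principal. It should say so and name the role, since with the default `AZURE_INSTALL_USE_MINIMAL_PERMISSIONS: "no"` the script grants the built-in `Owner` role on the DES scope, e.g. `Grant the cluster service principal a role (Owner by default, or the custom minimal-permission role) on every disk encryption set listed in ${SHARED_DIR}/azure_des.json.` If a narrower built-in role is enough for the installer to use the encryption set, that would be the better default, but this diff does not show what the installer needs. The env doc for `AZURE_INSTALL_USE_MINIMAL_PERMISSIONS` also still describes creating a service principal, which this step does not do.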
@@ -102,16 +102,6 @@ fi # The Key Vault name must be randomized because deleted Key Vaults remain in a soft-deleted state for 7 days. # A vault's name must be between 3-24 alphanumeric characters # The vault name must begin with a letter, end with a letter or digit, and not contain consecutive hyphens. -cluster_sp_id=$(cat "${AZURE_AUTH_LOCATION}" | jq -r ".clientId") -role_name="Owner" -if [[ "${ENABLE_MIN_PERMISSION_FOR_DES}" == "true" ]]; then - role_name=$(< "${SHARED_DIR}/azure_custom_role_name" jq -r .cluster) - if [[ -z "${role_name}" ]]; then - echo "Could not find cluster custom role name in file /azure_custom_role_name, which is created in step 'azure-provision-service-principal-minimal-permission'" - exit 1 - fi - cluster_sp_id=$(< "${SHARED_DIR}/azure_minimal_permission" jq -r .clientId) -fi azure_des_json="{}" des_id="" kv_prefix="ci-${NAMESPACE: -6}-${UNIQUE_HASH}" @@ -122,10 +112,8 @@ if [[ "${ENABLE_DES_DEFAULT_MACHINE}" == "true" ]]; then des_default="${kv_prefix}-des-d" create_disk_encryption_set "${RESOURCE_GROUP}" "${keyvault_default}" "${keyvault_key_default}" "${des_default}" - echo "Granting service principal reader permissions to the DiskEncryptionSet: ${des_default}" des_default_id=$(az disk-encryption-set show -n "${des_default}" -g "${RESOURCE_GROUP}" --query "[id]" -o tsv) des_id="$des_default_id" - run_command_with_retries "az role assignment create --assignee ${cluster_sp_id} --role ${role_name} --scope ${des_default_id} -o jsonc" 5 #save default des information to ${SHARED_DIR} for reference azure_des_json=$(echo "${azure_des_json}" | jq -c -S ". +={\"default\":\"${des_default}\"}") 
@@ -138,10 +126,8 @@ if [[ "${ENABLE_DES_CONTROL_PLANE}" == "true" ]]; then des_master="${kv_prefix}-des-m" create_disk_encryption_set "${RESOURCE_GROUP}" "${keyvault_master}" "${keyvault_key_master}" "${des_master}" - echo "Granting service principal reader permissions to the DiskEncryptionSet: ${des_master}" des_master_id=$(az disk-encryption-set show -n "${des_master}" -g "${RESOURCE_GROUP}" --query "[id]" -o tsv) des_id="$des_master_id" - run_command_with_retries "az role assignment create --assignee ${cluster_sp_id} --role ${role_name} --scope ${des_master_id} -o jsonc" 5 #save control plane des information to ${SHARED_DIR} for reference azure_des_json=$(echo "${azure_des_json}" | jq -c -S ". +={\"master\":\"${des_master}\"}") @@ -154,10 +140,8 @@ if [[ "${ENABLE_DES_COMPUTE}" == "true" ]]; then des_worker="${kv_prefix}-des-w" create_disk_encryption_set "${RESOURCE_GROUP}" "${keyvault_worker}" "${keyvault_key_worker}" "${des_worker}" - echo "Granting service principal reader permissions to the DiskEncryptionSet: ${des_worker}" des_worker_id=$(az disk-encryption-set show -n "${des_worker}" -g "${RESOURCE_GROUP}" --query "[id]" -o tsv) des_id="$des_worker_id" - run_command_with_retries "az role assignment create --assignee ${cluster_sp_id} --role ${role_name} --scope ${des_worker_id} -o jsonc" 5 #save compute des information to ${SHARED_DIR} for reference azure_des_json=$(echo "${azure_des_json}" | jq -c -S ". +={\"worker\":\"${des_worker}\"}") diff --git a/ci-operator/step-registry/azure/provision/disk-encryption-set/grant-permission/azure-provision-disk-encryption-set-grant-permission-commands.sh b/ci-operator/step-registry/azure/provision/disk-encryption-set/grant-permission/azure-provision-disk-encryption-set-grant-permission-commands.sh index 8694f37c152ac..5d33b7e3df021 100644 --- a/ci-operator/step-registry/azure/provision/disk-encryption-set/grant-permission/azure-provision-disk-encryption-set-grant-permission-commands.sh 
+++ b/ci-operator/step-registry/azure/provision/disk-encryption-set/grant-permission/azure-provision-disk-encryption-set-grant-permission-commands.sh @@ -51,7 +51,7 @@ if [[ "${ENABLE_MIN_PERMISSION_FOR_DES}" == "true" ]]; then role_name=$(jq -r '.cluster' "${SHARED_DIR}/azure_custom_role_name" ) fi -echo "Grants the cluster service principal ${role_name} privileges to the disk encryption set" +echo "Grants the cluster identity ${role_name} privileges to the disk encryption set" des_type_list="$(cat ${azure_des_file} | jq -r 'keys[]')" for type in ${des_type_list}; do des_name=$(cat "${azure_des_file}" | jq -r ".${type}") diff --git a/ci-operator/step-registry/azure/provision/service-principal/minimal-permission/azure-provision-service-principal-minimal-permission-chain.metadata.json b/ci-operator/step-registry/azure/provision/service-principal/minimal-permission/azure-provision-service-principal-minimal-permission-chain.metadata.json new file mode 100644 index 0000000000000..da5fb7f293fcb --- /dev/null +++ b/ci-operator/step-registry/azure/provision/service-principal/minimal-permission/azure-provision-service-principal-minimal-permission-chain.metadata.json @@ -0,0 +1,12 @@ +{ + "path": "azure/provision/service-principal/minimal-permission/azure-provision-service-principal-minimal-permission-chain.yaml", + "owners": { + "approvers": [ + "patrickdillon", + "yunjiang29", + "MayXuQQ", + "jianlinliu", + "jinyunma" + ] + } +} \ No newline at end of file diff --git a/ci-operator/step-registry/azure/provision/service-principal/minimal-permission/azure-provision-service-principal-minimal-permission-chain.yaml b/ci-operator/step-registry/azure/provision/service-principal/minimal-permission/azure-provision-service-principal-minimal-permission-chain.yaml new file mode 100644 index 0000000000000..8f9efe87432ee --- /dev/null +++ b/ci-operator/step-registry/azure/provision/service-principal/minimal-permission/azure-provision-service-principal-minimal-permission-chain.yaml 
@@ -0,0 +1,7 @@
+chain:
+ as: azure-provision-service-principal-minimal-permission
+ steps:
+ - ref: azure-provision-custom-role
+ - ref: azure-provision-service-principal-minimal-permission
+ documentation: |-
+ Privision service principal with minimal permission
diff --git a/ci-operator/step-registry/azure/provision/service-principal/minimal-permission/azure-provision-service-principal-minimal-permission-commands.sh b/ci-operator/step-registry/azure/provision/service-principal/minimal-permission/azure-provision-service-principal-minimal-permission-commands.sh
index 844c91791bef2..571f08e8d1dd2 100644
--- a/ci-operator/step-registry/azure/provision/service-principal/minimal-permission/azure-provision-service-principal-minimal-permission-commands.sh
+++ b/ci-operator/step-registry/azure/provision/service-principal/minimal-permission/azure-provision-service-principal-minimal-permission-commands.sh
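Review bot: The chain reuses the name of the ref it wraps, so a config that still lists `- ref: azure-provision-service-principal-minimal-permission` presumably still resolves but no longer runs `azure-provision-custom-role` first, now that this commit moves custom-role creation out of that ref's script. The `documentation` should spell out the ordering dependency and fix the `Privision` typo, for example `Provision a service principal with minimal permissions: create the custom role(s) first, then the service principal bound to them. Use this chain rather than the ref of the same name.` A guard in the service-principal script that fails early when `${SHARED_DIR}/azure_custom_role_name` is missing would turn a stale `ref:` entry into a clear error; whether such a guard exists is not visible in this hunk.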
@@ -41,43 +41,27 @@ function run_cmd_with_retries_save_output() return 0 } -function create_role_definition_json() { - - local role_name=$1 permissions=$2 role_definition_file=$3 - - role_description="the custom role ${role_name} with minimal permissions for cluster ${CLUSTER_NAME}" - assignable_scopes=""" -\"/subscriptions/${AZURE_AUTH_SUBSCRIPTOIN_ID}\" -""" - - # create role definition json file - jq --null-input \ - --arg role_name "${role_name}" \ - --arg description "${role_description}" \ - --argjson assignable_scopes "[ ${assignable_scopes} ]" \ - --argjson permission_list "[ ${permissions} ]" ' +function run_cmd_with_retries() { - "Name": $role_name, - "IsCustom": true, - "Description": $description, - "assignableScopes": $assignable_scopes, - "Actions": $permission_list, - "notActions": [], - "dataActions": [], - "notDataActions": [] -}' > "${role_definition_file}" -} - -function create_custom_role() { - local role_definition="$1" - local custom_role_name="$2" - - # create custom role - cmd="az role definition create --role-definition ${role_definition}" - run_command "${cmd}" || return 1 + local cmd="$1" retries="${2:-}" + local try=0 ret=0 + [[ -z ${retries} ]] && max="20" || max=${retries} + echo "Trying ${max} times max to run '${cmd}'" - echo "Sleep 1 min to wait for custom role created" - sleep 60 + res=$(eval "${cmd}") || ret=$? + while [[ ${ret} -ne 0 || -z "${res}" ]] && [ ${try} -lt ${max} ]; do + echo "'${cmd}' did not return success or return empty, waiting 60 sec....." + sleep 60 + try=$(( try + 1 )) + ret=0 + res=$(eval "${cmd}") || ret=$? + done + if [ ${try} -eq ${max} ]; then + echo "Never succeed or Timeout" + return 1 + fi + echo "Succeed" + return 0 } function create_sp_with_custom_role() { 
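Review bot: `run_cmd_with_retries` treats empty stdout as a failure and never prints the captured output, and neither behaviour is documented: a command that succeeds silently is retried until the limit, and whatever the command printed to stdout is dropped from the job log. A header comment such as `# Retry until the command exits 0 AND prints non-empty output; the output is discarded.` would make that contract explicit. `res` and `max` are assigned without `local`, so they leak into the script's global scope; `local res max` next to `local try=0 ret=0` fixes that. The command string is run through `eval`, so callers should quote any interpolated value that comes from a file or an environment variable.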
@@ -91,27 +75,6 @@ function create_sp_with_custom_role() { run_cmd_with_retries_save_output "az ad sp create-for-rbac --role '${custom_role_name}' --name ${sp_name} --scopes /subscriptions/${subscription_id}" "${sp_output}" "5" } -if [[ "${AZURE_INSTALL_USE_MINIMAL_PERMISSIONS}" == "no" ]]; then - echo "AZURE_INSTALL_USE_MINIMAL_PERMISSIONS is set to no, skip this step to create sp with minimal permission!" - exit 0 -fi - -echo "RELEASE_IMAGE_LATEST: ${RELEASE_IMAGE_LATEST}" -echo "RELEASE_IMAGE_LATEST_FROM_BUILD_FARM: ${RELEASE_IMAGE_LATEST_FROM_BUILD_FARM}" -export HOME="${HOME:-/tmp/home}" -export XDG_RUNTIME_DIR="${HOME}/run" -export REGISTRY_AUTH_PREFERENCE=podman # TODO: remove later, used for migrating oc from docker to podman -mkdir -p "${XDG_RUNTIME_DIR}" -# After cluster is set up, ci-operator make KUBECONFIG pointing to the installed cluster, -# to make "oc registry login" interact with the build farm, set KUBECONFIG to empty, -# so that the credentials of the build farm registry can be saved in docker client config file. -# A direct connection is required while communicating with build-farm, instead of through proxy -KUBECONFIG="" oc --loglevel=8 registry login -ocp_version=$(oc adm release info ${RELEASE_IMAGE_LATEST_FROM_BUILD_FARM} --output=json | jq -r '.metadata.version' | cut -d. -f 1,2) -echo "OCP Version: $ocp_version" -ocp_major_version=$( echo "${ocp_version}" | awk --field-separator=. '{print $1}' ) -ocp_minor_version=$( echo "${ocp_version}" | awk --field-separator=. '{print $2}' ) - # az should already be there command -v az az --version 
@@ -137,282 +100,51 @@ az login --service-principal -u "${AZURE_AUTH_CLIENT_ID}" -p "${AZURE_AUTH_CLIEN az account set --subscription ${AZURE_AUTH_SUBSCRIPTOIN_ID} CLUSTER_NAME="${NAMESPACE}-${UNIQUE_HASH}" -ROLE_DEFINITION="${ARTIFACT_DIR}/azure-custom-role-definition-minimal-permissions.json" -CUSTOM_ROLE_NAME="${CLUSTER_NAME}-custom-role" -SP_NAME="${CLUSTER_NAME}-sp" -SP_OUTPUT="$(mktemp)" - -required_permissions=""" -\"Microsoft.Authorization/policies/audit/action\", -\"Microsoft.Authorization/policies/auditIfNotExists/action\", -\"Microsoft.Authorization/roleAssignments/read\", -\"Microsoft.Authorization/roleAssignments/write\", -\"Microsoft.Compute/availabilitySets/read\", -\"Microsoft.Compute/availabilitySets/write\", -\"Microsoft.Compute/availabilitySets/delete\", -\"Microsoft.Compute/disks/beginGetAccess/action\", -\"Microsoft.Compute/disks/delete\", -\"Microsoft.Compute/disks/read\", -\"Microsoft.Compute/disks/write\", -\"Microsoft.Compute/galleries/images/read\", -\"Microsoft.Compute/galleries/images/versions/read\", -\"Microsoft.Compute/galleries/images/versions/write\", -\"Microsoft.Compute/galleries/images/write\", -\"Microsoft.Compute/galleries/read\", -\"Microsoft.Compute/galleries/write\", -\"Microsoft.Compute/snapshots/read\", -\"Microsoft.Compute/snapshots/write\", -\"Microsoft.Compute/snapshots/delete\", -\"Microsoft.Compute/virtualMachines/delete\", -\"Microsoft.Compute/virtualMachines/powerOff/action\", -\"Microsoft.Compute/virtualMachines/read\", -\"Microsoft.Compute/virtualMachines/write\", -\"Microsoft.ManagedIdentity/userAssignedIdentities/assign/action\", -\"Microsoft.ManagedIdentity/userAssignedIdentities/read\", -\"Microsoft.ManagedIdentity/userAssignedIdentities/write\", -\"Microsoft.Network/dnsZones/A/write\", -\"Microsoft.Network/dnsZones/CNAME/write\", -\"Microsoft.Network/dnszones/CNAME/read\", -\"Microsoft.Network/dnszones/read\", -\"Microsoft.Network/loadBalancers/backendAddressPools/join/action\", 
-\"Microsoft.Network/loadBalancers/backendAddressPools/read\", -\"Microsoft.Network/loadBalancers/backendAddressPools/write\", -\"Microsoft.Network/loadBalancers/read\", -\"Microsoft.Network/loadBalancers/write\", -\"Microsoft.Network/networkInterfaces/delete\", -\"Microsoft.Network/networkInterfaces/join/action\", -\"Microsoft.Network/networkInterfaces/read\", -\"Microsoft.Network/networkInterfaces/write\", -\"Microsoft.Network/networkSecurityGroups/join/action\", -\"Microsoft.Network/networkSecurityGroups/read\", -\"Microsoft.Network/networkSecurityGroups/securityRules/delete\", -\"Microsoft.Network/networkSecurityGroups/securityRules/read\", -\"Microsoft.Network/networkSecurityGroups/securityRules/write\", -\"Microsoft.Network/networkSecurityGroups/write\", -\"Microsoft.Network/privateDnsZones/A/read\", -\"Microsoft.Network/privateDnsZones/A/write\", -\"Microsoft.Network/privateDnsZones/A/delete\", -\"Microsoft.Network/privateDnsZones/SOA/read\", -\"Microsoft.Network/privateDnsZones/read\", -\"Microsoft.Network/privateDnsZones/virtualNetworkLinks/read\", -\"Microsoft.Network/privateDnsZones/virtualNetworkLinks/write\", -\"Microsoft.Network/privateDnsZones/write\", -\"Microsoft.Network/publicIPAddresses/delete\", -\"Microsoft.Network/publicIPAddresses/join/action\", -\"Microsoft.Network/publicIPAddresses/read\", -\"Microsoft.Network/publicIPAddresses/write\", -\"Microsoft.Network/virtualNetworks/join/action\", -\"Microsoft.Network/virtualNetworks/read\", -\"Microsoft.Network/virtualNetworks/subnets/join/action\", -\"Microsoft.Network/virtualNetworks/subnets/read\", -\"Microsoft.Network/virtualNetworks/subnets/write\", -\"Microsoft.Network/virtualNetworks/write\", -\"Microsoft.Resourcehealth/healthevent/Activated/action\", -\"Microsoft.Resourcehealth/healthevent/InProgress/action\", -\"Microsoft.Resourcehealth/healthevent/Pending/action\", -\"Microsoft.Resourcehealth/healthevent/Resolved/action\", -\"Microsoft.Resourcehealth/healthevent/Updated/action\", 
-\"Microsoft.Resources/subscriptions/resourceGroups/read\", -\"Microsoft.Resources/subscriptions/resourcegroups/write\", -\"Microsoft.Resources/tags/write\", -\"Microsoft.Storage/storageAccounts/blobServices/read\", -\"Microsoft.Storage/storageAccounts/blobServices/containers/write\", -\"Microsoft.Storage/storageAccounts/fileServices/read\", -\"Microsoft.Storage/storageAccounts/fileServices/shares/read\", -\"Microsoft.Storage/storageAccounts/fileServices/shares/write\", -\"Microsoft.Storage/storageAccounts/fileServices/shares/delete\", -\"Microsoft.Storage/storageAccounts/listKeys/action\", -\"Microsoft.Storage/storageAccounts/read\", -\"Microsoft.Storage/storageAccounts/write\", -\"Microsoft.Authorization/roleAssignments/delete\", -\"Microsoft.Compute/disks/delete\", -\"Microsoft.Compute/galleries/delete\", -\"Microsoft.Compute/galleries/images/delete\", -\"Microsoft.Compute/galleries/images/versions/delete\", -\"Microsoft.Compute/virtualMachines/delete\", -\"Microsoft.ManagedIdentity/userAssignedIdentities/delete\", -\"Microsoft.Network/dnszones/read\", -\"Microsoft.Network/dnsZones/A/read\", -\"Microsoft.Network/dnsZones/A/delete\", -\"Microsoft.Network/dnsZones/CNAME/read\", -\"Microsoft.Network/dnsZones/CNAME/delete\", -\"Microsoft.Network/loadBalancers/delete\", -\"Microsoft.Network/networkInterfaces/delete\", -\"Microsoft.Network/networkSecurityGroups/delete\", -\"Microsoft.Network/privateDnsZones/read\", -\"Microsoft.Network/privateDnsZones/A/read\", -\"Microsoft.Network/privateDnsZones/delete\", -\"Microsoft.Network/privateDnsZones/virtualNetworkLinks/delete\", -\"Microsoft.Network/publicIPAddresses/delete\", -\"Microsoft.Network/virtualNetworks/delete\", -\"Microsoft.Resourcehealth/healthevent/Activated/action\", -\"Microsoft.Resourcehealth/healthevent/Resolved/action\", -\"Microsoft.Resourcehealth/healthevent/Updated/action\", -\"Microsoft.Resources/subscriptions/resourcegroups/delete\", -\"Microsoft.Storage/storageAccounts/delete\", 
-\"Microsoft.Storage/storageAccounts/listKeys/action\" -""" - -# optional permissions for external dns operator -required_permissions=""" -\"Microsoft.Network/privateDnsZones/CNAME/read\", -\"Microsoft.Network/privateDnsZones/CNAME/write\", -\"Microsoft.Network/privateDnsZones/CNAME/delete\", -\"Microsoft.Network/privateDnsZones/TXT/read\", -\"Microsoft.Network/privateDnsZones/TXT/write\", -\"Microsoft.Network/privateDnsZones/TXT/delete\", -${required_permissions} -""" +sp_list="" +[[ "${AZURE_INSTALL_USE_MINIMAL_PERMISSIONS}" == "yes" ]] && sp_list="${sp_list} cluster" +[[ "${ENABLE_MIN_PERMISSION_FOR_STS}" == "true" ]] && sp_list="${sp_list} sts" -# optional permission to gather bootstrap bundle log -required_permissions=""" -\"Microsoft.Compute/virtualMachines/retrieveBootDiagnosticsData/action\", -${required_permissions} -""" - -# New permissions are instroduced when using CAPZ to provision IPI cluster -if [[ "${CLUSTER_TYPE_MIN_PERMISSOIN}" == "IPI" ]] && (( ocp_minor_version >= 17 && ocp_major_version == 4 )); then - # routeTables relevant perssions can be removed once OCPBUGS-37663 is fixed. 
- required_permissions=""" -\"Microsoft.Network/routeTables/read\", -\"Microsoft.Network/routeTables/write\", -\"Microsoft.Network/routeTables/join/action\", -\"Microsoft.Network/loadBalancers/inboundNatRules/read\", -\"Microsoft.Network/loadBalancers/inboundNatRules/write\", -\"Microsoft.Network/loadBalancers/inboundNatRules/join/action\", -\"Microsoft.Network/loadBalancers/inboundNatRules/delete\", -${required_permissions} -""" -fi - - -if [[ "${CLUSTER_TYPE_MIN_PERMISSOIN}" == "UPI" ]]; then - required_permissions=""" -\"Microsoft.Compute/images/read\", -\"Microsoft.Compute/images/write\", -\"Microsoft.Compute/images/delete\", -\"Microsoft.Compute/virtualMachines/deallocate/action\", -\"Microsoft.Storage/storageAccounts/blobServices/containers/read\", -\"Microsoft.Resources/deployments/read\", -\"Microsoft.Resources/deployments/write\", -\"Microsoft.Resources/deployments/validate/action\", -\"Microsoft.Resources/deployments/operationstatuses/read\", -${required_permissions} -""" -fi - -if [[ "${ENABLE_MIN_PERMISSION_FOR_MARKETPLACE}" == "true" ]]; then - required_permissions=""" -\"Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/read\", -\"Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write\", -\"Microsoft.Compute/images/read\", -\"Microsoft.Compute/images/write\", -\"Microsoft.Compute/images/delete\", -${required_permissions} -""" -fi - -if [[ "${ENABLE_MIN_PERMISSION_FOR_DES}" == "true" ]]; then - required_permissions=""" -\"Microsoft.Compute/diskEncryptionSets/read\", -\"Microsoft.Compute/diskEncryptionSets/write\", -\"Microsoft.Compute/diskEncryptionSets/delete\", -\"Microsoft.KeyVault/vaults/read\", -\"Microsoft.KeyVault/vaults/write\", -\"Microsoft.KeyVault/vaults/delete\", -\"Microsoft.KeyVault/vaults/deploy/action\", -\"Microsoft.KeyVault/vaults/keys/read\", -\"Microsoft.KeyVault/vaults/keys/write\", -${required_permissions} -""" -fi - -custom_role_name_json="{}" -if [[ -n 
"${AZURE_PERMISSION_FOR_CLUSTER_SP}" ]]; then - sp_role="${AZURE_PERMISSION_FOR_CLUSTER_SP}" -else - create_role_definition_json "${CUSTOM_ROLE_NAME}" "${required_permissions}" "${ROLE_DEFINITION}" - echo "Creating custom role..." - create_custom_role "${ROLE_DEFINITION}" "${CUSTOM_ROLE_NAME}" - # for destroy - custom_role_name_json=$(echo "${custom_role_name_json}" | jq -c -S ". +={\"cluster\":\"${CUSTOM_ROLE_NAME}\"}") - echo "${custom_role_name_json}" > "${SHARED_DIR}/azure_custom_role_name" - sp_role="${CUSTOM_ROLE_NAME}" -fi -echo "Creating sp with custom role..." -create_sp_with_custom_role "${SP_NAME}" "${sp_role}" "${AZURE_AUTH_SUBSCRIPTOIN_ID}" "${SP_OUTPUT}" -sp_id=$(jq -r .appId "${SP_OUTPUT}") -sp_password=$(jq -r .password "${SP_OUTPUT}") -sp_tenant=$(jq -r .tenant "${SP_OUTPUT}") -if [[ "${sp_id}" == "" ]] || [[ "${sp_password}" == "" ]]; then - echo "Unable to get service principal id or password, exit..." - exit 1 +if [[ -z "${sp_list}" ]]; then + echo "Both AZURE_INSTALL_USE_MINIMAL_PERMISSIONS and ENABLE_MIN_PERMISSION_FOR_STS are disabled, skip this step to create service principal with minimal permission!" 
+ exit 0 fi -echo "New service principal id: ${sp_id}" -cat < "${SHARED_DIR}/azure_minimal_permission" -{"subscriptionId":"${AZURE_AUTH_SUBSCRIPTOIN_ID}","clientId":"${sp_id}","tenantId":"${sp_tenant}","clientSecret":"${sp_password}"} -EOF -# for destroy -echo "${sp_id}" > "${SHARED_DIR}/azure_sp_id" -rm -f ${SP_OUTPUT} - -# create SP with minimal permission for CCO to create required Azure resources when using workload identity -if [[ "${ENABLE_MIN_PERMISSION_FOR_STS}" == "true" ]]; then - sts_required_permissions=""" -\"Microsoft.Resources/subscriptions/resourceGroups/read\", -\"Microsoft.Resources/subscriptions/resourceGroups/write\", -\"Microsoft.Resources/subscriptions/resourceGroups/delete\", -\"Microsoft.Authorization/roleAssignments/read\", -\"Microsoft.Authorization/roleAssignments/delete\", -\"Microsoft.Authorization/roleAssignments/write\", -\"Microsoft.Authorization/roleDefinitions/read\", -\"Microsoft.Authorization/roleDefinitions/write\", -\"Microsoft.Authorization/roleDefinitions/delete\", -\"Microsoft.Storage/storageAccounts/listkeys/action\", -\"Microsoft.Storage/storageAccounts/delete\", -\"Microsoft.Storage/storageAccounts/read\", -\"Microsoft.Storage/storageAccounts/write\", -\"Microsoft.Storage/storageAccounts/blobServices/containers/write\", -\"Microsoft.Storage/storageAccounts/blobServices/containers/delete\", -\"Microsoft.Storage/storageAccounts/blobServices/containers/read\", -\"Microsoft.ManagedIdentity/userAssignedIdentities/delete\", -\"Microsoft.ManagedIdentity/userAssignedIdentities/read\", -\"Microsoft.ManagedIdentity/userAssignedIdentities/write\", -\"Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read\", -\"Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write\", -\"Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete\", -\"Microsoft.Storage/register/action\", -\"Microsoft.ManagedIdentity/register/action\" -""" - 
sts_role_name="${CLUSTER_NAME}-custom-role-sts" - sts_role_definition="${ARTIFACT_DIR}/azure-custom-role-definition-sts-minimal-permissions.json" - sts_sp_name="${CLUSTER_NAME}-sp-sts" - sts_sp_output=$(mktemp) - - echo "Create SP with minimal permission for CCO" - create_role_definition_json "${sts_role_name}" "${sts_required_permissions}" "${sts_role_definition}" - create_custom_role "${sts_role_definition}" "${sts_role_name}" - # for destroy - custom_role_name_json=$(echo "${custom_role_name_json}" | jq -c -S ". +={\"ccoctl\":\"${sts_role_name}\"}") - echo "${custom_role_name_json}" > "${SHARED_DIR}/azure_custom_role_name" - sts_sp_role="${sts_role_name}" - create_sp_with_custom_role "${sts_sp_name}" "${sts_sp_role}" "${AZURE_AUTH_SUBSCRIPTOIN_ID}" "${sts_sp_output}" - sts_sp_id=$(jq -r .appId "${sts_sp_output}") - sts_sp_password=$(jq -r .password "${sts_sp_output}") - sts_sp_tenant=$(jq -r .tenant "${sts_sp_output}") +for sp_type in ${sp_list}; do + sp_name="${CLUSTER_NAME}-sp-${sp_type}" + sp_output="$(mktemp)" + if [[ -n "${AZURE_PERMISSION_FOR_CLUSTER_SP}" ]] && [[ "${sp_type}" == "cluster" ]]; then + role_name="${AZURE_PERMISSION_FOR_CLUSTER_SP}" + else + [[ ! -f "${SHARED_DIR}/azure_custom_role_name" ]] && echo "Unable to find file /azure_custom_role_name, abort..." && exit 1 + role_name=$(jq -r ".${sp_type}" "${SHARED_DIR}/azure_custom_role_name") + fi - if [[ "${sts_sp_id}" == "" ]] || [[ "${sts_sp_password}" == "" ]]; then + echo "Creating ${sp_type} sp with role ${role_name} granted..." + create_sp_with_custom_role "${sp_name}" "${role_name}" "${AZURE_AUTH_SUBSCRIPTOIN_ID}" "${sp_output}" + sp_id=$(jq -r .appId "${sp_output}") + sp_password=$(jq -r .password "${sp_output}") + sp_tenant=$(jq -r .tenant "${sp_output}") + if [[ "${sp_id}" == "" ]] || [[ "${sp_password}" == "" ]]; then echo "Unable to get service principal id or password, exit..." 
exit 1 fi - echo "New service principal id: ${sts_sp_id}" - cat < "${SHARED_DIR}/azure_minimal_permission_sts" -{"subscriptionId":"${AZURE_AUTH_SUBSCRIPTOIN_ID}","clientId":"${sts_sp_id}","tenantId":"${sts_sp_tenant}","clientSecret":"${sts_sp_password}"} + echo "New service principal id: ${sp_id}" + os_sp_file_name="azure_minimal_permission" + if [[ "${sp_type}" != "cluster" ]]; then + os_sp_file_name="azure_minimal_permission_${sp_type}" + fi + cat < "${SHARED_DIR}/${os_sp_file_name}" +{"subscriptionId":"${AZURE_AUTH_SUBSCRIPTOIN_ID}","clientId":"${sp_id}","tenantId":"${sp_tenant}","clientSecret":"${sp_password}"} EOF + # for destroy - echo "${sts_sp_id}" >> "${SHARED_DIR}/azure_sp_id" - rm -rf ${sts_sp_output} -fi + echo "${sp_id}" >> "${SHARED_DIR}/azure_sp_id" + rm -f ${sp_output} + + # ensure that role assignment creation is successful + echo "Ensure that role ${role_name} assigned successfully" + cmd="az role assignment list --role '${role_name}'" + run_cmd_with_retries "${cmd}" +done diff --git a/ci-operator/step-registry/azure/provision/service-principal/minimal-permission/azure-provision-service-principal-minimal-permission-ref.yaml b/ci-operator/step-registry/azure/provision/service-principal/minimal-permission/azure-provision-service-principal-minimal-permission-ref.yaml index 58d6d568961c2..3cd9c8972c5ca 100644 --- a/ci-operator/step-registry/azure/provision/service-principal/minimal-permission/azure-provision-service-principal-minimal-permission-ref.yaml +++ b/ci-operator/step-registry/azure/provision/service-principal/minimal-permission/azure-provision-service-principal-minimal-permission-ref.yaml 
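Review bot: The closing check `az role assignment list --role '${role_name}'` does not confirm that the new service principal holds the role: it is not filtered by assignee, and with az's default JSON output (assuming the job does not override it) an empty result prints `[]`, which `run_cmd_with_retries` accepts as non-empty. Bind it to the principal and use an output that is empty when nothing matches, e.g. `cmd="az role assignment list --assignee ${sp_id} --role '${role_name}' --query '[].id' -o tsv"`. Separately, `jq -r ".${sp_type}"` returns the literal string `null` for a missing key, and the removed code stored the STS role under `ccoctl` rather than `sts`; unless the step that now writes `azure_custom_role_name` (not shown here) uses the new key, `role_name=$(jq -er ".${sp_type}" "${SHARED_DIR}/azure_custom_role_name") || exit 1` fails fast instead of retrying with role `null`. On the `exit 1` path the temp file `${sp_output}`, which holds the client secret, is left behind, so it should be removed before exiting.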
@@ -19,23 +19,15 @@ ref: documentation: |- The provision way to set up cluster to test installation with Azure crendentials with minimal permissions. Valid value: IPI UPI - - name: ENABLE_MIN_PERMISSION_FOR_MARKETPLACE - default: "false" - documentation: |- - Assign addtional permissions for SP to install cluster with marketplace image - - name: ENABLE_MIN_PERMISSION_FOR_DES - default: "false" - documentation: |- - Assign additional permissions for SP to install cluster configured disk encryption set - - name: ENABLE_MIN_PERMISSION_FOR_STS - default: "false" - documentation: |- - Assign minimal permissions for SP to create workload identity related azure resources by CCO. - name: AZURE_PERMISSION_FOR_CLUSTER_SP default: "" documentation: |- Define permission assigned to cluster service principal. If not defined, will create customer role with minimal permission and assign to cluster sp on scope of subscription. + - name: ENABLE_MIN_PERMISSION_FOR_STS + default: "false" + documentation: |- + Assign minimal permissions for SP to create workload identity related azure resources by ccoctl. - name: AZURE_INSTALL_USE_MINIMAL_PERMISSIONS default: "no" documentation: |- diff --git a/ci-operator/step-registry/azure/provision/vnet/azure-provision-vnet-commands.sh b/ci-operator/step-registry/azure/provision/vnet/azure-provision-vnet-commands.sh index 7594037b2b57e..e7683c532a050 100644 --- a/ci-operator/step-registry/azure/provision/vnet/azure-provision-vnet-commands.sh +++ b/ci-operator/step-registry/azure/provision/vnet/azure-provision-vnet-commands.sh 
@@ -120,17 +120,6 @@ if [ X"$ret" != X"0" ]; then exit 1 fi -# Assigne proper permissions to resource group where vnet will be created -if [[ -n "${AZURE_PERMISSION_FOR_VNET_RG}" ]]; then - cluster_sp_id=${AZURE_AUTH_CLIENT_ID} - if [[ -f "${SHARED_DIR}/azure_minimal_permission" ]]; then - cluster_sp_id=$(jq -r '.clientId' "${SHARED_DIR}/azure_minimal_permission") - fi - resource_group_id=$(az group show -g "${RESOURCE_GROUP}" --query id -otsv) - echo "Assigin role '${AZURE_PERMISSION_FOR_VNET_RG}' to resource group ${RESOURCE_GROUP}" - run_command "az role assignment create --assignee ${cluster_sp_id} --role '${AZURE_PERMISSION_FOR_VNET_RG}' --scope ${resource_group_id} -o jsonc" -fi - VNET_BASE_NAME="${NAMESPACE}-${UNIQUE_HASH}" # create vnet diff --git a/ci-operator/step-registry/azure/provision/vnet/azure-provision-vnet-ref.yaml b/ci-operator/step-registry/azure/provision/vnet/azure-provision-vnet-ref.yaml index f07603fa27fb8..2f4ec4730c9c9 100644 --- a/ci-operator/step-registry/azure/provision/vnet/azure-provision-vnet-ref.yaml +++ b/ci-operator/step-registry/azure/provision/vnet/azure-provision-vnet-ref.yaml @@ -27,10 +27,6 @@ ref: documentation: |- Format: "key1=value1 key2=value2" Add customer tags on existing vnet to test shared tags added by installer is not overriden. - - name: AZURE_PERMISSION_FOR_VNET_RG - default: "" - documentation: |- - Role assigned to cluster sp on scope of resource group where vnet reside in. - name: AZURE_CUSTOM_NSG default: "no" documentation: |- 
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/capability/baselinecaps/vset/additionalcaps/provision/cucushift-installer-rehearse-azure-ipi-capability-baselinecaps-vset-additionalcaps-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/capability/baselinecaps/vset/additionalcaps/provision/cucushift-installer-rehearse-azure-ipi-capability-baselinecaps-vset-additionalcaps-provision-chain.yaml
index be9e4a6c35a1f..871ca905a9e40 100644
--- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/capability/baselinecaps/vset/additionalcaps/provision/cucushift-installer-rehearse-azure-ipi-capability-baselinecaps-vset-additionalcaps-provision-chain.yaml
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/capability/baselinecaps/vset/additionalcaps/provision/cucushift-installer-rehearse-azure-ipi-capability-baselinecaps-vset-additionalcaps-provision-chain.yaml
@@ -4,7 +4,7 @@ chain:
 - chain: ipi-conf-azure
 - ref: ipi-conf-capability-baselinecaps-vset
 - ref: ipi-conf-capability-additionalcaps
- - ref: azure-provision-service-principal-minimal-permission
+ - chain: azure-provision-service-principal-minimal-permission
 - chain: ipi-install
 - ref: enable-qe-catalogsource
 - chain: cucushift-installer-check
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/capability/baselinecaps/vset/provision/cucushift-installer-rehearse-azure-ipi-capability-baselinecaps-vset-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/capability/baselinecaps/vset/provision/cucushift-installer-rehearse-azure-ipi-capability-baselinecaps-vset-provision-chain.yaml
index d744261da5e4d..f0453e79fec42 100644
--- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/capability/baselinecaps/vset/provision/cucushift-installer-rehearse-azure-ipi-capability-baselinecaps-vset-provision-chain.yaml
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/capability/baselinecaps/vset/provision/cucushift-installer-rehearse-azure-ipi-capability-baselinecaps-vset-provision-chain.yaml
@@ -3,7 +3,7 @@ chain:
 steps:
 - chain: ipi-conf-azure
 - ref: ipi-conf-capability-baselinecaps-vset
- - ref: azure-provision-service-principal-minimal-permission
+ - chain: azure-provision-service-principal-minimal-permission
 - chain: ipi-install
 - ref: enable-qe-catalogsource
 - chain: cucushift-installer-check
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/cco-manual-workload-identity/managed-identity/provision/cucushift-installer-rehearse-azure-ipi-cco-manual-workload-identity-managed-identity-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/cco-manual-workload-identity/managed-identity/provision/cucushift-installer-rehearse-azure-ipi-cco-manual-workload-identity-managed-identity-provision-chain.yaml
index fa5bd538b23ca..f22d7478edc1b 100644
--- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/cco-manual-workload-identity/managed-identity/provision/cucushift-installer-rehearse-azure-ipi-cco-manual-workload-identity-managed-identity-provision-chain.yaml
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/cco-manual-workload-identity/managed-identity/provision/cucushift-installer-rehearse-azure-ipi-cco-manual-workload-identity-managed-identity-provision-chain.yaml
@@ -4,11 +4,11 @@ chain:
 - ref: azure-provision-resourcegroup
 - ref: azure-provision-vnet
 - chain: azure-provision-bastionhost
- - ref: azure-provision-service-principal-minimal-permission
- - ref: azure-provision-bastionhost-managed-identity
 - chain: ipi-conf-azure
 - ref: ipi-conf-azure-sharednetwork
 - ref: ipi-conf-manual-creds
+ - ref: azure-provision-custom-role
+ - ref: azure-provision-bastionhost-managed-identity
 - ref: ipi-conf-azure-oidc-creds-provision
 - ref: ipi-conf-azure-provisioned-resourcegroup
 - ref: ipi-install-rbac
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/cco-manual-workload-identity/provision/cucushift-installer-rehearse-azure-ipi-cco-manual-workload-identity-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/cco-manual-workload-identity/provision/cucushift-installer-rehearse-azure-ipi-cco-manual-workload-identity-provision-chain.yaml
index 9efcd3e2a65fc..5e3ef66fa4d4b 100644
--- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/cco-manual-workload-identity/provision/cucushift-installer-rehearse-azure-ipi-cco-manual-workload-identity-provision-chain.yaml
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/cco-manual-workload-identity/provision/cucushift-installer-rehearse-azure-ipi-cco-manual-workload-identity-provision-chain.yaml
@@ -3,7 +3,7 @@ chain:
 steps:
 - chain: ipi-conf-azure
 - ref: ipi-conf-manual-creds
- - ref: azure-provision-service-principal-minimal-permission
+ - chain: azure-provision-service-principal-minimal-permission
 - ref: ipi-conf-azure-oidc-creds-provision
 - ref: ipi-conf-azure-provisioned-resourcegroup
 - chain: ipi-install
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/confidential/confidentialvm/provision/cucushift-installer-rehearse-azure-ipi-confidential-confidentialvm-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/confidential/confidentialvm/provision/cucushift-installer-rehearse-azure-ipi-confidential-confidentialvm-provision-chain.yaml
index 80870adce9399..90e9cd015bb0e 100644
--- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/confidential/confidentialvm/provision/cucushift-installer-rehearse-azure-ipi-confidential-confidentialvm-provision-chain.yaml
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/confidential/confidentialvm/provision/cucushift-installer-rehearse-azure-ipi-confidential-confidentialvm-provision-chain.yaml
@@ -4,7 +4,7 @@ chain:
 - chain: ipi-conf-azure
 - ref: ipi-conf-azure-confidential
 - ref: ipi-conf-azure-custom-region
- - ref: azure-provision-service-principal-minimal-permission
+ - chain: azure-provision-service-principal-minimal-permission
 - chain: ipi-install
 - ref: enable-qe-catalogsource
 - chain: cucushift-installer-check
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/confidential/trustedlaunch/provision/cucushift-installer-rehearse-azure-ipi-confidential-trustedlaunch-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/confidential/trustedlaunch/provision/cucushift-installer-rehearse-azure-ipi-confidential-trustedlaunch-provision-chain.yaml
index feb2cfda21d9a..687fa5f809b9d 100644
--- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/confidential/trustedlaunch/provision/cucushift-installer-rehearse-azure-ipi-confidential-trustedlaunch-provision-chain.yaml
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/confidential/trustedlaunch/provision/cucushift-installer-rehearse-azure-ipi-confidential-trustedlaunch-provision-chain.yaml
@@ -3,7 +3,7 @@ chain:
 steps:
 - chain: ipi-conf-azure
 - ref: ipi-conf-azure-confidential
- - ref: azure-provision-service-principal-minimal-permission
+ - chain: azure-provision-service-principal-minimal-permission
 - chain: ipi-install
 - ref: enable-qe-catalogsource
 - chain: cucushift-installer-check
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/default/provision/cucushift-installer-rehearse-azure-ipi-default-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/default/provision/cucushift-installer-rehearse-azure-ipi-default-provision-chain.yaml
index a68a3f9b406de..f54a4ddaadc48 100644
--- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/default/provision/cucushift-installer-rehearse-azure-ipi-default-provision-chain.yaml
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/default/provision/cucushift-installer-rehearse-azure-ipi-default-provision-chain.yaml
@@ -1,9 +1,9 @@
 chain:
 as: cucushift-installer-rehearse-azure-ipi-default-provision
 steps:
- - ref: azure-provision-service-principal-minimal-permission
 - ref: ipi-conf
 - ref: ipi-conf-azure-default
+ - chain: azure-provision-service-principal-minimal-permission
 - chain: ipi-install
 - chain: cucushift-installer-check
 - chain: cucushift-installer-check-azure
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disconnected/cco-manual-workload-identity/provision/cucushift-installer-rehearse-azure-ipi-disconnected-cco-manual-workload-identity-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disconnected/cco-manual-workload-identity/provision/cucushift-installer-rehearse-azure-ipi-disconnected-cco-manual-workload-identity-provision-chain.yaml
index 3e2c90460e59f..67405a6b3b5cc 100644
--- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disconnected/cco-manual-workload-identity/provision/cucushift-installer-rehearse-azure-ipi-disconnected-cco-manual-workload-identity-provision-chain.yaml
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disconnected/cco-manual-workload-identity/provision/cucushift-installer-rehearse-azure-ipi-disconnected-cco-manual-workload-identity-provision-chain.yaml
@@ -8,11 +8,11 @@ chain:
 - chain: mirror-images-payload
 - chain: ipi-conf-azure
 - ref: ipi-conf-manual-creds
+ - chain: azure-provision-service-principal-minimal-permission
 - ref: ipi-conf-azure-oidc-creds-provision
 - ref: ipi-conf-azure-provisioned-resourcegroup
 - ref: ipi-conf-mirror
 - ref: ipi-conf-azure-provisionednetwork
- - ref: azure-provision-service-principal-minimal-permission
 - ref: ipi-install-install
 - ref: ipi-install-times-collection
 - ref: enable-qe-catalogsource-disconnected
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disconnected/fullyprivate/firewall/provision/cucushift-installer-rehearse-azure-ipi-disconnected-fullyprivate-firewall-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disconnected/fullyprivate/firewall/provision/cucushift-installer-rehearse-azure-ipi-disconnected-fullyprivate-firewall-provision-chain.yaml
index 604ece285a3a1..e8216d1634eea 100644
--- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disconnected/fullyprivate/firewall/provision/cucushift-installer-rehearse-azure-ipi-disconnected-fullyprivate-firewall-provision-chain.yaml
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disconnected/fullyprivate/firewall/provision/cucushift-installer-rehearse-azure-ipi-disconnected-fullyprivate-firewall-provision-chain.yaml
@@ -11,8 +11,8 @@ chain:
 - chain: ipi-conf-azure
 - ref: ipi-conf-mirror
 - ref: ipi-conf-azure-provisionednetwork
+ - chain: azure-provision-service-principal-minimal-permission
 - ref: ipi-install-install
- - ref: azure-provision-service-principal-minimal-permission
 - ref: ipi-install-times-collection
 - ref: enable-qe-catalogsource-disconnected
 - ref: mirror-images-tag-images
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disconnected/fullyprivate/provision/cucushift-installer-rehearse-azure-ipi-disconnected-fullyprivate-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disconnected/fullyprivate/provision/cucushift-installer-rehearse-azure-ipi-disconnected-fullyprivate-provision-chain.yaml
index b9a9c0d901402..173fdf08e211d 100644
--- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disconnected/fullyprivate/provision/cucushift-installer-rehearse-azure-ipi-disconnected-fullyprivate-provision-chain.yaml
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disconnected/fullyprivate/provision/cucushift-installer-rehearse-azure-ipi-disconnected-fullyprivate-provision-chain.yaml
@@ -11,7 +11,7 @@ chain:
 - chain: ipi-conf-azure
 - ref: ipi-conf-mirror
 - ref: ipi-conf-azure-provisionednetwork
- - ref: azure-provision-service-principal-minimal-permission
+ - chain: azure-provision-service-principal-minimal-permission
 - ref: ipi-install-install
 - ref: ipi-install-times-collection
 - ref: enable-qe-catalogsource-disconnected
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disconnected/fullyprivate/techpreview/provision/cucushift-installer-rehearse-azure-ipi-disconnected-fullyprivate-techpreview-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disconnected/fullyprivate/techpreview/provision/cucushift-installer-rehearse-azure-ipi-disconnected-fullyprivate-techpreview-provision-chain.yaml
index 2afb6085ad25a..44d310242b29e 100644
--- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disconnected/fullyprivate/techpreview/provision/cucushift-installer-rehearse-azure-ipi-disconnected-fullyprivate-techpreview-provision-chain.yaml
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disconnected/fullyprivate/techpreview/provision/cucushift-installer-rehearse-azure-ipi-disconnected-fullyprivate-techpreview-provision-chain.yaml
@@ -12,7 +12,7 @@ chain:
 - ref: ipi-conf-mirror
 - ref: ipi-conf-azure-provisionednetwork
 - ref: ipi-conf-techpreview-do-not-use
- - ref: azure-provision-service-principal-minimal-permission
+ - chain: azure-provision-service-principal-minimal-permission
 - ref: ipi-install-install
 - ref: ipi-install-times-collection
 - ref: enable-qe-catalogsource-disconnected
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disconnected/provision/cucushift-installer-rehearse-azure-ipi-disconnected-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disconnected/provision/cucushift-installer-rehearse-azure-ipi-disconnected-provision-chain.yaml
index 6679771c6c966..fa2807be34d40 100644
--- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disconnected/provision/cucushift-installer-rehearse-azure-ipi-disconnected-provision-chain.yaml
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disconnected/provision/cucushift-installer-rehearse-azure-ipi-disconnected-provision-chain.yaml
@@ -9,7 +9,7 @@ chain: - chain: ipi-conf-azure - ref: ipi-conf-mirror - ref: ipi-conf-azure-provisionednetwork - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - ref: ipi-install-install - ref: ipi-install-times-collection - ref: enable-qe-catalogsource-disconnected diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disk-encryption-set/day2/provision/cucushift-installer-rehearse-azure-ipi-disk-encryption-set-day2-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disk-encryption-set/day2/provision/cucushift-installer-rehearse-azure-ipi-disk-encryption-set-day2-provision-chain.yaml index b43e858faf5c1..e78e098af4041 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disk-encryption-set/day2/provision/cucushift-installer-rehearse-azure-ipi-disk-encryption-set-day2-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disk-encryption-set/day2/provision/cucushift-installer-rehearse-azure-ipi-disk-encryption-set-day2-provision-chain.yaml @@ -2,7 +2,7 @@ chain: as: cucushift-installer-rehearse-azure-ipi-disk-encryption-set-day2-provision steps: - chain: ipi-conf-azure - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: azure-provision-disk-encryption-set-day2-system-managed-key - ref: enable-qe-catalogsource diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disk-encryption-set/provision/cucushift-installer-rehearse-azure-ipi-disk-encryption-set-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disk-encryption-set/provision/cucushift-installer-rehearse-azure-ipi-disk-encryption-set-provision-chain.yaml index 30411426ac912..b5d35e7734bf0 100644 
--- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disk-encryption-set/provision/cucushift-installer-rehearse-azure-ipi-disk-encryption-set-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disk-encryption-set/provision/cucushift-installer-rehearse-azure-ipi-disk-encryption-set-provision-chain.yaml @@ -1,13 +1,14 @@ chain: as: cucushift-installer-rehearse-azure-ipi-disk-encryption-set-provision steps: - - ref: azure-provision-service-principal-minimal-permission - ref: azure-provision-resourcegroup - ref: azure-provision-disk-encryption-set - ref: ipi-conf - ref: ipi-conf-telemetry - ref: ipi-conf-azure - ref: ipi-conf-azure-provisioned-des + - chain: azure-provision-service-principal-minimal-permission + - ref: azure-provision-disk-encryption-set-assign-role - chain: ipi-install - ref: azure-provision-disk-encryption-set-grant-permission - ref: ipi-install-post-monitoringpvc diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disktype/disksize/provision/cucushift-installer-rehearse-azure-ipi-disktype-disksize-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disktype/disksize/provision/cucushift-installer-rehearse-azure-ipi-disktype-disksize-provision-chain.yaml index 5dd393a3fb6d9..9bc8d8af4e6a3 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disktype/disksize/provision/cucushift-installer-rehearse-azure-ipi-disktype-disksize-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disktype/disksize/provision/cucushift-installer-rehearse-azure-ipi-disktype-disksize-provision-chain.yaml 
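Review bot: The new step order in this chain carries a dependency that nothing in the file records: `azure-provision-disk-encryption-set-assign-role` only works after `chain: azure-provision-service-principal-minimal-permission` has created the identity and before `chain: ipi-install` uses it. The service-principal step moved from first place to after `ipi-conf-azure-provisioned-des`, so the resource group and disk encryption set are now created before that identity exists, presumably under the cluster profile's default credentials. The installer identity's access to the disk encryption set therefore rests on the new assign-role step. I would add a comment above it, such as `# must run after the minimal-permission SP exists and before ipi-install: grants that SP access to the disk encryption set`, and name the role and scope it assigns in the chain's `documentation` field. It is also worth confirming that the post-install `azure-provision-disk-encryption-set-grant-permission` step does not duplicate or widen that assignment.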
@@ -4,7 +4,7 @@ chain: - chain: ipi-conf-azure - ref: ipi-conf-azure-osdisk-disktype - ref: ipi-conf-azure-osdisk-disksize - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - chain: cucushift-installer-check diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disktype/provision/cucushift-installer-rehearse-azure-ipi-disktype-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disktype/provision/cucushift-installer-rehearse-azure-ipi-disktype-provision-chain.yaml index 15291e800c7ce..b09bdabcf0dcf 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disktype/provision/cucushift-installer-rehearse-azure-ipi-disktype-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/disktype/provision/cucushift-installer-rehearse-azure-ipi-disktype-provision-chain.yaml @@ -3,7 +3,7 @@ chain: steps: - chain: ipi-conf-azure - ref: ipi-conf-azure-osdisk-disktype - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - chain: cucushift-installer-check diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/fullyprivate/firewall/provision/cucushift-installer-rehearse-azure-ipi-fullyprivate-firewall-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/fullyprivate/firewall/provision/cucushift-installer-rehearse-azure-ipi-fullyprivate-firewall-provision-chain.yaml index 623c34d5ff330..ce116e11d4360 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/fullyprivate/firewall/provision/cucushift-installer-rehearse-azure-ipi-fullyprivate-firewall-provision-chain.yaml 
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/fullyprivate/firewall/provision/cucushift-installer-rehearse-azure-ipi-fullyprivate-firewall-provision-chain.yaml @@ -8,7 +8,7 @@ chain: - ref: proxy-config-generate - chain: ipi-conf-azure - ref: ipi-conf-azure-provisionednetwork - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - chain: cucushift-installer-check diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/fullyprivate/internal-registry/provision/cucushift-installer-rehearse-azure-ipi-fullyprivate-internal-registry-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/fullyprivate/internal-registry/provision/cucushift-installer-rehearse-azure-ipi-fullyprivate-internal-registry-provision-chain.yaml index 461141d10e161..5c47e4d5d1df2 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/fullyprivate/internal-registry/provision/cucushift-installer-rehearse-azure-ipi-fullyprivate-internal-registry-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/fullyprivate/internal-registry/provision/cucushift-installer-rehearse-azure-ipi-fullyprivate-internal-registry-provision-chain.yaml @@ -9,7 +9,7 @@ chain: - chain: ipi-conf-azure - ref: ipi-conf-azure-provisionednetwork - ref: ipi-conf-azure-internal-image-registry - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - chain: cucushift-installer-check 
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/fullyprivate/provision/cucushift-installer-rehearse-azure-ipi-fullyprivate-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/fullyprivate/provision/cucushift-installer-rehearse-azure-ipi-fullyprivate-provision-chain.yaml index d316899b74ce3..0407b2d2cd6a8 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/fullyprivate/provision/cucushift-installer-rehearse-azure-ipi-fullyprivate-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/fullyprivate/provision/cucushift-installer-rehearse-azure-ipi-fullyprivate-provision-chain.yaml @@ -8,7 +8,7 @@ chain: - ref: proxy-config-generate - chain: ipi-conf-azure - ref: ipi-conf-azure-provisionednetwork - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - chain: cucushift-installer-check diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/fullyprivate/proxy/provision/cucushift-installer-rehearse-azure-ipi-fullyprivate-proxy-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/fullyprivate/proxy/provision/cucushift-installer-rehearse-azure-ipi-fullyprivate-proxy-provision-chain.yaml index b81d620cfbd61..e5d02b932cfc5 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/fullyprivate/proxy/provision/cucushift-installer-rehearse-azure-ipi-fullyprivate-proxy-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/fullyprivate/proxy/provision/cucushift-installer-rehearse-azure-ipi-fullyprivate-proxy-provision-chain.yaml 
@@ -8,7 +8,7 @@ chain: - chain: ipi-conf-azure - ref: ipi-conf-proxy - ref: ipi-conf-azure-provisionednetwork - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - chain: cucushift-installer-check diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/generation/provision/cucushift-installer-rehearse-azure-ipi-generation-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/generation/provision/cucushift-installer-rehearse-azure-ipi-generation-provision-chain.yaml index 18dab85af4880..e559acc27a075 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/generation/provision/cucushift-installer-rehearse-azure-ipi-generation-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/generation/provision/cucushift-installer-rehearse-azure-ipi-generation-provision-chain.yaml @@ -3,7 +3,7 @@ chain: steps: - chain: ipi-conf-azure - ref: ipi-conf-azure-custom-region - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - chain: cucushift-installer-check diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/ingress/custom-controller/provision/cucushift-installer-rehearse-azure-ipi-ingress-custom-controller-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/ingress/custom-controller/provision/cucushift-installer-rehearse-azure-ipi-ingress-custom-controller-provision-chain.yaml index a73bd980fe681..619e74aaede1e 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/ingress/custom-controller/provision/cucushift-installer-rehearse-azure-ipi-ingress-custom-controller-provision-chain.yaml 
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/ingress/custom-controller/provision/cucushift-installer-rehearse-azure-ipi-ingress-custom-controller-provision-chain.yaml @@ -5,7 +5,7 @@ chain: - ref: azure-provision-vnet - chain: ipi-conf-azure - ref: ipi-conf-azure-provisionednetwork - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - ref: ingress-azure-custom-ingresscontroller diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/marketplace/generation/provision/cucushift-installer-rehearse-azure-ipi-marketplace-generation-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/marketplace/generation/provision/cucushift-installer-rehearse-azure-ipi-marketplace-generation-provision-chain.yaml index e22571b73d0d0..0966e1bb20ef3 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/marketplace/generation/provision/cucushift-installer-rehearse-azure-ipi-marketplace-generation-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/marketplace/generation/provision/cucushift-installer-rehearse-azure-ipi-marketplace-generation-provision-chain.yaml @@ -4,7 +4,7 @@ chain: - chain: ipi-conf-azure - ref: ipi-conf-azure-osimage - ref: ipi-conf-azure-custom-region - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - chain: cucushift-installer-check 
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/marketplace/provision/cucushift-installer-rehearse-azure-ipi-marketplace-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/marketplace/provision/cucushift-installer-rehearse-azure-ipi-marketplace-provision-chain.yaml index cf46baafabb34..8de1a04683ff4 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/marketplace/provision/cucushift-installer-rehearse-azure-ipi-marketplace-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/marketplace/provision/cucushift-installer-rehearse-azure-ipi-marketplace-provision-chain.yaml @@ -3,7 +3,7 @@ chain: steps: - chain: ipi-conf-azure - ref: ipi-conf-azure-osimage - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - chain: cucushift-installer-check diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/ovn/ipsec/provision/cucushift-installer-rehearse-azure-ipi-ovn-ipsec-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/ovn/ipsec/provision/cucushift-installer-rehearse-azure-ipi-ovn-ipsec-provision-chain.yaml index 06185dbc2ce9d..b0e61078f7bf7 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/ovn/ipsec/provision/cucushift-installer-rehearse-azure-ipi-ovn-ipsec-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/ovn/ipsec/provision/cucushift-installer-rehearse-azure-ipi-ovn-ipsec-provision-chain.yaml @@ -4,7 +4,7 @@ chain: - chain: ipi-conf-azure - ref: ovn-conf - ref: ovn-conf-ipsec-manifest - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - chain: cucushift-installer-check 
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/ovn/provision/cucushift-installer-rehearse-azure-ipi-ovn-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/ovn/provision/cucushift-installer-rehearse-azure-ipi-ovn-provision-chain.yaml index 0ccd417818c48..065984aaf5ebd 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/ovn/provision/cucushift-installer-rehearse-azure-ipi-ovn-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/ovn/provision/cucushift-installer-rehearse-azure-ipi-ovn-provision-chain.yaml @@ -3,7 +3,7 @@ chain: steps: - chain: ipi-conf-azure - ref: ovn-conf - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - chain: cucushift-installer-check diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/ovn/sdn2ovn/provision/cucushift-installer-rehearse-azure-ipi-ovn-sdn2ovn-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/ovn/sdn2ovn/provision/cucushift-installer-rehearse-azure-ipi-ovn-sdn2ovn-provision-chain.yaml index 95073a9aa9f4b..9ab49287bf736 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/ovn/sdn2ovn/provision/cucushift-installer-rehearse-azure-ipi-ovn-sdn2ovn-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/ovn/sdn2ovn/provision/cucushift-installer-rehearse-azure-ipi-ovn-sdn2ovn-provision-chain.yaml @@ -2,7 +2,7 @@ chain: as: cucushift-installer-rehearse-azure-ipi-ovn-sdn2ovn-provision steps: - chain: ipi-conf-azure - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: ovn-sdn-migration - ref: enable-qe-catalogsource 
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/ovn/winc/provision/cucushift-installer-rehearse-azure-ipi-ovn-winc-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/ovn/winc/provision/cucushift-installer-rehearse-azure-ipi-ovn-winc-provision-chain.yaml index ef112214c2821..3e6090dd4f667 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/ovn/winc/provision/cucushift-installer-rehearse-azure-ipi-ovn-winc-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/ovn/winc/provision/cucushift-installer-rehearse-azure-ipi-ovn-winc-provision-chain.yaml @@ -4,7 +4,7 @@ chain: - chain: ipi-conf-azure - ref: ovn-conf - ref: ovn-conf-hybrid-manifest - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - ref: ssh-bastion diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/post-featureset/provision/cucushift-installer-rehearse-azure-ipi-post-featureset-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/post-featureset/provision/cucushift-installer-rehearse-azure-ipi-post-featureset-provision-chain.yaml index 5c501fe8802c8..d967e80a610d2 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/post-featureset/provision/cucushift-installer-rehearse-azure-ipi-post-featureset-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/post-featureset/provision/cucushift-installer-rehearse-azure-ipi-post-featureset-provision-chain.yaml 
@@ -2,7 +2,7 @@ chain: as: cucushift-installer-rehearse-azure-ipi-post-featureset-provision steps: - chain: ipi-conf-azure - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: ipi-install-post-featureset - ref: enable-qe-catalogsource diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/private/marketplace/provision/cucushift-installer-rehearse-azure-ipi-private-marketplace-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/private/marketplace/provision/cucushift-installer-rehearse-azure-ipi-private-marketplace-provision-chain.yaml index 6a72e7d5f6054..71e354822a798 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/private/marketplace/provision/cucushift-installer-rehearse-azure-ipi-private-marketplace-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/private/marketplace/provision/cucushift-installer-rehearse-azure-ipi-private-marketplace-provision-chain.yaml @@ -8,7 +8,7 @@ chain: - chain: ipi-conf-azure - ref: ipi-conf-azure-provisionednetwork - ref: ipi-conf-azure-osimage - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - chain: cucushift-installer-check diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/private/networking-type/minimal-permission/provision/cucushift-installer-rehearse-azure-ipi-private-networking-type-minimal-permission-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/private/networking-type/minimal-permission/provision/cucushift-installer-rehearse-azure-ipi-private-networking-type-minimal-permission-provision-chain.yaml index a0250a53f1764..da59843aca622 100644 
--- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/private/networking-type/minimal-permission/provision/cucushift-installer-rehearse-azure-ipi-private-networking-type-minimal-permission-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/private/networking-type/minimal-permission/provision/cucushift-installer-rehearse-azure-ipi-private-networking-type-minimal-permission-provision-chain.yaml @@ -1,15 +1,16 @@ chain: as: cucushift-installer-rehearse-azure-ipi-private-networking-type-minimal-permission-provision steps: - - ref: azure-provision-service-principal-minimal-permission + - chain: ipi-conf-azure - ref: azure-provision-resourcegroup - ref: azure-provision-vnet - chain: azure-provision-bastionhost - ref: proxy-config-generate - - chain: ipi-conf-azure - ref: ipi-conf-azure-resourcegroup - ref: ipi-conf-azure-provisionednetwork - ref: ipi-conf-azure-networking-type + - ref: azure-provision-service-principal-minimal-permission + - ref: ipi-conf-azure-resourcegroup-assign-role - chain: ipi-install - ref: enable-qe-catalogsource - chain: cucushift-installer-check @@ -19,10 +20,6 @@ chain: default: "Internal" - name: AZURE_INSTALL_USE_MINIMAL_PERMISSIONS default: "yes" - - name: AZURE_PERMISSION_FOR_VNET_RG - default: "Network Contributor" - - name: AZURE_PERMISSION_FOR_CLUSTER_RG - default: "Contributor" - name: AZURE_PERMISSION_FOR_CLUSTER_SP default: "User Access Administrator" documentation: |- diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/private/networking-type/provision/cucushift-installer-rehearse-azure-ipi-private-networking-type-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/private/networking-type/provision/cucushift-installer-rehearse-azure-ipi-private-networking-type-provision-chain.yaml index f55009f934e4a..dad497bdc5459 100644 
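Review bot: This is the only chain in the change that keeps `- ref: azure-provision-service-principal-minimal-permission` while every other chain switches to `- chain:` of the same name, and the hunk gives no reason for the difference. If it is deliberate, because `ipi-conf-azure-resourcegroup-assign-role` follows and performs the role assignment itself, a comment would stop a later edit from "fixing" it, e.g. `# ref on purpose: role assignment is done by ipi-conf-azure-resourcegroup-assign-role below`. If it is an oversight, this workflow presumably skips whatever extra steps the chain runs. The chain definition is not visible here, so this needs checking against it.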
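Review bot: With the `AZURE_PERMISSION_FOR_VNET_RG` and `AZURE_PERMISSION_FOR_CLUSTER_RG` defaults removed, this chain no longer states which roles the service principal receives on the vnet and cluster resource groups. Those roles now come from whichever step consumes the variables, and its defaults are not visible here. Since this test exists to prove installation under minimal permissions, a broader default in that step would let the job pass while exercising more privilege than intended. The remaining `AZURE_PERMISSION_FOR_CLUSTER_SP` default of `"User Access Administrator"` also deserves a word, because that role can create role assignments and is bounded only by the scope it is granted at. I would record the effective role and scope for each in the `documentation` block, which starts at the end of this hunk and continues outside it.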
--- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/private/networking-type/provision/cucushift-installer-rehearse-azure-ipi-private-networking-type-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/private/networking-type/provision/cucushift-installer-rehearse-azure-ipi-private-networking-type-provision-chain.yaml @@ -8,6 +8,7 @@ chain: - chain: ipi-conf-azure - ref: ipi-conf-azure-provisionednetwork - ref: ipi-conf-azure-networking-type + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - chain: cucushift-installer-check diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/private/ovn/provision/cucushift-installer-rehearse-azure-ipi-private-ovn-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/private/ovn/provision/cucushift-installer-rehearse-azure-ipi-private-ovn-provision-chain.yaml index a90d6f62201e9..77aa61e4c48d1 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/private/ovn/provision/cucushift-installer-rehearse-azure-ipi-private-ovn-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/private/ovn/provision/cucushift-installer-rehearse-azure-ipi-private-ovn-provision-chain.yaml @@ -8,6 +8,7 @@ chain: - chain: ipi-conf-azure - ref: ipi-conf-azure-provisionednetwork - ref: ovn-conf + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - chain: cucushift-installer-check diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/private/provision/cucushift-installer-rehearse-azure-ipi-private-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/private/provision/cucushift-installer-rehearse-azure-ipi-private-provision-chain.yaml index 50cb3cafcbf6b..d8a22d94ca99b 100644 
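Review bot: This hunk adds `- chain: azure-provision-service-principal-minimal-permission` to a provision chain that did not create a service principal before, and the change shows no matching cleanup. The same applies to the private ovn hunk on this line, and to the private sdn, private sshkey and sharednetwork hunks further down. Elsewhere on this page, jobs that use this step pair it with `- ref: azure-deprovision-sp-and-custom-role` in `post`. If the deprovision chains for these workflows lack that step, each run may leave a service principal and custom role behind in the tenant. The deprovision chains are not visible here, so please confirm they include it, or that the chain is a no-op unless `AZURE_INSTALL_USE_MINIMAL_PERMISSIONS` is set.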
--- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/private/provision/cucushift-installer-rehearse-azure-ipi-private-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/private/provision/cucushift-installer-rehearse-azure-ipi-private-provision-chain.yaml @@ -7,7 +7,7 @@ chain: - ref: proxy-config-generate - chain: ipi-conf-azure - ref: ipi-conf-azure-provisionednetwork - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - chain: cucushift-installer-check diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/private/sdn/provision/cucushift-installer-rehearse-azure-ipi-private-sdn-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/private/sdn/provision/cucushift-installer-rehearse-azure-ipi-private-sdn-provision-chain.yaml index a9244cb9053e7..6407c3199036b 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/private/sdn/provision/cucushift-installer-rehearse-azure-ipi-private-sdn-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/private/sdn/provision/cucushift-installer-rehearse-azure-ipi-private-sdn-provision-chain.yaml @@ -8,6 +8,7 @@ chain: - chain: ipi-conf-azure - ref: ipi-conf-azure-provisionednetwork - ref: sdn-conf + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - chain: cucushift-installer-check diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/private/sshkey/provision/cucushift-installer-rehearse-azure-ipi-private-sshkey-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/private/sshkey/provision/cucushift-installer-rehearse-azure-ipi-private-sshkey-provision-chain.yaml index 58a41a1b30846..e49060794802d 100644 
--- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/private/sshkey/provision/cucushift-installer-rehearse-azure-ipi-private-sshkey-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/private/sshkey/provision/cucushift-installer-rehearse-azure-ipi-private-sshkey-provision-chain.yaml @@ -8,6 +8,7 @@ chain: - chain: ipi-conf-azure - ref: ipi-conf-azure-provisionednetwork - ref: ipi-conf-sshkey + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - chain: cucushift-installer-check diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/provision/cucushift-installer-rehearse-azure-ipi-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/provision/cucushift-installer-rehearse-azure-ipi-provision-chain.yaml index e8bb47ca4e878..38cf55507eeb6 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/provision/cucushift-installer-rehearse-azure-ipi-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/provision/cucushift-installer-rehearse-azure-ipi-provision-chain.yaml @@ -2,7 +2,7 @@ chain: as: cucushift-installer-rehearse-azure-ipi-provision steps: - chain: ipi-conf-azure - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - chain: cucushift-installer-check diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/proxy/provision/cucushift-installer-rehearse-azure-ipi-proxy-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/proxy/provision/cucushift-installer-rehearse-azure-ipi-proxy-provision-chain.yaml index dc5553daf1054..182d97b3fe22f 100644 
--- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/proxy/provision/cucushift-installer-rehearse-azure-ipi-proxy-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/proxy/provision/cucushift-installer-rehearse-azure-ipi-proxy-provision-chain.yaml @@ -7,7 +7,7 @@ chain: - chain: ipi-conf-azure - ref: ipi-conf-proxy - ref: ipi-conf-azure-provisionednetwork - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - chain: cucushift-installer-check diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/proxy/techpreview/provision/cucushift-installer-rehearse-azure-ipi-proxy-techpreview-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/proxy/techpreview/provision/cucushift-installer-rehearse-azure-ipi-proxy-techpreview-provision-chain.yaml index 53c6b4f48d9bf..545420cc07735 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/proxy/techpreview/provision/cucushift-installer-rehearse-azure-ipi-proxy-techpreview-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/proxy/techpreview/provision/cucushift-installer-rehearse-azure-ipi-proxy-techpreview-provision-chain.yaml @@ -8,7 +8,7 @@ chain: - ref: ipi-conf-proxy - ref: ipi-conf-azure-provisionednetwork - ref: ipi-conf-techpreview-do-not-use - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - chain: cucushift-installer-check 
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/public-to-private/provision/cucushift-installer-rehearse-azure-ipi-public-to-private-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/public-to-private/provision/cucushift-installer-rehearse-azure-ipi-public-to-private-provision-chain.yaml index ebc11098beab4..ea89fe5336814 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/public-to-private/provision/cucushift-installer-rehearse-azure-ipi-public-to-private-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/public-to-private/provision/cucushift-installer-rehearse-azure-ipi-public-to-private-provision-chain.yaml @@ -2,7 +2,7 @@ chain: as: cucushift-installer-rehearse-azure-ipi-public-to-private-provision steps: - chain: ipi-conf-azure - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - chain: azure-provision-bastionhost diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/publish-mixed/apiserver-ingress-external/provision/cucushift-installer-rehearse-azure-ipi-publish-mixed-apiserver-ingress-external-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/publish-mixed/apiserver-ingress-external/provision/cucushift-installer-rehearse-azure-ipi-publish-mixed-apiserver-ingress-external-provision-chain.yaml index 147b4592244e0..7afca1e58c8c6 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/publish-mixed/apiserver-ingress-external/provision/cucushift-installer-rehearse-azure-ipi-publish-mixed-apiserver-ingress-external-provision-chain.yaml 
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/publish-mixed/apiserver-ingress-external/provision/cucushift-installer-rehearse-azure-ipi-publish-mixed-apiserver-ingress-external-provision-chain.yaml @@ -3,7 +3,7 @@ chain: steps: - chain: ipi-conf-azure - ref: ipi-conf-operator-publish-strategy - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - chain: cucushift-installer-check diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/publish-mixed/apiserver-internal/provision/cucushift-installer-rehearse-azure-ipi-publish-mixed-apiserver-internal-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/publish-mixed/apiserver-internal/provision/cucushift-installer-rehearse-azure-ipi-publish-mixed-apiserver-internal-provision-chain.yaml index 6054c875231d2..8f7821dc89002 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/publish-mixed/apiserver-internal/provision/cucushift-installer-rehearse-azure-ipi-publish-mixed-apiserver-internal-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/publish-mixed/apiserver-internal/provision/cucushift-installer-rehearse-azure-ipi-publish-mixed-apiserver-internal-provision-chain.yaml @@ -8,7 +8,7 @@ chain: - chain: ipi-conf-azure - ref: ipi-conf-azure-provisionednetwork - ref: ipi-conf-operator-publish-strategy - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - chain: cucushift-installer-check 
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/publish-mixed/ingress-internal/provision/cucushift-installer-rehearse-azure-ipi-publish-mixed-ingress-internal-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/publish-mixed/ingress-internal/provision/cucushift-installer-rehearse-azure-ipi-publish-mixed-ingress-internal-provision-chain.yaml index bb8876fe172cb..226d89607e7d9 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/publish-mixed/ingress-internal/provision/cucushift-installer-rehearse-azure-ipi-publish-mixed-ingress-internal-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/publish-mixed/ingress-internal/provision/cucushift-installer-rehearse-azure-ipi-publish-mixed-ingress-internal-provision-chain.yaml @@ -8,7 +8,7 @@ chain: - chain: ipi-conf-azure - ref: ipi-conf-azure-provisionednetwork - ref: ipi-conf-operator-publish-strategy - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - chain: cucushift-installer-check diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/resourcegroup/provision/cucushift-installer-rehearse-azure-ipi-resourcegroup-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/resourcegroup/provision/cucushift-installer-rehearse-azure-ipi-resourcegroup-provision-chain.yaml index ac8d3f89ae539..347975001f2db 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/resourcegroup/provision/cucushift-installer-rehearse-azure-ipi-resourcegroup-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/resourcegroup/provision/cucushift-installer-rehearse-azure-ipi-resourcegroup-provision-chain.yaml 
@@ -2,7 +2,7 @@ chain: as: cucushift-installer-rehearse-azure-ipi-resourcegroup-provision steps: - chain: ipi-conf-azure-resourcegroup - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - chain: cucushift-installer-check diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/sdn/provision/cucushift-installer-rehearse-azure-ipi-sdn-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/sdn/provision/cucushift-installer-rehearse-azure-ipi-sdn-provision-chain.yaml index ba1e979df5864..5874cf3912247 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/sdn/provision/cucushift-installer-rehearse-azure-ipi-sdn-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/sdn/provision/cucushift-installer-rehearse-azure-ipi-sdn-provision-chain.yaml @@ -3,7 +3,7 @@ chain: steps: - chain: ipi-conf-azure - ref: sdn-conf - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - chain: cucushift-installer-check diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/sharednetwork/ovn/ipv4-subnet/provision/cucushift-installer-rehearse-azure-ipi-sharednetwork-ovn-ipv4-subnet-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/sharednetwork/ovn/ipv4-subnet/provision/cucushift-installer-rehearse-azure-ipi-sharednetwork-ovn-ipv4-subnet-provision-chain.yaml index 158f30e2679d4..213da26dec394 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/sharednetwork/ovn/ipv4-subnet/provision/cucushift-installer-rehearse-azure-ipi-sharednetwork-ovn-ipv4-subnet-provision-chain.yaml 
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/sharednetwork/ovn/ipv4-subnet/provision/cucushift-installer-rehearse-azure-ipi-sharednetwork-ovn-ipv4-subnet-provision-chain.yaml @@ -5,7 +5,7 @@ chain: - ref: azure-provision-vnet - chain: ipi-conf-azure-sharednetwork - ref: ovn-conf-ipv4-internal-subnet - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - chain: cucushift-installer-check diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/sharednetwork/provision/cucushift-installer-rehearse-azure-ipi-sharednetwork-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/sharednetwork/provision/cucushift-installer-rehearse-azure-ipi-sharednetwork-provision-chain.yaml index e06b182925c0b..14609add1fa0b 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/sharednetwork/provision/cucushift-installer-rehearse-azure-ipi-sharednetwork-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/sharednetwork/provision/cucushift-installer-rehearse-azure-ipi-sharednetwork-provision-chain.yaml @@ -4,6 +4,7 @@ chain: - ref: azure-provision-resourcegroup - ref: azure-provision-vnet - chain: ipi-conf-azure-sharednetwork + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - chain: cucushift-installer-check diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/sharednetwork/public-to-private/provision/cucushift-installer-rehearse-azure-ipi-sharednetwork-public-to-private-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/sharednetwork/public-to-private/provision/cucushift-installer-rehearse-azure-ipi-sharednetwork-public-to-private-provision-chain.yaml index ae1a65c32ebf5..9624c00d1c50c 100644 
--- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/sharednetwork/public-to-private/provision/cucushift-installer-rehearse-azure-ipi-sharednetwork-public-to-private-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/sharednetwork/public-to-private/provision/cucushift-installer-rehearse-azure-ipi-sharednetwork-public-to-private-provision-chain.yaml @@ -4,7 +4,7 @@ chain: - ref: azure-provision-resourcegroup - ref: azure-provision-vnet - chain: ipi-conf-azure-sharednetwork - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - chain: azure-provision-bastionhost diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/sno/provision/cucushift-installer-rehearse-azure-ipi-sno-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/sno/provision/cucushift-installer-rehearse-azure-ipi-sno-provision-chain.yaml index a46ae527320bb..9374b9b4075e5 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/sno/provision/cucushift-installer-rehearse-azure-ipi-sno-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/sno/provision/cucushift-installer-rehearse-azure-ipi-sno-provision-chain.yaml @@ -6,7 +6,7 @@ chain: - ref: ipi-conf-azure - ref: single-node-conf-azure - ref: ipi-install-monitoringpvc - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: cucushift-installer-check-sno - ref: enable-qe-catalogsource 
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/ultrassd-disk/provision/cucushift-installer-rehearse-azure-ipi-ultrassd-disk-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/ultrassd-disk/provision/cucushift-installer-rehearse-azure-ipi-ultrassd-disk-provision-chain.yaml index 4f2dd1a11d651..0d13e38b4b191 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/ultrassd-disk/provision/cucushift-installer-rehearse-azure-ipi-ultrassd-disk-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/ultrassd-disk/provision/cucushift-installer-rehearse-azure-ipi-ultrassd-disk-provision-chain.yaml @@ -7,7 +7,7 @@ chain: - ref: ipi-conf-azure-custom-region - ref: ipi-conf-azure-custom-az - ref: ipi-conf-azure-ultrassd - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - chain: cucushift-installer-check diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/usertags/storage-account-encryption/provision/cucushift-installer-rehearse-azure-ipi-usertags-storage-account-encryption-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/usertags/storage-account-encryption/provision/cucushift-installer-rehearse-azure-ipi-usertags-storage-account-encryption-provision-chain.yaml index 7a66c528a10a1..e388979158eb5 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/usertags/storage-account-encryption/provision/cucushift-installer-rehearse-azure-ipi-usertags-storage-account-encryption-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/usertags/storage-account-encryption/provision/cucushift-installer-rehearse-azure-ipi-usertags-storage-account-encryption-provision-chain.yaml 
@@ -5,7 +5,7 @@ chain: - ref: azure-provision-customer-managed-key - chain: ipi-conf-azure - ref: ipi-conf-azure-storage-account-encryption - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - chain: cucushift-installer-check diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/workers-rhel8/provision/cucushift-installer-rehearse-azure-ipi-workers-rhel8-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/workers-rhel8/provision/cucushift-installer-rehearse-azure-ipi-workers-rhel8-provision-chain.yaml index 2832be691a1aa..ae13fdad13582 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/workers-rhel8/provision/cucushift-installer-rehearse-azure-ipi-workers-rhel8-provision-chain.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/ipi/workers-rhel8/provision/cucushift-installer-rehearse-azure-ipi-workers-rhel8-provision-chain.yaml @@ -6,7 +6,7 @@ chain: - chain: azure-provision-bastionhost - chain: ipi-conf-azure - ref: ipi-conf-azure-provisionednetwork - - ref: azure-provision-service-principal-minimal-permission + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: enable-qe-catalogsource - ref: workers-rhel-azure-provision diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/upi/minimal-permission/provision/cucushift-installer-rehearse-azure-upi-minimal-permission-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/upi/minimal-permission/provision/cucushift-installer-rehearse-azure-upi-minimal-permission-provision-chain.yaml index 745ebba07d2ae..b1d95a1199a27 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/upi/minimal-permission/provision/cucushift-installer-rehearse-azure-upi-minimal-permission-provision-chain.yaml 
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/upi/minimal-permission/provision/cucushift-installer-rehearse-azure-upi-minimal-permission-provision-chain.yaml @@ -1,8 +1,12 @@ chain: as: cucushift-installer-rehearse-azure-upi-minimal-permission-provision steps: - - ref: azure-provision-service-principal-minimal-permission - - chain: cucushift-installer-rehearse-azure-upi-provision + - ref: ipi-install-rbac + - chain: ipi-conf-azure + - chain: azure-provision-service-principal-minimal-permission + - ref: upi-install-azure + - ref: enable-qe-catalogsource + - chain: cucushift-installer-check env: - name: CLUSTER_TYPE_MIN_PERMISSOIN default: "UPI" diff --git a/ci-operator/step-registry/ipi/azure/pre/ipi-azure-pre-chain.yaml b/ci-operator/step-registry/ipi/azure/pre/ipi-azure-pre-chain.yaml index 9585ea79e718b..003292108a8f1 100644 --- a/ci-operator/step-registry/ipi/azure/pre/ipi-azure-pre-chain.yaml +++ b/ci-operator/step-registry/ipi/azure/pre/ipi-azure-pre-chain.yaml @@ -1,8 +1,8 @@ chain: as: ipi-azure-pre steps: - - ref: azure-provision-service-principal-minimal-permission - chain: ipi-conf-azure + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: ipi-azure-rbac documentation: |- diff --git a/ci-operator/step-registry/ipi/azure/pre/resourcegroup/ipi-azure-pre-resourcegroup-chain.yaml b/ci-operator/step-registry/ipi/azure/pre/resourcegroup/ipi-azure-pre-resourcegroup-chain.yaml index 638e3185e19dc..70a9664dbb1c4 100644 --- a/ci-operator/step-registry/ipi/azure/pre/resourcegroup/ipi-azure-pre-resourcegroup-chain.yaml +++ b/ci-operator/step-registry/ipi/azure/pre/resourcegroup/ipi-azure-pre-resourcegroup-chain.yaml @@ -2,6 +2,7 @@ chain: as: ipi-azure-pre-resourcegroup steps: - chain: ipi-conf-azure-resourcegroup + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: ipi-azure-rbac documentation: |- 
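Review bot: In `cucushift-installer-rehearse-azure-upi-minimal-permission-provision-chain.yaml` the new `steps:` list replaces the reference to `cucushift-installer-rehearse-azure-upi-provision` with what looks like an inlined copy of its steps, so later changes to that chain will no longer reach the minimal-permission variant. If the inlining is there so the service principal is created after `ipi-conf-azure`, as the reordering in the other chains of this commit suggests, a comment above `steps:` would make that explicit, e.g. `# inlined from cucushift-installer-rehearse-azure-upi-provision: the minimal-permission service principal has to be created after ipi-conf-azure`. The env name `CLUSTER_TYPE_MIN_PERMISSOIN` in the unchanged lines is misspelled; it only works if the consuming script reads that exact spelling, which is worth confirming while the file is being touched. The chain definition may continue beyond the hunk.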
diff --git a/ci-operator/step-registry/ipi/azure/pre/sharednetwork/ipi-azure-pre-sharednetwork-chain.yaml b/ci-operator/step-registry/ipi/azure/pre/sharednetwork/ipi-azure-pre-sharednetwork-chain.yaml index e65ac17b2adbb..bfc9f0712d032 100644 --- a/ci-operator/step-registry/ipi/azure/pre/sharednetwork/ipi-azure-pre-sharednetwork-chain.yaml +++ b/ci-operator/step-registry/ipi/azure/pre/sharednetwork/ipi-azure-pre-sharednetwork-chain.yaml @@ -2,6 +2,7 @@ chain: as: ipi-azure-pre-sharednetwork steps: - chain: ipi-conf-azure-sharednetwork + - chain: azure-provision-service-principal-minimal-permission - chain: ipi-install - ref: ipi-azure-rbac documentation: |- diff --git a/ci-operator/step-registry/ipi/conf/azure/resourcegroup/OWNERS b/ci-operator/step-registry/ipi/conf/azure/resourcegroup/OWNERS index 7c25fe772bcd1..6c74f89ded169 100644 --- a/ci-operator/step-registry/ipi/conf/azure/resourcegroup/OWNERS +++ b/ci-operator/step-registry/ipi/conf/azure/resourcegroup/OWNERS @@ -2,3 +2,5 @@ approvers: - jhixson74 - patrickdillon - staebler +- jianlinliu +- jinyunma diff --git a/ci-operator/step-registry/ipi/conf/azure/resourcegroup/assign-role/OWNERS b/ci-operator/step-registry/ipi/conf/azure/resourcegroup/assign-role/OWNERS new file mode 120000 index 0000000000000..ec405d65a79df --- /dev/null +++ b/ci-operator/step-registry/ipi/conf/azure/resourcegroup/assign-role/OWNERS @@ -0,0 +1 @@ +../OWNERS \ No newline at end of file diff --git a/ci-operator/step-registry/ipi/conf/azure/resourcegroup/assign-role/ipi-conf-azure-resourcegroup-assign-role-commands.sh b/ci-operator/step-registry/ipi/conf/azure/resourcegroup/assign-role/ipi-conf-azure-resourcegroup-assign-role-commands.sh new file mode 100755 index 0000000000000..79d1d274f6e66 --- /dev/null +++ b/ci-operator/step-registry/ipi/conf/azure/resourcegroup/assign-role/ipi-conf-azure-resourcegroup-assign-role-commands.sh 
@@ -0,0 +1,54 @@ +#!/bin/bash + +set -o nounset +set -o errexit +set -o pipefail + +# save the exit code for junit xml file generated in step gather-must-gather +# pre configuration steps before running installation, exit code 100 if failed, +# save to install-pre-config-status.txt +# post check steps after cluster installation, exit code 101 if failed, +# save to install-post-check-status.txt +EXIT_CODE=100 +trap 'if [[ "$?" == 0 ]]; then EXIT_CODE=0; fi; echo "${EXIT_CODE}" > "${SHARED_DIR}/install-pre-config-status.txt"' EXIT TERM + +CONFIG="${SHARED_DIR}/install-config.yaml" + +cluster_rg=$(yq-go r ${CONFIG} 'platform.azure.resourceGroupName') +vnet_rg=$(yq-go r ${CONFIG} 'platform.azure.networkResourceGroupName') + +if [[ -z "${cluster_rg}" ]] && [[ -z "${vnet_rg}" ]]; then + echo "This step used to grant proper permissions on scope of cluster rg or vnet rg, but both rg are empty, skip..." + exit 0 +fi + +# az should already be there +command -v az + +# set the parameters we'll need as env vars +AZURE_AUTH_LOCATION="${CLUSTER_PROFILE_DIR}/osServicePrincipal.json" +AZURE_AUTH_CLIENT_ID="$(<"${AZURE_AUTH_LOCATION}" jq -r .clientId)" +AZURE_AUTH_CLIENT_SECRET="$(<"${AZURE_AUTH_LOCATION}" jq -r .clientSecret)" +AZURE_AUTH_TENANT_ID="$(<"${AZURE_AUTH_LOCATION}" jq -r .tenantId)" + +# log in with az +az login --service-principal -u "${AZURE_AUTH_CLIENT_ID}" -p "${AZURE_AUTH_CLIENT_SECRET}" --tenant "${AZURE_AUTH_TENANT_ID}" --output none + +cluster_sp_id=${AZURE_AUTH_CLIENT_ID} +if [[ -f "${SHARED_DIR}/azure_minimal_permission" ]]; then + cluster_sp_id=$(jq -r '.clientId' "${SHARED_DIR}/azure_minimal_permission") +fi + +# Assign system role "Contributor" to cluster sp on scope of resource group where cluster to be created. 
+if [[ -n "${cluster_rg}" ]]; then + cluster_rg_id=$(az group show -g "${cluster_rg}" --query id -otsv) + echo "Assign role 'Contributor' to ${cluster_rg_id} with scope over resource group ${cluster_rg}" + az role assignment create --assignee ${cluster_sp_id} --role "Contributor" --scope ${cluster_rg_id} -o jsonc +fi + +# Assign system role "Network Contributor" to cluster sp on scope of resource group where vnet reside in +if [[ -n "${vnet_rg}" ]]; then + vnet_rg_id=$(az group show -g "${vnet_rg}" --query id -otsv) + echo "Assign role 'Network Contributor' to ${cluster_sp_id} with scope over resource group ${vnet_rg}" + az role assignment create --assignee ${cluster_sp_id} --role "Network Contributor" --scope ${vnet_rg_id} -o jsonc +fi diff --git a/ci-operator/step-registry/ipi/conf/azure/resourcegroup/assign-role/ipi-conf-azure-resourcegroup-assign-role-ref.metadata.json b/ci-operator/step-registry/ipi/conf/azure/resourcegroup/assign-role/ipi-conf-azure-resourcegroup-assign-role-ref.metadata.json new file mode 100644 index 0000000000000..d85a33ac1e509 --- /dev/null +++ b/ci-operator/step-registry/ipi/conf/azure/resourcegroup/assign-role/ipi-conf-azure-resourcegroup-assign-role-ref.metadata.json @@ -0,0 +1,12 @@ +{ + "path": "ipi/conf/azure/resourcegroup/assign-role/ipi-conf-azure-resourcegroup-assign-role-ref.yaml", + "owners": { + "approvers": [ + "jhixson74", + "patrickdillon", + "staebler", + "jianlinliu", + "jinyunma" + ] + } +} \ No newline at end of file diff --git a/ci-operator/step-registry/ipi/conf/azure/resourcegroup/assign-role/ipi-conf-azure-resourcegroup-assign-role-ref.yaml b/ci-operator/step-registry/ipi/conf/azure/resourcegroup/assign-role/ipi-conf-azure-resourcegroup-assign-role-ref.yaml new file mode 100644 index 0000000000000..c7110368e8fd6 --- /dev/null +++ b/ci-operator/step-registry/ipi/conf/azure/resourcegroup/assign-role/ipi-conf-azure-resourcegroup-assign-role-ref.yaml 
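Review bot: In the new `ipi-conf-azure-resourcegroup-assign-role-commands.sh`, the log line in the cluster resource group branch prints `${cluster_rg_id}` as the assignee, so the job log records a resource group id where the service principal id belongs; the vnet branch already prints `${cluster_sp_id}`. Both `az role assignment create` calls pass `--assignee` and `--scope` unquoted, and `jq -r '.clientId'` returns the literal string `null` when the key is missing from `azure_minimal_permission`, which would then be handed to `az` as the assignee. Because this step grants `Contributor` on a resource group, it should fail early when the principal cannot be resolved rather than attempt an assignment to an unintended identity. The sketch below quotes the arguments, corrects the log line and adds that check; the existing trap still records exit code 100 on failure.

```shell
# … unchanged: strict mode, status trap, install-config lookups, az login …
cluster_sp_id="${AZURE_AUTH_CLIENT_ID}"
if [[ -f "${SHARED_DIR}/azure_minimal_permission" ]]; then
    cluster_sp_id="$(jq -r '.clientId // empty' "${SHARED_DIR}/azure_minimal_permission")"
fi
if [[ -z "${cluster_sp_id}" ]]; then
    echo "ERROR: no service principal id found to assign roles to" >&2
    exit 1
fi

if [[ -n "${cluster_rg}" ]]; then
    # … unchanged: cluster_rg_id lookup …
    echo "Assign role 'Contributor' to ${cluster_sp_id} with scope over resource group ${cluster_rg}"
    az role assignment create --assignee "${cluster_sp_id}" --role "Contributor" --scope "${cluster_rg_id}" -o jsonc
fi

if [[ -n "${vnet_rg}" ]]; then
    # … unchanged: vnet_rg_id lookup and log line …
    az role assignment create --assignee "${cluster_sp_id}" --role "Network Contributor" --scope "${vnet_rg_id}" -o jsonc
fi
```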
@@ -0,0 +1,14 @@ +ref: + as: ipi-conf-azure-resourcegroup-assign-role + from_image: + namespace: ocp + name: "4.12" + tag: upi-installer + grace_period: 10m + commands: ipi-conf-azure-resourcegroup-assign-role-commands.sh + resources: + requests: + cpu: 10m + memory: 100Mi + documentation: |- + The IPI Azure configure step generates the Azure-specific install-config.yaml contents based on the cluster profile and optional input files. diff --git a/ci-operator/step-registry/ipi/conf/azure/resourcegroup/ipi-conf-azure-resourcegroup-chain.metadata.json b/ci-operator/step-registry/ipi/conf/azure/resourcegroup/ipi-conf-azure-resourcegroup-chain.metadata.json index d710f62189b19..e1afebf663d16 100644 --- a/ci-operator/step-registry/ipi/conf/azure/resourcegroup/ipi-conf-azure-resourcegroup-chain.metadata.json +++ b/ci-operator/step-registry/ipi/conf/azure/resourcegroup/ipi-conf-azure-resourcegroup-chain.metadata.json @@ -4,7 +4,9 @@ "approvers": [ "jhixson74", "patrickdillon", - "staebler" + "staebler", + "jianlinliu", + "jinyunma" ] } } \ No newline at end of file diff --git a/ci-operator/step-registry/ipi/conf/azure/resourcegroup/ipi-conf-azure-resourcegroup-commands.sh b/ci-operator/step-registry/ipi/conf/azure/resourcegroup/ipi-conf-azure-resourcegroup-commands.sh index bde10d39b2ef4..794232e672ac8 100755 --- a/ci-operator/step-registry/ipi/conf/azure/resourcegroup/ipi-conf-azure-resourcegroup-commands.sh +++ b/ci-operator/step-registry/ipi/conf/azure/resourcegroup/ipi-conf-azure-resourcegroup-commands.sh 
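Review bot: The `documentation` text of the new `ipi-conf-azure-resourcegroup-assign-role` ref describes the install-config generation step, not this one; the commands script added in this commit reads `install-config.yaml` and creates Azure role assignments. Something like `Assigns the "Contributor" role on the cluster resource group and "Network Contributor" on the network resource group to the cluster service principal; does nothing when install-config.yaml names neither resource group.` would match what the script does. It would also help to state that the step reads `${SHARED_DIR}/install-config.yaml` and, when present, `${SHARED_DIR}/azure_minimal_permission`, so it has to run after the steps that produce them.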
@@ -26,17 +26,6 @@ az login --service-principal -u "${AZURE_AUTH_CLIENT_ID}" -p "${AZURE_AUTH_CLIEN # create resource group prior to installation az group create -l "${azure_region}" -n "${existing_rg}" -# Assigne proper permissions to resource group where cluster will be created -if [[ -n "${AZURE_PERMISSION_FOR_CLUSTER_RG}" ]]; then - cluster_sp_id=${AZURE_AUTH_CLIENT_ID} - if [[ -f "${SHARED_DIR}/azure_minimal_permission" ]]; then - cluster_sp_id=$(jq -r '.clientId' "${SHARED_DIR}/azure_minimal_permission") - fi - resource_group_id=$(az group show -g "${existing_rg}" --query id -otsv) - echo "Assigin role '${AZURE_PERMISSION_FOR_CLUSTER_RG}' to resource group ${existing_rg}" - az role assignment create --assignee ${cluster_sp_id} --role "${AZURE_PERMISSION_FOR_CLUSTER_RG}" --scope ${resource_group_id} -o jsonc -fi - # create a patch with existing resource group configuration cat > "${PATCH}" << EOF platform: diff --git a/ci-operator/step-registry/ipi/conf/azure/resourcegroup/ipi-conf-azure-resourcegroup-ref.metadata.json b/ci-operator/step-registry/ipi/conf/azure/resourcegroup/ipi-conf-azure-resourcegroup-ref.metadata.json index 317537cd3fbb3..f343834643c9f 100644 --- a/ci-operator/step-registry/ipi/conf/azure/resourcegroup/ipi-conf-azure-resourcegroup-ref.metadata.json +++ b/ci-operator/step-registry/ipi/conf/azure/resourcegroup/ipi-conf-azure-resourcegroup-ref.metadata.json @@ -4,7 +4,9 @@ "approvers": [ "jhixson74", "patrickdillon", - "staebler" + "staebler", + "jianlinliu", + "jinyunma" ] } } \ No newline at end of file diff --git a/ci-operator/step-registry/ipi/conf/azure/resourcegroup/ipi-conf-azure-resourcegroup-ref.yaml b/ci-operator/step-registry/ipi/conf/azure/resourcegroup/ipi-conf-azure-resourcegroup-ref.yaml index 89b60197d8119..3e63348eaee72 100644 --- a/ci-operator/step-registry/ipi/conf/azure/resourcegroup/ipi-conf-azure-resourcegroup-ref.yaml +++ b/ci-operator/step-registry/ipi/conf/azure/resourcegroup/ipi-conf-azure-resourcegroup-ref.yaml 
@@ -9,10 +9,5 @@ ref: requests: cpu: 10m memory: 100Mi - env: - - name: AZURE_PERMISSION_FOR_CLUSTER_RG - default: "" - documentation: |- - Role assigned to cluster sp on scope of existing resource group where cluster is created. documentation: |- The IPI Azure configure step generates the Azure-specific install-config.yaml contents based on the cluster profile and optional input files. diff --git a/ci-operator/step-registry/openshift/e2e/azure/resourcegroup/openshift-e2e-azure-resourcegroup-workflow.yaml b/ci-operator/step-registry/openshift/e2e/azure/resourcegroup/openshift-e2e-azure-resourcegroup-workflow.yaml index ebfca45d45e8e..731d89d6bfab3 100644 --- a/ci-operator/step-registry/openshift/e2e/azure/resourcegroup/openshift-e2e-azure-resourcegroup-workflow.yaml +++ b/ci-operator/step-registry/openshift/e2e/azure/resourcegroup/openshift-e2e-azure-resourcegroup-workflow.yaml @@ -2,7 +2,6 @@ workflow: as: openshift-e2e-azure-resourcegroup steps: pre: - - ref: azure-provision-service-principal-minimal-permission - chain: ipi-azure-pre-resourcegroup test: - ref: openshift-e2e-test diff --git a/ci-operator/step-registry/openshift/e2e/azure/sharednetwork/openshift-e2e-azure-sharednetwork-workflow.yaml b/ci-operator/step-registry/openshift/e2e/azure/sharednetwork/openshift-e2e-azure-sharednetwork-workflow.yaml index 564ae8b811dd2..05c223edc6bf8 100644 --- a/ci-operator/step-registry/openshift/e2e/azure/sharednetwork/openshift-e2e-azure-sharednetwork-workflow.yaml +++ b/ci-operator/step-registry/openshift/e2e/azure/sharednetwork/openshift-e2e-azure-sharednetwork-workflow.yaml @@ -2,7 +2,6 @@ workflow: as: openshift-e2e-azure-sharednetwork steps: pre: - - ref: azure-provision-service-principal-minimal-permission - chain: ipi-azure-pre-sharednetwork test: - ref: openshift-e2e-test