openshift · openshift-merge-robot · Jun 22, 2023 · May 17, 2023 · May 17, 2023 · May 23, 2023
diff --git a/assets/controller.yaml b/assets/controller.yaml
@@ -53,6 +53,7 @@ spec:
             - --output-file-path=/etc/merged-cloud-config/cloud.conf
             # Force disable node's managed identity, azure-disk-credentials Secret should be used.
             - --disable-identity-extension-auth
+            - --enable-azure-workload-identity=${ENABLE_AZURE_WORKLOAD_IDENTITY}
           env:
             - name: AZURE_CLIENT_ID
               valueFrom:
@@ -64,6 +65,19 @@ spec:
                 secretKeyRef:
                   name: azure-disk-credentials
                   key: azure_client_secret
+                  optional: true
+            - name: AZURE_TENANT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: azure-disk-credentials
+                  key: azure_tenant_id
+                  optional: true
+            - name: AZURE_FEDERATED_TOKEN_FILE
+              valueFrom:
+                secretKeyRef:
+                  name: azure-disk-credentials
+                  key: azure_federated_token_file
+                  optional: true
           volumeMounts:
             - name: host-cloud-config
               mountPath: /etc/cloud-config
@@ -109,6 +123,9 @@ spec:
             - name: msi
               mountPath: /var/lib/waagent/ManagedIdentity-Settings
               readOnly: true
+            - name: bound-sa-token
+              mountPath: /var/run/secrets/openshift/serviceaccount
+              readOnly: true
           resources:
             requests:
               memory: 50Mi
@@ -352,3 +369,9 @@ spec:
             secretName: azure-disk-csi-driver-controller-metrics-serving-cert
         - name: merged-cloud-config
           emptydir:
+        - name: bound-sa-token
+          projected:
+            sources:
+            - serviceAccountToken:
+                path: token
+                audience: openshift
diff --git a/assets/node.yaml b/assets/node.yaml
@@ -39,6 +39,7 @@ spec:
             - --output-file-path=/etc/merged-cloud-config/cloud.conf
             # Force disable node's managed identity, azure-disk-credentials Secret should be used.
             - --disable-identity-extension-auth
+            - --enable-azure-workload-identity=${ENABLE_AZURE_WORKLOAD_IDENTITY}
           env:
             - name: AZURE_CLIENT_ID
               valueFrom:
@@ -50,6 +51,19 @@ spec:
                 secretKeyRef:
                   name: azure-disk-credentials
                   key: azure_client_secret
+                  optional: true
+            - name: AZURE_TENANT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: azure-disk-credentials
+                  key: azure_tenant_id
+                  optional: true
+            - name: AZURE_FEDERATED_TOKEN_FILE
+              valueFrom:
+                secretKeyRef:
+                  name: azure-disk-credentials
+                  key: azure_federated_token_file
+                  optional: true
           volumeMounts:
             - name: host-cloud-config
               mountPath: /etc/cloud-config

diff --git a/pkg/azurestackhub/azure_stack_hub_test.go b/pkg/azurestackhub/azure_stack_hub_test.go
@@ -41,7 +41,7 @@ func TestInjectPodSpecHappyPath(t *testing.T) {
 	assert.Nil(t, yaml.Unmarshal(file, dep))
 
 	injectEnvAndMounts(&dep.Spec.Template.Spec)
-	assert.Len(t, dep.Spec.Template.Spec.Volumes, 6)
+	assert.Len(t, dep.Spec.Template.Spec.Volumes, 7)
 	foundCfgVolume := false
 	for _, v := range dep.Spec.Template.Spec.Volumes {
 		if v.Name == azureCfgName {
@@ -59,7 +59,7 @@ func TestInjectPodSpecHappyPath(t *testing.T) {
 		}
 	}
 	assert.NotNil(t, csiDriver, "no csi-driver container found")
-	assert.Len(t, csiDriver.VolumeMounts, 4)
+	assert.Len(t, csiDriver.VolumeMounts, 5)
 	foundCfgVolumeMount := false
 	for _, v := range csiDriver.VolumeMounts {
 		if v.Name == azureCfgName {

diff --git a/pkg/operator/starter.go b/pkg/operator/starter.go
@@ -3,6 +3,7 @@ package operator
 import (
 	"context"
 	"fmt"
+	configv1 "github.com/openshift/api/config/v1"
 	"os"
 	"strings"
 	"time"
@@ -29,6 +30,8 @@ import (
 	"github.com/openshift/library-go/pkg/operator/csi/csidrivernodeservicecontroller"
 	goc "github.com/openshift/library-go/pkg/operator/genericoperatorclient"
 	"github.com/openshift/library-go/pkg/operator/v1helpers"
+
+	"github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
 )
 
 const (
@@ -40,8 +43,9 @@ const (
 	trustedCAConfigMap       = "azure-disk-csi-driver-trusted-ca-bundle"
 	resync                   = 20 * time.Minute
 
-	ccmOperatorImageEnvName = "CLUSTER_CLOUD_CONTROLLER_MANAGER_OPERATOR_IMAGE"
-	diskEncryptionSetID     = "diskEncryptionSetID"
+	ccmOperatorImageEnvName        = "CLUSTER_CLOUD_CONTROLLER_MANAGER_OPERATOR_IMAGE"
+	diskEncryptionSetID            = "diskEncryptionSetID"
+	operatorImageVersionEnvVarName = "OPERATOR_IMAGE_VERSION"
 )
 
 func RunOperator(ctx context.Context, controllerConfig *controllercmd.ControllerContext) error {
@@ -101,6 +105,42 @@ func RunOperator(ctx context.Context, controllerConfig *controllercmd.Controller
 		go azureStackConfigSyncer.Run(ctx, 1)
 	}
 
+	desiredVersion := os.Getenv(operatorImageVersionEnvVarName)
+	missingVersion := "0.0.1-snapshot"
+
+	featureGateAccessor := featuregates.NewFeatureGateAccess(
+		desiredVersion,
+		missingVersion,
+		configInformers.Config().V1().ClusterVersions(),
+		configInformers.Config().V1().FeatureGates(),
+		controllerConfig.EventRecorder,
+	)
+	go featureGateAccessor.Run(ctx)
+	go configInformers.Start(ctx.Done())
+
+	select {
+	case <-featureGateAccessor.InitialFeatureGatesObserved():
+		featureGates, _ := featureGateAccessor.CurrentFeatureGates()
+		klog.Info("FeatureGates initialized", "knownFeatures", featureGates.KnownFeatures())
+	case <-time.After(1 * time.Minute):
+		klog.Error(nil, "timed out waiting for FeatureGate detection")
+		return fmt.Errorf("timed out waiting for FeatureGate detection")
+	}
+
+	featureGates, err := featureGateAccessor.CurrentFeatureGates()
+	if err != nil {
+		return err
+	}
+
+	deploymentAsset := &assetWithReplacement{}
+	if featureGates.Enabled(configv1.FeatureGateAzureWorkloadIdentity) {
+		deploymentAsset.Replace("${ENABLE_AZURE_WORKLOAD_IDENTITY}", "true")
+	} else {
+		deploymentAsset.Replace("${ENABLE_AZURE_WORKLOAD_IDENTITY}", "false")
+	}
+
+	deploymentAsset.Replace("${CLUSTER_CLOUD_CONTROLLER_MANAGER_OPERATOR_IMAGE}", os.Getenv(ccmOperatorImageEnvName))
+
 	csiControllerSet := csicontrollerset.NewCSIControllerSet(
 		operatorClient,
 		controllerConfig.EventRecorder,
@@ -160,7 +200,7 @@ func RunOperator(ctx context.Context, controllerConfig *controllercmd.Controller
 		configInformers,
 	).WithCSIDriverControllerService(
 		"AzureDiskDriverControllerServiceController",
-		assetWithImageReplaced(),
+		deploymentAsset.GetAssetFunc(),
 		"controller.yaml",
 		kubeClient,
 		kubeInformersForNamespaces.InformersFor(defaultNamespace),
@@ -181,7 +221,7 @@ func RunOperator(ctx context.Context, controllerConfig *controllercmd.Controller
 		csidrivercontrollerservicecontroller.WithSecretHashAnnotationHook(defaultNamespace, secretName, secretInformer),
 	).WithCSIDriverNodeService(
 		"AzureDiskDriverNodeServiceController",
-		assetWithImageReplaced(),
+		deploymentAsset.GetAssetFunc(),
 		"node.yaml",
 		kubeClient,
 		kubeInformersForNamespaces.InformersFor(defaultNamespace),
@@ -227,14 +267,22 @@ func RunOperator(ctx context.Context, controllerConfig *controllercmd.Controller
 	return fmt.Errorf("stopped")
 }
 
-func assetWithImageReplaced() func(name string) ([]byte, error) {
+type assetWithReplacement []string
+
+func (r *assetWithReplacement) Replace(old, new string) {
+	*r = append(*r, old, new)
+}
+
+func (r *assetWithReplacement) GetAssetFunc() func(name string) ([]byte, error) {
 	return func(name string) ([]byte, error) {
 		assetBytes, err := assets.ReadFile(name)
 		if err != nil {
 			return assetBytes, err
 		}
-		asset := string(assetBytes)
-		asset = strings.ReplaceAll(asset, "${CLUSTER_CLOUD_CONTROLLER_MANAGER_OPERATOR_IMAGE}", os.Getenv(ccmOperatorImageEnvName))
+
+		replacer := strings.NewReplacer(*r...)
+		asset := replacer.Replace(string(assetBytes))
+
 		return []byte(asset), nil
 	}
 }
diff --git a/...r/github.com/openshift/library-go/pkg/operator/configobserver/featuregates/featuregate.go b/...r/github.com/openshift/library-go/pkg/operator/configobserver/featuregates/featuregate.go
diff --git a/...shift/library-go/pkg/operator/configobserver/featuregates/hardcoded_featuregate_reader.go b/...shift/library-go/pkg/operator/configobserver/featuregates/hardcoded_featuregate_reader.go