in pkg/cluster/cluster.go [145:347]
func New(ctx context.Context, log *logrus.Entry, _env env.Interface, db database.OpenShiftClusters, dbGateway database.Gateway, dbOpenShiftVersions database.OpenShiftVersions, dbPlatformWorkloadIdentityRoleSets database.PlatformWorkloadIdentityRoleSets, aead encryption.AEAD,
billing billing.Manager, doc *api.OpenShiftClusterDocument, subscriptionDoc *api.SubscriptionDocument, hiveClusterManager hive.ClusterManager, metricsEmitter metrics.Emitter,
) (Interface, error) {
r, err := azure.ParseResourceID(doc.OpenShiftCluster.ID)
if err != nil {
return nil, err
}
localFPAuthorizer, err := _env.FPAuthorizer(_env.TenantID(), nil, _env.Environment().ResourceManagerScope)
if err != nil {
return nil, err
}
// TODO: Delete once the replacement to track2 is done
fpAuthorizer, err := refreshable.NewAuthorizer(_env, subscriptionDoc.Subscription.Properties.TenantID)
if err != nil {
return nil, err
}
fpCredClusterTenant, err := _env.FPNewClientCertificateCredential(subscriptionDoc.Subscription.Properties.TenantID, nil)
if err != nil {
return nil, err
}
t, err := fpCredClusterTenant.GetToken(ctx, policy.TokenRequestOptions{Scopes: []string{_env.Environment().ResourceManagerScope}})
if err != nil {
return nil, err
}
tokenClaims, err := token.ExtractClaims(t.Token)
if err != nil {
return nil, err
}
fpspID := tokenClaims.ObjectId
fpCredRPTenant, err := _env.FPNewClientCertificateCredential(_env.TenantID(), nil)
if err != nil {
return nil, err
}
msiCredential, err := _env.NewMSITokenCredential()
if err != nil {
return nil, err
}
installViaHive, err := _env.LiveConfig().InstallViaHive(ctx)
if err != nil {
return nil, err
}
adoptByHive, err := _env.LiveConfig().AdoptByHive(ctx)
if err != nil {
return nil, err
}
clientOptions := _env.Environment().ArmClientOptions()
armInterfacesClient, err := armnetwork.NewInterfacesClient(r.SubscriptionID, fpCredClusterTenant, clientOptions)
if err != nil {
return nil, err
}
armPublicIPAddressesClient, err := armnetwork.NewPublicIPAddressesClient(r.SubscriptionID, fpCredClusterTenant, clientOptions)
if err != nil {
return nil, err
}
armLoadBalancersClient, err := armnetwork.NewLoadBalancersClient(r.SubscriptionID, fpCredClusterTenant, clientOptions)
if err != nil {
return nil, err
}
armPrivateEndpoints, err := armnetwork.NewPrivateEndpointsClient(r.SubscriptionID, fpCredClusterTenant, clientOptions)
if err != nil {
return nil, err
}
armFPPrivateEndpoints, err := armnetwork.NewPrivateEndpointsClient(_env.SubscriptionID(), fpCredRPTenant, clientOptions)
if err != nil {
return nil, err
}
armSecurityGroupsClient, err := armnetwork.NewSecurityGroupsClient(r.SubscriptionID, fpCredClusterTenant, clientOptions)
if err != nil {
return nil, err
}
armRPPrivateLinkServices, err := armnetwork.NewPrivateLinkServicesClient(_env.SubscriptionID(), msiCredential, clientOptions)
if err != nil {
return nil, err
}
storage, err := storage.NewManager(r.SubscriptionID, _env.Environment().StorageEndpointSuffix, fpCredClusterTenant, doc.OpenShiftCluster.UsesWorkloadIdentity(), clientOptions)
if err != nil {
return nil, err
}
rpBlob, err := blob.NewManager(_env.SubscriptionID(), msiCredential, clientOptions)
if err != nil {
return nil, err
}
armSubnetsClient, err := armnetwork.NewSubnetsClient(r.SubscriptionID, fpCredClusterTenant, clientOptions)
if err != nil {
return nil, err
}
armRoleDefinitionsClient, err := armauthorization.NewArmRoleDefinitionsClient(fpCredClusterTenant, r.SubscriptionID, clientOptions)
if err != nil {
return nil, err
}
platformWorkloadIdentityRolesByVersion := platformworkloadidentity.NewPlatformWorkloadIdentityRolesByVersionService()
m := &manager{
log: log,
env: _env,
db: db,
dbGateway: dbGateway,
dbOpenShiftVersions: dbOpenShiftVersions,
billing: billing,
doc: doc,
subscriptionDoc: subscriptionDoc,
fpAuthorizer: fpAuthorizer,
localFpAuthorizer: localFPAuthorizer,
metricsEmitter: metricsEmitter,
disks: compute.NewDisksClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
virtualMachines: compute.NewVirtualMachinesClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
interfaces: network.NewInterfacesClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
armInterfaces: armInterfacesClient,
armPublicIPAddresses: armPublicIPAddressesClient,
loadBalancers: network.NewLoadBalancersClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
armLoadBalancers: armLoadBalancersClient,
armPrivateEndpoints: armPrivateEndpoints,
armSecurityGroups: armSecurityGroupsClient,
deployments: features.NewDeploymentsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
resourceGroups: features.NewResourceGroupsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
resources: features.NewResourcesClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
privateZones: privatedns.NewPrivateZonesClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
virtualNetworkLinks: privatedns.NewVirtualNetworkLinksClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
roleAssignments: authorization.NewRoleAssignmentsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
roleDefinitions: authorization.NewRoleDefinitionsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
armRoleDefinitions: armRoleDefinitionsClient,
denyAssignments: authorization.NewDenyAssignmentsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
fpPrivateEndpoints: network.NewPrivateEndpointsClient(_env.Environment(), _env.SubscriptionID(), localFPAuthorizer),
armFPPrivateEndpoints: armFPPrivateEndpoints,
armRPPrivateLinkServices: armRPPrivateLinkServices,
armSubnets: armSubnetsClient,
dns: dns.NewManager(_env, fpCredRPTenant),
storage: storage,
subnet: subnet.NewManager(_env.Environment(), r.SubscriptionID, fpAuthorizer),
graph: graph.NewManager(_env, log, aead, storage),
rpBlob: rpBlob,
installViaHive: installViaHive,
adoptViaHive: adoptByHive,
hiveClusterManager: hiveClusterManager,
now: func() time.Time { return time.Now() },
openShiftClusterDocumentVersioner: new(openShiftClusterDocumentVersionerService),
platformWorkloadIdentityRolesByVersion: platformWorkloadIdentityRolesByVersion,
fpServicePrincipalID: fpspID,
}
if doc.OpenShiftCluster.UsesWorkloadIdentity() {
if m.doc.OpenShiftCluster.Properties.ProvisioningState != api.ProvisioningStateDeleting {
err = m.platformWorkloadIdentityRolesByVersion.PopulatePlatformWorkloadIdentityRolesByVersion(ctx, doc.OpenShiftCluster, dbPlatformWorkloadIdentityRoleSets)
if err != nil {
return nil, err
}
}
msiResourceId, err := m.doc.OpenShiftCluster.ClusterMsiResourceId()
if err != nil {
return nil, err
}
var msiDataplane dataplane.ClientFactory
if _env.FeatureIsSet(env.FeatureUseMockMsiRp) {
msiDataplane = _env.MockMSIResponses(msiResourceId)
} else {
msiDataplaneClientOptions, err := _env.MsiDataplaneClientOptions()
if err != nil {
return nil, err
}
// MSI dataplane client receives tenant from the bearer challenge, so we can't limit the allowed tenants in the credential
fpMSICred, err := _env.FPNewClientCertificateCredential(_env.TenantID(), []string{"*"})
if err != nil {
return nil, err
}
msiDataplane = dataplane.NewClientFactory(fpMSICred, _env.MsiRpEndpoint(), msiDataplaneClientOptions)
}
m.msiDataplane = msiDataplane
secretsClient, err := azsecrets.NewClient(azsecrets.URI(_env, _env.ClusterMsiKeyVaultName(), ""), msiCredential, _env.Environment().AzureClientOptions())
if err != nil {
return nil, fmt.Errorf("cannot create MSI key vault client: %w", err)
}
m.clusterMsiKeyVaultStore = secretsClient
}
return m, nil
}