in pkg/validate/openshiftcluster_validatedynamic.go [119:304]
// Dynamic runs the Azure-side validation of the cluster document held by dv.
// Every check below needs a credential and a round trip to Azure, which is
// what separates it from the static validation.
//
// The checks run in this order and stop at the first error:
//  1. the master and worker subnets are collected, since most checks take
//     that list;
//  2. the first-party (FP) certificate credential and the remote PDP client
//     are constructed;
//  3. the cluster identity is validated — the customer service principal for
//     classic clusters, or the cluster MSI plus the platform workload
//     identities for workload-identity clusters;
//  4. VNet, subnet, disk-encryption-set and pre-configured NSG checks are
//     run through the validator bound to that cluster identity;
//  5. the FP credential's token claims are checked and the VNet,
//     disk-encryption-set, NSG and load-balancer-profile checks are run
//     again through a first-party validator.
//
// Errors from the underlying validators are returned unchanged so that the
// typed errors they produce reach the caller as-is.
func (dv *openShiftClusterDynamicValidator) Dynamic(ctx context.Context) error {
	// Every subnet referenced by the cluster, each with the JSON path that a
	// validation error should point at.
	workerProfiles, propertyName := api.GetEnrichedWorkerProfiles(dv.oc.Properties)
	subnets := make([]dynamic.Subnet, 0, 1+len(workerProfiles))
	subnets = append(subnets, dynamic.Subnet{
		ID:   dv.oc.Properties.MasterProfile.SubnetID,
		Path: "properties.masterProfile.subnetId",
	})
	for idx, profile := range workerProfiles {
		subnets = append(subnets, dynamic.Subnet{
			ID:   profile.SubnetID,
			Path: fmt.Sprintf("properties.%s[%d].subnetId", propertyName, idx),
		})
	}

	tenantID := dv.subscriptionDoc.Subscription.Properties.TenantID

	// The FP certificate credential backs the PDP client and, at the end,
	// the first-party validator.
	fpCred, err := dv.env.FPNewClientCertificateCredential(tenantID, nil)
	if err != nil {
		return err
	}

	azEnv := dv.env.Environment()
	pdp, err := client.NewRemotePDPClient(
		fmt.Sprintf(azEnv.Endpoint, dv.env.Location()),
		azEnv.OAuthScope,
		fpCred,
		&azcore.ClientOptions{
			PerCallPolicies: []policy.Policy{azureclient.NewLoggingPolicy()},
		},
	)
	if err != nil {
		return err
	}

	rmScopes := []string{dv.env.Environment().ResourceManagerScope}

	// clusterValidator is bound to whichever identity the cluster itself
	// uses; the checks in step 4 go through it.
	var clusterValidator dynamic.Dynamic
	if dv.oc.UsesWorkloadIdentity() {
		// Cluster MSI validation.
		msiValidator, err := dynamic.NewValidator(
			dv.log,
			dv.env,
			dv.env.Environment(),
			dv.subscriptionDoc.ID,
			dv.fpAuthorizer,
			nil,
			dynamic.AuthorizerClusterUserAssignedIdentity,
			dv.clusterMSICredential,
			pdp,
		)
		if err != nil {
			return err
		}
		if err = msiValidator.ValidateClusterUserAssignedIdentity(ctx, dv.oc.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities, dv.roleDefinitions); err != nil {
			return err
		}

		// Platform workload identity validation, using the FP credential.
		clusterValidator, err = dynamic.NewValidator(
			dv.log,
			dv.env,
			dv.env.Environment(),
			dv.subscriptionDoc.ID,
			dv.fpAuthorizer,
			nil,
			dynamic.AuthorizerWorkloadIdentity,
			fpCred,
			pdp,
		)
		if err != nil {
			return err
		}
		if err = clusterValidator.ValidatePlatformWorkloadIdentityProfile(ctx, dv.oc, dv.platformWorkloadIdentityRolesByVersion.GetPlatformWorkloadIdentityRolesByRoleName(), dv.roleDefinitions, dv.clusterMsiFederatedIdentityCredentials, dv.platformWorkloadIdentities); err != nil {
			return err
		}
	} else {
		// Service principal validation. The client secret is handed straight
		// to the credential constructor and is not logged or kept here.
		spProfile := dv.oc.Properties.ServicePrincipalProfile
		spCred, err := azidentity.NewClientSecretCredential(
			tenantID, spProfile.ClientID, string(spProfile.ClientSecret),
			dv.env.Environment().ClientSecretCredentialOptions())
		if err != nil {
			return err
		}
		// Check the claims of a token minted for the SP before the credential
		// is used for any permission checks (see ensureAccessTokenClaims).
		if err = ensureAccessTokenClaims(ctx, spCred, rmScopes); err != nil {
			return err
		}
		clusterValidator, err = dynamic.NewValidator(
			dv.log,
			dv.env,
			dv.env.Environment(),
			dv.subscriptionDoc.ID,
			dv.fpAuthorizer,
			&spProfile.ClientID,
			dynamic.AuthorizerClusterServicePrincipal,
			spCred,
			pdp,
		)
		if err != nil {
			return err
		}
		if err = clusterValidator.ValidateServicePrincipal(ctx, spCred); err != nil {
			return err
		}
	}

	// Network and encryption checks through the cluster identity's validator.
	if err = clusterValidator.ValidateVnet(
		ctx,
		dv.oc.Location,
		subnets,
		dv.oc.Properties.NetworkProfile.PodCIDR,
		dv.oc.Properties.NetworkProfile.ServiceCIDR,
	); err != nil {
		return err
	}
	if err = clusterValidator.ValidateSubnets(ctx, dv.oc, subnets); err != nil {
		return err
	}
	if err = clusterValidator.ValidateDiskEncryptionSets(ctx, dv.oc); err != nil {
		return err
	}
	if err = clusterValidator.ValidatePreConfiguredNSGs(ctx, dv.oc, subnets); err != nil {
		return err
	}

	// First-party validation: check the claims of a token minted for the FP
	// credential, then repeat the network checks through a validator that
	// authorizes as the first party.
	if err = ensureAccessTokenClaims(ctx, fpCred, rmScopes); err != nil {
		return err
	}
	fpValidator, err := dynamic.NewValidator(
		dv.log,
		dv.env,
		dv.env.Environment(),
		dv.subscriptionDoc.ID,
		dv.fpAuthorizer,
		to.StringPtr(dv.env.FPClientID()),
		dynamic.AuthorizerFirstParty,
		fpCred,
		pdp,
	)
	if err != nil {
		return err
	}
	if err = fpValidator.ValidateVnet(
		ctx,
		dv.oc.Location,
		subnets,
		dv.oc.Properties.NetworkProfile.PodCIDR,
		dv.oc.Properties.NetworkProfile.ServiceCIDR,
	); err != nil {
		return err
	}
	if err = fpValidator.ValidateDiskEncryptionSets(ctx, dv.oc); err != nil {
		return err
	}
	if err = fpValidator.ValidatePreConfiguredNSGs(ctx, dv.oc, subnets); err != nil {
		return err
	}
	// The load-balancer profile is only checked as the first party.
	return fpValidator.ValidateLoadBalancerProfile(ctx, dv.oc)
}