Skip to content

OCPBUGS-63698: fix(azure): remove CSI secret ownership from hypershift-operator #7157

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
openshift-merge-bot merged 1 commit into from
Jan 5, 2026
Merged

OCPBUGS-63698: fix(azure): remove CSI secret ownership from hypershift-operator #7157

openshift-merge-bot merged 1 commit into from
Jan 5, 2026
+6 −24

Conversation

@bryan-cox
Copy link
Member

@bryan-cox bryan-cox commented Nov 5, 2025
edited
Loading

Summary

This PR enables Azure Disk and File CSI drivers to work correctly on self-managed Azure HyperShift clusters by fixing the credential secret ownership and ensuring proper authentication configuration.

Changes

1. Move CSI Secret Ownership to control-plane-operator

  • Removed disk-csi and file-csi credential management from hypershift-operator's ReconcileCredentials function
  • Control-plane-operator now has full ownership of CSI driver secrets (azure-disk-csi-config, azure-file-csi-config)
  • Fixes ownership conflict where hypershift-operator was replacing the entire secret.Data map, wiping out the cloud.conf field

2. Authentication Flow

The proper authentication flow for self-managed Azure is:

  • HyperShift → control-plane-operator → CSI driver
  • control-plane-operator creates secrets with proper cloud.conf JSON configuration
  • cloud.conf includes: useFederatedWorkloadIdentityExtension: true, aadClientId, aadFederatedTokenFile
  • Token-minter sidecar (injected by csi-operator) creates the token file
  • Azure SDK uses federated workload identity to authenticate

Related PRs

Testing

  • Verify CSI driver pods start successfully on self-managed Azure clusters
  • Verify azure-disk-csi-config and azure-file-csi-config secrets contain cloud.conf key
  • Verify PVC creation and mounting works correctly
  • Verify ARO HCP clusters still work (they use different auth mechanism)

Fixes: OCPBUGS-63698

Signed-off-by: Bryan Cox brcox@redhat.com

@openshift-ci-robot openshift-ci-robot added jira/severity-critical Referenced Jira bug's severity is critical for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. labels Nov 5, 2025
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 5, 2025
@openshift-ci-robot openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Nov 5, 2025
@openshift-ci-robot
Copy link

openshift-ci-robot commented Nov 5, 2025

@bryan-cox: This pull request references Jira Issue OCPBUGS-63698, which is invalid:

  • expected the bug to target the "4.21.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary

This PR enables Azure Disk and File CSI drivers to work correctly on self-managed Azure HyperShift clusters by fixing the credential secret ownership and ensuring proper authentication configuration.

Changes

1. Move CSI Secret Ownership to control-plane-operator

  • Removed disk-csi and file-csi credential management from hypershift-operator's ReconcileCredentials function
  • Control-plane-operator now has full ownership of CSI driver secrets (azure-disk-csi-config, azure-file-csi-config)
  • Fixes ownership conflict where hypershift-operator was replacing the entire secret.Data map, wiping out the cloud.conf field

2. Authentication Flow

The proper authentication flow for self-managed Azure is:

  • HyperShift → control-plane-operator → CSI driver
  • control-plane-operator creates secrets with proper cloud.conf JSON configuration
  • cloud.conf includes: useFederatedWorkloadIdentityExtension: true, aadClientId, aadFederatedTokenFile
  • Token-minter sidecar (injected by csi-operator) creates the token file
  • Azure SDK uses federated workload identity to authenticate

Related PRs

Testing

  • Verify CSI driver pods start successfully on self-managed Azure clusters
  • Verify azure-disk-csi-config and azure-file-csi-config secrets contain cloud.conf key
  • Verify PVC creation and mounting works correctly
  • Verify ARO HCP clusters still work (they use different auth mechanism)

Fixes: OCPBUGS-63698

Signed-off-by: Bryan Cox brcox@redhat.com

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Nov 5, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Nov 5, 2025
edited
Loading

Walkthrough

Removed disk and file CSI credential management from Azure platform reconciliation in hypershift-operator. These credentials are now handled by control-plane-operator instead. Corresponding test expectations were updated to reflect reduced credential entries and secret counts.

Changes

Cohort / File(s) Summary
Azure CSI credential removal
hypershift-operator/controllers/hostedcluster/internal/platform/azure/azure.go, hypershift-operator/controllers/hostedcluster/internal/platform/azure/azure_test.go		 Removed disk CSI and file CSI from credentialConfigs list; added comment noting CSI driver credentials are now managed by control-plane-operator. Updated test expectations: expected secret count reduced from 5 to 3; removed disk-csi and file-csi entries from expected client IDs map; adjusted secret counting and existence checks across test scenarios.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

  • Verify test expectations align with credential removal (secret count changes from 5 to 3)
  • Confirm no unintended side effects from removing disk-csi and file-csi entries in the credentialConfigs list
  • Review test scenarios under different configurations (MANAGED_SERVICE = ARO-HCP) to ensure behavior is correctly validated
✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 23cb8b3 and 761ba8e.

📒 Files selected for processing (2)
  • hypershift-operator/controllers/hostedcluster/internal/platform/azure/azure.go (1 hunks)
  • hypershift-operator/controllers/hostedcluster/internal/platform/azure/azure_test.go (3 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • hypershift-operator/controllers/hostedcluster/internal/platform/azure/azure.go
  • hypershift-operator/controllers/hostedcluster/internal/platform/azure/azure_test.go
🔇 Additional comments (6)
hypershift-operator/controllers/hostedcluster/internal/platform/azure/azure.go (2)

291-292: LGTM!

The comment clearly explains the architectural change and helps future maintainers understand why CSI driver credentials are no longer managed here.

292-309: Control-plane-operator CSI secret management is properly implemented.

The removal of disk-csi and file-csi credentials from hypershift-operator is correctly paired with control-plane-operator changes. The target operator has complete CSI secret management infrastructure in place:

  • azure-disk-csi-config and azure-file-csi-config are registered as manifest adapters with proper adapt functions
  • Both adapters populate secrets with workloadIdentities from HCP configuration
  • The storage component enables CSI management for Azure platforms

Deployment ordering between operators is an operational concern handled outside this code review and should be verified through release/deployment procedures if not already documented.

hypershift-operator/controllers/hostedcluster/internal/platform/azure/azure_test.go (4)

277-277: LGTM!

The updated expectation correctly reflects that hypershift-operator now creates only 3 secrets (ingress, image-registry, cncc) instead of 5. The inline comment clearly explains why disk/file CSI secrets are excluded.

Minor note: The test case name "creates all credential secrets" is technically no longer accurate since CSI credentials are excluded, but the comment clarifies this adequately.

297-302: LGTM!

The expectedClientIDs map correctly reflects the reduced set of credentials now managed by hypershift-operator. The comment clearly explains that disk/file CSI credentials are handled by control-plane-operator.

339-339: LGTM!

The expectation correctly reflects that only the CNCC secret is created when ingress and image-registry capabilities are disabled and CSI credentials are managed by control-plane-operator. The comment provides clear context.

347-352: LGTM!

The validation logic and comments correctly verify that:

  • Disabled capabilities (ingress, image-registry) result in absent secrets
  • CNCC secret is still created
  • Disk/file CSI secrets are not expected (managed by control-plane-operator)

The test assertions accurately validate the expected behavior.

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci bot added area/documentation Indicates the PR includes changes for documentation area/hypershift-operator Indicates the PR includes changes for the hypershift operator and API - outside an OCP release labels Nov 5, 2025
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Nov 5, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. and removed do-not-merge/needs-area labels Nov 5, 2025
This was referenced Nov 5, 2025
Open
Merged
@bryan-cox
Copy link
Member Author

bryan-cox commented Nov 5, 2025

Detailed Authentication Flow for Azure CSI Drivers on Self-Managed HyperShift

This PR is part of a 3-PR solution. Here's the complete end-to-end authentication flow with exact code references:

1. HyperShift Operator - Removes CSI Secret Ownership

File: hypershift-operator/controllers/hostedcluster/internal/platform/azure/azure.go:290-309

Removes disk-csi and file-csi from the credential configs, leaving only ingress and image-registry. This prevents hypershift-operator from managing CSI secrets.

2. Control-Plane Operator - Registers CSI Secret Adapters

File: control-plane-operator/controllers/hostedcontrolplane/v2/storage/component.go:48-60

WithManifestAdapter(
    "azure-disk-csi-config.yaml",
    component.WithAdaptFunction(adaptAzureCSIDiskSecret),
    component.EnableForPlatform(hyperv1.AzurePlatform),
).
WithManifestAdapter(
    "azure-file-csi-config.yaml",
    component.WithAdaptFunction(adaptAzureCSIFileSecret),
    component.EnableForPlatform(hyperv1.AzurePlatform),
)

3. Control-Plane Operator - Creates cloud.conf JSON

File: control-plane-operator/controllers/hostedcontrolplane/v2/storage/azure.go:20-53

func adaptAzureCSISecret(cpContext component.WorkloadContext, ...) error {
    azureConfig := azure.AzureConfig{
        Cloud:          azureSpec.Cloud,
        TenantID:       azureSpec.TenantID,
        SubscriptionID: azureSpec.SubscriptionID,
        ResourceGroup:  azureSpec.ResourceGroupName,
        Location:       azureSpec.Location,
    }

    if azureutil.IsSelfManagedAzure(cpContext.HCP.Spec.Platform.Type) {
        azureConfig.UseFederatedWorkloadIdentityExtension = true  // Line 34
        azureConfig.AADClientID = string(workloadIdentity.ClientID)  // Line 35
        azureConfig.AADFederatedTokenFile = "/var/run/secrets/openshift/serviceaccount/token"  // Line 36
    }

    // Get vnet info needed by CSI drivers
    azureConfig.VnetName, azureConfig.VnetResourceGroup, _ = azureutil.GetVnetNameAndResourceGroupFromVnetID(azureSpec.VnetID)

    serializedConfig, _ := json.MarshalIndent(azureConfig, "", "  ")
    secret.Data[azure.ConfigKey] = serializedConfig  // ConfigKey = "cloud.conf"
}

4. Cluster-Storage-Operator - Passes HYPERSHIFT_IMAGE

File: cluster-storage-operator/pkg/operator/csidriveroperator/hypershift_deployment_controller.go:159-170
PR: openshift/cluster-storage-operator#643

// For self-managed Azure (not ARO HCP), pass HYPERSHIFT_IMAGE to enable token-minter sidecars
if os.Getenv("ARO_HCP_SECRET_PROVIDER_CLASS_FOR_DISK") == "" && requiredCopy.Name == "azure-disk-csi-driver-operator" {
    if hyperShiftImage := os.Getenv("HYPERSHIFT_IMAGE"); hyperShiftImage != "" {
        envVars = append(envVars, corev1.EnvVar{Name: "HYPERSHIFT_IMAGE", Value: hyperShiftImage})
    }
}

5. CSI-Operator - Injects token-minter Sidecar

File: csi-operator/pkg/driver/common/operator/hooks.go:262-308
PR: openshift/csi-operator#461

func WithTokenMinter(serviceAccountName string) dc.DeploymentHookFunc {
    return func(_ *opv1.OperatorSpec, deployment *appsv1.Deployment) error {
        hyperShiftImage := os.Getenv("HYPERSHIFT_IMAGE")
        if hyperShiftImage == "" {
            return nil  // Skip if not set
        }

        tokenMinter := corev1.Container{
            Name:  "token-minter",
            Image: hyperShiftImage,
            Command: []string{"/usr/bin/control-plane-operator", "token-minter"},
            Args: []string{
                "--service-account-namespace=openshift-cluster-csi-drivers",
                "--service-account-name=" + serviceAccountName,
                "--token-audience=openshift",
                "--token-file=/var/run/secrets/openshift/serviceaccount/token",
                "--kubeconfig=/etc/hosted-kubernetes/kubeconfig",
            },
            VolumeMounts: []corev1.VolumeMount{
                {Name: "bound-sa-token", MountPath: "/var/run/secrets/openshift/serviceaccount"},
                {Name: "hosted-kubeconfig", MountPath: "/etc/hosted-kubernetes", ReadOnly: true},
            },
        }
        deployment.Spec.Template.Spec.Containers = append(deployment.Spec.Template.Spec.Containers, tokenMinter)
    }
}

6. CSI Driver Pod - Reads cloud.conf and Uses Token

The resulting CSI driver controller pod has:

containers:
- name: csi-driver
  env:
  - name: AZURE_CREDENTIAL_FILE
    value: /etc/kubernetes/cloud.conf      # Points to cloud.conf
  volumeMounts:
  - mountPath: /etc/kubernetes/
    name: cloud-config                     # Mounts the secret with cloud.conf
  - mountPath: /var/run/secrets/openshift/serviceaccount
    name: bound-sa-token                   # Token created by token-minter

- name: token-minter
  command: [/usr/bin/control-plane-operator, token-minter]
  args:
  - --service-account-namespace=openshift-cluster-csi-drivers
  - --service-account-name=azure-disk-csi-driver-controller-sa
  - --token-file=/var/run/secrets/openshift/serviceaccount/token
  - --kubeconfig=/etc/hosted-kubernetes/kubeconfig

volumes:
- name: cloud-config
  secret:
    secretName: azure-disk-csi-config      # Secret created by CPO with cloud.conf
- name: bound-sa-token
  emptyDir:
    medium: Memory                         # Shared volume for token

7. Azure SDK - Authenticates Using Workload Identity

The Azure SDK inside the CSI driver reads:

  1. cloud.conf at /etc/kubernetes/cloud.conf containing: 
    {
  "useFederatedWorkloadIdentityExtension": true,
  "aadClientId": "<workload-identity-client-id>",
  "aadFederatedTokenFile": "/var/run/secrets/openshift/serviceaccount/token",
  "tenantId": "...",
  "subscriptionId": "...",
  "resourceGroup": "...",
  "location": "...",
  "vnetName": "...",
  "vnetResourceGroup": "..."
}
  2. Service account token at /var/run/secrets/openshift/serviceaccount/token (created by token-minter)
  3. Azure SDK exchanges the token for Azure credentials via workload identity federation

Summary

This PR removes CSI secret management from hypershift-operator, allowing control-plane-operator to maintain full ownership with its existing, correct logic. The other two PRs enable the CSI driver operators to inject the token-minter sidecar that creates the tokens the CSI drivers need for authentication.

Fixes: OCPBUGS-63698

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 11, 2025
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 8, 2025
@openshift-ci openshift-ci bot added the area/platform/azure PR/issue for Azure (AzurePlatform) platform label Dec 8, 2025
@bryan-cox
Copy link
Member Author

bryan-cox commented Dec 9, 2025

/test all

@bryan-cox
feat(azure): move CSI secret ownership to control-plane-operator
761ba8e 
Remove disk-csi and file-csi credential management from hypershift-operator's
ReconcileCredentials function. These secrets are now fully managed by
control-plane-operator which creates them with the proper cloud.conf JSON
configuration needed by the CSI drivers.

This fixes an ownership conflict where hypershift-operator was replacing
the entire secret.Data map, wiping out the cloud.conf field that
control-plane-operator was adding.

Fixes: OCPBUGS-63698

Signed-off-by: Bryan Cox <brcox@redhat.com>
Commit-Message-Assisted-by: Claude (via Claude Code)
@bryan-cox
Copy link
Member Author

bryan-cox commented Dec 10, 2025

/test all

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Dec 12, 2025

@duanwei33: This PR was included in a payload test run from openshift/cluster-storage-operator#643
trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-openshift-tests-private-release-4.21-amd64-nightly-azure-ipi-ovn-hypershift-guest-f7

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/7142dd10-d6fe-11f0-8d59-3afbbfee03e5-0

@bryan-cox
Copy link
Member Author

bryan-cox commented Dec 18, 2025

/auto-cc

@openshift-ci openshift-ci bot requested review from enxebre and muraee December 18, 2025 13:28
@bryan-cox bryan-cox changed the title OCPBUGS-63698: Enable Azure CSI drivers on self-managed HyperShift clusters OCPBUGS-63698: feat(azure): remove CSI secret ownership from hypershift-operator Dec 18, 2025
@bryan-cox bryan-cox changed the title OCPBUGS-63698: feat(azure): remove CSI secret ownership from hypershift-operator OCPBUGS-63698: fix(azure): remove CSI secret ownership from hypershift-operator Dec 18, 2025
@muraee
Copy link
Contributor

muraee commented Dec 18, 2025

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Dec 18, 2025
@bryan-cox bryan-cox marked this pull request as ready for review December 18, 2025 17:20
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 18, 2025
@openshift-ci openshift-ci bot requested review from devguyio and jparrill December 18, 2025 17:21
@duanwei33
Copy link

duanwei33 commented Jan 4, 2026

The pre-merge testing was performed with openshift/cluster-storage-operator#643, openshift/csi-operator#461, and #7157.

All regression test cases passed, with the exception of the azurefile-nfs snapshot. This failure is due to a known limitation in azurefile-nfs, and Jira OCPBUGS-69882 has been filed to track it.

LGTM from the storage QE side.

@bryan-cox
Copy link
Member Author

bryan-cox commented Jan 5, 2026

/retest

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 5, 2026
edited
Loading

@bryan-cox: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-4-20 761ba8e link true /test e2e-aws-4-20

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@bryan-cox
Copy link
Member Author

bryan-cox commented Jan 5, 2026

/retest-required

@bryan-cox
Copy link
Member Author

bryan-cox commented Jan 5, 2026

/verified by @duanwei33

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jan 5, 2026
@openshift-ci-robot
Copy link

openshift-ci-robot commented Jan 5, 2026

@bryan-cox: This PR has been marked as verified by @duanwei33.

Details

In response to this:

/verified by @duanwei33

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@bryan-cox
Copy link
Member Author

bryan-cox commented Jan 5, 2026

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jan 5, 2026
@openshift-ci-robot
Copy link

openshift-ci-robot commented Jan 5, 2026

@bryan-cox: This pull request references Jira Issue OCPBUGS-63698, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (wduan@redhat.com), skipping review request.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@bryan-cox
Copy link
Member Author

bryan-cox commented Jan 5, 2026

/retest

@bryan-cox
Copy link
Member Author

bryan-cox commented Jan 5, 2026

/override "Red Hat Konflux / hypershift-operator-enterprise-contract / hypershift-operator-main"

@bryan-cox
Copy link
Member Author

bryan-cox commented Jan 5, 2026

/override "Red Hat Konflux / hypershift-operator-main-enterprise-contract / hypershift-operator-main"

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 5, 2026

@bryan-cox: Overrode contexts on behalf of bryan-cox: Red Hat Konflux / hypershift-operator-enterprise-contract / hypershift-operator-main

Details

In response to this:

/override "Red Hat Konflux / hypershift-operator-enterprise-contract / hypershift-operator-main"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 5, 2026

@bryan-cox: Overrode contexts on behalf of bryan-cox: Red Hat Konflux / hypershift-operator-main-enterprise-contract / hypershift-operator-main

Details

In response to this:

/override "Red Hat Konflux / hypershift-operator-main-enterprise-contract / hypershift-operator-main"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-merge-bot openshift-merge-bot bot merged commit 941f016 into openshift:main Jan 5, 2026
22 of 24 checks passed
@openshift-ci-robot
Copy link

openshift-ci-robot commented Jan 5, 2026

@bryan-cox: Jira Issue OCPBUGS-63698: Some pull requests linked via external trackers have merged:

The following pull request, linked via external tracker, has not merged:

All associated pull requests must be merged or unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with /jira refresh.

Jira Issue OCPBUGS-63698 has not been moved to the MODIFIED state.

This PR is marked as verified. If the remaining PRs listed above are marked as verified before merging, the issue will automatically be moved to VERIFIED after all of the changes from the PRs are available in an accepted nightly payload.

Details

In response to this:

Summary

This PR enables Azure Disk and File CSI drivers to work correctly on self-managed Azure HyperShift clusters by fixing the credential secret ownership and ensuring proper authentication configuration.

Changes

1. Move CSI Secret Ownership to control-plane-operator

  • Removed disk-csi and file-csi credential management from hypershift-operator's ReconcileCredentials function
  • Control-plane-operator now has full ownership of CSI driver secrets (azure-disk-csi-config, azure-file-csi-config)
  • Fixes ownership conflict where hypershift-operator was replacing the entire secret.Data map, wiping out the cloud.conf field

2. Authentication Flow

The proper authentication flow for self-managed Azure is:

  • HyperShift → control-plane-operator → CSI driver
  • control-plane-operator creates secrets with proper cloud.conf JSON configuration
  • cloud.conf includes: useFederatedWorkloadIdentityExtension: true, aadClientId, aadFederatedTokenFile
  • Token-minter sidecar (injected by csi-operator) creates the token file
  • Azure SDK uses federated workload identity to authenticate

Related PRs

Testing

  • Verify CSI driver pods start successfully on self-managed Azure clusters
  • Verify azure-disk-csi-config and azure-file-csi-config secrets contain cloud.conf key
  • Verify PVC creation and mounting works correctly
  • Verify ARO HCP clusters still work (they use different auth mechanism)

Fixes: OCPBUGS-63698

Signed-off-by: Bryan Cox brcox@redhat.com

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@enxebre enxebre Awaiting requested review from enxebre

@muraee muraee Awaiting requested review from muraee

@devguyio devguyio Awaiting requested review from devguyio

@jparrill jparrill Awaiting requested review from jparrill

Assignees

@muraee muraee

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. area/documentation Indicates the PR includes changes for documentation area/hypershift-operator Indicates the PR includes changes for the hypershift operator and API - outside an OCP release area/platform/azure PR/issue for Azure (AzurePlatform) platform jira/severity-critical Referenced Jira bug's severity is critical for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. verified Signifies that the PR passed pre-merge verification criteria

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@bryan-cox @openshift-ci-robot @muraee @duanwei33 @openshift-merge-robot