Add Aro-hcp proposal

[serngawy]

What type of PR is this?

/kind documentation

What this PR does / why we need it:

Proposal for ARO-HCP feature

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

TODOs:

• squashed commits
• [ X] includes documentation
• adds unit tests
• cherry-pick candidate

Release note:

None

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 53.19%. Comparing base (c3f0631) to head (d9bc85b).
Report is 54 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5605      +/-   ##
==========================================
- Coverage   53.28%   53.19%   -0.10%     
==========================================
  Files         272      272              
  Lines       29537    29582      +45     
==========================================
- Hits        15739    15735       -4     
- Misses      12983    13027      +44     
- Partials      815      820       +5     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[serngawy]

@marek-veber

[marek-veber]

IMHO we will also need the:

• tenant_id,
• subscription_id,
• managed_resource_group_name (not only resource_group_name)
  to create a cluster, isn't it?

[serngawy]

yes, those info are provided at the azureclusteridentity

[marek-veber]

Why Subnet & SubnetRef ?
subnet id or cluster id or node pool id ? I'm not sure base on: https://github.com/Azure/ARO-HCP/blob/main/cluster-service/cluster-creation.md#creating-node-pools

Replicas & autorepare will be used from capi MachinePool?

[serngawy]

subnetRef will be referring to VirtualNetworksSubnet CR by name.
yes, replicas defined at CAPI machinePool CR

[marek-veber]

What are the keys in those maps?
What about to replace maps with structures for it?

[serngawy]

I updated the managed Identities to include all the required identities names

[bryan-cox]

Are we not planning to reuse the HyperShift API for this, rather than duplicating API efforts?

[serngawy]

no, we will re-use the Hypershift API. The naming for CRD fields is a bit different but internally with API call will set the naming as here

[bryan-cox]

Similar question as above, re: reusing HyperShift API

[bryan-cox]

Should we also list the exact role definitions each one of these will get?

[serngawy]

not sure if I understand, The field desc mentioning the role definition "control-plane" and similar for every UAMI

[bryan-cox]

Every control plane and data plane are assigned a specific Azure role definition(s) - CNTRLPLANE-171.

For example, the ingress managed identity is only assigned the "Azure Red Hat OpenShift Cluster Ingress Operator" role over the resource groups containing the VNET and the DNS Zone.

[serngawy]

okay, that is fine we will use the same role naming and keys. Would you mention the ref for it from the Hypershift repo . I don't think the Jira url above is accessible for everyone.

[bryan-cox]

The mapping of control plane to role definition to resource group does not reside from the HyperShift repo. I am not sure if it is available in some public fashion on the ARO side 🤔

[serngawy]

I checked the hypershift repo, I don't think we need to set the Azure role definition, In CAPZ we will set the role key name similar to the example here ex; control-plane, cluster-api-azure, ingress, ..etc then hypershift will set the role definition. Hypershift has the role ref here

[serngawy]

it is here in the ocm-cluster-service

[bryan-cox]

FWIW, we do not set the role definitions in HyperShift. That is assumed to be done prior to creating the HostedCluster.

The HyperShift link you mentioned is related to the HyperShift CLI, which does set the role definitions but that is only for development and testing use.

[serngawy]

hmm, so we need to have this defined some where yes/no ?
Also this is more like implementation details for the UserAssignedIdentity CR that will be created we will need to set the right spec info

[bryan-cox]

I think it would be nice to be defined somewhere.

Maybe it goes with the UserAssignedIdentity CR; is that defined somewhere?

[willie-yao]

/assign

[marek-veber]

sometimes is here badly formatted json option:
json:clusterApiAzureManagedIdentities",omitempty" -> json:"clusterApiAzureManagedIdentities,omitempty"

The " should be moved after json: . There is such a typo multiple times.

[serngawy]

Thanks fixed

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from willie-yao. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[marek-veber]

identityRef - need to be *corev1.ObjectReference in go
and in yaml:

identityRef:
   kind: AzureClusterIdentity
   name: aro-identity
   namespace: default

[marek-veber]

Suggested change

	IdentityRef *infrav1.AzureClusterIdentity `json:"identityRef,omitempty"`
	IdentityRef *corev1.ObjectReference `json:"identityRef,omitempty"`

[marek-veber]

Suggested change

	identityRef:
	name: aro-identity
	identityRef:
	kind: AzureClusterIdentity
	name: aro-identity
	namespace: default