Export OIDC issuer URL to ConfigMap #4298

Closed
illrill opened this issue Nov 20, 2023 · 6 comments · Fixed by #4551
Labels
area/managedclusters Issues related to managed AKS clusters created through the CAPZ ManagedCluster Type kind/feature Categorizes issue or PR as related to a new feature.

Comments

@illrill
Contributor

illrill commented Nov 20, 2023

/kind feature
/area managedclusters

Describe the solution you'd like

Since CAPZ AzureManagedControlPlane is now backed by ASO ManagedCluster, we should export the cluster's OIDC issuer URL to a ConfigMap by using .spec.operatorSpec.configMaps.oidcIssuerProfile (spec).

This would be very helpful when using ASO to provision Azure resources such as FederatedIdentityCredential. This resource can read the cluster OIDC issuer URL via ConfigMap sharing, as of Azure/azure-service-operator#3125 and Azure/azure-service-operator#3126.

Additional information

The ASO ManagedCluster created by CAPZ uses API version containerservice.azure.com/v1api20210501. I think we would need to be on at least containerservice.azure.com/v1api20230201 to do this.
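As an added illustration of the proposal (not manifests from this issue or from the CAPZ/ASO projects): an ASO ManagedCluster that writes its OIDC issuer URL into a ConfigMap via operatorSpec.configMaps.oidcIssuerProfile, and a FederatedIdentityCredential that consumes that ConfigMap so the trust is pinned to this cluster's issuer rather than a hand-copied URL. Resource names, the namespace, the VM size, and the issuerFromConfig field name are assumptions; verify them against the ASO CRD version installed in your cluster.

```yaml
# Added example (not from the issue or the CAPZ/ASO projects).
# Names, namespace and the issuerFromConfig field name are assumptions;
# check them against the ASO CRDs you actually run.
apiVersion: containerservice.azure.com/v1api20230201
kind: ManagedCluster
metadata:
  name: example-aks              # assumed name
  namespace: default
spec:
  location: westeurope
  owner:
    name: example-rg             # assumed ASO ResourceGroup name
  dnsPrefix: example-aks
  oidcIssuerProfile:
    enabled: true                # no issuer URL is published unless this is enabled
  agentPoolProfiles:
    - name: pool0
      count: 1
      vmSize: Standard_D2s_v3    # assumed size
      mode: System
  identity:
    type: SystemAssigned
  operatorSpec:
    configMaps:
      oidcIssuerProfile:         # ASO writes the issuer URL to this ConfigMap key
        name: example-aks-oidc
        key: issuerURL
---
apiVersion: managedidentity.azure.com/v1api20230131
kind: FederatedIdentityCredential
metadata:
  name: example-workload-fic
  namespace: default
spec:
  owner:
    name: example-identity       # assumed UserAssignedIdentity in the same namespace
  audiences:
    - api://AzureADTokenExchange
  issuerFromConfig:              # reads the URL exported by the ManagedCluster above
    name: example-aks-oidc
    key: issuerURL
  subject: system:serviceaccount:default:example-workload   # namespace:serviceaccount
```

Because the credential's issuer is sourced from the ConfigMap, only tokens minted by this cluster's issuer can be exchanged for the identity; a subject value that does not match the exact namespace and ServiceAccount is rejected.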

@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. area/managedclusters Issues related to managed AKS clusters created through the CAPZ ManagedCluster Type labels Nov 20, 2023
@CecileRobertMichon
Contributor

cc @dtzar

@dtzar
Contributor

dtzar commented Nov 21, 2023

We are using containerservice/v1api20230201 which is the latest version available from ASO right now. We will be updating to an even later version of the AKS APIs once they are available (maybe 2.4.1). We're also working to light up the AKS Preview APIs in the near future.

At any rate, this is a valid feature ask. Contributions welcome 👍

@illrill
Contributor Author

illrill commented Nov 23, 2023

@dtzar thanks for the feedback on the feature ask.

I'm a bit confused by the API version comment though; I get a containerservice.azure.com/v1api20210501 ManagedCluster (redacted some names, etc.).

$ k get azuremanagedcontrolplane *** -oyaml
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureManagedControlPlane
metadata:
  annotations:
    meta.helm.sh/release-name: ***
    meta.helm.sh/release-namespace: ***
  creationTimestamp: "2023-11-20T19:50:13Z"
  finalizers:
  - azuremanagedcontrolplane.infrastructure.cluster.x-k8s.io
  generation: 1
  labels:
    cluster.x-k8s.io/cluster-name: ***
  name: ***
  namespace: ***
  ownerReferences:
  - apiVersion: cluster.x-k8s.io/v1beta1
    blockOwnerDeletion: true
    controller: true
    kind: Cluster
    name: ***
    uid: fe05cd60-5ff6-4a19-88dd-e3eb771d0972
  resourceVersion: "84053"
  uid: 127ada87-08d2-458a-ac27-ff4c7f4859f6
spec:
  ...
$ k get managedcluster *** -oyaml
apiVersion: containerservice.azure.com/v1api20210501
kind: ManagedCluster
metadata:
  annotations:
    serviceoperator.azure.com/credential-from: ***-aso-secret
    serviceoperator.azure.com/latest-reconciled-generation: "1"
    serviceoperator.azure.com/operator-namespace: capz-system
    serviceoperator.azure.com/reconcile-policy: manage
    serviceoperator.azure.com/resource-id: ***
    sigs.k8s.io/cluster-api-provider-azure-last-applied-tags: '{}'
  creationTimestamp: "2023-11-20T20:05:13Z"
  finalizers:
  - serviceoperator.azure.com/finalizer
  generation: 1
  labels:
    sigs.k8s.io_cluster-api-provider-azure_owned: ***
  name: ***
  namespace: ***
  ownerReferences:
  - apiVersion: resources.azure.com/v1api20200601storage
    kind: ResourceGroup
    name: ***
    uid: 47cbf48c-b951-451a-870d-c2b5c4fa61e0
  resourceVersion: "2192507"
  uid: cd14c59e-59d4-44b7-bb7f-6cc1c1c5e975
spec:
  ...

I'm running CAPI 1.5.3 and CAPZ 1.12.0 which brings ASO 2.4.0.

$ clusterctl upgrade plan
Checking new release availability...

Latest release available for the v1beta1 API Version of Cluster API (contract):

NAME                    NAMESPACE                           TYPE                     CURRENT VERSION   NEXT VERSION
bootstrap-kubeadm       capi-kubeadm-bootstrap-system       BootstrapProvider        v1.5.3            Already up to date
control-plane-kubeadm   capi-kubeadm-control-plane-system   ControlPlaneProvider     v1.5.3            Already up to date
cluster-api             capi-system                         CoreProvider             v1.5.3            Already up to date
infrastructure-azure    capz-system                         InfrastructureProvider   v1.12.0           Already up to date

$ k -n capz-system get deployment azureserviceoperator-controller-manager -oyaml | yq .metadata.labels
app.kubernetes.io/name: azure-service-operator
app.kubernetes.io/version: v2.4.0
cluster.x-k8s.io/provider: infrastructure-azure
clusterctl.cluster.x-k8s.io: ""
control-plane: controller-manager

@nojnhuh
Contributor

nojnhuh commented Dec 15, 2023

@illrill That behavior isn't unexpected since Kubernetes allows you to create a resource with one API version and then see it with any other convertible API version later: https://kubernetes.io/docs/concepts/overview/kubernetes-api/#api-groups-and-versioning

I'm not exactly sure how kubectl get determines what API version to use when one isn't explicitly given, but based on kubectl get --help I think you could do kubectl get managedclusters.v1api20230201.containerservice.azure.com to see that specific representation of the resource.

@dtzar
Contributor

dtzar commented Dec 15, 2023

I was able to see the api version you mention @illrill with 1.12.1, but also with the command given by nojnhuh.

kubectl get managedclusters.v1api20230201.containerservice.azure.com  -o yaml | grep apiVersion
apiVersion: v1
- apiVersion: containerservice.azure.com/v1api20230201
    - apiVersion: resources.azure.com/v1api20200601storage

My educated guess is that when there are multiple versions of schema of the API version for that object type, kubectl defaults to displaying the first version in the list. That version is the first version for ASO see here. That doesn't mean it is the version of managedcluster it is using.

@illrill
Contributor Author

illrill commented Feb 9, 2024

🥇 Thank you very much @nawazkh!
