OCPBUGS-56846: validate azure user-assigned identity existence

[jianlinliu]

Add the functionality for validating azure user-assigned identity existence before creating the cluster.

Because the validation is added in ValidateForProvisioning, only when creating cluster, the validation would happen, rather than creating manifests.

[openshift-ci-robot]

@jianlinliu: This pull request references Jira Issue OCPBUGS-56846, which is invalid:

• expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign sadasu for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• pkg/asset/installconfig/azure/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[tthvo]

/jira refresh

[openshift-ci-robot]

@tthvo: This pull request references Jira Issue OCPBUGS-56846, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @jinyunma

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[tthvo]

/cc @patrickdillon

[jianlinliu]

/test e2e-azurestack

[jianlinliu]

/payload-job periodic-ci-openshift-verification-tests-main-installation-nightly-4.22-azure-ipi-byo-multi-user-assigned-identity-mini-perm-arm-f28

[openshift-ci]

@jianlinliu: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-verification-tests-main-installation-nightly-4.22-azure-ipi-byo-multi-user-assigned-identity-mini-perm-arm-f28

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/1a7bc2b0-f4e2-11f0-81fa-8901e6a8dd21-0

[jianlinliu]

/payload-job periodic-ci-openshift-verification-tests-main-installation-nightly-4.22-azure-ipi-byo-multi-user-assigned-identity-mini-perm-arm-f28

[openshift-ci]

@jianlinliu: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-verification-tests-main-installation-nightly-4.22-azure-ipi-byo-multi-user-assigned-identity-mini-perm-arm-f28

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/f29182c0-f4f6-11f0-97d5-8592b6ba5030-0

[openshift-ci]

@jianlinliu: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/gofmt	d64c0a0	link	true	/test gofmt
ci/prow/golint	d64c0a0	link	true	/test golint

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[jianlinliu]

/payload-job periodic-ci-openshift-verification-tests-main-installation-nightly-4.22-azure-ipi-byo-multi-user-assigned-identity-mini-perm-arm-f28

[openshift-ci]

@jianlinliu: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-verification-tests-main-installation-nightly-4.22-azure-ipi-byo-multi-user-assigned-identity-mini-perm-arm-f28

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/7bb0ab30-f506-11f0-8f48-b222214a970e-0

[jianlinliu]

/payload-job periodic-ci-openshift-verification-tests-main-installation-nightly-4.22-azure-ipi-byo-user-assigned-identity-arm-f14

[openshift-ci]

@jianlinliu: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-verification-tests-main-installation-nightly-4.22-azure-ipi-byo-user-assigned-identity-arm-f14

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/2abe81f0-f512-11f0-96bf-93f75ef891da-0

[jianlinliu]

/payload-job periodic-ci-openshift-openshift-tests-private-release-4.22-multi-nightly-azure-ipi-identity-none-amd-f28-destructive

[openshift-ci]

@jianlinliu: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-openshift-tests-private-release-4.22-multi-nightly-azure-ipi-identity-none-amd-f28-destructive

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/2c692f40-f513-11f0-881d-2b8a1160bf1c-0

[jianlinliu]

/payload-job periodic-ci-openshift-verification-tests-main-installation-nightly-4.22-azure-ipi-identity-default-mini-perm-arm-f28

[openshift-ci]

@jianlinliu: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-verification-tests-main-installation-nightly-4.22-azure-ipi-identity-default-mini-perm-arm-f28

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/968a11a0-f513-11f0-9369-e42aa065f793-0

[openshift-ci-robot]

@jianlinliu: This pull request references Jira Issue OCPBUGS-56846, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira ([email protected]), skipping review request.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Add the functionality for validating azure user-assigned identity existence before creating the cluster.

Because the validation is added in ValidateForProvisioning, so only when creating cluster, the validation would happen, rather than creating manifests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[jianlinliu]

Manually run validation when the specified user assigned identity does not exist.

$ openshift-install create cluster
INFO ipFamily is not specified in install-config; defaulting to "IPv4" 
INFO Credentials loaded from file xxxx
INFO Successfully populated MCS CA cert information: root-ca 2036-01-17T10:56:19Z 2026-01-19T10:56:19Z 
INFO Successfully populated MCS TLS cert information: root-ca 2036-01-17T10:56:19Z 2026-01-19T10:56:19Z 
INFO Master pointer ignition was modified. Saving contents to a machineconfig 
INFO Consuming Install Config from target directory 
FATAL failed to fetch Cluster Infrastructure Variables: failed to fetch dependency of "Cluster Infrastructure Variables": failed to generate asset "Platform Provisioning Check": [platform.azure.defaultMachinePlatform.identity.userAssignedIdentities[0]: Invalid value: "jialiu-test-identity": failed to validate user-assigned identity 'jialiu-test-identity' in resource group 'jialiu-test-rg': GET https://management.azure.com/subscriptions/xxxx/resourceGroups/jialiu-test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/jialiu-test-identity 
FATAL -------------------------------------------------------------------------------- 
FATAL RESPONSE 404: 404 Not Found                  
FATAL ERROR CODE: ResourceNotFound                 
FATAL -------------------------------------------------------------------------------- 
FATAL {                                            
FATAL   "error": {                                 
FATAL     "code": "ResourceNotFound",              
FATAL     "message": "The Resource 'Microsoft.ManagedIdentity/userAssignedIdentities/jialiu-test-identity' under resource group 'jialiu-test-rg' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix" 
FATAL   }                                          
FATAL }                                            
FATAL -------------------------------------------------------------------------------- 
FATAL , controlPlane.platform.azure.identity.userAssignedIdentities[0]: Invalid value: "jialiu-test-identity": failed to validate user-assigned identity 'jialiu-test-identity' in resource group 'jialiu-test-rg': GET https://management.azure.com/subscriptions/xxxx/resourceGroups/jialiu-test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/jialiu-test-identity 
FATAL -------------------------------------------------------------------------------- 
FATAL RESPONSE 404: 404 Not Found                  
FATAL ERROR CODE: ResourceNotFound                 
FATAL -------------------------------------------------------------------------------- 
FATAL {                                            
FATAL   "error": {                                 
FATAL     "code": "ResourceNotFound",              
FATAL     "message": "The Resource 'Microsoft.ManagedIdentity/userAssignedIdentities/jialiu-test-identity' under resource group 'jialiu-test-rg' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix" 
FATAL   }                                          
FATAL }                                            
FATAL -------------------------------------------------------------------------------- 
FATAL , compute[0].platform.azure.identity.userAssignedIdentities[0]: Invalid value: "jialiu-test-identity": failed to validate user-assigned identity 'jialiu-test-identity' in resource group 'jialiu-test-rg': GET https://management.azure.com/subscriptions/xxxx/resourceGroups/jialiu-test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/jialiu-test-identity 
FATAL -------------------------------------------------------------------------------- 
FATAL RESPONSE 404: 404 Not Found                  
FATAL ERROR CODE: ResourceNotFound                 
FATAL -------------------------------------------------------------------------------- 
FATAL {                                            
FATAL   "error": {                                 
FATAL     "code": "ResourceNotFound",              
FATAL     "message": "The Resource 'Microsoft.ManagedIdentity/userAssignedIdentities/jialiu-test-identity' under resource group 'jialiu-test-rg' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix" 
FATAL   }                                          
FATAL }                                            
FATAL -------------------------------------------------------------------------------- 
FATAL ]                                            

[jianlinliu]

/verified by ci and @jianlinliu

[openshift-ci-robot]

@jianlinliu: This PR has been marked as verified by ci and @jianlinliu.

Details

In response to this:

/verified by ci and @jianlinliu

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.