HOSTEDCP-2019: Use Client Cert Auth for ARO HCP deployments

[bryan-cox]

Use Client Certificate Authentication for ARO HCP deployments. HyperShift will pass the needed environment variables for this authentication method: ARO_HCP_MI_CLIENT_ID, ARO_HCP_TENANT_ID, and ARO_HCP_CLIENT_CERTIFICATE_PATH.

[openshift-ci[bot]]

Skipping CI for Draft Pull Request. If you want CI signal for your change, please convert it to an actual PR. You can still manually trigger a test run with /test all

[openshift-ci-robot]

@bryan-cox: This pull request references HOSTEDCP-1994 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target only the "4.18.0" version, but multiple target versions were set.

In response to [this](https://github.com/openshift/cluster-image-registry-operator/pull/1131): >Refactor to use the Azure SDK for Go's default credential chain function, NewDefaultAzureCredential. Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Fcluster-image-registry-operator). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.

[openshift-ci-robot]

@bryan-cox: This pull request references HOSTEDCP-2019 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target only the "4.18.0" version, but multiple target versions were set.

In response to [this](https://github.com/openshift/cluster-image-registry-operator/pull/1131): >Refactor to use the Azure SDK for Go's default credential chain function, NewDefaultAzureCredential. Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Fcluster-image-registry-operator). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.

[bryan-cox]

/retest

[bryan-cox]

/test e2e-azure-operator

[flavianmissi]

Hi @bryan-cox, are you planning on addressing this comment? Relatedly, if your preference would be to change the entire auth path for Azure, will you be available in the future to aid investigation of potential bugs related to this change?

Additionally, what is the automated test plan for this change, if any?

[flavianmissi]

worth mentioning that the e2e-*-operator tests can be quite flaky and are also failing in a different way each run (sigh). the e2e-hypershift failures look unrelated to me.

/test e2e-aws-operator /test e2e-azure-operator

[bryan-cox]

/test e2e-hypershift

[openshift-ci-robot]

@bryan-cox: This pull request references HOSTEDCP-2019 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target only the "4.18.0" version, but multiple target versions were set.

In response to [this](https://github.com/openshift/cluster-image-registry-operator/pull/1131): >Use Client Certificate Authentication for ARO HCP deployments. HyperShift will pass the needed environment variables for this authentication method: ARO_HCP_MI_CLIENT_ID, ARO_HCP_TENANT_ID, and ARO_HCP_CLIENT_CERTIFICATE_PATH. Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Fcluster-image-registry-operator). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.

[bryan-cox]

I tested this PR with the following PRs and was able to deploy an Azure Hosted Cluster from an AKS management cluster:

• https://github.com/openshift/hypershift/pull/4811
• https://github.com/openshift/hypershift/pull/4877
• https://github.com/openshift/hypershift/pull/4888

[bryan-cox]

/retest

[openshift-ci[bot]]

@bryan-cox: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository. I understand the commands that are listed [here](https://go.k8s.io/bot-commands).

[flavianmissi]

/lgtm

[openshift-ci[bot]]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox, flavianmissi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[OWNERS](https://github.com/openshift/cluster-image-registry-operator/blob/master/OWNERS)~~ [flavianmissi] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment

[xenolinux]

/label docs-approved

[sferich888]

/label px_approved

[openshift-ci[bot]]

@sferich888: The label(s) /label px_approved cannot be applied. These labels are supported: acknowledge-critical-fixes-only, platform/aws, platform/azure, platform/baremetal, platform/google, platform/libvirt, platform/openstack, ga, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, px-approved, docs-approved, qe-approved, no-qe, downstream-change-needed, rebase/manual, cluster-config-api-changed, approved, backport-risk-assessed, bugzilla/valid-bug, cherry-pick-approved, jira/valid-bug, staff-eng-approved. Is this label configured under labels -> additional_labels or labels -> restricted_labels in plugin.yaml?

In response to [this](https://github.com/openshift/cluster-image-registry-operator/pull/1131#issuecomment-2435644612): >/label px_approved > Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.

[sferich888]

/label px-approved

[xiuwang]

/label qe-approved

[openshift-ci-robot]

@bryan-cox: This pull request references HOSTEDCP-2019 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target only the "4.18.0" version, but multiple target versions were set.

In response to [this](https://github.com/openshift/cluster-image-registry-operator/pull/1131): >Use Client Certificate Authentication for ARO HCP deployments. HyperShift will pass the needed environment variables for this authentication method: ARO_HCP_MI_CLIENT_ID, ARO_HCP_TENANT_ID, and ARO_HCP_CLIENT_CERTIFICATE_PATH. Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Fcluster-image-registry-operator). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.

[openshift-bot]

[ART PR BUILD NOTIFIER]

Distgit: ose-cluster-image-registry-operator This PR has been included in build ose-cluster-image-registry-operator-container-v4.18.0-202410251041.p0.g4c7e4ef.assembly.stream.el9. All builds following this will include this PR.