enable HYPERSHIFT_AZURE_ASSIGN_SERVICE_PRINCIPAL_ROLES and remove skip-service-principal-deletion param

[heliubj18]

1. enable HYPERSHIFT_AZURE_ASSIGN_SERVICE_PRINCIPAL_ROLES
2. remove skip-service-principal-deletion param to fix e2e failures

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: heliubj18
Once this PR has been reviewed and has the lgtm label, please assign liangquanli930 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• ci-operator/step-registry/azure/provision/service-principal/hypershift/OWNERS [heliubj18]
• ci-operator/step-registry/cucushift/installer/rehearse/azure/aks/hypershift/OWNERS [heliubj18]
• ci-operator/step-registry/hypershift/azure/create/OWNERS
• ci-operator/step-registry/hypershift/azure/destroy/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[bryan-cox]

Should this whole block just be removed now?

[heliubj18]

Here it prepares one managed identity file hypershift_azure_mi_file.json used in the azure provision chain when HYPERSHIFT_AZURE_CP_MI is true and it is also needed by HYPERSHIFT_AZURE_ASSIGN_SERVICE_PRINCIPAL_ROLES

release/ci-operator/step-registry/hypershift/azure/create/hypershift-azure-create-chain.yaml

Line 171 in ba456e4

if [[ $HYPERSHIFT_AZURE_CP_MI == "true" ]]; then

https://github.com/openshift/hypershift/blob/92bbcedfa4951be1c4edbba6465342a37fb6fda7/cmd/infra/azure/create.go#L223

And in the hypershift validation, this HYPERSHIFT_AZURE_CP_MI is needed when TechPreviewEnabled is enabled. So I have to keep that logic here.
https://github.com/openshift/hypershift/blob/001b0daa3ceecb87ab0a3388b4cff40338b7d633/cmd/cluster/azure/create.go#L141

[heliubj18]

@bryan-cox One question: If we don't prepare the service principal in advance, is there another step or a specific area within Hypershift that handles the creation of service principals? Thank you!

[bryan-cox]

No, we removed the creation of SPs on purpose as it contributes to Azure quota issues. The direction from Red Hat and Microsoft were to reuse SPs as much as we can.

[heliubj18]

OK, I will prepare some permanent SPs manually and store them into the vault to use them in the step. thanks

[heliubj18]

/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-azure-aks-hypershift-ephemeral-creds-guest-f7

[openshift-ci-robot]

@heliubj18: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci-robot]

[REHEARSALNOTIFIER]
@heliubj18: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-hypershift-main-e2e-azure-aks-ovn-conformance	openshift/hypershift	presubmit	Registry content changed
pull-ci-openshift-hypershift-release-4.20-e2e-azure-aks-ovn-conformance	openshift/hypershift	presubmit	Registry content changed
pull-ci-openshift-hypershift-release-4.19-e2e-azure-aks-ovn-conformance	openshift/hypershift	presubmit	Registry content changed
pull-ci-openshift-hypershift-release-4.18-e2e-azure-aks-ovn-conformance	openshift/hypershift	presubmit	Registry content changed
pull-ci-openshift-hypershift-release-4.17-e2e-azure-aks-ovn-conformance	openshift/hypershift	presubmit	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-nightly-azure-aks-hypershift-ephemeral-creds-guest-f7	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.18-amd64-nightly-4.18-upgrade-from-stable-4.17-azure-aks-hypershift-registry-overrides-replace-guest-f28	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-azure-aks-hypershift-full-cert-guest-f14	N/A	periodic	Registry content changed
periodic-ci-openshift-hypershift-release-4.19-periodics-e2e-azure-aks-ovn-conformance	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-4.19-upgrade-from-stable-4.18-azure-aks-hypershift-etcd-disk-encryption-replace-guest-f28	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-nightly-azure-aks-hypershift-registry-overrides-guest-f7	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.18-amd64-nightly-azure-aks-hypershift-disaster-recovery-infra-guest-f14	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-azure-aks-hypershift-ephemeral-creds-guest-f7	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-azure-aks-hypershift-cilium-guest-f7	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-azure-aks-hypershift-ext-oidc-guest-f7	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-nightly-azure-aks-hypershift-ext-oidc-guest-f7	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.18-amd64-nightly-azure-aks-hypershift-etcd-disk-encryption-guest-f7	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.18-amd64-nightly-azure-aks-hypershift-ephemeral-creds-guest-f7	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-nightly-azure-aks-hypershift-byo-vnet-fips-guest-f7	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.18-amd64-nightly-azure-aks-hypershift-byo-vnet-fips-guest-f14-longduration	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-nightly-azure-aks-hypershift-byo-vnet-fips-mgmt-f14	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-rollback-nightly-azure-aks-hypershift-byo-vnet-replace-guest-f28	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-azure-aks-hypershift-disaster-recovery-infra-guest-f14	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-nightly-azure-aks-hypershift-byo-vnet-fips-guest-f14-destructive	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-azure-aks-hypershift-byo-vnet-fips-guest-f14-destructive	N/A	periodic	Registry content changed

A total of 60 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[openshift-ci]

@heliubj18: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-azure-aks-hypershift-ephemeral-creds-guest-f7	33190d4	link	unknown	/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-azure-aks-hypershift-ephemeral-creds-guest-f7

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[heliubj18]

it can not work with HYPERSHIFT_AZURE_ASSIGN_SERVICE_PRINCIPAL_ROLES due to lack of az client in the HO image.
Confirmed with dev engineers, close this pr until the HO image includes the az cli
/close

[openshift-ci]

@heliubj18: Closed this PR.

In response to this:

it can not work with HYPERSHIFT_AZURE_ASSIGN_SERVICE_PRINCIPAL_ROLES due to lack of az client in the HO image.
Confirmed with dev engineers, close this pr until the HO image includes the az cli
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.