Add new authentication type UserAssignedIdentityCredentials #5421
Conversation
|
Skipping CI for Draft Pull Request. |
k8s-ci-robot
added
kind/feature
k8s-ci-robot
added
cncf-cla: yes
bryan-cox
changed the title
bryan-cox
changed the title
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #5421 +/- ##
==========================================
+ Coverage 52.56% 52.58% +0.02%
==========================================
Files 272 272
Lines 29423 29468 +45
==========================================
+ Hits 15465 15495 +30
- Misses 13151 13165 +14
- Partials 807 808 +1 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
k8s-ci-robot
added
size/L
bryan-cox
force-pushed
the
add-UAIdentityCreds
branch
from
bd3805c to
f56022b
Compare
|
/test all |
bryan-cox
force-pushed
the
add-UAIdentityCreds
branch
from
f56022b to
7ccf8c6
Compare
k8s-ci-robot
added
the
needs-rebase
bryan-cox
force-pushed
the
add-UAIdentityCreds
branch
from
7ccf8c6 to
c87574e
Compare
k8s-ci-robot
removed
the
needs-rebase
|
/test all |
|
/test pull-cluster-api-provider-azure-e2e-aks |
k8s-ci-robot
added
the
needs-rebase
bryan-cox
force-pushed
the
add-UAIdentityCreds
branch
from
c87574e to
3c7c616
Compare
k8s-ci-robot
removed
the
needs-rebase
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
/retest |
| @@ -62,6 +62,14 @@ type AzureClusterIdentitySpec struct { | |||
| // CertPath is the path where certificates exist. When set, it takes precedence over ClientSecret for types that use certs like ServicePrincipalCertificate. | |||
| // +optional | |||
| CertPath string `json:"certPath,omitempty"` | |||
| // UserAssignedIdentityCredentialsPath is the path where an existing JSON file exists containing the JSON format of | |||
| // a UserAssignedIdentityCredentials struct. | |||
| // See the msi-dataplane for more details on UserAssignedIdentityCredentials - https://github.com/Azure/msi-dataplane/blob/63fb37d3a1aaac130120624674df795d2e088083/pkg/dataplane/internal/generated_client.go#L156C6-L156C37 | |||
There was a problem hiding this comment.
nit: Are you able to shorten this link here to main or another branch rather than the full sha?
There was a problem hiding this comment.
This actually worked out because they moved the place where this was defined 😅
| if authErr != nil { | ||
| return nil, authErr | ||
| } | ||
|
|
There was a problem hiding this comment.
Are you able to add some test cases to TestGetTokenCredential to cover this new flow?
| // UserAssignedIdentityCredentialsCloudType is used with UserAssignedIdentityCredentialsPath to specify the Cloud | ||
| // type. Can only be one of the following values: public, china, or usgovernment | ||
| // If a value is not specified, defaults to AzurePublicCloud | ||
| UserAssignedIdentityCredentialsCloudType string `json:"userAssignedIdentityCredentialsCloudType,omitempty"` |
There was a problem hiding this comment.
For these new types, can you add some defaulting and validating webhooks to azureclusteridentity_webhook.go and azureclusteridentity_validation.go respectively? For example, these should not be set if IdentityType is not UserAssignedIdentityCredential. Some logic also needs to exist to set the default for UserAssignedIdentityCredentialsCloudType depending on IdentityType`
There was a problem hiding this comment.
Hey @willie-yao I updated azureclusteridentity_validation.go. I don't understand what is needed for 'azureclusteridentity_webhook.go' as I didn't see any defaulting for other identity types, but I could be missing it.
go.mod
Outdated
| @@ -1,8 +1,8 @@ | |||
| module sigs.k8s.io/cluster-api-provider-azure | |||
|
|
|||
| go 1.22.7 | |||
| go 1.23.0 | |||
There was a problem hiding this comment.
Can this go bump be its own PR that we merge before this one?
There was a problem hiding this comment.
This comment is OBE based on - #5421 (comment)
This commit adds documentation for UserAssignedIdentityCredentials. Signed-off-by: Bryan Cox <[email protected]>
bryan-cox
force-pushed
the
add-UAIdentityCreds
branch
from
4814884 to
5adb9d7
Compare
|
/test ls |
|
@nawazkh: The specified target(s) for The following commands are available to trigger optional jobs: Use In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/test pull-cluster-api-provider-azure-e2e-optional |
|
Thank you for putting this together! |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 42b42043afee4e6d6bfd007c9e269529bfa48a3b
|
This commit adds a new authentication type, UserAssignedIdentityCredentials. This allows a 1st party Microsoft application to authenticate using a managed identity's certificate, which is accessed through the MSI data plane. More information on this authentication type can be found here - https://github .com/Azure/msi-dataplane/blob/63fb37d3a1aaac130120624674df795d2e088083 /pkg/dataplane/reloadCredentials.go#L60. Signed-off-by: Bryan Cox <[email protected]>
bryan-cox
force-pushed
the
add-UAIdentityCreds
branch
from
5adb9d7 to
b51f5eb
Compare
k8s-ci-robot
removed
the
lgtm
|
/retest-required |
1 similar comment
|
/retest-required |
|
/retest |
|
@nawazkh can I get another tag on this one please? |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 2231b0e6809f85e2750efe57bf089a36c71dbd53
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: nawazkh The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
What type of PR is this?
/kind feature
What this PR does / why we need it:
This pull request adds the capability to authenticate with Azure using a new authentication type available only to 1st party Microsoft applications, UserAssignedIdentityCredentials. More information on this new authentication type can be found here - https://github.com/Azure/msi-dataplane/blob/main/pkg/dataplane/reloadCredentials.go#L60.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):N/A
Special notes for your reviewer:
TODOs:
Release note: