-
Notifications
You must be signed in to change notification settings - Fork 431
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add support of Azure authentication for ASO
- Loading branch information
1 parent
7e8c80b
commit 27e7a83
Showing
8 changed files
with
658 additions
and
9 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,303 @@ | ||
/* | ||
Copyright 2023 The Kubernetes Authors. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package controllers | ||
|
||
import ( | ||
"context" | ||
"fmt" | ||
"time" | ||
|
||
"github.com/pkg/errors" | ||
corev1 "k8s.io/api/core/v1" | ||
apierrors "k8s.io/apimachinery/pkg/api/errors" | ||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
"k8s.io/apimachinery/pkg/types" | ||
"k8s.io/client-go/tools/record" | ||
"k8s.io/utils/pointer" | ||
infrav1 "sigs.k8s.io/cluster-api-provider-azure/api/v1beta1" | ||
"sigs.k8s.io/cluster-api-provider-azure/azure/scope" | ||
"sigs.k8s.io/cluster-api-provider-azure/util/aso" | ||
"sigs.k8s.io/cluster-api-provider-azure/util/reconciler" | ||
"sigs.k8s.io/cluster-api-provider-azure/util/tele" | ||
clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1" | ||
"sigs.k8s.io/cluster-api/util" | ||
"sigs.k8s.io/cluster-api/util/annotations" | ||
"sigs.k8s.io/cluster-api/util/predicates" | ||
ctrl "sigs.k8s.io/controller-runtime" | ||
"sigs.k8s.io/controller-runtime/pkg/client" | ||
"sigs.k8s.io/controller-runtime/pkg/controller" | ||
"sigs.k8s.io/controller-runtime/pkg/handler" | ||
"sigs.k8s.io/controller-runtime/pkg/reconcile" | ||
"sigs.k8s.io/controller-runtime/pkg/source" | ||
) | ||
|
||
// ASOSecretReconciler reconciles ASO secrets associated with AzureCluster objects. | ||
type ASOSecretReconciler struct { | ||
client.Client | ||
Recorder record.EventRecorder | ||
ReconcileTimeout time.Duration | ||
WatchFilterValue string | ||
} | ||
|
||
// SetupWithManager initializes this controller with a manager. | ||
func (asos *ASOSecretReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager, options controller.Options) error { | ||
_, log, done := tele.StartSpanWithLogger(ctx, | ||
"controllers.ASOSecretReconciler.SetupWithManager", | ||
tele.KVP("controller", "ASOSecret"), | ||
) | ||
defer done() | ||
|
||
c, err := ctrl.NewControllerManagedBy(mgr). | ||
WithOptions(options). | ||
For(&infrav1.AzureCluster{}). | ||
WithEventFilter(predicates.ResourceNotPausedAndHasFilterLabel(log, asos.WatchFilterValue)). | ||
WithEventFilter(predicates.ResourceIsNotExternallyManaged(log)). | ||
Named("ASOSecret"). | ||
Owns(&corev1.Secret{}). | ||
Build(asos) | ||
if err != nil { | ||
return errors.Wrap(err, "error creating controller") | ||
} | ||
|
||
// Add a watch on infrav1.AzureManagedControlPlane if Cluster API 'MachinePool' feature is enabled. | ||
if err = c.Watch( | ||
&source.Kind{Type: &infrav1.AzureManagedControlPlane{}}, | ||
&handler.EnqueueRequestForObject{}, | ||
predicates.ResourceNotPausedAndHasFilterLabel(log, asos.WatchFilterValue), | ||
); err != nil { | ||
return errors.Wrap(err, "failed adding a watch for ready clusters") | ||
} | ||
|
||
// Add a watch on clusterv1.Cluster object for unpause notifications. | ||
if err = c.Watch( | ||
&source.Kind{Type: &clusterv1.Cluster{}}, | ||
handler.EnqueueRequestsFromMapFunc(util.ClusterToInfrastructureMapFunc(ctx, infrav1.GroupVersion.WithKind("AzureCluster"), mgr.GetClient(), &infrav1.AzureCluster{})), | ||
predicates.ClusterUnpaused(log), | ||
predicates.ResourceNotPausedAndHasFilterLabel(log, asos.WatchFilterValue), | ||
); err != nil { | ||
return errors.Wrap(err, "failed adding a watch for ready clusters") | ||
} | ||
|
||
return nil | ||
} | ||
|
||
// Reconcile reconciles the ASO secrets associated with AzureCluster objects. | ||
func (asos *ASOSecretReconciler) Reconcile(ctx context.Context, req ctrl.Request) (_ ctrl.Result, reterr error) { | ||
ctx, cancel := context.WithTimeout(ctx, reconciler.DefaultedLoopTimeout(asos.ReconcileTimeout)) | ||
defer cancel() | ||
|
||
ctx, log, done := tele.StartSpanWithLogger(ctx, "controllers.ASOSecret.Reconcile", | ||
tele.KVP("namespace", req.Namespace), | ||
tele.KVP("name", req.Name), | ||
tele.KVP("kind", "AzureCluster"), | ||
) | ||
defer done() | ||
|
||
log = log.WithValues("namespace", req.Namespace, "AzureCluster", req.Name) | ||
|
||
// asoSecretOwner is the resource that created the identity. This could be either an AzureCluster or AzureManagedControlPlane (if AKS is enabled). | ||
// check for AzureCluster first and if it is not found, check for AzureManagedControlPlane. | ||
var asoSecretOwner client.Object | ||
|
||
azureCluster := &infrav1.AzureCluster{} | ||
checkForManagedControlPlane := false | ||
// Fetch the AzureCluster or AzureManagedControlPlane instance | ||
asoSecretOwner = azureCluster | ||
err := asos.Get(ctx, req.NamespacedName, azureCluster) | ||
if err != nil { | ||
if apierrors.IsNotFound(err) { | ||
checkForManagedControlPlane = true | ||
} else { | ||
return reconcile.Result{}, err | ||
} | ||
} else { | ||
log = log.WithValues("AzureCluster", req.Name) | ||
} | ||
|
||
if checkForManagedControlPlane { | ||
// Fetch the AzureManagedControlPlane instance instead | ||
azureManagedControlPlane := &infrav1.AzureManagedControlPlane{} | ||
asoSecretOwner = azureManagedControlPlane | ||
err = asos.Get(ctx, req.NamespacedName, azureManagedControlPlane) | ||
if err != nil { | ||
if apierrors.IsNotFound(err) { | ||
asos.Recorder.Eventf(azureCluster, corev1.EventTypeNormal, "AzureClusterObjectNotFound", | ||
fmt.Sprintf("AzureCluster object %s/%s not found", req.Namespace, req.Name)) | ||
asos.Recorder.Eventf(azureManagedControlPlane, corev1.EventTypeNormal, "AzureManagedControlPlaneObjectNotFound", | ||
fmt.Sprintf("AzureManagedControlPlane object %s/%s not found", req.Namespace, req.Name)) | ||
log.Info("object was not found") | ||
return reconcile.Result{}, nil | ||
} else { | ||
return reconcile.Result{}, err | ||
} | ||
} else { | ||
log = log.WithValues("AzureManagedControlPlane", req.Name) | ||
} | ||
} | ||
|
||
var clusterIdentity *corev1.ObjectReference | ||
var cluster *clusterv1.Cluster | ||
var azureClient scope.AzureClients | ||
|
||
switch ownerType := asoSecretOwner.(type) { | ||
case *infrav1.AzureCluster: | ||
clusterIdentity = ownerType.Spec.IdentityRef | ||
|
||
// Fetch the Cluster. | ||
cluster, err = util.GetOwnerCluster(ctx, asos.Client, ownerType.ObjectMeta) | ||
if err != nil { | ||
return reconcile.Result{}, err | ||
} | ||
|
||
// Create the scope. | ||
clusterScope, err := scope.NewClusterScope(ctx, scope.ClusterScopeParams{ | ||
Client: asos.Client, | ||
Cluster: cluster, | ||
AzureCluster: ownerType, | ||
}) | ||
if err != nil { | ||
return reconcile.Result{}, errors.Wrap(err, "failed to create scope") | ||
} | ||
|
||
azureClient = clusterScope.AzureClients | ||
|
||
case *infrav1.AzureManagedControlPlane: | ||
clusterIdentity = ownerType.Spec.IdentityRef | ||
|
||
// Fetch the Cluster. | ||
cluster, err = util.GetOwnerCluster(ctx, asos.Client, ownerType.ObjectMeta) | ||
if err != nil { | ||
return reconcile.Result{}, err | ||
} | ||
|
||
// Create the scope. | ||
clusterScope, err := scope.NewManagedControlPlaneScope(ctx, scope.ManagedControlPlaneScopeParams{ | ||
Client: asos.Client, | ||
Cluster: cluster, | ||
ControlPlane: ownerType, | ||
}) | ||
if err != nil { | ||
return reconcile.Result{}, errors.Wrap(err, "failed to create scope") | ||
} | ||
|
||
azureClient = clusterScope.AzureClients | ||
} | ||
|
||
if cluster == nil { | ||
log.Info("Cluster Controller has not yet set OwnerRef") | ||
asos.Recorder.Eventf(asoSecretOwner, corev1.EventTypeNormal, "OwnerRefNotFound", | ||
fmt.Sprintf("Cluster Controller has not yet set OwnerRef for object %s/%s", req.Namespace, req.Name)) | ||
return reconcile.Result{}, nil | ||
} | ||
|
||
log = log.WithValues("cluster", cluster.Name) | ||
|
||
// Return early if the AzureCluster or Cluster is paused. | ||
if annotations.IsPaused(cluster, asoSecretOwner) { | ||
log.Info(fmt.Sprintf("%s or linked Cluster is marked as paused. Won't reconcile", asoSecretOwner.GetObjectKind())) | ||
return ctrl.Result{}, nil | ||
} | ||
|
||
// Construct ASO secret for this AzureCluster | ||
newASOSecret := &corev1.Secret{ | ||
ObjectMeta: metav1.ObjectMeta{ | ||
Name: aso.GetASOSecretName(asoSecretOwner.GetName()), | ||
Namespace: asoSecretOwner.GetNamespace(), | ||
Labels: map[string]string{ | ||
asoSecretOwner.GetName(): string(infrav1.ResourceLifecycleOwned), | ||
}, | ||
}, | ||
Data: map[string][]byte{ | ||
"AZURE_SUBSCRIPTION_ID": []byte(azureClient.SubscriptionID()), | ||
}, | ||
} | ||
|
||
if clusterIdentity != nil { | ||
// if the namespace isn't specified then assume it's in the same namespace as the asoSecretOwner | ||
namespace := clusterIdentity.Namespace | ||
if namespace == "" { | ||
namespace = asoSecretOwner.GetNamespace() | ||
} | ||
identity := &infrav1.AzureClusterIdentity{} | ||
key := client.ObjectKey{ | ||
Name: clusterIdentity.Name, | ||
Namespace: namespace, | ||
} | ||
if err := asos.Get(ctx, key, identity); err != nil { | ||
return reconcile.Result{}, errors.Wrap(err, "failed to retrieve AzureClusterIdentity") | ||
} | ||
|
||
newASOSecret.Data["AZURE_TENANT_ID"] = []byte(identity.Spec.TenantID) | ||
newASOSecret.Data["AZURE_CLIENT_ID"] = []byte(identity.Spec.ClientID) | ||
|
||
// Fetch identity secret, if it exists | ||
key = types.NamespacedName{ | ||
Namespace: identity.Spec.ClientSecret.Namespace, | ||
Name: identity.Spec.ClientSecret.Name, | ||
} | ||
identitySecret := &corev1.Secret{} | ||
err := asos.Get(ctx, key, identitySecret) | ||
if err != nil && !apierrors.IsNotFound(err) { | ||
return reconcile.Result{}, errors.Wrap(err, "failed to fetch AzureClusterIdentity secret") | ||
} | ||
|
||
switch identity.Spec.Type { | ||
case infrav1.ServicePrincipal, infrav1.ManualServicePrincipal: | ||
newASOSecret.Data["AZURE_CLIENT_SECRET"] = identitySecret.Data[scope.AzureSecretKey] | ||
case infrav1.ServicePrincipalCertificate: | ||
newASOSecret.Data["AZURE_CLIENT_CERTIFICATE"] = identitySecret.Data["certificate"] | ||
newASOSecret.Data["AZURE_CLIENT_CERTIFICATE_PASSWORD"] = identitySecret.Data["password"] | ||
} | ||
} else { | ||
newASOSecret.Data["AZURE_TENANT_ID"] = []byte(azureClient.TenantID()) | ||
newASOSecret.Data["AZURE_CLIENT_ID"] = []byte(azureClient.ClientID()) | ||
|
||
// Populate ASO data in the following order: | ||
// 1. Client credentials | ||
// 2. Client certificate | ||
if _, e := azureClient.GetClientCredentials(); e == nil { | ||
newASOSecret.Data["AZURE_CLIENT_SECRET"] = []byte(azureClient.ClientSecret()) | ||
} else if clientCert, e := azureClient.GetClientCertificate(); e == nil { | ||
cert, err := getCertificateFromFile(clientCert.CertificatePath) | ||
if err != nil { | ||
return reconcile.Result{}, errors.Wrap(err, "failed to read client certificate") | ||
} | ||
newASOSecret.Data["AZURE_CLIENT_CERTIFICATE"] = cert | ||
newASOSecret.Data["AZURE_CLIENT_CERTIFICATE_PASSWORD"] = []byte(clientCert.CertificatePassword) | ||
} else { | ||
return reconcile.Result{}, errors.Wrap(e, "failed to configure an authentication method for ASO secret") | ||
} | ||
} | ||
|
||
gvk := asoSecretOwner.GetObjectKind().GroupVersionKind() | ||
owner := metav1.OwnerReference{ | ||
APIVersion: gvk.GroupVersion().String(), | ||
Kind: gvk.Kind, | ||
Name: asoSecretOwner.GetName(), | ||
UID: asoSecretOwner.GetUID(), | ||
Controller: pointer.Bool(true), | ||
} | ||
|
||
newASOSecret.OwnerReferences = []metav1.OwnerReference{owner} | ||
|
||
if err := reconcileAzureSecret(ctx, asos.Client, owner, newASOSecret, asoSecretOwner.GetName()); err != nil { | ||
asos.Recorder.Eventf(asoSecretOwner, corev1.EventTypeWarning, "Error reconciling ASO secret", err.Error()) | ||
return ctrl.Result{}, errors.Wrap(err, "failed to reconcile ASO secret") | ||
} | ||
|
||
return ctrl.Result{}, nil | ||
} |
Oops, something went wrong.