Skip to content

Commit

Permalink
Add support of Azure authentication for ASO
Browse files Browse the repository at this point in the history
  • Loading branch information
adriananeci committed Aug 2, 2023
1 parent 7e8c80b commit 27e7a83
Show file tree
Hide file tree
Showing 8 changed files with 658 additions and 9 deletions.
5 changes: 3 additions & 2 deletions azure/scope/identity.go
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,8 @@ import (
"sigs.k8s.io/controller-runtime/pkg/client"
)

const azureSecretKey = "clientSecret"
// AzureSecretKey is the value for they client secret key.
const AzureSecretKey = "clientSecret"

// CredentialsProvider defines the behavior for azure identity based credential providers.
type CredentialsProvider interface {
Expand Down Expand Up @@ -220,7 +221,7 @@ func (p *AzureCredentialsProvider) GetClientSecret(ctx context.Context) (string,
if err := p.Client.Get(ctx, key, secret); err != nil {
return "", errors.Wrap(err, "Unable to fetch ClientSecret")
}
return string(secret.Data[azureSecretKey]), nil
return string(secret.Data[AzureSecretKey]), nil
}
return "", nil
}
Expand Down
8 changes: 8 additions & 0 deletions azure/services/aso/aso.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
infrav1 "sigs.k8s.io/cluster-api-provider-azure/api/v1beta1"
"sigs.k8s.io/cluster-api-provider-azure/azure"
"sigs.k8s.io/cluster-api-provider-azure/util/aso"
"sigs.k8s.io/cluster-api-provider-azure/util/tele"
"sigs.k8s.io/cluster-api/util/patch"
"sigs.k8s.io/controller-runtime/pkg/client"
Expand All @@ -46,6 +47,9 @@ const (

createOrUpdateFutureType = "ASOCreateOrUpdate"
deleteFutureType = "ASODelete"

// SecretNameAnnotation is the annotation key for ASO's credentials to use.
SecretNameAnnotation = "serviceoperator.azure.com/credential-from"
)

// Service is an implementation of the Reconciler interface. It handles creation
Expand Down Expand Up @@ -181,6 +185,10 @@ func (s *Service) CreateOrUpdateResource(ctx context.Context, spec azure.ASOReso
annotations[ReconcilePolicyAnnotation] = ReconcilePolicyManage
}

// Set the secret name annotation in order to leverage the ASO resource credential scope as defined in
// https://azure.github.io/azure-service-operator/guide/authentication/credential-scope/#resource-scope.
annotations[SecretNameAnnotation] = aso.GetASOSecretName(s.clusterName)

if len(labels) == 0 {
labels = nil
}
Expand Down
4 changes: 4 additions & 0 deletions azure/services/aso/aso_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -149,6 +149,7 @@ func TestCreateOrUpdateResource(t *testing.T) {
}))
g.Expect(created.Annotations).To(Equal(map[string]string{
ReconcilePolicyAnnotation: ReconcilePolicySkip,
SecretNameAnnotation: "cluster-aso-secret",
}))
g.Expect(created.Spec).To(Equal(asoresourcesv1.ResourceGroup_Spec{
Location: pointer.String("location"),
Expand Down Expand Up @@ -425,6 +426,7 @@ func TestCreateOrUpdateResource(t *testing.T) {
g.Expect(c.Get(ctx, types.NamespacedName{Name: "name", Namespace: "namespace"}, updated)).To(Succeed())
g.Expect(updated.Annotations).To(Equal(map[string]string{
ReconcilePolicyAnnotation: ReconcilePolicyManage,
SecretNameAnnotation: "cluster-aso-secret",
}))
})

Expand Down Expand Up @@ -482,6 +484,7 @@ func TestCreateOrUpdateResource(t *testing.T) {
g.Expect(c.Get(ctx, types.NamespacedName{Name: "name", Namespace: "namespace"}, updated)).To(Succeed())
g.Expect(updated.Annotations).To(Equal(map[string]string{
ReconcilePolicyAnnotation: ReconcilePolicyManage,
SecretNameAnnotation: "cluster-aso-secret",
}))
})

Expand Down Expand Up @@ -603,6 +606,7 @@ func TestCreateOrUpdateResource(t *testing.T) {
},
Annotations: map[string]string{
ReconcilePolicyAnnotation: ReconcilePolicyManage,
SecretNameAnnotation: "cluster-aso-secret",
},
},
Spec: asoresourcesv1.ResourceGroup_Spec{
Expand Down
303 changes: 303 additions & 0 deletions controllers/asosecret_controller.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,303 @@
/*
Copyright 2023 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package controllers

import (
"context"
"fmt"
"time"

"github.com/pkg/errors"
corev1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
"k8s.io/client-go/tools/record"
"k8s.io/utils/pointer"
infrav1 "sigs.k8s.io/cluster-api-provider-azure/api/v1beta1"
"sigs.k8s.io/cluster-api-provider-azure/azure/scope"
"sigs.k8s.io/cluster-api-provider-azure/util/aso"
"sigs.k8s.io/cluster-api-provider-azure/util/reconciler"
"sigs.k8s.io/cluster-api-provider-azure/util/tele"
clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
"sigs.k8s.io/cluster-api/util"
"sigs.k8s.io/cluster-api/util/annotations"
"sigs.k8s.io/cluster-api/util/predicates"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/controller"
"sigs.k8s.io/controller-runtime/pkg/handler"
"sigs.k8s.io/controller-runtime/pkg/reconcile"
"sigs.k8s.io/controller-runtime/pkg/source"
)

// ASOSecretReconciler reconciles ASO secrets associated with AzureCluster objects.
type ASOSecretReconciler struct {
client.Client
Recorder record.EventRecorder
ReconcileTimeout time.Duration
WatchFilterValue string
}

// SetupWithManager initializes this controller with a manager.
func (asos *ASOSecretReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager, options controller.Options) error {
_, log, done := tele.StartSpanWithLogger(ctx,
"controllers.ASOSecretReconciler.SetupWithManager",
tele.KVP("controller", "ASOSecret"),
)
defer done()

c, err := ctrl.NewControllerManagedBy(mgr).
WithOptions(options).
For(&infrav1.AzureCluster{}).
WithEventFilter(predicates.ResourceNotPausedAndHasFilterLabel(log, asos.WatchFilterValue)).
WithEventFilter(predicates.ResourceIsNotExternallyManaged(log)).
Named("ASOSecret").
Owns(&corev1.Secret{}).
Build(asos)
if err != nil {
return errors.Wrap(err, "error creating controller")
}

// Add a watch on infrav1.AzureManagedControlPlane if Cluster API 'MachinePool' feature is enabled.
if err = c.Watch(
&source.Kind{Type: &infrav1.AzureManagedControlPlane{}},
&handler.EnqueueRequestForObject{},
predicates.ResourceNotPausedAndHasFilterLabel(log, asos.WatchFilterValue),
); err != nil {
return errors.Wrap(err, "failed adding a watch for ready clusters")
}

// Add a watch on clusterv1.Cluster object for unpause notifications.
if err = c.Watch(
&source.Kind{Type: &clusterv1.Cluster{}},
handler.EnqueueRequestsFromMapFunc(util.ClusterToInfrastructureMapFunc(ctx, infrav1.GroupVersion.WithKind("AzureCluster"), mgr.GetClient(), &infrav1.AzureCluster{})),
predicates.ClusterUnpaused(log),
predicates.ResourceNotPausedAndHasFilterLabel(log, asos.WatchFilterValue),
); err != nil {
return errors.Wrap(err, "failed adding a watch for ready clusters")
}

return nil
}

// Reconcile reconciles the ASO secrets associated with AzureCluster objects.
func (asos *ASOSecretReconciler) Reconcile(ctx context.Context, req ctrl.Request) (_ ctrl.Result, reterr error) {
ctx, cancel := context.WithTimeout(ctx, reconciler.DefaultedLoopTimeout(asos.ReconcileTimeout))
defer cancel()

ctx, log, done := tele.StartSpanWithLogger(ctx, "controllers.ASOSecret.Reconcile",
tele.KVP("namespace", req.Namespace),
tele.KVP("name", req.Name),
tele.KVP("kind", "AzureCluster"),
)
defer done()

log = log.WithValues("namespace", req.Namespace, "AzureCluster", req.Name)

// asoSecretOwner is the resource that created the identity. This could be either an AzureCluster or AzureManagedControlPlane (if AKS is enabled).
// check for AzureCluster first and if it is not found, check for AzureManagedControlPlane.
var asoSecretOwner client.Object

azureCluster := &infrav1.AzureCluster{}
checkForManagedControlPlane := false
// Fetch the AzureCluster or AzureManagedControlPlane instance
asoSecretOwner = azureCluster
err := asos.Get(ctx, req.NamespacedName, azureCluster)
if err != nil {
if apierrors.IsNotFound(err) {
checkForManagedControlPlane = true
} else {
return reconcile.Result{}, err
}
} else {
log = log.WithValues("AzureCluster", req.Name)
}

if checkForManagedControlPlane {
// Fetch the AzureManagedControlPlane instance instead
azureManagedControlPlane := &infrav1.AzureManagedControlPlane{}
asoSecretOwner = azureManagedControlPlane
err = asos.Get(ctx, req.NamespacedName, azureManagedControlPlane)
if err != nil {
if apierrors.IsNotFound(err) {
asos.Recorder.Eventf(azureCluster, corev1.EventTypeNormal, "AzureClusterObjectNotFound",
fmt.Sprintf("AzureCluster object %s/%s not found", req.Namespace, req.Name))
asos.Recorder.Eventf(azureManagedControlPlane, corev1.EventTypeNormal, "AzureManagedControlPlaneObjectNotFound",
fmt.Sprintf("AzureManagedControlPlane object %s/%s not found", req.Namespace, req.Name))
log.Info("object was not found")
return reconcile.Result{}, nil
} else {
return reconcile.Result{}, err
}
} else {
log = log.WithValues("AzureManagedControlPlane", req.Name)
}
}

var clusterIdentity *corev1.ObjectReference
var cluster *clusterv1.Cluster
var azureClient scope.AzureClients

switch ownerType := asoSecretOwner.(type) {
case *infrav1.AzureCluster:
clusterIdentity = ownerType.Spec.IdentityRef

// Fetch the Cluster.
cluster, err = util.GetOwnerCluster(ctx, asos.Client, ownerType.ObjectMeta)
if err != nil {
return reconcile.Result{}, err
}

// Create the scope.
clusterScope, err := scope.NewClusterScope(ctx, scope.ClusterScopeParams{
Client: asos.Client,
Cluster: cluster,
AzureCluster: ownerType,
})
if err != nil {
return reconcile.Result{}, errors.Wrap(err, "failed to create scope")
}

azureClient = clusterScope.AzureClients

case *infrav1.AzureManagedControlPlane:
clusterIdentity = ownerType.Spec.IdentityRef

// Fetch the Cluster.
cluster, err = util.GetOwnerCluster(ctx, asos.Client, ownerType.ObjectMeta)
if err != nil {
return reconcile.Result{}, err
}

// Create the scope.
clusterScope, err := scope.NewManagedControlPlaneScope(ctx, scope.ManagedControlPlaneScopeParams{
Client: asos.Client,
Cluster: cluster,
ControlPlane: ownerType,
})
if err != nil {
return reconcile.Result{}, errors.Wrap(err, "failed to create scope")
}

azureClient = clusterScope.AzureClients
}

if cluster == nil {
log.Info("Cluster Controller has not yet set OwnerRef")
asos.Recorder.Eventf(asoSecretOwner, corev1.EventTypeNormal, "OwnerRefNotFound",
fmt.Sprintf("Cluster Controller has not yet set OwnerRef for object %s/%s", req.Namespace, req.Name))
return reconcile.Result{}, nil
}

log = log.WithValues("cluster", cluster.Name)

// Return early if the AzureCluster or Cluster is paused.
if annotations.IsPaused(cluster, asoSecretOwner) {
log.Info(fmt.Sprintf("%s or linked Cluster is marked as paused. Won't reconcile", asoSecretOwner.GetObjectKind()))
return ctrl.Result{}, nil
}

// Construct ASO secret for this AzureCluster
newASOSecret := &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: aso.GetASOSecretName(asoSecretOwner.GetName()),
Namespace: asoSecretOwner.GetNamespace(),
Labels: map[string]string{
asoSecretOwner.GetName(): string(infrav1.ResourceLifecycleOwned),
},
},
Data: map[string][]byte{
"AZURE_SUBSCRIPTION_ID": []byte(azureClient.SubscriptionID()),
},
}

if clusterIdentity != nil {
// if the namespace isn't specified then assume it's in the same namespace as the asoSecretOwner
namespace := clusterIdentity.Namespace
if namespace == "" {
namespace = asoSecretOwner.GetNamespace()
}
identity := &infrav1.AzureClusterIdentity{}
key := client.ObjectKey{
Name: clusterIdentity.Name,
Namespace: namespace,
}
if err := asos.Get(ctx, key, identity); err != nil {
return reconcile.Result{}, errors.Wrap(err, "failed to retrieve AzureClusterIdentity")
}

newASOSecret.Data["AZURE_TENANT_ID"] = []byte(identity.Spec.TenantID)
newASOSecret.Data["AZURE_CLIENT_ID"] = []byte(identity.Spec.ClientID)

// Fetch identity secret, if it exists
key = types.NamespacedName{
Namespace: identity.Spec.ClientSecret.Namespace,
Name: identity.Spec.ClientSecret.Name,
}
identitySecret := &corev1.Secret{}
err := asos.Get(ctx, key, identitySecret)
if err != nil && !apierrors.IsNotFound(err) {
return reconcile.Result{}, errors.Wrap(err, "failed to fetch AzureClusterIdentity secret")
}

switch identity.Spec.Type {
case infrav1.ServicePrincipal, infrav1.ManualServicePrincipal:
newASOSecret.Data["AZURE_CLIENT_SECRET"] = identitySecret.Data[scope.AzureSecretKey]
case infrav1.ServicePrincipalCertificate:
newASOSecret.Data["AZURE_CLIENT_CERTIFICATE"] = identitySecret.Data["certificate"]
newASOSecret.Data["AZURE_CLIENT_CERTIFICATE_PASSWORD"] = identitySecret.Data["password"]
}
} else {
newASOSecret.Data["AZURE_TENANT_ID"] = []byte(azureClient.TenantID())
newASOSecret.Data["AZURE_CLIENT_ID"] = []byte(azureClient.ClientID())

// Populate ASO data in the following order:
// 1. Client credentials
// 2. Client certificate
if _, e := azureClient.GetClientCredentials(); e == nil {
newASOSecret.Data["AZURE_CLIENT_SECRET"] = []byte(azureClient.ClientSecret())
} else if clientCert, e := azureClient.GetClientCertificate(); e == nil {
cert, err := getCertificateFromFile(clientCert.CertificatePath)
if err != nil {
return reconcile.Result{}, errors.Wrap(err, "failed to read client certificate")
}
newASOSecret.Data["AZURE_CLIENT_CERTIFICATE"] = cert
newASOSecret.Data["AZURE_CLIENT_CERTIFICATE_PASSWORD"] = []byte(clientCert.CertificatePassword)
} else {
return reconcile.Result{}, errors.Wrap(e, "failed to configure an authentication method for ASO secret")
}
}

gvk := asoSecretOwner.GetObjectKind().GroupVersionKind()
owner := metav1.OwnerReference{
APIVersion: gvk.GroupVersion().String(),
Kind: gvk.Kind,
Name: asoSecretOwner.GetName(),
UID: asoSecretOwner.GetUID(),
Controller: pointer.Bool(true),
}

newASOSecret.OwnerReferences = []metav1.OwnerReference{owner}

if err := reconcileAzureSecret(ctx, asos.Client, owner, newASOSecret, asoSecretOwner.GetName()); err != nil {
asos.Recorder.Eventf(asoSecretOwner, corev1.EventTypeWarning, "Error reconciling ASO secret", err.Error())
return ctrl.Result{}, errors.Wrap(err, "failed to reconcile ASO secret")
}

return ctrl.Result{}, nil
}
Loading

0 comments on commit 27e7a83

Please sign in to comment.