add ux for workload identity for cloud provider azure

Signed-off-by: Ashutosh Kumar <[email protected]>
kubernetes-sigs · Oct 16, 2023 · 4bf0aa8 · 4bf0aa8
1 parent b7de934
commit 4bf0aa8
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 1 deletion.
diff --git a/api/v1beta1/types.go b/api/v1beta1/types.go
@@ -534,7 +534,7 @@ type AzureSharedGalleryImage struct {
 }
 
 // VMIdentity defines the identity of the virtual machine, if configured.
-// +kubebuilder:validation:Enum=None;SystemAssigned;UserAssigned
+// +kubebuilder:validation:Enum=None;SystemAssigned;UserAssigned;WorkloadIdentity
 type VMIdentity string
 
 const (
@@ -544,6 +544,8 @@ const (
 	VMIdentitySystemAssigned VMIdentity = "SystemAssigned"
 	// VMIdentityUserAssigned ...
 	VMIdentityUserAssigned VMIdentity = "UserAssigned"
+	// VMIdentityWorkloadIdentity ...
+	VMIdentityWorkloadIdentity VMIdentity = "WorkloadIdentity"
 )
 
 // SpotEvictionPolicy defines the eviction policy for spot VMs, if configured.

diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremachinepools.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremachinepools.yaml
@@ -96,6 +96,7 @@ spec:
                 - None
                 - SystemAssigned
                 - UserAssigned
+                - WorkloadIdentity
                 type: string
               location:
                 description: Location is the Azure region location e.g. westus2

diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremachines.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremachines.yaml
@@ -260,6 +260,7 @@ spec:
                 - None
                 - SystemAssigned
                 - UserAssigned
+                - WorkloadIdentity
                 type: string
               image:
                 description: Image is used to provide details of an image to use during

diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremachinetemplates.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremachinetemplates.yaml
@@ -283,6 +283,7 @@ spec:
                         - None
                         - SystemAssigned
                         - UserAssigned
+                        - WorkloadIdentity
                         type: string
                       image:
                         description: Image is used to provide details of an image

diff --git a/controllers/helpers.go b/controllers/helpers.go
@@ -68,6 +68,10 @@ const (
 	deprecatedManagerCredsWarning = "You're using deprecated functionality: " +
 		"Using Azure credentials from the manager environment is deprecated and will be removed in future releases. " +
 		"Please specify an AzureClusterIdentity for the AzureCluster instead, see: https://capz.sigs.k8s.io/topics/multitenancy.html "
+	// ToDo: Find a way to make this configurable for a user.
+	// This is the path where the projected service account token should be present for
+	// cloud provider azure.
+	aadFederatedTokenFilePath = "/var/run/secrets/azure/tokens/azure-identity-token" //nolint:gosec // Path of projected service account token
 )
 
 type (
@@ -203,6 +207,8 @@ func GetCloudProviderSecret(d azure.ClusterScoper, namespace, name string, owner
 		controlPlaneConfig, workerNodeConfig = userAssignedIdentityCloudProviderConfig(d, userIdentityID)
 	case infrav1.VMIdentityNone:
 		controlPlaneConfig, workerNodeConfig = newCloudProviderConfig(d)
+	case infrav1.VMIdentityWorkloadIdentity:
+		controlPlaneConfig, workerNodeConfig = workloadIdentityCloudProviderConfig(d)
 	}
 
 	// Enable VMSS Flexible nodes if MachinePools are enabled
@@ -245,6 +251,19 @@ func systemAssignedIdentityCloudProviderConfig(d azure.ClusterScoper) (cpConfig
 	return controlPlaneConfig, workerConfig
 }
 
+func workloadIdentityCloudProviderConfig(d azure.ClusterScoper) (cpConfig *CloudProviderConfig, wkConfig *CloudProviderConfig) {
+	controlPlaneConfig, workerConfig := newCloudProviderConfig(d)
+	// secret is not needed in workload identity.
+	controlPlaneConfig.AadClientSecret = ""
+	controlPlaneConfig.UseFederatedWorkloadIdentityExtension = true
+	controlPlaneConfig.AADFederatedTokenFile = aadFederatedTokenFilePath
+
+	workerConfig.AadClientSecret = ""
+	workerConfig.UseFederatedWorkloadIdentityExtension = true
+	workerConfig.AADFederatedTokenFile = aadFederatedTokenFilePath
+	return controlPlaneConfig, workerConfig
+}
+
 func userAssignedIdentityCloudProviderConfig(d azure.ClusterScoper, identityID string) (cpConfig *CloudProviderConfig, wkConfig *CloudProviderConfig) {
 	controlPlaneConfig, workerConfig := newCloudProviderConfig(d)
 	controlPlaneConfig.AadClientID = ""
@@ -343,6 +362,12 @@ type CloudProviderConfig struct {
 	UseInstanceMetadata          bool   `json:"useInstanceMetadata"`
 	EnableVmssFlexNodes          bool   `json:"enableVmssFlexNodes,omitempty"`
 	UserAssignedIdentityID       string `json:"userAssignedIdentityID,omitempty"`
+	// AADFederatedTokenFile is the path of AAD federated token file
+	// Cloud provider azure should be deployed by projecting service account
+	// token volume as part of their pod spec
+	AADFederatedTokenFile string `json:"aadFederatedTokenFile,omitempty"`
+	// Use workload identity federation for the virtual machine to access Azure ARM APIs
+	UseFederatedWorkloadIdentityExtension bool `json:"useFederatedWorkloadIdentityExtension,omitempty"`
 	CloudProviderRateLimitConfig
 	BackOffConfig
 }