

Add support of Azure authentication for ASO
adriananeci committed Aug 8, 2023
1 parent cb182d6 commit 9d8e6c8
Showing 8 changed files with 758 additions and 9 deletions.
5 changes: 3 additions & 2 deletions azure/scope/identity.go
Expand Up @@ -42,7 +42,8 @@ import (
"sigs.k8s.io/controller-runtime/pkg/client"
)

const azureSecretKey = "clientSecret"
// AzureSecretKey is the value for they client secret key.
const AzureSecretKey = "clientSecret"

// CredentialsProvider defines the behavior for azure identity based credential providers.
type CredentialsProvider interface {
Expand Down Expand Up @@ -220,7 +221,7 @@ func (p *AzureCredentialsProvider) GetClientSecret(ctx context.Context) (string,
if err := p.Client.Get(ctx, key, secret); err != nil {
return "", errors.Wrap(err, "Unable to fetch ClientSecret")
}
return string(secret.Data[azureSecretKey]), nil
return string(secret.Data[AzureSecretKey]), nil
}
return "", nil
}
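Review bot: The doc comment on the newly exported constant in the first hunk has a typo ("they client secret key") and does not say which Secret the key indexes, even though the second hunk shows `GetClientSecret` reading `secret.Data[AzureSecretKey]`; I would write it as `// AzureSecretKey is the key in the identity Secret's Data map that holds the client secret.` Exporting the constant widens its surface, so this comment is now the contract other packages depend on; if the export exists for the new util/aso package, naming that consumer would help the next reader. `GetClientSecret` starts and ends outside the hunk.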
8 changes: 8 additions & 0 deletions azure/services/aso/aso.go
Expand Up @@ -29,6 +29,7 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
infrav1 "sigs.k8s.io/cluster-api-provider-azure/api/v1beta1"
"sigs.k8s.io/cluster-api-provider-azure/azure"
"sigs.k8s.io/cluster-api-provider-azure/util/aso"
"sigs.k8s.io/cluster-api-provider-azure/util/tele"
"sigs.k8s.io/cluster-api/util/patch"
"sigs.k8s.io/controller-runtime/pkg/client"
Expand All @@ -46,6 +47,9 @@ const (

createOrUpdateFutureType = "ASOCreateOrUpdate"
deleteFutureType = "ASODelete"

// SecretNameAnnotation is the annotation key for ASO's credentials to use.
SecretNameAnnotation = "serviceoperator.azure.com/credential-from"
)

// Service is an implementation of the Reconciler interface. It handles creation
Expand Down Expand Up @@ -181,6 +185,10 @@ func (s *Service) CreateOrUpdateResource(ctx context.Context, spec azure.ASOReso
annotations[ReconcilePolicyAnnotation] = ReconcilePolicyManage
}

// Set the secret name annotation in order to leverage the ASO resource credential scope as defined in
// https://azure.github.io/azure-service-operator/guide/authentication/credential-scope/#resource-scope.
annotations[SecretNameAnnotation] = aso.GetASOSecretName(s.clusterName)

if len(labels) == 0 {
labels = nil
}
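Review bot: The `serviceoperator.azure.com/credential-from` annotation is written unconditionally in the third hunk, so any value already present in `annotations` — presumably carried over from the spec's resource or the live object, which is built outside the hunk — is silently replaced with `aso.GetASOSecretName(s.clusterName)`. If per-cluster credentials are meant to be mandatory that is the right behaviour but the comment should say so; if a caller-supplied credential is meant to win, guard the write with `if _, ok := annotations[SecretNameAnnotation]; !ok { annotations[SecretNameAnnotation] = aso.GetASOSecretName(s.clusterName) }`. The cases added in aso_test.go only start from an empty annotation map, so a test with a pre-existing credential-from value would pin whichever behaviour is intended. What ASO does when the named Secret is absent from the resource's namespace (reject the resource or fall back to its global credential) is decided by ASO rather than this code, so the comment could also state that the Secret is expected to exist before resources are created. `CreateOrUpdateResource` starts and ends outside the hunk.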
4 changes: 4 additions & 0 deletions azure/services/aso/aso_test.go
Expand Up @@ -149,6 +149,7 @@ func TestCreateOrUpdateResource(t *testing.T) {
}))
g.Expect(created.Annotations).To(Equal(map[string]string{
ReconcilePolicyAnnotation: ReconcilePolicySkip,
SecretNameAnnotation: "cluster-aso-secret",
}))
g.Expect(created.Spec).To(Equal(asoresourcesv1.ResourceGroup_Spec{
Location: ptr.To("location"),
Expand Down Expand Up @@ -425,6 +426,7 @@ func TestCreateOrUpdateResource(t *testing.T) {
g.Expect(c.Get(ctx, types.NamespacedName{Name: "name", Namespace: "namespace"}, updated)).To(Succeed())
g.Expect(updated.Annotations).To(Equal(map[string]string{
ReconcilePolicyAnnotation: ReconcilePolicyManage,
SecretNameAnnotation: "cluster-aso-secret",
}))
})

Expand Down Expand Up @@ -482,6 +484,7 @@ func TestCreateOrUpdateResource(t *testing.T) {
g.Expect(c.Get(ctx, types.NamespacedName{Name: "name", Namespace: "namespace"}, updated)).To(Succeed())
g.Expect(updated.Annotations).To(Equal(map[string]string{
ReconcilePolicyAnnotation: ReconcilePolicyManage,
SecretNameAnnotation: "cluster-aso-secret",
}))
})

Expand Down Expand Up @@ -603,6 +606,7 @@ func TestCreateOrUpdateResource(t *testing.T) {
},
Annotations: map[string]string{
ReconcilePolicyAnnotation: ReconcilePolicyManage,
SecretNameAnnotation: "cluster-aso-secret",
},
},
Spec: asoresourcesv1.ResourceGroup_Spec{

