
Implement UserAssignedMSI auth for ASO #3743

Closed · 1 task done · Tracked by #3527 · nojnhuh opened this issue Jul 19, 2023 · 3 comments · Fixed by #3932

Comments

nojnhuh (Contributor) commented Jul 19, 2023

Follow-up from #3526

CAPZ currently allows users to create an AzureClusterIdentity with spec.type=UserAssignedMSI driven by AAD Pod Identity and does not require the manual setup steps of Workload Identity. The same credentials in this case should be propagated to CAPZ's ASO.

If AAD Pod Identity support is removed from CAPZ before #3527 closes, then this issue would no longer need to be implemented.

see also:
https://azure.github.io/azure-service-operator/guide/authentication/credential-format/#deprecated-managed-identity-aad-pod-identity

Dependencies

  1. capz high-priority
    super-harsh
nojnhuh (Contributor, Author) commented Jul 25, 2023

To recap yesterday's discussion with @CecileRobertMichon to help me understand this:

  • CAPZ uses AAD Pod ID currently to enable the ServicePrincipal and ServicePrincipalCertificate AzureClusterIdentity types.
  • ASO's documented instructions for Service Principal do not involve AAD Pod ID, though configuring a Service Principal with AAD Pod ID does work.
  • If we have the option to either configure or not configure ASO to use AAD Pod ID, we'll opt not to use AAD Pod ID, though if some users report issues because they rely on auth going through AAD Pod Identity, we can add that capability as needed.

To follow up with some of the open questions:

Does the NMI pod intercept IMDS requests from ASO when AAD Pod ID is not configured explicitly?

No AFAICT. I don't see any new logs in the NMI pod when creating an ASO resource with a Service Principal like this: https://azure.github.io/azure-service-operator/guide/authentication/credential-format/#service-principal-using-a-client-secret

Does ASO support managed identities either with or without AAD Pod Identity (excluding Workload ID)?

Yes with AAD Pod ID, not without. I can get managed identity working with these instructions: https://azure.github.io/azure-service-operator/guide/authentication/credential-format/#deprecated-managed-identity-aad-pod-identity. Those steps modify the global aso-controller-settings secret though, and if I try to use the managed identity client ID in a secret referenced by a resource's credential-from annotation ASO hits an error that indicates it's trying to use Workload ID, so I'm not sure ASO supports multi-tenant managed identity setups with AAD Pod ID. Still looking into that.
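As an added illustration of the two credential scopes the recap above contrasts (the global aso-controller-settings secret versus a secret selected per resource through the credential-from annotation), the manifests below are an editor's example, not code from this issue or from the CAPZ or ASO projects. The namespace and key names follow the ASO v2 credential layout linked above; the secret names, IDs and secret values are placeholders.

```yaml
# Global credential: what ASO uses for every resource that carries no
# credential-from annotation. Namespace and key names follow the ASO v2
# layout; the IDs below are placeholders, not real values.
apiVersion: v1
kind: Secret
metadata:
  name: aso-controller-settings
  namespace: azureserviceoperator-system
stringData:
  AZURE_SUBSCRIPTION_ID: "00000000-0000-0000-0000-000000000000"
  AZURE_TENANT_ID: "00000000-0000-0000-0000-000000000000"
  AZURE_CLIENT_ID: "00000000-0000-0000-0000-000000000000"
  AZURE_CLIENT_SECRET: "<service-principal-secret>"
---
# Per-resource credential (the multi-tenant pattern): a second service
# principal stored in the same namespace as the resource that will use it.
# "tenant-b-credential" is an assumed name.
apiVersion: v1
kind: Secret
metadata:
  name: tenant-b-credential
  namespace: default
stringData:
  AZURE_SUBSCRIPTION_ID: "11111111-1111-1111-1111-111111111111"
  AZURE_TENANT_ID: "11111111-1111-1111-1111-111111111111"
  AZURE_CLIENT_ID: "11111111-1111-1111-1111-111111111111"
  AZURE_CLIENT_SECRET: "<second-service-principal-secret>"
---
# The annotation tells ASO to authenticate this one resource with
# tenant-b-credential instead of the global aso-controller-settings secret.
apiVersion: resources.azure.com/v1api20200601
kind: ResourceGroup
metadata:
  name: rg-tenant-b
  namespace: default
  annotations:
    serviceoperator.azure.com/credential-from: tenant-b-credential
spec:
  location: westus2
```

The per-resource secret is the shape that the comment above reports as not working for a managed identity: dropping AZURE_CLIENT_SECRET and supplying only a managed identity's AZURE_CLIENT_ID in a credential-from secret leads ASO to attempt Workload Identity rather than the AAD Pod Identity path, which is the gap this issue tracks. Keeping each tenant's client secret in a namespaced Secret rather than in the global one also limits which resources can exercise that service principal.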

@nojnhuh nojnhuh added this to the v1.11 milestone Jul 27, 2023
nojnhuh (Contributor, Author) commented Jul 28, 2023

I re-scoped this issue to reflect #3698 no longer implementing UserAssignedMSI AzureClusterIdentities due to the newly-discovered ASO gap. More details in the issue description.

/retitle Implement UserAssignedMSI auth for ASO

@k8s-ci-robot k8s-ci-robot changed the title Allow authentication with AAD Pod Identity for ASO Implement UserAssignedMSI auth for ASO Jul 28, 2023
@nojnhuh nojnhuh mentioned this issue Aug 9, 2023
4 tasks
@nojnhuh nojnhuh moved this to Blocked in CAPZ Planning Aug 23, 2023
nojnhuh (Contributor, Author) commented Aug 30, 2023

/assign
