Remove credentials from azure.json on worker nodes

[CecileRobertMichon]

/kind feature

Describe the solution you'd like
[A clear and concise description of what you want to happen.]
From #773 (comment)

Based on my current understanding, we do need this file on all nodes, but they may be different if desired (e.g., it doesn't appear to be required to use any credentials, msi or otherwise, on worker nodes).

We should verify that that assumption is true and only set the credentials on the azure.json secret for control planes in https://github.com/kubernetes-sigs/cluster-api-provider-azure/blob/master/controllers/helpers.go#L164

Anything else you would like to add:
[Miscellaneous information that will assist in solving the issue.]

Environment:

• cluster-api-provider-azure version:
• Kubernetes version: (use kubectl version):
• OS (e.g. from /etc/os-release):

[gab-satchi]

/assign

[gab-satchi]

/lifecycle active

[gab-satchi]

Hey @CecileRobertMichon. Looking through the code, the common flow is for the machine template to trigger the reconcile of the secret. The AzureMachineTemplate does not (and should not) care about whether the machine is a control plane or worker. Only at the AzureMachine level can we distinguish between control plane and worker but we've actively moved to having the azure.json be shared at the template level. Any ideas on how I can determine worker/control plane at the template stage? cc: @alexeldeib

[alexeldeib]

AzureMachineTemplate doesn't have any labels/ownerRefs to the object which used it, does it? It might be convenient at the CAPI layer if MachineDeployment/MachineSet could apply owner labels to the templatized infra refs, if they don't already. Not sure if that's acceptable.

If that doesn't work, we might have to do something like generate two data fields in the secret -- one for control plane, one for worker -- and differentiate in the worker/control plane manifests themselves which one we want.

[alexeldeib]

Same probably goes for machinepool and kubeadm config (except MachinePool doesn't support control plane yet, I think)

[gab-satchi]

AzureMachineTemplate doesn't have any labels/ownerRefs to the object which used it, does it?

CAPI does apply a 'cloned-from' label on any infra machines created but that is likely not reliable as you could have a machine template with 0 replicas. I'll explore the second option. Thanks!