Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for Azure authentication in ASO #3698

Merged
merged 1 commit into from
Aug 9, 2023

Conversation

adriananeci
Copy link
Contributor

@adriananeci adriananeci commented Jul 10, 2023

What type of PR is this?
/kind feature

What this PR does / why we need it:

More context is described in the ASO proposal: https://github.com/kubernetes-sigs/cluster-api-provider-azure/blob/main/docs/proposals/20230123-azure-service-operator.md#security-model

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #3526

Special notes for your reviewer:

Because we can have multiple AzureClusterIdentity objects created inside the same namespace, we cannot make use of https://azure.github.io/azure-service-operator/guide/authentication/credential-scope/#namespace-scope so we'll have to reside only on global scope or resource scope

Haven't added any tests yet. I'll add those after the initial review since I'm looking for some early feedback to make sure I'm on the right path.

  • cherry-pick candidate

TODOs:

  • squashed commits
  • includes documentation
  • adds unit tests

Release note:

Add support for Azure authentication in ASO

@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jul 10, 2023
@k8s-ci-robot
Copy link
Contributor

Hi @adriananeci. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jul 10, 2023
@nojnhuh
Copy link
Contributor

nojnhuh commented Jul 10, 2023

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jul 10, 2023
@adriananeci
Copy link
Contributor Author

/retest

@codecov
Copy link

codecov bot commented Jul 11, 2023

Codecov Report

Patch coverage: 60.90% and project coverage change: +0.09% 🎉

Comparison is base (cb182d6) 54.74% compared to head (13f4eca) 54.83%.
Report is 4 commits behind head on main.

❗ Current head 13f4eca differs from pull request most recent head 9d8e6c8. Consider uploading reports for the commit 9d8e6c8 to get more accurate results

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3698      +/-   ##
==========================================
+ Coverage   54.74%   54.83%   +0.09%     
==========================================
  Files         187      188       +1     
  Lines       19051    19331     +280     
==========================================
+ Hits        10429    10600     +171     
- Misses       8057     8150      +93     
- Partials      565      581      +16     
Files Changed Coverage Δ
azure/scope/identity.go 37.20% <0.00%> (ø)
controllers/helpers.go 54.24% <23.07%> (-0.46%) ⬇️
controllers/asosecret_controller.go 62.66% <62.66%> (ø)
azure/services/aso/aso.go 88.60% <100.00%> (-4.18%) ⬇️

... and 1 file with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Jul 11, 2023
@nojnhuh
Copy link
Contributor

nojnhuh commented Jul 11, 2023

Adding WIP while we're not ready to merge this yet:
/retitle [WIP] Add support for Azure authentication in ASO

@k8s-ci-robot k8s-ci-robot changed the title Add support for Azure authentication in ASO [WIP] Add support for Azure authentication in ASO Jul 11, 2023
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 11, 2023
Copy link
Contributor

@nojnhuh nojnhuh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall approach looks good to me.

For the other ASO PRs, I've been splitting up those into non-functional changes (w.r.t. the current behavior) that get merged and functional changes (to be included in a PR resolving #3527) that I've been managing in my fork. The new controller and creation of ASO secrets here don't seem like they would break current behavior though so we may not need to split anything out here.

@CecileRobertMichon Do we have existing e2e coverage for all these different ways of authenticating to Azure?

azure/scope/identity.go Outdated Show resolved Hide resolved
azure/scope/identity.go Outdated Show resolved Hide resolved
azure/services/asogroups/spec.go Outdated Show resolved Hide resolved
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 13, 2023
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 13, 2023
@nojnhuh
Copy link
Contributor

nojnhuh commented Jul 14, 2023

(reminder to squash once we get lgtms)

/hold

And @adriananeci feel free to remove the [WIP] from the title once you're finished and let me know so I can give this another look.

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 14, 2023
@adriananeci
Copy link
Contributor Author

/retest

@adriananeci adriananeci changed the title [WIP] Add support for Azure authentication in ASO Add support for Azure authentication in ASO Jul 14, 2023
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 14, 2023
@adriananeci
Copy link
Contributor Author

@nojnhuh I think this is ready for another round reviews now

controllers/azureclusteridentity_controller.go Outdated Show resolved Hide resolved
azure/scope/identity.go Outdated Show resolved Hide resolved
azure/scope/identity.go Outdated Show resolved Hide resolved
azure/scope/cluster.go Outdated Show resolved Hide resolved
azure/scope/identity.go Outdated Show resolved Hide resolved
azure/scope/identity.go Outdated Show resolved Hide resolved
controllers/asosecret_controller.go Outdated Show resolved Hide resolved
controllers/asosecret_controller.go Show resolved Hide resolved
controllers/asosecret_controller.go Outdated Show resolved Hide resolved
controllers/asosecret_controller.go Outdated Show resolved Hide resolved
APIVersion: gvk.GroupVersion().String(),
Kind: gvk.Kind,
Name: asoSecretOwner.GetName(),
UID: asoSecretOwner.GetUID(),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it seems fair to say this is controlling the secret?

Suggested change
UID: asoSecretOwner.GetUID(),
UID: asoSecretOwner.GetUID(),
Controller: pointer.Bool(true),

@CecileRobertMichon Is there a reason the AzureJSON controllers don't set this? It seems like that's necessary for Owns() to work:

// Owns defines types of Objects being generated by the ControllerManagedBy, and configures the ControllerManagedBy to respond to
// create / delete / update events by reconciling the owner object. This is the equivalent of calling
// Watches(&source.Kind{Type: }, &handler.EnqueueRequestForOwner{OwnerType: apiType, IsController: true}).

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't set which part?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The controller: true in the ownerRef on the generated Secret.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 1, 2023
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 2, 2023
Copy link
Contributor

@nojnhuh nojnhuh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I could've sworn I posted these comments the other day, but I see that GitHub still shows (most of) them as "pending." I think I've seen some other weird things with review comments lately too so maybe I'm not as crazy as I think...

controllers/asosecret_controller_test.go Outdated Show resolved Hide resolved
controllers/asosecret_controller_test.go Outdated Show resolved Hide resolved
controllers/asosecret_controller_test.go Outdated Show resolved Hide resolved
controllers/asosecret_controller.go Outdated Show resolved Hide resolved
controllers/asosecret_controller_test.go Show resolved Hide resolved
controllers/asosecret_controller.go Show resolved Hide resolved
controllers/asosecret_controller_test.go Show resolved Hide resolved
controllers/asosecret_controller_test.go Outdated Show resolved Hide resolved
APIVersion: gvk.GroupVersion().String(),
Kind: gvk.Kind,
Name: asoSecretOwner.GetName(),
UID: asoSecretOwner.GetUID(),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The controller: true in the ownerRef on the generated Secret.

Copy link
Contributor

@nojnhuh nojnhuh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/assign @CecileRobertMichon

@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. and removed lgtm "Looks good to me", indicates that a PR is ready to be merged. labels Aug 8, 2023
Copy link
Contributor

@nojnhuh nojnhuh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 8, 2023
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: 80f6232c5213b9662b6cd5f9a37373628b2f499e

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 8, 2023
@adriananeci
Copy link
Contributor Author

/assign @CecileRobertMichon

Copy link
Contributor

@CecileRobertMichon CecileRobertMichon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

Great work @adriananeci 🎉

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: CecileRobertMichon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 8, 2023
@k8s-ci-robot k8s-ci-robot merged commit 760fcfd into kubernetes-sigs:main Aug 9, 2023
@k8s-ci-robot k8s-ci-robot added this to the v1.11 milestone Aug 9, 2023
@adriananeci adriananeci deleted the aso_secrets branch August 9, 2023 12:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

Implement all currently supported flavors of Azure authentication for ASO
7 participants