adding multi tenancy for controller using aad-pod-identity

api/v1alpha2/azurecluster_conversion.go

@@ -61,6 +61,7 @@ func (src *AzureCluster) ConvertTo(dstRaw conversion.Hub) error { // nolint
 
 	dst.Status.FailureDomains = restored.Status.FailureDomains
 	dst.Spec.NetworkSpec.Vnet.CIDRBlocks = restored.Spec.NetworkSpec.Vnet.CIDRBlocks
+	dst.Spec.IdentityRef = restored.Spec.IdentityRef
 
 	for _, restoredSubnet := range restored.Spec.NetworkSpec.Subnets {
 		if restoredSubnet != nil {

api/v1alpha3/azurecluster_types.go

@@ -17,6 +17,7 @@ limitations under the License.
 package v1alpha3
 
 import (
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1alpha3"
 )
@@ -25,6 +26,9 @@ const (
 	// ClusterFinalizer allows ReconcileAzureCluster to clean up Azure resources associated with AzureCluster before
 	// removing it from the apiserver.
 	ClusterFinalizer = "azurecluster.infrastructure.cluster.x-k8s.io"
+
+	// ClusterLabelNamespace indicates the namespace of the cluster
+	ClusterLabelNamespace = "azurecluster.infrastructure.cluster.x-k8s.io/cluster-namespace"
 )
 
 // AzureClusterSpec defines the desired state of AzureCluster
@@ -48,6 +52,10 @@ type AzureClusterSpec struct {
 	// ones added by default.
 	// +optional
 	AdditionalTags Tags `json:"additionalTags,omitempty"`
+
+	// IdentityRef is a reference to a AzureIdentity to be used when reconciling this cluster
+	// +optional
+	IdentityRef *corev1.ObjectReference `json:"identityRef,omitempty"`
 }
 
 // AzureClusterStatus defines the observed state of AzureCluster

api/v1alpha3/azureclusteridentity_types.go

@@ -0,0 +1,105 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha3
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	clusterv1 "sigs.k8s.io/cluster-api/api/v1alpha3"
+)
+
+// AzureClusterIdentitySpec defines the parameters that are used to create an AzureIdentity
+type AzureClusterIdentitySpec struct {
+	// UserAssignedMSI or Service Principal
+	Type IdentityType `json:"type"`
+	// User assigned MSI resource id.
+	// +optional
+	ResourceID string `json:"resourceID,omitempty"`
+	// Both User Assigned MSI and SP can use this field.
+	ClientID string `json:"clientID"`
+	// ClientSecret is a secret reference which should contain either a Service Principal password or certificate secret.
+	// +optional
+	ClientSecret corev1.SecretReference `json:"clientSecret,omitempty"`
+	// Service principal primary tenant id.
+	TenantID string `json:"tenantID"`
+	// AllowedNamespaces is an array of namespaces that AzureClusters can
+	// use this Identity from.
+	//
+	// An empty list (default) indicates that AzureClusters can use this
+	// Identity from any namespace. This field is intentionally not a
+	// pointer because the nil behavior (no namespaces) is undesirable here.
+	// +optional
+	AllowedNamespaces []string `json:"allowedNamespaces"`
+}
+
+// AzureClusterIdentityStatus defines the observed state of AzureClusterIdentity
+type AzureClusterIdentityStatus struct {
+	// Conditions defines current service state of the AzureClusterIdentity.
+	// +optional
+	Conditions clusterv1.Conditions `json:"conditions,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=azureclusteridentities,scope=Namespaced,categories=cluster-api
+// +kubebuilder:storageversion
+// +kubebuilder:subresource:status
+
+// AzureClusterIdentity is the Schema for the azureclustersidentities API
+type AzureClusterIdentity struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   AzureClusterIdentitySpec   `json:"spec,omitempty"`
+	Status AzureClusterIdentityStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// AzureClusterIdentityList contains a list of AzureClusterIdentity
+type AzureClusterIdentityList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []AzureClusterIdentity `json:"items"`
+}
+
+// GetConditions returns the list of conditions for an AzureClusterIdentity API object.
+func (c *AzureClusterIdentity) GetConditions() clusterv1.Conditions {
+	return c.Status.Conditions
+}
+
+// SetConditions will set the given conditions on an AzureClusterIdentity object
+func (c *AzureClusterIdentity) SetConditions(conditions clusterv1.Conditions) {
+	c.Status.Conditions = conditions
+}
+
+// ClusterNamespaceAllowed indicates if the cluster namespace is allowed
+func (c *AzureClusterIdentity) ClusterNamespaceAllowed(namespace string) bool {
+	if len(c.Spec.AllowedNamespaces) == 0 {
+		return true
+	}
+	for _, v := range c.Spec.AllowedNamespaces {
+		if v == namespace {
+			return true
+		}
+	}
+
+	return false
+}
+
+func init() {
+	SchemeBuilder.Register(&AzureClusterIdentity{}, &AzureClusterIdentityList{})
+}

api/v1alpha3/azureclusteridentity_types_test.go

@@ -0,0 +1,71 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha3
+
+import (
+	"testing"
+
+	. "github.com/onsi/gomega"
+)
+
+func TestAllowedNamespaces(t *testing.T) {
+	g := NewWithT(t)
+
+	tests := []struct {
+		name             string
+		identity         *AzureClusterIdentity
+		clusterNamespace string
+		expected         bool
+	}{
+		{
+			name: "allow any cluster namespace when empty",
+			identity: &AzureClusterIdentity{
+				Spec: AzureClusterIdentitySpec{
+					AllowedNamespaces: []string{},
+				},
+			},
+			clusterNamespace: "default",
+			expected:         true,
+		},
+		{
+			name: "allow cluster with namespace in list",
+			identity: &AzureClusterIdentity{
+				Spec: AzureClusterIdentitySpec{
+					AllowedNamespaces: []string{"namespace24", "namespace32"},
+				},
+			},
+			clusterNamespace: "namespace24",
+			expected:         true,
+		},
+		{
+			name: "don't allow cluster with namespace not in list",
+			identity: &AzureClusterIdentity{
+				Spec: AzureClusterIdentitySpec{
+					AllowedNamespaces: []string{"namespace24", "namespace32"},
+				},
+			},
+			clusterNamespace: "namespace8",
+			expected:         false,
+		},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			actual := tc.identity.ClusterNamespaceAllowed(tc.clusterNamespace)
+			g.Expect(actual).To(Equal(tc.expected))
+		})
+	}
+}

api/v1alpha3/conditions_consts.go

@@ -26,6 +26,8 @@ const (
 	LoadBalancerProvisioningReason = "LoadBalancerProvisioning"
 	// LoadBalancerProvisioningFailedReason used for failure during provisioning of loadbalancer.
 	LoadBalancerProvisioningFailedReason = "LoadBalancerProvisioningFailed"
+	// NamespaceNotAllowedByIdentity used to indicate cluster in a namespace not allowed by identity
+	NamespaceNotAllowedByIdentity = "NamespaceNotAllowedByIdentity"
 )
 
 // AzureMachine Conditions and Reasons

api/v1alpha3/types.go

@@ -21,6 +21,8 @@ import (
 )
 
 const (
+	// ControllerNamespace is the namespace where controller manager will run
+	ControllerNamespace = "capz-system"
 	// ControlPlane machine label
 	ControlPlane string = "control-plane"
 	// Node machine label
@@ -321,6 +323,25 @@ type UserAssignedIdentity struct {
 	ProviderID string `json:"providerID"`
 }
 
+const (
+	// AzureIdentityBindingSelector is the label used to match with the AzureIdentityBinding
+	// For the controller to match an identity binding, it needs a [label] with the key `aadpodidbinding`
+	// whose value is that of the `selector:` field in the `AzureIdentityBinding`.
+	AzureIdentityBindingSelector = "capz-controller-aadpodidentity-selector"
+)
+
+// IdentityType represents different types of identities.
+// +kubebuilder:validation:Enum=ServicePrincipal;UserAssignedMSI
+type IdentityType string
+
+const (
+	// UserAssignedMSI represents a user-assigned identity.
+	UserAssignedMSI IdentityType = "UserAssignedMSI"
+
+	// ServicePrincipal represents a service principal.
+	ServicePrincipal IdentityType = "ServicePrincipal"
+)
+
 // OSDisk defines the operating system disk for a VM.
 type OSDisk struct {
 	OSType           string            `json:"osType"`