From 4bf0aa818d0d05a7bfa8501a97b4328dbeaaeef6 Mon Sep 17 00:00:00 2001
From: Ashutosh Kumar
Date: Tue, 17 Oct 2023 01:36:20 +0530
Subject: [PATCH] add ux for workload identity for cloud provider azure

Signed-off-by: Ashutosh Kumar
---
 api/v1beta1/types.go | 4 ++-
 ...re.cluster.x-k8s.io_azuremachinepools.yaml | 1 +
 ...ucture.cluster.x-k8s.io_azuremachines.yaml | 1 +
 ...luster.x-k8s.io_azuremachinetemplates.yaml | 1 +
 controllers/helpers.go | 25 +++++++++++++++++++
 5 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/api/v1beta1/types.go b/api/v1beta1/types.go
index 56a81c2066f..cc5e9044a5d 100644
--- a/api/v1beta1/types.go
+++ b/api/v1beta1/types.go
@@ -534,7 +534,7 @@ type AzureSharedGalleryImage struct {
 }
 
 // VMIdentity defines the identity of the virtual machine, if configured.
-// +kubebuilder:validation:Enum=None;SystemAssigned;UserAssigned
+// +kubebuilder:validation:Enum=None;SystemAssigned;UserAssigned;WorkloadIdentity
 type VMIdentity string
 
 const (
@@ -544,6 +544,8 @@ const (
 	VMIdentitySystemAssigned VMIdentity = "SystemAssigned"
 	// VMIdentityUserAssigned ...
 	VMIdentityUserAssigned VMIdentity = "UserAssigned"
+	// VMIdentityWorkloadIdentity ...
+	VMIdentityWorkloadIdentity VMIdentity = "WorkloadIdentity"
 )
 
 // SpotEvictionPolicy defines the eviction policy for spot VMs, if configured.
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremachinepools.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremachinepools.yaml
index 8621e9e4d49..91c74d255a1 100644
--- a/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremachinepools.yaml
+++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremachinepools.yaml
@@ -96,6 +96,7 @@ spec:
                 - None
                 - SystemAssigned
                 - UserAssigned
+                - WorkloadIdentity
                 type: string
               location:
                 description: Location is the Azure region location e.g. westus2
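Review bot: The doc comment on the new constant, `// VMIdentityWorkloadIdentity ...`, is a placeholder, and unlike SystemAssigned/UserAssigned this value does not name an Azure VM-level identity type — it selects how cloud-provider-azure on the VM authenticates (a projected service account token exchanged for an AAD token), which readers of the API type need spelled out. I would replace it with `// VMIdentityWorkloadIdentity configures cloud-provider-azure on the VM to authenticate with workload identity federation (a projected service account token) instead of a client secret or a VM-level managed identity.` Any code that maps VMIdentity onto an Azure VM identity type is outside this diff; presumably it needs an explicit branch for the new value rather than falling through to whatever default it has today. The CRD enum changes in this section are generated from the marker and need no separate review.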
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremachines.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremachines.yaml
index ee785c2c7eb..e10ff9bfb01 100644
--- a/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremachines.yaml
+++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremachines.yaml
@@ -260,6 +260,7 @@ spec:
               - None
               - SystemAssigned
               - UserAssigned
+              - WorkloadIdentity
               type: string
             image:
               description: Image is used to provide details of an image to use during
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremachinetemplates.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremachinetemplates.yaml
index c08ae0f96fd..1d0e086a0cf 100644
--- a/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremachinetemplates.yaml
+++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremachinetemplates.yaml
@@ -283,6 +283,7 @@ spec:
                   - None
                   - SystemAssigned
                   - UserAssigned
+                  - WorkloadIdentity
                   type: string
                 image:
                   description: Image is used to provide details of an image
diff --git a/controllers/helpers.go b/controllers/helpers.go
index 9d8b40c98b6..afcf8e7e007 100644
--- a/controllers/helpers.go
+++ b/controllers/helpers.go
@@ -68,6 +68,10 @@ const (
 	deprecatedManagerCredsWarning = "You're using deprecated functionality: " +
 		"Using Azure credentials from the manager environment is deprecated and will be removed in future releases. " +
 		"Please specify an AzureClusterIdentity for the AzureCluster instead, see: https://capz.sigs.k8s.io/topics/multitenancy.html "
+	// ToDo: Find a way to make this configurable for a user.
+	// This is the path where the projected service account token should be present for
+	// cloud provider azure.
+	aadFederatedTokenFilePath = "/var/run/secrets/azure/tokens/azure-identity-token" //nolint:gosec // Path of projected service account token
 )
 
 type (
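Review bot: `aadFederatedTokenFilePath` is a contract with the cloud-provider-azure pod spec — the projected `serviceAccountToken` volume has to be mounted at exactly this path or the provider has no token to exchange and authentication fails on the nodes — but the comment only records a wish to make it configurable. I would state the invariant in the comment, e.g. `// aadFederatedTokenFilePath must match the mountPath of the projected serviceAccountToken volume in the cloud-provider-azure manifest; the token's audience presumably also has to match the federated credential registered for the identity.`, and use the `// TODO:` form that Go tooling recognises instead of `ToDo`. The `//nolint:gosec` justification reads fine, since the value is a path rather than a credential. The CRD hunks earlier in this section are generated and need no separate review.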
@@ -203,6 +207,8 @@ func GetCloudProviderSecret(d azure.ClusterScoper, namespace, name string, owner
 		controlPlaneConfig, workerNodeConfig = userAssignedIdentityCloudProviderConfig(d, userIdentityID)
 	case infrav1.VMIdentityNone:
 		controlPlaneConfig, workerNodeConfig = newCloudProviderConfig(d)
+	case infrav1.VMIdentityWorkloadIdentity:
+		controlPlaneConfig, workerNodeConfig = workloadIdentityCloudProviderConfig(d)
 	}
 
 	// Enable VMSS Flexible nodes if MachinePools are enabled
@@ -245,6 +251,19 @@ func systemAssignedIdentityCloudProviderConfig(d azure.ClusterScoper) (cpConfig
 	return controlPlaneConfig, workerConfig
 }
 
+func workloadIdentityCloudProviderConfig(d azure.ClusterScoper) (cpConfig *CloudProviderConfig, wkConfig *CloudProviderConfig) {
+	controlPlaneConfig, workerConfig := newCloudProviderConfig(d)
+	// secret is not needed in workload identity.
+	controlPlaneConfig.AadClientSecret = ""
+	controlPlaneConfig.UseFederatedWorkloadIdentityExtension = true
+	controlPlaneConfig.AADFederatedTokenFile = aadFederatedTokenFilePath
+
+	workerConfig.AadClientSecret = ""
+	workerConfig.UseFederatedWorkloadIdentityExtension = true
+	workerConfig.AADFederatedTokenFile = aadFederatedTokenFilePath
+	return controlPlaneConfig, workerConfig
+}
+
 func userAssignedIdentityCloudProviderConfig(d azure.ClusterScoper, identityID string) (cpConfig *CloudProviderConfig, wkConfig *CloudProviderConfig) {
 	controlPlaneConfig, workerConfig := newCloudProviderConfig(d)
 	controlPlaneConfig.AadClientID = ""
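Review bot: `workloadIdentityCloudProviderConfig` blanks `AadClientSecret` but keeps whatever `newCloudProviderConfig(d)` set for the AAD client ID and tenant (not visible here), and nothing in this diff verifies that the cluster identity those values came from actually has a federated credential; if the AzureClusterIdentity is a plain client-secret service principal, the nodes get a config that presents a projected token AAD will reject, and the failure only surfaces as cloud-provider errors on the machines. If the scoper exposes the identity type, I would reject that combination here or in the webhook rather than emit a config that cannot authenticate; at minimum the function needs a doc comment stating the precondition, since the sibling helpers have none either. The control-plane and worker assignments are also duplicated line for line, so a loop over both configs keeps them from drifting. `userAssignedIdentityCloudProviderConfig`, which the hunk cuts into, continues outside it.
```go
// workloadIdentityCloudProviderConfig builds cloud-provider-azure configs that
// authenticate with workload identity federation: the client secret is dropped
// and the provider reads the projected service account token from
// aadFederatedTokenFilePath. The AAD client ID and tenant still come from the
// cluster identity, which must therefore have a federated credential registered
// for the cloud-provider-azure service account.
func workloadIdentityCloudProviderConfig(d azure.ClusterScoper) (cpConfig *CloudProviderConfig, wkConfig *CloudProviderConfig) {
	controlPlaneConfig, workerConfig := newCloudProviderConfig(d)
	for _, cfg := range []*CloudProviderConfig{controlPlaneConfig, workerConfig} {
		// secret is not needed in workload identity.
		cfg.AadClientSecret = ""
		cfg.UseFederatedWorkloadIdentityExtension = true
		cfg.AADFederatedTokenFile = aadFederatedTokenFilePath
	}
	return controlPlaneConfig, workerConfig
}
```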
@@ -343,6 +362,12 @@ type CloudProviderConfig struct {
 	UseInstanceMetadata bool `json:"useInstanceMetadata"`
 	EnableVmssFlexNodes bool `json:"enableVmssFlexNodes,omitempty"`
 	UserAssignedIdentityID string `json:"userAssignedIdentityID,omitempty"`
+	// AADFederatedTokenFile is the path of AAD federated token file
+	// Cloud provider azure should be deployed by projecting service account
+	// token volume as part of their pod spec
+	AADFederatedTokenFile string `json:"aadFederatedTokenFile,omitempty"`
+	// Use workload identity federation for the virtual machine to access Azure ARM APIs
+	UseFederatedWorkloadIdentityExtension bool `json:"useFederatedWorkloadIdentityExtension,omitempty"`
 	CloudProviderRateLimitConfig
 	BackOffConfig
 }
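Review bot: The comments on the two new fields read as fragments (no terminal period, and `Use workload identity federation ...` does not start with the field name as Go doc comments should) and they do not say that the fields only work together or what the remaining AAD fields mean once the extension is on. I would write `// AADFederatedTokenFile is the path of the projected service account token that cloud-provider-azure exchanges for an AAD token; it is only read when UseFederatedWorkloadIdentityExtension is true.` and `// UseFederatedWorkloadIdentityExtension makes cloud-provider-azure authenticate with workload identity federation instead of AadClientSecret; AadClientID must then identify the app or managed identity that holds the federated credential.` The json keys presumably mirror cloud-provider-azure's own config keys; worth confirming they match the provider version the templates ship, since a misspelled key is silently ignored on the node side.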