From 2b8881b77422edf547d313a5d8c5533bd4b5da87 Mon Sep 17 00:00:00 2001
From: Robin Deeboonchai
Date: Wed, 28 Aug 2024 02:00:23 -0700
Subject: [PATCH] chore: fallback for unsupported workload identity in cpa 1.27
---
 .../cloudprovider/azure/azure_client.go | 30 ++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)
diff --git a/cluster-autoscaler/cloudprovider/azure/azure_client.go b/cluster-autoscaler/cloudprovider/azure/azure_client.go
index e125d8eb2c97..f99d1d4b9973 100644
--- a/cluster-autoscaler/cloudprovider/azure/azure_client.go
+++ b/cluster-autoscaler/cloudprovider/azure/azure_client.go
@@ -19,6 +19,7 @@ package azure
 import (
 	"context"
 	"fmt"
+	"os"
 
 	_ "go.uber.org/mock/mockgen/model" // for go:generate
 
@@ -32,6 +33,7 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v4"
 	"github.com/Azure/azure-sdk-for-go/services/compute/mgmt/2022-03-01/compute"
 	"github.com/Azure/go-autorest/autorest"
+	"github.com/Azure/go-autorest/autorest/adal"
 	"github.com/Azure/go-autorest/autorest/azure"
 	"github.com/Azure/go-autorest/autorest/azure/auth"
@@ -173,12 +175,38 @@ type azClient struct {
 	agentPoolClient AgentPoolsClient
 }
 
+// Only exist due to cloud-provider-azure not yet supporting workload identity in 1.27
+func newServicePrincipalTokenForWorkloadIdentity(config *Config, env *azure.Environment) (*adal.ServicePrincipalToken, error) {
+	oauthConfig, err := adal.NewOAuthConfig(env.ActiveDirectoryEndpoint, config.TenantID)
+	if err != nil {
+		return nil, fmt.Errorf("creating the OAuth config: %v", err)
+	}
+
+	klog.V(2).Infoln("azure: using workload identity extension to retrieve access token")
+	jwt, err := os.ReadFile(config.AADFederatedTokenFile)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read a file with a federated token: %v", err)
+	}
+	//nolint SA1019 - deprecated package
+	token, err := adal.NewServicePrincipalTokenFromFederatedToken(*oauthConfig, config.AADClientID, string(jwt), env.ResourceManagerEndpoint)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create a workload identity token: %v", err)
+	}
+	return token, nil
+}
+
 func newAuthorizer(config *Config, env *azure.Environment) (autorest.Authorizer, error) {
 	switch config.AuthMethod {
 	case authMethodCLI:
 		return auth.NewAuthorizerFromCLI()
 	case "", authMethodPrincipal:
-		token, err := providerazureconfig.GetServicePrincipalToken(&config.AzureAuthConfig, env, "")
+		var token *adal.ServicePrincipalToken
+		var err error
+		if config.UseFederatedWorkloadIdentityExtension {
+			token, err = newServicePrincipalTokenForWorkloadIdentity(config, env)
+		} else {
+			token, err = providerazureconfig.GetServicePrincipalToken(&config.AzureAuthConfig, env, "")
+		}
 		if err != nil {
 			return nil, fmt.Errorf("retrieve service principal token: %v", err)
 		}
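Review bot: The federated JWT is read exactly once in newServicePrincipalTokenForWorkloadIdentity (the `jwt, err := os.ReadFile(config.AADFederatedTokenFile)` line) and baked into the ServicePrincipalToken, so every later refresh presents that same assertion; a kubelet-projected service account token is rotated and expires, so refreshes after that point will presumably be rejected until the autoscaler process restarts. Re-reading the file on each refresh through adal's callback constructor (NewServicePrincipalTokenFromFederatedTokenCallback, which recent go-autorest releases provide — confirm the vendored version has it) avoids that; the rewritten lines are below. Separately, `//nolint SA1019 - deprecated package` is not the form golangci-lint honours, `//nolint:staticcheck // SA1019: adal is deprecated` is, and an empty AADFederatedTokenFile surfaces only as an opaque open error, so an explicit guard such as `if config.AADFederatedTokenFile == "" { return nil, fmt.Errorf("AADFederatedTokenFile must be set when UseFederatedWorkloadIdentityExtension is enabled") }` gives operators a usable message. newAuthorizer's switch continues past the end of the hunk.
```go
	klog.V(2).Infoln("azure: using workload identity extension to retrieve access token")
	// Re-read the projected token on every refresh: kubelet rotates the file,
	// so a JWT captured once at startup would eventually be rejected.
	jwtCallback := func() (string, error) {
		jwt, err := os.ReadFile(config.AADFederatedTokenFile)
		if err != nil {
			return "", fmt.Errorf("failed to read a file with a federated token: %v", err)
		}
		return string(jwt), nil
	}
	//nolint:staticcheck // SA1019: adal is deprecated
	token, err := adal.NewServicePrincipalTokenFromFederatedTokenCallback(*oauthConfig, config.AADClientID, jwtCallback, env.ResourceManagerEndpoint)
	// … unchanged: error check and return …
```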