Add support of Azure authentication for ASO

kubernetes-sigs · Aug 2, 2023 · 27e7a83 · 27e7a83
1 parent 7e8c80b
commit 27e7a83
Show file tree

Hide file tree

Showing 8 changed files with 658 additions and 9 deletions.
diff --git a/azure/scope/identity.go b/azure/scope/identity.go
@@ -42,7 +42,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
-const azureSecretKey = "clientSecret"
+// AzureSecretKey is the value for they client secret key.
+const AzureSecretKey = "clientSecret"
 
 // CredentialsProvider defines the behavior for azure identity based credential providers.
 type CredentialsProvider interface {
@@ -220,7 +221,7 @@ func (p *AzureCredentialsProvider) GetClientSecret(ctx context.Context) (string,
 		if err := p.Client.Get(ctx, key, secret); err != nil {
 			return "", errors.Wrap(err, "Unable to fetch ClientSecret")
 		}
-		return string(secret.Data[azureSecretKey]), nil
+		return string(secret.Data[AzureSecretKey]), nil
 	}
 	return "", nil
 }

diff --git a/azure/services/aso/aso.go b/azure/services/aso/aso.go
@@ -29,6 +29,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	infrav1 "sigs.k8s.io/cluster-api-provider-azure/api/v1beta1"
 	"sigs.k8s.io/cluster-api-provider-azure/azure"
+	"sigs.k8s.io/cluster-api-provider-azure/util/aso"
 	"sigs.k8s.io/cluster-api-provider-azure/util/tele"
 	"sigs.k8s.io/cluster-api/util/patch"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -46,6 +47,9 @@ const (
 
 	createOrUpdateFutureType = "ASOCreateOrUpdate"
 	deleteFutureType         = "ASODelete"
+
+	// SecretNameAnnotation is the annotation key for ASO's credentials to use.
+	SecretNameAnnotation = "serviceoperator.azure.com/credential-from"
 )
 
 // Service is an implementation of the Reconciler interface. It handles creation
@@ -181,6 +185,10 @@ func (s *Service) CreateOrUpdateResource(ctx context.Context, spec azure.ASOReso
 		annotations[ReconcilePolicyAnnotation] = ReconcilePolicyManage
 	}
 
+	// Set the secret name annotation in order to leverage the ASO resource credential scope as defined in
+	// https://azure.github.io/azure-service-operator/guide/authentication/credential-scope/#resource-scope.
+	annotations[SecretNameAnnotation] = aso.GetASOSecretName(s.clusterName)
+
 	if len(labels) == 0 {
 		labels = nil
 	}

diff --git a/azure/services/aso/aso_test.go b/azure/services/aso/aso_test.go
@@ -149,6 +149,7 @@ func TestCreateOrUpdateResource(t *testing.T) {
 		}))
 		g.Expect(created.Annotations).To(Equal(map[string]string{
 			ReconcilePolicyAnnotation: ReconcilePolicySkip,
+			SecretNameAnnotation:      "cluster-aso-secret",
 		}))
 		g.Expect(created.Spec).To(Equal(asoresourcesv1.ResourceGroup_Spec{
 			Location: pointer.String("location"),
@@ -425,6 +426,7 @@ func TestCreateOrUpdateResource(t *testing.T) {
 		g.Expect(c.Get(ctx, types.NamespacedName{Name: "name", Namespace: "namespace"}, updated)).To(Succeed())
 		g.Expect(updated.Annotations).To(Equal(map[string]string{
 			ReconcilePolicyAnnotation: ReconcilePolicyManage,
+			SecretNameAnnotation:      "cluster-aso-secret",
 		}))
 	})
 
@@ -482,6 +484,7 @@ func TestCreateOrUpdateResource(t *testing.T) {
 		g.Expect(c.Get(ctx, types.NamespacedName{Name: "name", Namespace: "namespace"}, updated)).To(Succeed())
 		g.Expect(updated.Annotations).To(Equal(map[string]string{
 			ReconcilePolicyAnnotation: ReconcilePolicyManage,
+			SecretNameAnnotation:      "cluster-aso-secret",
 		}))
 	})
 
@@ -603,6 +606,7 @@ func TestCreateOrUpdateResource(t *testing.T) {
 				},
 				Annotations: map[string]string{
 					ReconcilePolicyAnnotation: ReconcilePolicyManage,
+					SecretNameAnnotation:      "cluster-aso-secret",
 				},
 			},
 			Spec: asoresourcesv1.ResourceGroup_Spec{

diff --git a/controllers/asosecret_controller.go b/controllers/asosecret_controller.go
@@ -0,0 +1,303 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controllers
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/pkg/errors"
+	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/tools/record"
+	"k8s.io/utils/pointer"
+	infrav1 "sigs.k8s.io/cluster-api-provider-azure/api/v1beta1"
+	"sigs.k8s.io/cluster-api-provider-azure/azure/scope"
+	"sigs.k8s.io/cluster-api-provider-azure/util/aso"
+	"sigs.k8s.io/cluster-api-provider-azure/util/reconciler"
+	"sigs.k8s.io/cluster-api-provider-azure/util/tele"
+	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
+	"sigs.k8s.io/cluster-api/util"
+	"sigs.k8s.io/cluster-api/util/annotations"
+	"sigs.k8s.io/cluster-api/util/predicates"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/controller-runtime/pkg/source"
+)
+
+// ASOSecretReconciler reconciles ASO secrets associated with AzureCluster objects.
+type ASOSecretReconciler struct {
+	client.Client
+	Recorder         record.EventRecorder
+	ReconcileTimeout time.Duration
+	WatchFilterValue string
+}
+
+// SetupWithManager initializes this controller with a manager.
+func (asos *ASOSecretReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager, options controller.Options) error {
+	_, log, done := tele.StartSpanWithLogger(ctx,
+		"controllers.ASOSecretReconciler.SetupWithManager",
+		tele.KVP("controller", "ASOSecret"),
+	)
+	defer done()
+
+	c, err := ctrl.NewControllerManagedBy(mgr).
+		WithOptions(options).
+		For(&infrav1.AzureCluster{}).
+		WithEventFilter(predicates.ResourceNotPausedAndHasFilterLabel(log, asos.WatchFilterValue)).
+		WithEventFilter(predicates.ResourceIsNotExternallyManaged(log)).
+		Named("ASOSecret").
+		Owns(&corev1.Secret{}).
+		Build(asos)
+	if err != nil {
+		return errors.Wrap(err, "error creating controller")
+	}
+
+	// Add a watch on infrav1.AzureManagedControlPlane if Cluster API 'MachinePool' feature is enabled.
+	if err = c.Watch(
+		&source.Kind{Type: &infrav1.AzureManagedControlPlane{}},
+		&handler.EnqueueRequestForObject{},
+		predicates.ResourceNotPausedAndHasFilterLabel(log, asos.WatchFilterValue),
+	); err != nil {
+		return errors.Wrap(err, "failed adding a watch for ready clusters")
+	}
+
+	// Add a watch on clusterv1.Cluster object for unpause notifications.
+	if err = c.Watch(
+		&source.Kind{Type: &clusterv1.Cluster{}},
+		handler.EnqueueRequestsFromMapFunc(util.ClusterToInfrastructureMapFunc(ctx, infrav1.GroupVersion.WithKind("AzureCluster"), mgr.GetClient(), &infrav1.AzureCluster{})),
+		predicates.ClusterUnpaused(log),
+		predicates.ResourceNotPausedAndHasFilterLabel(log, asos.WatchFilterValue),
+	); err != nil {
+		return errors.Wrap(err, "failed adding a watch for ready clusters")
+	}
+
+	return nil
+}
+
+// Reconcile reconciles the ASO secrets associated with AzureCluster objects.
+func (asos *ASOSecretReconciler) Reconcile(ctx context.Context, req ctrl.Request) (_ ctrl.Result, reterr error) {
+	ctx, cancel := context.WithTimeout(ctx, reconciler.DefaultedLoopTimeout(asos.ReconcileTimeout))
+	defer cancel()
+
+	ctx, log, done := tele.StartSpanWithLogger(ctx, "controllers.ASOSecret.Reconcile",
+		tele.KVP("namespace", req.Namespace),
+		tele.KVP("name", req.Name),
+		tele.KVP("kind", "AzureCluster"),
+	)
+	defer done()
+
+	log = log.WithValues("namespace", req.Namespace, "AzureCluster", req.Name)
+
+	// asoSecretOwner is the resource that created the identity. This could be either an AzureCluster or AzureManagedControlPlane (if AKS is enabled).
+	// check for AzureCluster first and if it is not found, check for AzureManagedControlPlane.
+	var asoSecretOwner client.Object
+
+	azureCluster := &infrav1.AzureCluster{}
+	checkForManagedControlPlane := false
+	// Fetch the AzureCluster or AzureManagedControlPlane instance
+	asoSecretOwner = azureCluster
+	err := asos.Get(ctx, req.NamespacedName, azureCluster)
+	if err != nil {
+		if apierrors.IsNotFound(err) {
+			checkForManagedControlPlane = true
+		} else {
+			return reconcile.Result{}, err
+		}
+	} else {
+		log = log.WithValues("AzureCluster", req.Name)
+	}
+
+	if checkForManagedControlPlane {
+		// Fetch the AzureManagedControlPlane instance instead
+		azureManagedControlPlane := &infrav1.AzureManagedControlPlane{}
+		asoSecretOwner = azureManagedControlPlane
+		err = asos.Get(ctx, req.NamespacedName, azureManagedControlPlane)
+		if err != nil {
+			if apierrors.IsNotFound(err) {
+				asos.Recorder.Eventf(azureCluster, corev1.EventTypeNormal, "AzureClusterObjectNotFound",
+					fmt.Sprintf("AzureCluster object %s/%s not found", req.Namespace, req.Name))
+				asos.Recorder.Eventf(azureManagedControlPlane, corev1.EventTypeNormal, "AzureManagedControlPlaneObjectNotFound",
+					fmt.Sprintf("AzureManagedControlPlane object %s/%s not found", req.Namespace, req.Name))
+				log.Info("object was not found")
+				return reconcile.Result{}, nil
+			} else {
+				return reconcile.Result{}, err
+			}
+		} else {
+			log = log.WithValues("AzureManagedControlPlane", req.Name)
+		}
+	}
+
+	var clusterIdentity *corev1.ObjectReference
+	var cluster *clusterv1.Cluster
+	var azureClient scope.AzureClients
+
+	switch ownerType := asoSecretOwner.(type) {
+	case *infrav1.AzureCluster:
+		clusterIdentity = ownerType.Spec.IdentityRef
+
+		// Fetch the Cluster.
+		cluster, err = util.GetOwnerCluster(ctx, asos.Client, ownerType.ObjectMeta)
+		if err != nil {
+			return reconcile.Result{}, err
+		}
+
+		// Create the scope.
+		clusterScope, err := scope.NewClusterScope(ctx, scope.ClusterScopeParams{
+			Client:       asos.Client,
+			Cluster:      cluster,
+			AzureCluster: ownerType,
+		})
+		if err != nil {
+			return reconcile.Result{}, errors.Wrap(err, "failed to create scope")
+		}
+
+		azureClient = clusterScope.AzureClients
+
+	case *infrav1.AzureManagedControlPlane:
+		clusterIdentity = ownerType.Spec.IdentityRef
+
+		// Fetch the Cluster.
+		cluster, err = util.GetOwnerCluster(ctx, asos.Client, ownerType.ObjectMeta)
+		if err != nil {
+			return reconcile.Result{}, err
+		}
+
+		// Create the scope.
+		clusterScope, err := scope.NewManagedControlPlaneScope(ctx, scope.ManagedControlPlaneScopeParams{
+			Client:       asos.Client,
+			Cluster:      cluster,
+			ControlPlane: ownerType,
+		})
+		if err != nil {
+			return reconcile.Result{}, errors.Wrap(err, "failed to create scope")
+		}
+
+		azureClient = clusterScope.AzureClients
+	}
+
+	if cluster == nil {
+		log.Info("Cluster Controller has not yet set OwnerRef")
+		asos.Recorder.Eventf(asoSecretOwner, corev1.EventTypeNormal, "OwnerRefNotFound",
+			fmt.Sprintf("Cluster Controller has not yet set OwnerRef for object %s/%s", req.Namespace, req.Name))
+		return reconcile.Result{}, nil
+	}
+
+	log = log.WithValues("cluster", cluster.Name)
+
+	// Return early if the AzureCluster or Cluster is paused.
+	if annotations.IsPaused(cluster, asoSecretOwner) {
+		log.Info(fmt.Sprintf("%s or linked Cluster is marked as paused. Won't reconcile", asoSecretOwner.GetObjectKind()))
+		return ctrl.Result{}, nil
+	}
+
+	// Construct ASO secret for this AzureCluster
+	newASOSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      aso.GetASOSecretName(asoSecretOwner.GetName()),
+			Namespace: asoSecretOwner.GetNamespace(),
+			Labels: map[string]string{
+				asoSecretOwner.GetName(): string(infrav1.ResourceLifecycleOwned),
+			},
+		},
+		Data: map[string][]byte{
+			"AZURE_SUBSCRIPTION_ID": []byte(azureClient.SubscriptionID()),
+		},
+	}
+
+	if clusterIdentity != nil {
+		// if the namespace isn't specified then assume it's in the same namespace as the asoSecretOwner
+		namespace := clusterIdentity.Namespace
+		if namespace == "" {
+			namespace = asoSecretOwner.GetNamespace()
+		}
+		identity := &infrav1.AzureClusterIdentity{}
+		key := client.ObjectKey{
+			Name:      clusterIdentity.Name,
+			Namespace: namespace,
+		}
+		if err := asos.Get(ctx, key, identity); err != nil {
+			return reconcile.Result{}, errors.Wrap(err, "failed to retrieve AzureClusterIdentity")
+		}
+
+		newASOSecret.Data["AZURE_TENANT_ID"] = []byte(identity.Spec.TenantID)
+		newASOSecret.Data["AZURE_CLIENT_ID"] = []byte(identity.Spec.ClientID)
+
+		// Fetch identity secret, if it exists
+		key = types.NamespacedName{
+			Namespace: identity.Spec.ClientSecret.Namespace,
+			Name:      identity.Spec.ClientSecret.Name,
+		}
+		identitySecret := &corev1.Secret{}
+		err := asos.Get(ctx, key, identitySecret)
+		if err != nil && !apierrors.IsNotFound(err) {
+			return reconcile.Result{}, errors.Wrap(err, "failed to fetch AzureClusterIdentity secret")
+		}
+
+		switch identity.Spec.Type {
+		case infrav1.ServicePrincipal, infrav1.ManualServicePrincipal:
+			newASOSecret.Data["AZURE_CLIENT_SECRET"] = identitySecret.Data[scope.AzureSecretKey]
+		case infrav1.ServicePrincipalCertificate:
+			newASOSecret.Data["AZURE_CLIENT_CERTIFICATE"] = identitySecret.Data["certificate"]
+			newASOSecret.Data["AZURE_CLIENT_CERTIFICATE_PASSWORD"] = identitySecret.Data["password"]
+		}
+	} else {
+		newASOSecret.Data["AZURE_TENANT_ID"] = []byte(azureClient.TenantID())
+		newASOSecret.Data["AZURE_CLIENT_ID"] = []byte(azureClient.ClientID())
+
+		// Populate ASO data in the following order:
+		// 1. Client credentials
+		// 2. Client certificate
+		if _, e := azureClient.GetClientCredentials(); e == nil {
+			newASOSecret.Data["AZURE_CLIENT_SECRET"] = []byte(azureClient.ClientSecret())
+		} else if clientCert, e := azureClient.GetClientCertificate(); e == nil {
+			cert, err := getCertificateFromFile(clientCert.CertificatePath)
+			if err != nil {
+				return reconcile.Result{}, errors.Wrap(err, "failed to read client certificate")
+			}
+			newASOSecret.Data["AZURE_CLIENT_CERTIFICATE"] = cert
+			newASOSecret.Data["AZURE_CLIENT_CERTIFICATE_PASSWORD"] = []byte(clientCert.CertificatePassword)
+		} else {
+			return reconcile.Result{}, errors.Wrap(e, "failed to configure an authentication method for ASO secret")
+		}
+	}
+
+	gvk := asoSecretOwner.GetObjectKind().GroupVersionKind()
+	owner := metav1.OwnerReference{
+		APIVersion: gvk.GroupVersion().String(),
+		Kind:       gvk.Kind,
+		Name:       asoSecretOwner.GetName(),
+		UID:        asoSecretOwner.GetUID(),
+		Controller: pointer.Bool(true),
+	}
+
+	newASOSecret.OwnerReferences = []metav1.OwnerReference{owner}
+
+	if err := reconcileAzureSecret(ctx, asos.Client, owner, newASOSecret, asoSecretOwner.GetName()); err != nil {
+		asos.Recorder.Eventf(asoSecretOwner, corev1.EventTypeWarning, "Error reconciling ASO secret", err.Error())
+		return ctrl.Result{}, errors.Wrap(err, "failed to reconcile ASO secret")
+	}
+
+	return ctrl.Result{}, nil
+}