Add support for Azure authentication in ASO

[adriananeci]

What type of PR is this?
/kind feature

What this PR does / why we need it:

More context is described in the ASO proposal: https://github.com/kubernetes-sigs/cluster-api-provider-azure/blob/main/docs/proposals/20230123-azure-service-operator.md#security-model

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #3526

Special notes for your reviewer:

Because we can have multiple AzureClusterIdentity objects created inside the same namespace, we cannot make use of https://azure.github.io/azure-service-operator/guide/authentication/credential-scope/#namespace-scope so we'll have to reside only on global scope or resource scope

Haven't added any tests yet. I'll add those after the initial review since I'm looking for some early feedback to make sure I'm on the right path.

• cherry-pick candidate

TODOs:

• squashed commits
• includes documentation
• adds unit tests

Release note:

Add support for Azure authentication in ASO

[k8s-ci-robot]

Hi @adriananeci. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[nojnhuh]

/ok-to-test

[adriananeci]

/retest

[codecov]

Codecov Report

Patch coverage: 60.90% and project coverage change: +0.09% 🎉

Comparison is base (cb182d6) 54.74% compared to head (13f4eca) 54.83%.
Report is 4 commits behind head on main.

❗ Current head 13f4eca differs from pull request most recent head 9d8e6c8. Consider uploading reports for the commit 9d8e6c8 to get more accurate results

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3698      +/-   ##
==========================================
+ Coverage   54.74%   54.83%   +0.09%     
==========================================
  Files         187      188       +1     
  Lines       19051    19331     +280     
==========================================
+ Hits        10429    10600     +171     
- Misses       8057     8150      +93     
- Partials      565      581      +16     

Files Changed	Coverage Δ
azure/scope/identity.go	37.20% <0.00%> (ø)
controllers/helpers.go	54.24% <23.07%> (-0.46%)	⬇️
controllers/asosecret_controller.go	62.66% <62.66%> (ø)
azure/services/aso/aso.go	88.60% <100.00%> (-4.18%)	⬇️

... and 1 file with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[nojnhuh]

Adding WIP while we're not ready to merge this yet:
/retitle [WIP] Add support for Azure authentication in ASO

[nojnhuh]

Overall approach looks good to me.

For the other ASO PRs, I've been splitting up those into non-functional changes (w.r.t. the current behavior) that get merged and functional changes (to be included in a PR resolving #3527) that I've been managing in my fork. The new controller and creation of ASO secrets here don't seem like they would break current behavior though so we may not need to split anything out here.

@CecileRobertMichon Do we have existing e2e coverage for all these different ways of authenticating to Azure?

[nojnhuh]

(reminder to squash once we get lgtms)

/hold

And @adriananeci feel free to remove the [WIP] from the title once you're finished and let me know so I can give this another look.

[adriananeci]

/retest

[adriananeci]

@nojnhuh I think this is ready for another round reviews now

[nojnhuh]

I think it seems fair to say this is controlling the secret?

Suggested change

	UID: asoSecretOwner.GetUID(),
	UID: asoSecretOwner.GetUID(),
	Controller: pointer.Bool(true),

@CecileRobertMichon Is there a reason the AzureJSON controllers don't set this? It seems like that's necessary for Owns() to work:

cluster-api-provider-azure/controllers/azurejson_machine_controller.go

Line 75 in 30c9a8b

Owns(&corev1.Secret{}).

// Owns defines types of Objects being generated by the ControllerManagedBy, and configures the ControllerManagedBy to respond to
// create / delete / update events by reconciling the owner object. This is the equivalent of calling
// Watches(&source.Kind{Type: }, &handler.EnqueueRequestForOwner{OwnerType: apiType, IsController: true}).

[CecileRobertMichon]

Don't set which part?

[nojnhuh]

The controller: true in the ownerRef on the generated Secret.

[nojnhuh]

I could've sworn I posted these comments the other day, but I see that GitHub still shows (most of) them as "pending." I think I've seen some other weird things with review comments lately too so maybe I'm not as crazy as I think...

[nojnhuh]

The controller: true in the ownerRef on the generated Secret.

[nojnhuh]

/lgtm
/assign @CecileRobertMichon

[nojnhuh]

/lgtm

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 80f6232c5213b9662b6cd5f9a37373628b2f499e

[adriananeci]

/assign @CecileRobertMichon

[CecileRobertMichon]

/lgtm
/approve

Great work @adriananeci 🎉

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: CecileRobertMichon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [CecileRobertMichon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment