Support Client Certificate authentication for CAPZ

[snehala27]

/kind feature

Describe the solution you'd like
Currently CAPZ supports authentication only via client secrets: https://github.com/kubernetes-sigs/cluster-api-provider-azure/blob/master/config/default/credentials.yaml
The combination of ClientCertificate and CertPassword should also be supported

Anything else you would like to add:
Cloud Provider already supports all auth types: https://github.com/kubernetes-sigs/cloud-provider-azure/blob/e39d48d4ea0db59724f7c7a9c4e5fba4027b13a1/docs/cloud-provider-config.md

Environment:

• cluster-api-provider-azure version:
• Kubernetes version: (use kubectl version):
• OS (e.g. from /etc/os-release):

[devigned]

This configuration is not documented currently, but if the certificate password and certificate file were available to the controller, I believe the Azure Golang SDK would use them. Right now, we only use CLIENT_ID and SECRET env vars.

[alexeldeib]

The SDK can handle it, but we need to update our logic a bit to allow alternate sources:

cluster-api-provider-azure/cloud/scope/clients.go

Lines 52 to 59 in 387db5a

	settings, err := auth.GetSettingsFromEnvironment()
	if err != nil {
	return err
	}
	c.ResourceManagerEndpoint = settings.Environment.ResourceManagerEndpoint
	c.ResourceManagerVMDNSSuffix = GetAzureDNSZoneForEnvironment(settings.Environment.Name)
	settings.Values[auth.SubscriptionID] = subscriptionID
	c.Authorizer, err = settings.GetAuthorizer()

GetAuthorizerFromEnvironment() will try all the options IIRC, not sure if it does the correct ordering we want.

[devigned]

Indeed. The SDK will check all options if using GetAuthorizerFromEnvironment. Since a controller only has one identity, the only thing that can currently change is the subscription. It should make it a little easier I think.

This logic will also need to change when we implement #586. With #586, we'll probably move an identity reference to the AzureCluster, which will be used as the AAD Identity to provision that AzureCluster.

[alexeldeib]

Going to assign this to David since he's working on multitenancy which will directly affect the authorizer setup for this

/assign @devigned

[devigned]

/milestone v0.4.10
/assign @nader-ziada

This will be included when using AAD pod identity.

[nader-ziada]

fixed as part of #977 since aad-pod-identity already supports that and its mentioned in the docs https://github.com/kubernetes-sigs/cluster-api-provider-azure/blob/master/docs/book/src/topics/multitenancy.md

/close

[k8s-ci-robot]

@nader-ziada: Closing this issue.

In response to this:

fixed as part of #977 since aad-pod-identity already supports that and its mentioned in the docs https://github.com/kubernetes-sigs/cluster-api-provider-azure/blob/master/docs/book/src/topics/multitenancy.md

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.