Add support for Service Principal with Certificate auth using AAD pod identity #2258
Conversation
k8s-ci-robot
added
release-note
CecileRobertMichon
force-pushed
the
fix-certificate-auth
branch
2 times, most recently
from
23c553f to
ba1be3d
Compare
|
/retest |
1 similar comment
|
/retest |
CecileRobertMichon
force-pushed
the
fix-certificate-auth
branch
from
ba1be3d to
22e97ba
Compare
|
lgtm |
|
|
||
| // IdentityType represents different types of identities. | ||
| // +kubebuilder:validation:Enum=ServicePrincipal;ManualServicePrincipal;UserAssignedMSI | ||
| // +kubebuilder:validation:Enum=ServicePrincipal;ManualServicePrincipal;ServicePrincipalCertificate |
There was a problem hiding this comment.
this looks like a breaking change, is that intended/allowed?
There was a problem hiding this comment.
It technically breaking but in practice, no one should be broken by the change. Right now if you set it to UserAssignedMSI it won't work and just throw a validation error in the controller. It has never been supported and there is an issue to add support for it (planning on working on that next). I could leave it as-is but IMO this is an improvement as it's better to fail the user right away if they try to use an unsupported value than to let them create the resource and later fail in the controller.
CecileRobertMichon
force-pushed
the
fix-certificate-auth
branch
from
22e97ba to
42c829a
Compare
|
/assign @mboersma |
| // AzureClusterIdentitySpec defines the parameters that are used to create an AzureIdentity. | ||
| type AzureClusterIdentitySpec struct { | ||
| // UserAssignedMSI or Service Principal | ||
| // Type is the type of Azure Identity used. |
There was a problem hiding this comment.
| // Type is the type of Azure Identity used. | |
| // IdentityType is the type of Azure Identity used. |
Although since this field is just type in its JSON representation, making this a proper Go comment here will create a naming discrepancy in the generated CRD description. I still think that would be more correct, but I am not invested in this change. 😄
There was a problem hiding this comment.
Type is the name of the field too... IdentityType is the type of the field (this is confusing!) :D
So I think Type is more correct
There was a problem hiding this comment.
You're right--so hard to read when things "stutter" like that.
k8s-ci-robot
added
the
lgtm
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mboersma The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
5 participants
What type of PR is this?
/kind feature
What this PR does / why we need it: This fixes Certificate auth for AAD pod identity. It was already supported according to docs but never worked properly https://capz.sigs.k8s.io/topics/multitenancy.html#service-principal-identity.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #2250
Special notes for your reviewer:
Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.
TODOs:
Release note: