azure: Add client certification to terraform #6250

rna-afk · 2022-08-22T16:10:40Z

Adding the option for the users to authenticate using client
certificates instead of client secrets if they want. The certs
field is already in the osServicePrincipal.json and has to be set
for Azure SDK authentication. Terraform expects two extra fields
to be set for authentication and is added here.

rna-afk · 2022-08-22T20:44:16Z

/test unit
/test e2e-azure
/test e2e-azure-resourcegroup
/test gofmt
/test golint
/test govet

patrickdillon · 2022-08-23T01:03:52Z

This looks great. A couple of questions/notes:

How is the cert passed in ~/.azure/osServicePrincipal.json: is it just the path or are the cert contents in the file?
We need to figure out the story for the cluster secret. The CCO does not support a cluster secret with a cert. So perhaps the best we can do is skip creating the cluster secret when authenticating with a certificate.

@2uasimojo @akhil-rane @abutcher @jharrington22 @wking have all been discussing how to handle setting the cluster secret and it will require some fiddling with manifests.

I have been trying to think of a way that the installer could authenticate with certs and still write the client secret without it being too hacky:

Perhaps we allow environment-variable based authentication for authenticating the installer/terraform with a cert and then continue to pass the cluster secret in ~/.azure/osServicePrincipal.json. What do you think of that idea?

rna-afk · 2022-08-24T13:28:59Z

/test golint
/test govet
/test unit
/test e2e-azure

rna-afk · 2022-08-24T20:08:38Z

/test golint
/test gofmt
/test unit
/test images
/test shellcheck
/test e2e-azure
/test tf-fmt
/test verify-vendor
/test verify-codegen

rna-afk · 2022-08-25T14:46:39Z

/test e2e-azure

s-amann

please see comment regarding duplicate code, and my one open question.

pkg/asset/installconfig/azure/session.go

jharrington22

@rna-afk thanks for this, I had some folks review this that are closer to the authorizer work in the ARO RP and they have a few comments that we should address before merging cc/ @patrickdillon

patrickdillon · 2022-08-26T15:34:26Z

@2uasimojo @akhil-rane @jharrington22

Because we can't create a cluster secret from a cert, we have added validation to enforce that this can only be run with manual mode:
352697f#diff-13678451d1af92fb770a62f31468daf0ca9e946ac5c707692c131a059c6ee767R95-R97

My understanding here is that this will only prevent the installer from laying down a cluster secret, users should still be able to edit manifests to provide a secret and set the CCO to the desired mode (i.e. I do not think this validatoin enforces the CCO to run in manual mode).

This seems like the simplest approach. I am still open to the idea of allowing both sets of creds to be supplied directly to the installer, but this seems like the simplest solution ATM.

rna-afk · 2022-08-26T18:59:13Z

/retest-required

rna-afk · 2022-08-26T19:10:16Z

/retest-required

rna-afk · 2022-08-29T15:41:45Z

/retest

rna-afk · 2022-09-12T18:53:48Z

/test e2e-azure

openshift-ci · 2022-09-12T18:53:52Z

@rna-afk: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

/test aro-unit
/test e2e-aws-ovn
/test e2e-aws-ovn-upi
/test e2e-azure-ovn
/test e2e-azure-ovn-upi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upi
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-upi
/test gofmt
/test golint
/test govet
/test images
/test okd-images
/test okd-unit
/test okd-verify-codegen
/test openstack-manifests
/test shellcheck
/test tf-lint
/test unit
/test verify-codegen
/test verify-vendor
/test yaml-lint

The following commands are available to trigger optional jobs:

/test e2e-alibaba
/test e2e-aws-disruptive
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-imdsv2
/test e2e-aws-ovn-proxy
/test e2e-aws-ovn-shared-vpc
/test e2e-aws-ovn-single-node
/test e2e-aws-upgrade
/test e2e-aws-upi-proxy
/test e2e-aws-workers-rhel8
/test e2e-azure-ovn-resourcegroup
/test e2e-azure-ovn-shared-vpc
/test e2e-azurestack
/test e2e-azurestack-upi
/test e2e-crc
/test e2e-gcp-ovn-shared-vpc
/test e2e-gcp-upgrade
/test e2e-gcp-upi-xpn
/test e2e-ibmcloud-ovn
/test e2e-libvirt
/test e2e-metal-assisted
/test e2e-metal-ipi
/test e2e-metal-ipi-ovn-dualstack
/test e2e-metal-ipi-swapped-hosts
/test e2e-metal-ipi-virtualmedia
/test e2e-metal-single-node-live-iso
/test e2e-nutanix
/test e2e-openstack
/test e2e-openstack-kuryr
/test e2e-openstack-parallel
/test e2e-openstack-proxy
/test e2e-openstack-upi
/test e2e-ovirt
/test e2e-vsphere-zones
/test okd-e2e-aws-ovn
/test okd-e2e-aws-upgrade
/test okd-e2e-gcp
/test okd-e2e-gcp-ovn-upgrade
/test okd-e2e-vsphere
/test tf-fmt

Use /test all to run the following jobs that were automatically triggered:

pull-ci-openshift-installer-master-aro-unit
pull-ci-openshift-installer-master-e2e-aws-ovn
pull-ci-openshift-installer-master-e2e-azure-ovn
pull-ci-openshift-installer-master-e2e-azure-ovn-resourcegroup
pull-ci-openshift-installer-master-e2e-azure-ovn-shared-vpc
pull-ci-openshift-installer-master-e2e-azurestack
pull-ci-openshift-installer-master-e2e-gcp-ovn
pull-ci-openshift-installer-master-e2e-ibmcloud-ovn
pull-ci-openshift-installer-master-e2e-libvirt
pull-ci-openshift-installer-master-e2e-metal-assisted
pull-ci-openshift-installer-master-e2e-metal-ipi
pull-ci-openshift-installer-master-e2e-openstack
pull-ci-openshift-installer-master-e2e-ovirt
pull-ci-openshift-installer-master-e2e-vsphere-ovn
pull-ci-openshift-installer-master-gofmt
pull-ci-openshift-installer-master-golint
pull-ci-openshift-installer-master-govet
pull-ci-openshift-installer-master-images
pull-ci-openshift-installer-master-okd-e2e-aws-ovn
pull-ci-openshift-installer-master-okd-e2e-gcp-ovn-upgrade
pull-ci-openshift-installer-master-okd-images
pull-ci-openshift-installer-master-okd-unit
pull-ci-openshift-installer-master-okd-verify-codegen
pull-ci-openshift-installer-master-shellcheck
pull-ci-openshift-installer-master-tf-fmt
pull-ci-openshift-installer-master-tf-lint
pull-ci-openshift-installer-master-unit
pull-ci-openshift-installer-master-verify-codegen
pull-ci-openshift-installer-master-verify-vendor
pull-ci-openshift-installer-master-yaml-lint

Details

In response to this:

/test e2e-azure

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

rna-afk · 2022-09-12T21:32:31Z

/test e2e-azure-ovn
/test e2e-azure-ovn-resourcegroup
/test e2e-azure-ovn-shared-vpc
/test images

rna-afk · 2022-09-13T13:55:50Z

/test images
/test e2e-azure-ovn
/test e2e-azure-ovn-resourcegroup
/test e2e-azure-ovn-shared-vpc

Adding the option for the users to authenticate using client certificates instead of client secrets if they want. The certs field is already in the osServicePrincipal.json and has to be set for Azure SDK authentication. Terraform expects two extra fields to be set for authentication and is added here.

There was a bug in the certs authorizer that was fixed in the Azure/auth v0.5.1. Updating the library version.

patrickdillon · 2022-09-14T01:25:35Z

/lgtm
/approve
/skip

openshift-ci · 2022-09-14T01:26:56Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: patrickdillon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [patrickdillon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

patrickdillon · 2022-09-14T01:28:03Z

/retest

openshift-ci-robot · 2022-09-14T02:50:28Z

/retest-required

Remaining retests: 0 against base HEAD 503e900 and 2 for PR HEAD ca66e04 in total

openshift-ci-robot · 2022-09-14T04:50:18Z

/retest-required

Remaining retests: 0 against base HEAD e2ec1e2 and 1 for PR HEAD ca66e04 in total

openshift-ci · 2022-09-14T08:05:51Z

@rna-afk: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-vsphere	`26a6917`	link	true	`/test e2e-vsphere`
ci/prow/e2e-aws	`26a6917`	link	true	`/test e2e-aws`
ci/prow/e2e-azure-shared-vpc	`26a6917`	link	false	`/test e2e-azure-shared-vpc`
ci/prow/e2e-ibmcloud	`26a6917`	link	false	`/test e2e-ibmcloud`
ci/prow/e2e-azure-ovn-resourcegroup	`ca66e04`	link	false	`/test e2e-azure-ovn-resourcegroup`
ci/prow/e2e-libvirt	`ca66e04`	link	false	`/test e2e-libvirt`
ci/prow/okd-e2e-gcp-ovn-upgrade	`ca66e04`	link	false	`/test okd-e2e-gcp-ovn-upgrade`
ci/prow/e2e-ibmcloud-ovn	`ca66e04`	link	false	`/test e2e-ibmcloud-ovn`
ci/prow/e2e-metal-assisted	`ca66e04`	link	false	`/test e2e-metal-assisted`
ci/prow/okd-e2e-aws-ovn	`ca66e04`	link	false	`/test okd-e2e-aws-ovn`
ci/prow/e2e-azurestack	`ca66e04`	link	false	`/test e2e-azurestack`
ci/prow/e2e-azure-ovn-shared-vpc	`ca66e04`	link	false	`/test e2e-azure-ovn-shared-vpc`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

openshift-ci bot requested review from jhixson74 and m1kola August 22, 2022 16:13

rna-afk force-pushed the azure-client-certs-auth branch 2 times, most recently from 4f7465d to d20a37a Compare August 23, 2022 18:21

rna-afk force-pushed the azure-client-certs-auth branch 2 times, most recently from dadbbf8 to bfc2c3f Compare August 24, 2022 16:33

rna-afk force-pushed the azure-client-certs-auth branch 2 times, most recently from f24e2b4 to 880bca6 Compare August 25, 2022 13:27

rna-afk force-pushed the azure-client-certs-auth branch 3 times, most recently from d46834f to cd12187 Compare August 25, 2022 19:12

s-amann suggested changes Aug 26, 2022

View reviewed changes

pkg/asset/installconfig/azure/session.go Outdated Show resolved Hide resolved

pkg/asset/installconfig/azure/session.go Outdated Show resolved Hide resolved

rna-afk force-pushed the azure-client-certs-auth branch 2 times, most recently from 67769b6 to 5c9a27a Compare August 26, 2022 14:10

bennerv suggested changes Aug 26, 2022

View reviewed changes

pkg/asset/installconfig/azure/session.go Outdated Show resolved Hide resolved

jharrington22 reviewed Aug 26, 2022

View reviewed changes

rna-afk force-pushed the azure-client-certs-auth branch 2 times, most recently from bac4441 to 1626f9d Compare August 26, 2022 15:09

openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 8, 2022

rna-afk force-pushed the azure-client-certs-auth branch from 1626f9d to 26a6917 Compare September 8, 2022 13:56

openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 8, 2022

rna-afk force-pushed the azure-client-certs-auth branch from 26a6917 to 449c561 Compare September 12, 2022 15:15

openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 13, 2022

rna-afk force-pushed the azure-client-certs-auth branch from dde171f to 2363e67 Compare September 13, 2022 14:00

openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 13, 2022

rna-afk force-pushed the azure-client-certs-auth branch from 2363e67 to fdd8b67 Compare September 13, 2022 15:58

vendor: go mod tidy and go mod vendor

ca66e04

There was a bug in the certs authorizer that was fixed in the Azure/auth v0.5.1. Updating the library version.

rna-afk force-pushed the azure-client-certs-auth branch from fdd8b67 to ca66e04 Compare September 13, 2022 16:24

openshift-ci bot assigned patrickdillon Sep 14, 2022

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Sep 14, 2022

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 14, 2022

openshift-merge-robot merged commit e005af1 into openshift:master Sep 14, 2022

r4f4 mentioned this pull request Feb 27, 2023

OCPBUGS-7860: azure: session: fix unclear auth error messages #6901

Merged

azure: Add client certification to terraform #6250

azure: Add client certification to terraform #6250

Uh oh!

Conversation

rna-afk commented Aug 22, 2022

Uh oh!

rna-afk commented Aug 22, 2022

Uh oh!

patrickdillon commented Aug 23, 2022

Uh oh!

rna-afk commented Aug 24, 2022

Uh oh!

rna-afk commented Aug 24, 2022

Uh oh!

rna-afk commented Aug 25, 2022

Uh oh!

s-amann left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

jharrington22 left a comment

Choose a reason for hiding this comment

Uh oh!

patrickdillon commented Aug 26, 2022

Uh oh!

rna-afk commented Aug 26, 2022

Uh oh!

rna-afk commented Aug 26, 2022

Uh oh!

rna-afk commented Aug 29, 2022

Uh oh!

rna-afk commented Sep 12, 2022

Uh oh!

openshift-ci bot commented Sep 12, 2022

Uh oh!

rna-afk commented Sep 12, 2022

Uh oh!

rna-afk commented Sep 13, 2022

Uh oh!

patrickdillon commented Sep 14, 2022

Uh oh!

openshift-ci bot commented Sep 14, 2022

Uh oh!

patrickdillon commented Sep 14, 2022

Uh oh!

openshift-ci-robot commented Sep 14, 2022

Uh oh!

openshift-ci-robot commented Sep 14, 2022

Uh oh!

openshift-ci bot commented Sep 14, 2022

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants