kubernetes-sigs / cluster-api-provider-azure

Cluster API implementation for Microsoft Azure
https://capz.sigs.k8s.io/
Apache License 2.0

Support Client Certificate authentication for CAPZ #778

Closed snehala27 closed 3 years ago

snehala27 commented 4 years ago

/kind feature

Describe the solution you'd like

Currently CAPZ supports authentication only via client secrets: https://github.com/kubernetes-sigs/cluster-api-provider-azure/blob/master/config/default/credentials.yaml The combination of ClientCertificate and CertPassword should also be supported.

Anything else you would like to add:

Cloud Provider already supports all auth types: https://github.com/kubernetes-sigs/cloud-provider-azure/blob/e39d48d4ea0db59724f7c7a9c4e5fba4027b13a1/docs/cloud-provider-config.md

Environment:

devigned commented 4 years ago

This configuration is not documented currently, but if the certificate password and certificate file were available to the controller, I believe the Azure Golang SDK would use them. Right now, we only use CLIENT_ID and SECRET env vars.

alexeldeib commented 4 years ago

The SDK can handle it, but we need to update our logic a bit to allow alternate sources: https://github.com/kubernetes-sigs/cluster-api-provider-azure/blob/387db5a07600fdab823a56da465cbaa355deabeb/cloud/scope/clients.go#L52-L59

GetAuthorizerFromEnvironment() will try all the options IIRC, not sure if it does the correct ordering we want.

devigned commented 4 years ago

Indeed. The SDK will check all options if using GetAuthorizerFromEnvironment. Since a controller only has one identity, the only thing that can currently change is the subscription. It should make it a little easier I think.

This logic will also need to change when we implement #586. With #586, we'll probably move an identity reference to the AzureCluster, which will be used as the AAD Identity to provision that AzureCluster.
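The precedence question raised above (which credential type `GetAuthorizerFromEnvironment` picks when several are configured) can be checked before a controller is deployed. The following is an added example, not CAPZ or go-autorest code; it assumes the ordering used by go-autorest's `EnvironmentSettings.GetAuthorizer` at the time (client secret, then client certificate, then username/password, then managed identity) and the `AZURE_*` variable names that package reads.

```go
package main

import "fmt"

// Credential types in the order go-autorest's EnvironmentSettings.GetAuthorizer
// tries them (an assumption drawn from that era's auth package): secret, then
// certificate, then username/password, then managed identity. The first type
// whose variables are all set wins; anything configured after it is silently skipped.
var credentialOrder = []struct {
	kind string
	vars []string
}{
	{"client-secret", []string{"AZURE_CLIENT_SECRET"}},
	{"client-certificate", []string{"AZURE_CERTIFICATE_PATH"}}, // AZURE_CERTIFICATE_PASSWORD is optional
	{"username-password", []string{"AZURE_USERNAME", "AZURE_PASSWORD"}},
}

// SelectCredential mirrors that precedence over a snapshot of environment
// variables and also reports every configured type the SDK would ignore, so an
// ambiguous controller environment (secret and certificate both set) is visible.
// Every non-MSI type also needs AZURE_CLIENT_ID and AZURE_TENANT_ID.
func SelectCredential(env map[string]string) (chosen string, ignored []string, err error) {
	for _, c := range credentialOrder {
		switch {
		case !allSet(env, c.vars):
			continue
		case chosen == "":
			chosen = c.kind
		default:
			ignored = append(ignored, c.kind)
		}
	}
	if chosen == "" {
		chosen = "managed-identity" // MSI needs no explicit client/tenant id
	} else if !allSet(env, []string{"AZURE_CLIENT_ID", "AZURE_TENANT_ID"}) {
		err = fmt.Errorf("%s requires AZURE_CLIENT_ID and AZURE_TENANT_ID", chosen)
	}
	return chosen, ignored, err
}

// allSet reports whether every listed variable is present and non-empty.
func allSet(env map[string]string, keys []string) bool {
	for _, k := range keys {
		if env[k] == "" {
			return false
		}
	}
	return true
}
```

A non-empty `ignored` list means the controller would authenticate with a different credential than the one an operator intended to switch to, which is the case to catch when moving from secret to certificate auth.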

alexeldeib commented 4 years ago

Going to assign this to David since he's working on multitenancy which will directly affect the authorizer setup for this

/assign @devigned

devigned commented 4 years ago

/milestone v0.4.10
/assign @nader-ziada

This will be included when using AAD pod identity.

nader-ziada commented 3 years ago

fixed as part of #977 since aad-pod-identity already supports that and it's mentioned in the docs https://github.com/kubernetes-sigs/cluster-api-provider-azure/blob/master/docs/book/src/topics/multitenancy.md

/close

k8s-ci-robot commented 3 years ago

@nader-ziada: Closing this issue.

In response to [this](https://github.com/kubernetes-sigs/cluster-api-provider-azure/issues/778#issuecomment-753989369):

> fixed as part of #977 since aad-pod-identity already supports that and it's mentioned in the docs https://github.com/kubernetes-sigs/cluster-api-provider-azure/blob/master/docs/book/src/topics/multitenancy.md
>
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.