AKS Installer: Support Azure Managed Identity instead of using AD Service Principal

[MitchellGerdisch]

Hello!

• Vote on this issue by adding a 👍 reaction
• If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

Some users do not have permission to create AD service principals and instead the organization uses Azure managed identity. The AKS installation should support Azure managed identity as an option.

Affected area/feature

AKS Self-Hosted Installer

[techgeek03]

At the moment the self-hosted installers for AKS use Azure AD service principal as identity. Service principals have several known limitations:

• They need to be manually provisioned; and as such require permissions in Azure AD
• The service principal passwords expires and as such it need to be renewed which posses operational challenge. Instead the AKS cluster can be provisioned with managed identity. https://docs.microsoft.com/en-us/azure/aks/use-managed-identity

[phillipedwards]

@MitchellGerdisch this seems like a good idea, however, is it clear how the Pulumi Service would assume/obtain the managed credentials needed to interact w/ Azure services? Currently, those values are being passed to the API deployment.

My concern is the managed credentials need to be refreshed periodically and the API would need to be aware of that.