Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add the ability to auth via certs without storing them in etcd secret #5200

Merged
merged 2 commits into from
Nov 1, 2024
Merged

Add the ability to auth via certs without storing them in etcd secret #5200

merged 2 commits into from
Nov 1, 2024
+162 −27

Conversation

bryan-cox
Copy link
Contributor

@bryan-cox bryan-cox commented Oct 23, 2024
edited
Loading

What type of PR is this?
/kind feature

What this PR does / why we need it:
Allows Service Principal with Certificate authentication to work with a path to the certificate rather than reading it from a k8s secret. This allows one to use the Secret Store CSI driver to mount a certificate from Azure Key Vault into a volume and pass that path to AzureClusterIdentity.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #5198

Special notes for your reviewer:

  • cherry-pick candidate

TODOs:

  • squashed commits
  • includes documentation
  • adds unit tests

Release note:

Allows Service Principal with Certificate authentication to work with a path to the certificate.

Sorry, something went wrong.

@k8s-ci-robot k8s-ci-robot added do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Oct 23, 2024
@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Oct 23, 2024
@k8s-ci-robot
Copy link
Contributor

Hi @bryan-cox. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Oct 23, 2024
@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Oct 23, 2024
@bryan-cox
Copy link
Contributor Author

/ok-to-test

@k8s-ci-robot
Copy link
Contributor

@bryan-cox: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/ok-to-test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Oct 23, 2024
@bryan-cox bryan-cox force-pushed the client-cert branch 2 times, most recently from 1096ad3 to 6e42996 Compare October 23, 2024 11:03
@bryan-cox bryan-cox mentioned this pull request Oct 23, 2024
Closed
4 tasks
@enxebre
Copy link
Member

enxebre commented Oct 23, 2024

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Oct 23, 2024
@enxebre
Copy link
Member

enxebre commented Oct 23, 2024

cc @jackfrancis @mboersma

@codecov Codecov
Copy link

codecov bot commented Oct 23, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 52.63158% with 18 lines in your changes missing coverage. Please review.

Project coverage is 53.01%. Comparing base (9ba44ee) to head (a32c54f).
Report is 36 commits behind head on main.

Files with missing lines Patch % Lines
azure/scope/identity.go 35.71% 8 Missing and 1 partial ⚠️
controllers/asosecret_controller.go 62.50% 7 Missing and 2 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #5200      +/-   ##
==========================================
+ Coverage   52.66%   53.01%   +0.35%     
==========================================
  Files         273      273              
  Lines       29189    29243      +54     
==========================================
+ Hits        15371    15504     +133     
+ Misses      13029    12936      -93     
- Partials      789      803      +14

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@bryan-cox
Copy link
Contributor Author

/retest

@bryan-cox
Copy link
Contributor Author

/test pull-cluster-api-provider-azure-e2e-aks

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 29, 2024
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: 45564ea329fd0e58a9356f8a213b41be662bb2cb

@mboersma mboersma added kind/feature Categorizes issue or PR as related to a new feature. and removed cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Oct 29, 2024
willie-yao
willie-yao reviewed Oct 29, 2024
View reviewed changes
controllers/asosecret_controller.go
if err != nil {
return nil, errors.Wrap(err, "failed to fetch AzureClusterIdentity secret")
}
if identity.Spec.CertPath != "" {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are you able to add a test case or two to asosecret_controller_test.go for this case when CertPath is specified?

Copy link
Contributor Author

@bryan-cox bryan-cox Oct 30, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good call. I added a test which found a minor error. Service Principal with Certificate was expected to have a client secret here. That's been fixed in this PR. Client Secret isn't needed with using Certificate (see this in the Azure SDK as an example).

@k8s-triage-robot
Copy link

Unknown CLA label state. Rechecking for CLA labels.

Send feedback to sig-contributor-experience at kubernetes/community.

/check-cla
/easycla

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Oct 29, 2024
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 30, 2024
@k8s-ci-robot k8s-ci-robot requested a review from mboersma October 30, 2024 14:35
@enxebre @bryan-cox
Add the ability to auth via certs without storing them in etcd secret
Loading
Loading status checks…
a32c54f 
Signed-off-by: Bryan Cox <brcox@redhat.com>
willie-yao
willie-yao approved these changes Oct 31, 2024
View reviewed changes
Copy link
Contributor

@willie-yao willie-yao left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/assign @mboersma

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 31, 2024
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: 2c8b293fc0e4c21722f0057e75c4bd523871760e

mboersma
mboersma approved these changes Oct 31, 2024
View reviewed changes
Copy link
Contributor

@mboersma mboersma left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

Thanks @bryan-cox!

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mboersma

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 31, 2024
@k8s-ci-robot
Copy link
Contributor

@bryan-cox: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-cluster-api-provider-azure-e2e-aks a32c54f link unknown /test pull-cluster-api-provider-azure-e2e-aks

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@bryan-cox
Copy link
Contributor Author

/retest

@k8s-ci-robot k8s-ci-robot merged commit 720509a into kubernetes-sigs:main Nov 1, 2024
21 of 22 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.18 milestone Nov 1, 2024
@enxebre
Copy link
Member

enxebre commented Nov 4, 2024

/cherry-pick release-1.17

@k8s-infra-cherrypick-robot
Copy link

@enxebre: new pull request created: #5234

In response to this:

/cherry-pick release-1.17

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-infra-cherrypick-robot k8s-infra-cherrypick-robot mentioned this pull request Nov 4, 2024
Closed
This was referenced Nov 11, 2024
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nojnhuh nojnhuh

@mboersma mboersma

@willie-yao willie-yao

@jackfrancis jackfrancis

Assignees

@mboersma mboersma

@willie-yao willie-yao

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
CAPZ Planning
Status: Done
Milestone
v1.18
Development

Successfully merging this pull request may close these issues.

Auth via certs with Azure Key Vault provider for Secrets Store CSI Driver
8 participants
@bryan-cox @k8s-ci-robot @enxebre @k8s-triage-robot @k8s-infra-cherrypick-robot @mboersma @nojnhuh @willie-yao