Merge branch 'main' into aamgayle/managedBySPCLabels

Azure · Oct 16, 2023 · 8a75055 · 8a75055
2 parents 30c1162 + 2767966
commit 8a75055
Show file tree

Hide file tree

Showing 20 changed files with 286 additions and 72 deletions.
diff --git a/.env.example b/.env.example
@@ -2,4 +2,5 @@
 
 TENANT_ID=<azure_tenant_id>
 SUBSCRIPTION_ID=<azure_subscription id>
-INFRA_NAMES="basic cluster"
+INFRA_NAMES="basic cluster"
+SERVICE_PRINCIPAL_APP_OBJ_ID=<azure_app_registration_object_id>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,11 +5,23 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.0.5] - 2023-10-13
+
+### Added
+
+- Improved logging across entire operator - [#110](https://github.com/Azure/aks-app-routing-operator/pull/110)
+
+### Changed
+
+- Upgrade NGINX Ingress Controller to v1.8.4 - [#113](https://github.com/Azure/aks-app-routing-operator/pull/113)
+
+
 ## [0.0.4] - 2023-10-05
 
 ### Added
 
 - Improved error logging - [#97](https://github.com/Azure/aks-app-routing-operator/pull/97)
+- Improved E2E testing framework that tests upgrade story and all operator configurations - [#79](https://github.com/Azure/aks-app-routing-operator/pull/79), [#90](https://github.com/Azure/aks-app-routing-operator/pull/90), [#95](https://github.com/Azure/aks-app-routing-operator/pull/95), [#98](https://github.com/Azure/aks-app-routing-operator/pull/98), [#100](https://github.com/Azure/aks-app-routing-operator/pull/100), [#104](https://github.com/Azure/aks-app-routing-operator/pull/104)
 
 ### Changed
 

diff --git a/docs/e2e.md b/docs/e2e.md
@@ -49,6 +49,17 @@ Infrastructures are defined in [/testing/e2e/infra/infras.go](../testing/e2e/inf
 
 Tests are defined in [/testing/e2e/suites/](../testing/e2e/suites/). Add any new tests here. [This](../testing/e2e/suites/basic.go) is a good reference for defining a test. Be sure to add any new suites to the [all function](../testing/e2e/suites/all.go) so that they are run.
 
+### Environment Variables
+The `SERVICE_PRINCIPAL_APP_OBJ_ID` environment variable is used for the Service Principal Cluster Infrastructure.
+
+In order to avoid waiting for the lengthy (>30min) Service Principal propagation process, this value is passed to re-use an existing App Registration and its associated Service Principal.
+
+As App Registrations are a tenant-level resource, it shouldn't be necessary to create a new App Registration except when running e2e in a new tenant.
+
+An `aks-approuting-e2e` App Registration should already exist, and can be searched by name in the portal for public cloud testing.
+
+New App Registrations can be made in the portal, and then the Object ID can be found in the App Registration's Overview page. Note that this is not the same as the Object ID of the associated Service Principal.
+
 ## GitHub Runner
 
 We use GitHub workflows to run and require passing E2E tests on every PR. 

diff --git a/go.mod b/go.mod
@@ -20,7 +20,6 @@ require (
 	k8s.io/client-go v0.28.1
 	k8s.io/klog/v2 v2.100.1
 	sigs.k8s.io/controller-runtime v0.16.0
-	sigs.k8s.io/e2e-framework v0.3.0
 	sigs.k8s.io/secrets-store-csi-driver v1.3.4
 )
 
@@ -54,7 +53,6 @@ require (
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
-	github.com/moby/spdystream v0.2.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect

diff --git a/go.sum b/go.sum
@@ -20,7 +20,6 @@ github.com/Azure/secrets-store-csi-driver-provider-azure v1.4.1 h1:24/mZ06Uzu8Ek
 github.com/Azure/secrets-store-csi-driver-provider-azure v1.4.1/go.mod h1:xUXKV8vOut59vIrFhyEY+4PgiK2LXkP10BtI+2y8VXM=
 github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=
 github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df h1:7RFfzj4SSt6nnvCPbCqijJi1nWCd+TqAT3bYCStRC18=
-github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef h1:46PFijGLmAjMPwCCCo7Jf0W6f9slllCkkv7vyc1yOSg=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A=
@@ -85,7 +84,6 @@ github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/
 github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec=
 github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4=
 github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92BcuyuQ/YW4NSIpoGtfXNho=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0 h1:BZHcxBETFHIdVyhyEfOvn/RdU/QGdLI4y34qQGjGWO0=
@@ -115,8 +113,6 @@ github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
 github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
-github.com/moby/spdystream v0.2.0 h1:cjW1zVyyoiM0T7b6UoySUFqzXMoqRckQtXwGPiBhOM8=
-github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -159,7 +155,6 @@ github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o
 github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/vladimirvivien/gexe v0.2.0 h1:nbdAQ6vbZ+ZNsolCgSVb9Fno60kzSuvtzVh6Ytqi/xY=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
@@ -310,8 +305,6 @@ k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.2 h1:trsWhjU5jZrx6UvFu4WzQDrN7Pga4a7Qg+zcfcj64PA=
 sigs.k8s.io/controller-runtime v0.16.0 h1:5koYaaRVBHDr0LZAJjO5dWzUjMsh6cwa7q1Mmusrdvk=
 sigs.k8s.io/controller-runtime v0.16.0/go.mod h1:77DnuwA8+J7AO0njzv3wbNlMOnGuLrwFr8JPNwx3J7g=
-sigs.k8s.io/e2e-framework v0.3.0 h1:eqQALBtPCth8+ulTs6lcPK7ytV5rZSSHJzQHZph4O7U=
-sigs.k8s.io/e2e-framework v0.3.0/go.mod h1:C+ef37/D90Dc7Xq1jQnNbJYscrUGpxrWog9bx2KIa+c=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/secrets-store-csi-driver v1.3.4 h1:rCMOb2I4lJaN6sw0CjT6YHA8ts2yscWAOBGu0EaCIWk=

diff --git a/pkg/manifests/fixtures/nginx/full.json b/pkg/manifests/fixtures/nginx/full.json
@@ -509,7 +509,7 @@
             "containers": [
               {
                 "name": "controller",
-                "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.8.1",
+                "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.8.4",
                 "args": [
                   "/nginx-ingress-controller",
                   "--ingress-class=webapprouting.kubernetes.azure.com",

diff --git a/pkg/manifests/fixtures/nginx/internal.json b/pkg/manifests/fixtures/nginx/internal.json
@@ -509,7 +509,7 @@
             "containers": [
               {
                 "name": "controller",
-                "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.8.1",
+                "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.8.4",
                 "args": [
                   "/nginx-ingress-controller",
                   "--ingress-class=nginx-private",

diff --git a/pkg/manifests/fixtures/nginx/kube-system.json b/pkg/manifests/fixtures/nginx/kube-system.json
@@ -431,7 +431,7 @@
             "containers": [
               {
                 "name": "controller",
-                "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.8.1",
+                "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.8.4",
                 "args": [
                   "/nginx-ingress-controller",
                   "--ingress-class=webapprouting.kubernetes.azure.com",

diff --git a/pkg/manifests/fixtures/nginx/no-ownership.json b/pkg/manifests/fixtures/nginx/no-ownership.json
@@ -445,7 +445,7 @@
             "containers": [
               {
                 "name": "controller",
-                "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.8.1",
+                "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.8.4",
                 "args": [
                   "/nginx-ingress-controller",
                   "--ingress-class=webapprouting.kubernetes.azure.com",

diff --git a/pkg/manifests/fixtures/nginx/optional-features-disabled.json b/pkg/manifests/fixtures/nginx/optional-features-disabled.json
@@ -444,7 +444,7 @@
             "containers": [
               {
                 "name": "controller",
-                "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.8.1",
+                "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.8.4",
                 "args": [
                   "/nginx-ingress-controller",
                   "--ingress-class=webapprouting.kubernetes.azure.com",

diff --git a/pkg/manifests/nginx.go b/pkg/manifests/nginx.go
@@ -23,7 +23,7 @@ import (
 )
 
 const (
-	controllerImageTag = "v1.8.1"
+	controllerImageTag = "v1.8.4"
 	prom               = "prometheus"
 )
 

diff --git a/testing/e2e/clients/aks.go b/testing/e2e/clients/aks.go
@@ -9,15 +9,16 @@ import (
 	"fmt"
 	"os"
 
+	"golang.org/x/exp/slices"
+	"golang.org/x/sync/errgroup"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
 	"github.com/Azure/aks-app-routing-operator/testing/e2e/logger"
 	"github.com/Azure/aks-app-routing-operator/testing/e2e/manifests"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v2"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork"
 	"github.com/Azure/go-autorest/autorest/azure"
-	"golang.org/x/exp/slices"
-	"golang.org/x/sync/errgroup"
-	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 var (
@@ -38,6 +39,21 @@ type aks struct {
 	options                             map[string]struct{}
 }
 
+// ServicePrincipal represents all the information needed to use a service principal including
+// a fresh set of credentials and the associated application and service principal object ids.
+// This representation is intended as read-only as in most cases only one ID is needed to retrieve
+// the rest of the information for testing purposes.
+type ServicePrincipal struct {
+	// ApplicationObjectID is Object ID of the application associated with the service principal
+	ApplicationObjectID          string 
+	// ApplicationClientID is the Client ID of the application and service principal (also called AppID of the service principal)
+	ApplicationClientID          string 
+	// ServicePrincipalObjectID is Object ID of the service principal
+	ServicePrincipalObjectID     string 
+	// ServicePrincipalCredPassword is a generated password credential for the application associated with the service principal
+	ServicePrincipalCredPassword string 
+}
+
 // McOpt specifies what kind of managed cluster to create
 type McOpt struct {
 	Name string
@@ -90,7 +106,9 @@ func LoadAks(id azure.Resource, dnsServiceIp, location, principalId, clientId st
 	}
 }
 
-func NewAks(ctx context.Context, subscriptionId, resourceGroup, name, location string, mcOpts ...McOpt) (*aks, error) {
+// NewAks creates a new AKS cluster
+// spOpts is optional, if nil then the cluster will use MSI
+func NewAks(ctx context.Context, subscriptionId, resourceGroup, name, location string, spOpts *ServicePrincipal, mcOpts ...McOpt) (*aks, error) {
 	lgr := logger.FromContext(ctx).With("name", name, "resourceGroup", resourceGroup, "location", location)
 	ctx = logger.WithContext(ctx, lgr)
 	lgr.Info("starting to create aks")
@@ -108,9 +126,6 @@ func NewAks(ctx context.Context, subscriptionId, resourceGroup, name, location s
 
 	mc := armcontainerservice.ManagedCluster{
 		Location: to.Ptr(location),
-		Identity: &armcontainerservice.ManagedClusterIdentity{
-			Type: to.Ptr(armcontainerservice.ResourceIdentityTypeSystemAssigned),
-		},
 		Properties: &armcontainerservice.ManagedClusterProperties{
 			DNSPrefix:         to.Ptr("approutinge2e"),
 			NodeResourceGroup: to.Ptr(truncate("MC_"+name, 80)),
@@ -133,6 +148,18 @@ func NewAks(ctx context.Context, subscriptionId, resourceGroup, name, location s
 		},
 	}
 
+	// apply service principal
+	if spOpts != nil {
+		mc.Properties.ServicePrincipalProfile = &armcontainerservice.ManagedClusterServicePrincipalProfile{
+			ClientID: to.Ptr(spOpts.ApplicationClientID),
+			Secret:   to.Ptr(spOpts.ServicePrincipalCredPassword),
+		}
+	}else{
+		mc.Identity= &armcontainerservice.ManagedClusterIdentity{
+			Type: to.Ptr(armcontainerservice.ResourceIdentityTypeSystemAssigned),
+		}
+	}
+
 	options := make(map[string]struct{})
 	for _, opt := range mcOpts {
 		if err := opt.fn(&mc); err != nil {
@@ -141,6 +168,9 @@ func NewAks(ctx context.Context, subscriptionId, resourceGroup, name, location s
 
 		options[opt.Name] = struct{}{}
 	}
+	if mc.Properties.IdentityProfile != nil && mc.Properties.ServicePrincipalProfile != nil {
+		return nil, fmt.Errorf("cluster has both identity profile and service principal profile, must only have one identity type")
+	}
 
 	poll, err := factory.NewManagedClustersClient().BeginCreateOrUpdate(ctx, resourceGroup, name, mc, nil)
 	if err != nil {
@@ -157,8 +187,9 @@ func NewAks(ctx context.Context, subscriptionId, resourceGroup, name, location s
 	if result.ManagedCluster.Properties == nil {
 		return nil, fmt.Errorf("managed cluster properties is nil")
 	}
-	if result.ManagedCluster.Properties.IdentityProfile == nil {
-		return nil, fmt.Errorf("managed cluster identity profile is nil")
+	// cluster must use either MSI or Service Principal
+	if result.ManagedCluster.Properties.IdentityProfile == nil && result.ManagedCluster.Properties.ServicePrincipalProfile == nil {
+		return nil, fmt.Errorf("cluster has no identity type since identity profile and service principal profile are nil")
 	}
 	if result.ManagedCluster.Name == nil {
 		return nil, fmt.Errorf("managed cluster name is nil")
@@ -167,29 +198,45 @@ func NewAks(ctx context.Context, subscriptionId, resourceGroup, name, location s
 		return nil, fmt.Errorf("dns service ip is nil")
 	}
 
-	identity, ok := result.Properties.IdentityProfile["kubeletidentity"]
-	if !ok {
-		return nil, fmt.Errorf("kubelet identity not found")
+	// validate MSI when not using Service Principal
+	var identity *armcontainerservice.UserAssignedIdentity
+	var principalID, clientID string
+	isMSICluster := spOpts == nil
+	if isMSICluster {
+		ok := false // avoid shadowing
+		identity, ok = result.Properties.IdentityProfile["kubeletidentity"]
+		if !ok {
+			return nil, fmt.Errorf("kubelet identity not found")
+		}
+		if identity.ObjectID == nil {
+			return nil, fmt.Errorf("kubelet identity object id is nil")
+		}
+		if identity.ClientID == nil {
+			return nil, fmt.Errorf("kubelet identity client id is nil")
+		}
+		principalID = *identity.ObjectID
+		clientID = *identity.ClientID
+	} else {
+		principalID = spOpts.ServicePrincipalObjectID
 	}
 
-	if identity.ObjectID == nil {
-		return nil, fmt.Errorf("kubelet identity object id is nil")
-	}
-	if identity.ClientID == nil {
-		return nil, fmt.Errorf("kubelet identity client id is nil")
+	// final principal id validation to be safe
+	if principalID == "" {
+		return nil, fmt.Errorf("principal id is empty")
 	}
 
-	return &aks{
+	cluster := &aks{
 		name:           *result.ManagedCluster.Name,
 		subscriptionId: subscriptionId,
 		resourceGroup:  resourceGroup,
 		id:             *result.ManagedCluster.ID,
 		dnsServiceIp:   *result.Properties.NetworkProfile.DNSServiceIP,
 		location:       location,
-		principalId:    *identity.ObjectID,
-		clientId:       *identity.ClientID,
+		principalId:    principalID,
+		clientId:       clientID,
 		options:        options,
-	}, nil
+	}
+	return cluster, nil
 }
 
 func (a *aks) Deploy(ctx context.Context, objs []client.Object) error {

diff --git a/testing/e2e/clients/application.go b/testing/e2e/clients/application.go
@@ -0,0 +1,58 @@
+package clients
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/Azure/aks-app-routing-operator/pkg/util"
+	"github.com/Azure/aks-app-routing-operator/testing/e2e/logger"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
+	msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
+	graphapplications "github.com/microsoftgraph/msgraph-sdk-go/applications"
+	graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
+)
+
+// GetServicePrincipalOptions populates a new ServicePrincipalOptions struct with fresh credentials and application/client/servicePrincipal object ids
+func GetServicePrincipalOptions(ctx context.Context, applicationObjectID string, credName string) (*ServicePrincipal, error) {
+	lgr := logger.FromContext(ctx)
+	lgr.Info(fmt.Sprintf("getting application with object id %s", applicationObjectID))
+
+	cred, err := getAzCred()
+	scopes := []string{"https://graph.microsoft.com/.default"}
+	graphClient, err := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)
+	if err != nil {
+		return nil, fmt.Errorf("creating graph client: %w", err)
+	}
+
+	getAppResponse, err := graphClient.Applications().ByApplicationId(applicationObjectID).Get(ctx, nil)
+	if err != nil {
+		return nil, fmt.Errorf("getting application with object id %s: %w", applicationObjectID, err)
+	}
+
+	// add new password credential
+	addPasswordReq := graphapplications.NewItemAddPasswordPostRequestBody()
+	newCreds := graphmodels.NewPasswordCredential()
+	newCreds.SetDisplayName(util.StringPtr(credName))
+	newCreds.SetEndDateTime(to.Ptr(time.Now().Add(2 * time.Hour)))
+	addPasswordReq.SetPasswordCredential(newCreds)
+	addPasswordCredResp, err := graphClient.Applications().ByApplicationId(applicationObjectID).AddPassword().Post(ctx, addPasswordReq, nil)
+	if err != nil {
+		return nil, fmt.Errorf("adding password to application: %w", err)
+	}
+	lgr.Info(fmt.Sprintf("added password with display name %s: ", *addPasswordCredResp.GetDisplayName()))
+
+	// get service principal object id
+	sp, err := graphClient.ServicePrincipalsWithAppId(getAppResponse.GetAppId()).Get(ctx, nil)
+	if err != nil {
+		return nil, fmt.Errorf("getting service principal: %w", err)
+	}
+
+	spOpt := &ServicePrincipal{
+		ApplicationObjectID:          *getAppResponse.GetId(),
+		ApplicationClientID:          *getAppResponse.GetAppId(),
+		ServicePrincipalObjectID:     *sp.GetId(),
+		ServicePrincipalCredPassword: *addPasswordCredResp.GetSecretText(),
+	}
+	return spOpt, nil
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -23,7 +23,7 @@ import ( @@
     )
     const (
-    	controllerImageTag = "v1.8.1"
+    	controllerImageTag = "v1.8.4"
     	prom               = "prometheus"
     )
@@ Expand Down @@