Allow authentication with Azure Workload Identity for ASO

[adriananeci]

What type of PR is this?
/kind feature

/kind feature

What this PR does / why we need it:

AzureClusterIdentity resources specifying type: WorkloadIdentity should configure ASO to use the same Workload Identity parameters for authentication when interacting with resources for clusters associated with that AzureClusterIdentity.

This PR explicitly handles the AzureClusterIdentity of type WorkloadIdentity while generating the ASO secrets.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):

Fixes #3732

Special notes for your reviewer:

Workload ID setup might be needed for the CI setup

TODOs:

• squashed commits
• includes documentation
• adds unit tests

Release note:

NONE

[k8s-ci-robot]

Hi @adriananeci. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[adriananeci]

/assign @nojnhuh

[nojnhuh]

/ok-to-test

[nojnhuh]

Sorry I may have stepped on your toes a bit with #3846. I put a hold on that PR so we can decide which route to take, but I like this approach a bit better since the WorkloadIdentity type is mentioned and doesn't do the extra API call even if spec.clientSecret is specified anyway (like it is currently in CI).

Let's also be sure to keep tabs on #3770 and add docs about authorizing the azureserviceoperator-default ServiceAccount after that PR lands, either in this PR or as a follow-up.

/test pull-cluster-api-provider-azure-e2e-optional
^ For the WorkloadIdentity test. Everything should already be set up in CI.

[codecov]

Codecov Report

Patch coverage: 80.00% and project coverage change: -0.02% ⚠️

Comparison is base (ae545c2) 55.54% compared to head (b017ee3) 55.53%.
Report is 14 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3851      +/-   ##
==========================================
- Coverage   55.54%   55.53%   -0.02%     
==========================================
  Files         188      189       +1     
  Lines       19441    19353      -88     
==========================================
- Hits        10799    10747      -52     
+ Misses       8040     8012      -28     
+ Partials      602      594       -8     

Files Changed	Coverage Δ
controllers/asosecret_controller.go	64.01% <80.00%> (+1.93%)	⬆️

... and 5 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[CecileRobertMichon]

/lgtm

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: a72335c7bc31a7a7861334b4099c1300c1748146

[nojnhuh]

/test pull-cluster-api-provider-azure-e2e-optional

[nojnhuh]

/lgtm

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: cadf8ccffb89f7375d10aab514dfa6c075c5b51e

[CecileRobertMichon]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: CecileRobertMichon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [CecileRobertMichon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment