diff --git a/pkg/dns/azure/client/auth.go b/pkg/dns/azure/client/auth.go
index 1ca95006a..ff9939f53 100644
--- a/pkg/dns/azure/client/auth.go
+++ b/pkg/dns/azure/client/auth.go
@@ -73,7 +73,7 @@ func getAuthorizerForResource(config Config) (autorest.Authorizer, error) {
 cred azcore.TokenCredential
 err error
 )
- if strings.TrimSpace(config.ClientSecret) == "" {
+ if config.AzureWorkloadIdentityEnabled && strings.TrimSpace(config.ClientSecret) == "" {
 options := azidentity.WorkloadIdentityCredentialOptions{
 ClientOptions: azcore.ClientOptions{
 Cloud: cloudConfig,
diff --git a/pkg/dns/azure/client/client.go b/pkg/dns/azure/client/client.go
index 71f343000..087979bd7 100644
--- a/pkg/dns/azure/client/client.go
+++ b/pkg/dns/azure/client/client.go
@@ -15,12 +15,13 @@ type DNSClient interface {
 }
 
 type Config struct {
- Environment azure.Environment
- SubscriptionID string
- ClientID string
- ClientSecret string
- FederatedTokenFile string
- TenantID string
+ Environment azure.Environment
+ SubscriptionID string
+ ClientID string
+ ClientSecret string
+ FederatedTokenFile string
+ TenantID string
+ AzureWorkloadIdentityEnabled bool
 }
 
 // ARecord is a DNS A record.
diff --git a/pkg/dns/azure/dns.go b/pkg/dns/azure/dns.go
index 3fec8701d..d40839a41 100644
--- a/pkg/dns/azure/dns.go
+++ b/pkg/dns/azure/dns.go
@@ -62,7 +62,7 @@ type provider struct {
 
 // NewProvider creates a new dns.Provider for Azure. It only supports DNSRecords with
 // type A.
-func NewProvider(config Config, operatorReleaseVersion string) (dns.Provider, error) {
+func NewProvider(config Config, operatorReleaseVersion string, AzureWorkloadIdentityEnabled bool) (dns.Provider, error) {
 var env azure.Environment
 var err error
 switch config.Environment {
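Review bot: With the new gate on the `if`, an empty ClientSecret while AzureWorkloadIdentityEnabled is false no longer selects the workload identity credential and instead falls through to whatever branch follows, which is outside this hunk; if that branch builds a client-secret credential from the empty secret, the misconfiguration would surface only at the first token request rather than at construction. Consider rejecting that combination explicitly ahead of the gate check, e.g. `if !config.AzureWorkloadIdentityEnabled && strings.TrimSpace(config.ClientSecret) == "" { return nil, errors.New("azure client secret is empty and workload identity is not enabled") }` (importing errors if the file does not already). A one-line comment above the `if`, such as `// Workload identity is only used when the feature gate is on and no client secret is configured.`, would also make the selection rule visible to the next reader. The body of getAuthorizerForResource continues outside the hunk.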
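Review bot: The new `AzureWorkloadIdentityEnabled` field on client.Config has no doc comment, although it now decides which credential type getAuthorizerForResource constructs. Suggest `// AzureWorkloadIdentityEnabled allows the workload identity credential to be used when ClientSecret is empty.` so a caller knows the flag must be set for the federated-token path to be taken. The same missing comment applies to the field added to the controller Config in controller.go.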
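Review bot: `AzureWorkloadIdentityEnabled` as a parameter name uses exported-style casing, which Go convention reserves for package-level identifiers; parameters and locals are lowerCamel (`azureWorkloadIdentityEnabled`), and the same applies to the createDNSProvider parameter in controller.go and the local in operator.go. Since NewProvider already receives an Azure Config and client.Config gained the flag as a field rather than a parameter, adding it as a field on this package's Config would keep the two Config types parallel and leave the controller call sites untouched. Whichever shape is kept, the NewProvider doc comment should mention the flag, e.g. `// azureWorkloadIdentityEnabled permits the workload identity credential when no client secret is configured.`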
@@ -75,12 +75,13 @@ func NewProvider(config Config, operatorReleaseVersion string) (dns.Provider, er
 return nil, fmt.Errorf("could not determine cloud environment: %w", err)
 }
 c, err := client.New(client.Config{
- Environment: env,
- SubscriptionID: config.SubscriptionID,
- ClientID: config.ClientID,
- ClientSecret: config.ClientSecret,
- FederatedTokenFile: config.FederatedTokenFile,
- TenantID: config.TenantID,
+ Environment: env,
+ SubscriptionID: config.SubscriptionID,
+ ClientID: config.ClientID,
+ ClientSecret: config.ClientSecret,
+ FederatedTokenFile: config.FederatedTokenFile,
+ TenantID: config.TenantID,
+ AzureWorkloadIdentityEnabled: AzureWorkloadIdentityEnabled,
 }, userAgent(operatorReleaseVersion))
 if err != nil {
 return nil, err
diff --git a/pkg/operator/controller/dns/controller.go b/pkg/operator/controller/dns/controller.go
index 6bd5494e9..01177f7b3 100644
--- a/pkg/operator/controller/dns/controller.go
+++ b/pkg/operator/controller/dns/controller.go
@@ -107,9 +107,10 @@ func New(mgr manager.Manager, config Config) (runtimecontroller.Controller, erro
 
 // Config holds all the things necessary for the controller to run.
 type Config struct {
- CredentialsRequestNamespace string
- DNSRecordNamespaces []string
- OperatorReleaseVersion string
+ CredentialsRequestNamespace string
+ DNSRecordNamespaces []string
+ OperatorReleaseVersion string
+ AzureWorkloadIdentityEnabled bool
 }
 
 type reconciler struct {
@@ -251,7 +252,7 @@ func (r *reconciler) createDNSProviderIfNeeded(dnsConfig *configv1.DNS, record *
 }
 
 if needUpdate {
- dnsProvider, err := r.createDNSProvider(dnsConfig, platformStatus, &infraConfig.Status, creds)
+ dnsProvider, err := r.createDNSProvider(dnsConfig, platformStatus, &infraConfig.Status, creds, r.config.AzureWorkloadIdentityEnabled)
 if err != nil {
 return fmt.Errorf("failed to create DNS provider: %v", err)
 }
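Review bot: The new argument to createDNSProvider is redundant: createDNSProvider is a method on the same reconciler and already reads `r.config.OperatorReleaseVersion` at the NewProvider call in the @@ -677 hunk, so it can read `r.config.AzureWorkloadIdentityEnabled` the same way. Dropping the parameter leaves this call line as it was, removes the signature change in the @@ -578 hunk, and turns the NewProvider call into `}, r.config.OperatorReleaseVersion, r.config.AzureWorkloadIdentityEnabled)`. createDNSProviderIfNeeded starts and ends outside this hunk.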
@@ -578,7 +579,7 @@ func (r *reconciler) ToDNSRecords(o client.Object) []reconcile.Request {
 
 // createDNSProvider creates a DNS manager compatible with the given cluster
 // configuration.
-func (r *reconciler) createDNSProvider(dnsConfig *configv1.DNS, platformStatus *configv1.PlatformStatus, infraStatus *configv1.InfrastructureStatus, creds *corev1.Secret) (dns.Provider, error) {
+func (r *reconciler) createDNSProvider(dnsConfig *configv1.DNS, platformStatus *configv1.PlatformStatus, infraStatus *configv1.InfrastructureStatus, creds *corev1.Secret, AzureWorkloadIdentityEnabled bool) (dns.Provider, error) {
 // If no DNS configuration is provided, don't try to set up provider clients.
 // TODO: the provider configuration can be refactored into the provider
 // implementations themselves, so this part of the code won't need to
@@ -677,7 +678,7 @@ func (r *reconciler) createDNSProvider(dnsConfig *configv1.DNS, platformStatus *
 ARMEndpoint: platformStatus.Azure.ARMEndpoint,
 InfraID: infraStatus.InfrastructureName,
 Tags: azuredns.GetTagList(infraStatus),
- }, r.config.OperatorReleaseVersion)
+ }, r.config.OperatorReleaseVersion, AzureWorkloadIdentityEnabled)
 if err != nil {
 return nil, fmt.Errorf("failed to create Azure DNS manager: %v", err)
 }
diff --git a/pkg/operator/operator.go b/pkg/operator/operator.go
index 9a2ad7a71..b973011f3 100644
--- a/pkg/operator/operator.go
+++ b/pkg/operator/operator.go
@@ -128,6 +128,7 @@ func New(config operatorconfig.Config, kubeConfig *rest.Config) (*Operator, erro
 return nil, err
 }
 // example of future featuregate read and usage to set a variable to pass to a controller
+ AzureWorkloadIdentityEnabled := featureGates.Enabled(configv1.FeatureGateAzureWorkloadIdentity)
 gatewayAPIEnabled := featureGates.Enabled(configv1.FeatureGateGatewayAPI)
 
 // Set up an operator manager for the operator namespace.
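Review bot: The comment `// example of future featuregate read and usage to set a variable to pass to a controller` is now stale, because the line added directly beneath it is a real read whose value the DNS controller consumes to choose an Azure credential type. Reword it to describe what the block now does, e.g. `// Read the feature gates whose values controllers need at construction time.`, so a reader does not dismiss the Azure gate as a placeholder. New's body continues outside the hunk.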
@@ -239,7 +240,8 @@ func New(config operatorconfig.Config, kubeConfig *rest.Config) (*Operator, erro
 config.Namespace,
 operatorcontroller.DefaultOperandNamespace,
 },
- OperatorReleaseVersion: config.OperatorReleaseVersion,
+ OperatorReleaseVersion: config.OperatorReleaseVersion,
+ AzureWorkloadIdentityEnabled: AzureWorkloadIdentityEnabled,
 }); err != nil {
 return nil, fmt.Errorf("failed to create dns controller: %v", err)
 }