From c66b372200a772ebf2b7c7d3b31fe1b1a06206a4 Mon Sep 17 00:00:00 2001
From: Jeremiah Stuever
Date: Thu, 6 Apr 2023 12:14:25 -0700
Subject: [PATCH] Add AzureWorkloadIdentity featureGate

---
 pkg/dns/azure/client/auth.go | 2 +-
 pkg/dns/azure/client/client.go | 3 +++
 pkg/dns/azure/dns.go | 15 ++++++++-------
 pkg/operator/controller/dns/controller.go | 13 +++++++------
 pkg/operator/operator.go | 5 +++--
 5 files changed, 22 insertions(+), 16 deletions(-)

diff --git a/pkg/dns/azure/client/auth.go b/pkg/dns/azure/client/auth.go
index 710404f65..a4dcf1814 100644
--- a/pkg/dns/azure/client/auth.go
+++ b/pkg/dns/azure/client/auth.go
@@ -70,7 +70,7 @@ func getAuthorizerForResource(config Config) (autorest.Authorizer, error) {
 	}
 
 	var cred azcore.TokenCredential
-	if strings.TrimSpace(config.ClientSecret) == "" {
+	if config.AzureWorkloadIdentityEnabled && strings.TrimSpace(config.ClientSecret) == "" {
 		options := azidentity.WorkloadIdentityCredentialOptions{
 			ClientOptions: azcore.ClientOptions{
 				Cloud: cloudConfig,
diff --git a/pkg/dns/azure/client/client.go b/pkg/dns/azure/client/client.go
index 7331db674..8d6a19f79 100644
--- a/pkg/dns/azure/client/client.go
+++ b/pkg/dns/azure/client/client.go
@@ -33,6 +33,9 @@ type Config struct {
 	FederatedTokenFile string
 	// TenantID is the Azure tenant ID.
 	TenantID string
+	// AzureWorkloadIdentityEnabled indicates whether the
+	// "AzureWorkloadIdentity" feature gate is enabled.
+	AzureWorkloadIdentityEnabled bool
 }
 
 // ARecord is a DNS A record.
diff --git a/pkg/dns/azure/dns.go b/pkg/dns/azure/dns.go
index 3fec8701d..d40839a41 100644
--- a/pkg/dns/azure/dns.go
+++ b/pkg/dns/azure/dns.go
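Review bot: With the feature gate added to the condition on the changed `if` line, an empty ClientSecret while the AzureWorkloadIdentity gate is disabled no longer selects the workload-identity path and instead falls through to the branch that follows the hunk, which I infer builds a credential from the (empty) client secret and only fails later at token-request time. It would be clearer to fail closed with an actionable message before that branch, e.g. `if !config.AzureWorkloadIdentityEnabled && strings.TrimSpace(config.ClientSecret) == "" { return nil, fmt.Errorf("client secret is required when the AzureWorkloadIdentity feature gate is disabled") }`, assuming fmt is already imported in auth.go. That keeps the credential selection explicit for both gate states rather than relying on the downstream error. getAuthorizerForResource starts and ends outside the hunk.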
@@ -62,7 +62,7 @@ type provider struct {
 
 // NewProvider creates a new dns.Provider for Azure. It only supports DNSRecords with
 // type A.
-func NewProvider(config Config, operatorReleaseVersion string) (dns.Provider, error) {
+func NewProvider(config Config, operatorReleaseVersion string, AzureWorkloadIdentityEnabled bool) (dns.Provider, error) {
 	var env azure.Environment
 	var err error
 	switch config.Environment {
@@ -75,12 +75,13 @@ func NewProvider(config Config, operatorReleaseVersion string) (dns.Provider, er
 		return nil, fmt.Errorf("could not determine cloud environment: %w", err)
 	}
 	c, err := client.New(client.Config{
-		Environment: env,
-		SubscriptionID: config.SubscriptionID,
-		ClientID: config.ClientID,
-		ClientSecret: config.ClientSecret,
-		FederatedTokenFile: config.FederatedTokenFile,
-		TenantID: config.TenantID,
+		Environment: env,
+		SubscriptionID: config.SubscriptionID,
+		ClientID: config.ClientID,
+		ClientSecret: config.ClientSecret,
+		FederatedTokenFile: config.FederatedTokenFile,
+		TenantID: config.TenantID,
+		AzureWorkloadIdentityEnabled: AzureWorkloadIdentityEnabled,
 	}, userAgent(operatorReleaseVersion))
 	if err != nil {
 		return nil, err
diff --git a/pkg/operator/controller/dns/controller.go b/pkg/operator/controller/dns/controller.go
index 6bd5494e9..01177f7b3 100644
--- a/pkg/operator/controller/dns/controller.go
+++ b/pkg/operator/controller/dns/controller.go
@@ -107,9 +107,10 @@ func New(mgr manager.Manager, config Config) (runtimecontroller.Controller, erro
 
 // Config holds all the things necessary for the controller to run.
 type Config struct {
-	CredentialsRequestNamespace string
-	DNSRecordNamespaces []string
-	OperatorReleaseVersion string
+	CredentialsRequestNamespace string
+	DNSRecordNamespaces []string
+	OperatorReleaseVersion string
+	AzureWorkloadIdentityEnabled bool
 }
 
 type reconciler struct {
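Review bot: The new parameter on the `+func NewProvider` line is named `AzureWorkloadIdentityEnabled`, which reads like an exported identifier; Go parameters use lowerCamel, so `func NewProvider(config Config, operatorReleaseVersion string, azureWorkloadIdentityEnabled bool) (dns.Provider, error) {` would match `operatorReleaseVersion` beside it, and the same applies to the `createDNSProvider` signature in the controller.go @@ -578 hunk. An alternative that avoids growing a positional bool list is to carry the flag on the Azure `Config` struct that NewProvider already receives, mirroring the field this patch adds to `client.Config`. NewProvider's body continues past the hunk.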
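Review bot: The `+AzureWorkloadIdentityEnabled bool` field added to the controller `Config` struct in the controller.go @@ -107 hunk has no doc comment, while the sibling field added to `client.Config` in this patch states which feature gate it mirrors. Suggest `// AzureWorkloadIdentityEnabled indicates whether the "AzureWorkloadIdentity" feature gate is enabled.` above it so the operator-level field reads the same as the client one. The neighbouring fields are undocumented too, but this one is the only value derived from a feature gate, so naming the gate here saves a reader a trip to operator.go.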
@@ -251,7 +252,7 @@ func (r *reconciler) createDNSProviderIfNeeded(dnsConfig *configv1.DNS, record *
 	}
 
 	if needUpdate {
-		dnsProvider, err := r.createDNSProvider(dnsConfig, platformStatus, &infraConfig.Status, creds)
+		dnsProvider, err := r.createDNSProvider(dnsConfig, platformStatus, &infraConfig.Status, creds, r.config.AzureWorkloadIdentityEnabled)
 		if err != nil {
 			return fmt.Errorf("failed to create DNS provider: %v", err)
 		}
@@ -578,7 +579,7 @@ func (r *reconciler) ToDNSRecords(o client.Object) []reconcile.Request {
 
 // createDNSProvider creates a DNS manager compatible with the given cluster
 // configuration.
-func (r *reconciler) createDNSProvider(dnsConfig *configv1.DNS, platformStatus *configv1.PlatformStatus, infraStatus *configv1.InfrastructureStatus, creds *corev1.Secret) (dns.Provider, error) {
+func (r *reconciler) createDNSProvider(dnsConfig *configv1.DNS, platformStatus *configv1.PlatformStatus, infraStatus *configv1.InfrastructureStatus, creds *corev1.Secret, AzureWorkloadIdentityEnabled bool) (dns.Provider, error) {
 	// If no DNS configuration is provided, don't try to set up provider clients.
 	// TODO: the provider configuration can be refactored into the provider
 	// implementations themselves, so this part of the code won't need to
@@ -677,7 +678,7 @@ func (r *reconciler) createDNSProvider(dnsConfig *configv1.DNS, platformStatus *
 			ARMEndpoint: platformStatus.Azure.ARMEndpoint,
 			InfraID: infraStatus.InfrastructureName,
 			Tags: azuredns.GetTagList(infraStatus),
-		}, r.config.OperatorReleaseVersion)
+		}, r.config.OperatorReleaseVersion, AzureWorkloadIdentityEnabled)
 		if err != nil {
 			return nil, fmt.Errorf("failed to create Azure DNS manager: %v", err)
 		}
diff --git a/pkg/operator/operator.go b/pkg/operator/operator.go
index 9a2ad7a71..7e23454e7 100644
--- a/pkg/operator/operator.go
+++ b/pkg/operator/operator.go
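Review bot: The new argument on the `+dnsProvider, err := r.createDNSProvider(...)` line passes `r.config.AzureWorkloadIdentityEnabled` into a method on the same receiver, which can read that field itself — the @@ -677 hunk already reads `r.config.OperatorReleaseVersion` from the receiver on the adjacent line. Dropping the extra parameter from the @@ -578 signature and writing `}, r.config.OperatorReleaseVersion, r.config.AzureWorkloadIdentityEnabled)` at @@ -677 keeps this call site unchanged and leaves one source of truth for the flag inside the reconciler. If the parameter is kept for testability, it should at least be lowerCamel (`azureWorkloadIdentityEnabled`) to match the surrounding parameters. createDNSProviderIfNeeded and createDNSProvider both extend beyond their hunks.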
@@ -127,7 +127,7 @@ func New(config operatorconfig.Config, kubeConfig *rest.Config) (*Operator, erro
 	if err != nil {
 		return nil, err
 	}
-	// example of future featuregate read and usage to set a variable to pass to a controller
+	azureWorkloadIdentityEnabled := featureGates.Enabled(configv1.FeatureGateAzureWorkloadIdentity)
 	gatewayAPIEnabled := featureGates.Enabled(configv1.FeatureGateGatewayAPI)
 
 	// Set up an operator manager for the operator namespace.
@@ -239,7 +239,8 @@ func New(config operatorconfig.Config, kubeConfig *rest.Config) (*Operator, erro
 			config.Namespace,
 			operatorcontroller.DefaultOperandNamespace,
 		},
-		OperatorReleaseVersion: config.OperatorReleaseVersion,
+		OperatorReleaseVersion: config.OperatorReleaseVersion,
+		AzureWorkloadIdentityEnabled: azureWorkloadIdentityEnabled,
 	}); err != nil {
 		return nil, fmt.Errorf("failed to create dns controller: %v", err)
 	}