
Commit 4be5ef8

committed
Add new authentication type for managed Azure HCP
This commit adds a new authentication type for managed Azure HCP called UserAssignedIdentityCredentials. This new authentication type replaces the previous authentication method for managed Azure HCP. Signed-off-by: Bryan Cox <[email protected]>
1 parent cf53cc3 commit 4be5ef8

1 file changed

+13
-2
lines changed

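--- a/pkg/cloudprovider/azure.go
+++ b/pkg/cloudprovider/azure.go
@@ -9,14 +9,15 @@ import (
 "sync"
 "time"
 
-compute "github.com/Azure/azure-sdk-for-go/profiles/2020-09-01/compute/mgmt/compute"
+"github.com/Azure/azure-sdk-for-go/profiles/2020-09-01/compute/mgmt/compute"
 "github.com/Azure/azure-sdk-for-go/profiles/2020-09-01/network/mgmt/network"
 "github.com/Azure/azure-sdk-for-go/sdk/azcore"
 "github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
 "github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 "github.com/Azure/go-autorest/autorest"
 "github.com/Azure/go-autorest/autorest/azure"
 azureapi "github.com/Azure/go-autorest/autorest/azure"
+"github.com/Azure/msi-dataplane/pkg/dataplane"
 "github.com/jongio/azidext/go/azidext"
 v1 "github.com/openshift/api/cloudnetwork/v1"
 configv1 "github.com/openshift/api/config/v1"
@@ -587,9 +588,10 @@ func (a *Azure) getAuthorizer(env azureapi.Environment, cfg *azureCredentialsCon
 err error
 )
 
-// Managed Identity Override for ARO HCP
 managedIdentityClientID := os.Getenv("ARO_HCP_MI_CLIENT_ID")
+userAssignedIdentityCredentialsFilePath := os.Getenv("ARO_HCP_CLIENT_CREDENTIALS_PATH")
 if managedIdentityClientID != "" {
+// Managed Identity Override for ARO HCP
 klog.Info("Using client certification Azure authentication for ARO HCP")
 options := &azidentity.ClientCertificateCredentialOptions{
 ClientOptions: azcore.ClientOptions{
@@ -621,6 +623,15 @@ func (a *Azure) getAuthorizer(env azureapi.Environment, cfg *azureCredentialsCon
 if err != nil {
 return nil, err
 }
+} else if userAssignedIdentityCredentialsFilePath != "" {
+// UserAssignedIdentityCredentials for managed Azure HCP
+clientOptions := azcore.ClientOptions{
+Cloud: cloudConfig,
+}
+cred, err = dataplane.NewUserAssignedIdentityCredential(context.Background(), userAssignedIdentityCredentialsFilePath, dataplane.WithClientOpts(clientOptions))
+if err != nil {
+return nil, err
+}
 } else if strings.TrimSpace(cfg.clientSecret) == "" {
 if a.azureWorkloadIdentityEnabled && strings.TrimSpace(cfg.tokenFile) != "" {
 klog.Infof("Using workload identity authentication")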
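Review bot: The new `else if userAssignedIdentityCredentialsFilePath != ""` branch in the third hunk selects a credential without logging it, while the client-certificate branch above it announces its choice with `klog.Info("Using client certification Azure authentication for ARO HCP")`; add `klog.Info("Using UserAssignedIdentityCredentials Azure authentication for managed Azure HCP")` before `clientOptions := azcore.ClientOptions{` so operators can tell from the logs which authentication path was taken. The credential is built with `context.Background()`, so if `dataplane.NewUserAssignedIdentityCredential` performs file or network I/O nothing bounds it; if getAuthorizer has no caller context, a `context.WithTimeout` around the call would be safer. The commit description says this type replaces the previous managed HCP method, yet the `ARO_HCP_MI_CLIENT_ID` branch is still checked first and wins when both environment variables are set, which deserves a comment on the intended precedence, e.g. `// ARO_HCP_MI_CLIENT_ID takes precedence over ARO_HCP_CLIENT_CREDENTIALS_PATH when both are set`. getAuthorizer starts and ends outside the hunks.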
