feat: Add new authentication type UserAssignedIdentityCredential #8230
Conversation
|
Skipping CI for Draft Pull Request. |
k8s-ci-robot
added
release-note
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: bryan-cox The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
cncf-cla: yes
bryan-cox
changed the title
|
/test all |
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
Moved PR to ready for Review. I was able to successfully test this out locally. |
|
/retest |
This commit adds a new authentication type, UserAssignedIdentityCredentials. This allows a 1st party Microsoft application to authenticate using a managed identity's certificate, which is accessed through the MSI data plane. More information on this authentication type can be found here - https://github.com/Azure/msi-dataplane/blob/63fb37d3a1aaac130120624674df795d2e088083/pkg/dataplane/reloadCredentials.go#L60.
bryan-cox
force-pushed
the
CNTRLPLANE-106
branch
from
6ecbc6e to
47b7089
Compare
|
Thanks for the pr! |
Hey @MartinForReal - It's kind of like Managed Identity combined with Client Certificate. With UserAssignedIdentityCredential, you use a Managed Identity, but you can use your Microsoft 1st party status to retrieve the backing certificate from the msi data plane. With UserAssignedIdentityCredential, you can authenticate with a managed identity and its backing certificate from Microsoft. |
|
Thank you for clarifying the difference! I'm not sure where it is used. Could you please provide more information? Thanks! |
| // Used with AADMSIDataPlaneIdentityPath to specify the Cloud type. | ||
| // Can only be one of the following values: AzurePublicCloud, AzureUSGovernmentCloud, or AzureChinaCloud | ||
| // If a value is not specified, defaults to AzurePublicCloud | ||
| MSIDataPlaneIdentityCloudType dataplane.AzureCloud `json:"msIDataPlaneIdentityCloudType,omitempty" yaml:"msIDataPlaneIdentityCloudType,omitempty"` |
There was a problem hiding this comment.
could we infer it from config Cloud? values should be same here
| @@ -46,6 +48,13 @@ type AzureAuthConfig struct { | |||
| // Auxiliary token provider for accessing resources from network tenant | |||
| // Require MSI to be enabled and have permission to access the KeyVault | |||
| AuxiliaryTokenProvider *AzureAuthAuxiliaryTokenProvider `json:"auxiliaryTokenProvider,omitempty" yaml:"auxiliaryTokenProvider,omitempty"` | |||
| // The path where a JSON file exists containing the JSON format of a UserAssignedIdentityCredentials struct | |||
| // See the msi-dataplane for more details on UserAssignedIdentityCredentials - https://github.com/Azure/msi-dataplane/blob/63fb37d3a1aaac130120624674df795d2e088083/pkg/dataplane/internal/generated_client.go#L156C6-L156C37 | |||
| AADMSIDataPlaneIdentityPath string `json:"aadMSIDataPlaneIdentityPath,omitempty" yaml:"aadMSIDataPlaneIdentityPath,omitempty"` | |||
There was a problem hiding this comment.
seems this is an internal data struct, are we going to consume it or also need to config the contents here?
And if need to config it, could we generate the contents based on our AzureAuthConfig and so we don't need to duplicate the same contents in two different files?
What type of PR is this?
/kind feature
What this PR does / why we need it:
This pull request adds the capability to authenticate with Azure using a new authentication type available only to 1st party Microsoft applications, UserAssignedIdentityCredential. More information on this new authentication type can be found here - https://github.com/Azure/msi-dataplane/blob/main/pkg/dataplane/reloadCredentials.go#L60.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: