config: drop support for deprecated Azure's service principal authentication (#1906)

* invalidate app client id field for azure and provide info * remove TestNewWithDefaultOptions case * fix test * remove appClientID field * remove client secret + rename err * remove from docs * otto feedback * update docs * delete env test in cfg since no envs set anymore * Update dev-docs/workflows/github-actions.md Co-authored-by: Otto Bittner <cobittner@posteo.net> * WARNING to stderr * fix check --------- Co-authored-by: Otto Bittner <cobittner@posteo.net>
2025-08-18 19:47:54 -04:00 · 2023-06-14 17:50:57 +02:00 · 2023-06-14 17:50:57 +02:00 · 07de6482b2
commit 07de6482b2
parent d964c74cbb
19 changed files with 152 additions and 222 deletions
--- a/cli/internal/cmd/init.go
+++ b/cli/internal/cmd/init.go
@ -501,16 +501,10 @@ func (i *initCmd) getMarshaledServiceAccountURI(provider cloudprovider.Provider,
 	case cloudprovider.Azure:
 		i.log.Debugf("Handling case for Azure")

-		// TODO(3u13r): Remove this fallback and enforce assigned managed identity after the v2.8.0 but before the v2.9.0 release.
 		authMethod := azureshared.AuthMethodUserAssignedIdentity
-		if config.Provider.Azure.AppClientID != "" {
-			authMethod = azureshared.AuthMethodServicePrincipal
-		}

 		creds := azureshared.ApplicationCredentials{
 			TenantID:            config.Provider.Azure.TenantID,
-			AppClientID:         config.Provider.Azure.AppClientID,
-			ClientSecretValue:   config.Provider.Azure.ClientSecretValue,
 			Location:            config.Provider.Azure.Location,
 			PreferredAuthMethod: authMethod,
 			UamiResourceID:      config.Provider.Azure.UserAssignedIdentity,
--- a/cli/internal/cmd/init_test.go
+++ b/cli/internal/cmd/init_test.go
@ -602,8 +602,6 @@ func defaultConfigWithExpectedMeasurements(t *testing.T, conf *config.Config, cs
 		conf.Provider.Azure.Location = "test-location"
 		conf.Provider.Azure.UserAssignedIdentity = "test-identity"
 		conf.Provider.Azure.ResourceGroup = "test-resource-group"
-		conf.Provider.Azure.AppClientID = "01234567-0123-0123-0123-0123456789ab"
-		conf.Provider.Azure.ClientSecretValue = "test-client-secret"
 		conf.Attestation.AzureSEVSNP.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce, measurements.PCRMeasurementLength)
 		conf.Attestation.AzureSEVSNP.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce, measurements.PCRMeasurementLength)
 		conf.Attestation.AzureSEVSNP.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce, measurements.PCRMeasurementLength)
--- a/cli/internal/cmd/verify_test.go
+++ b/cli/internal/cmd/verify_test.go
@ -47,7 +47,6 @@ func TestVerify(t *testing.T) {
 		formatter        *stubAttDocFormatter
 		nodeEndpointFlag string
 		configFlag       string
-		ownerIDFlag      string
 		clusterIDFlag    string
 		idFile           *clusterid.File
 		wantEndpoint     string
@ -172,9 +171,6 @@ func TestVerify(t *testing.T) {
 			if tc.configFlag != "" {
 				require.NoError(cmd.Flags().Set("config", tc.configFlag))
 			}
-			if tc.ownerIDFlag != "" {
-				require.NoError(cmd.Flags().Set("owner-id", tc.ownerIDFlag))
-			}
 			if tc.clusterIDFlag != "" {
 				require.NoError(cmd.Flags().Set("cluster-id", tc.clusterIDFlag))
 			}
@ -183,15 +179,14 @@ func TestVerify(t *testing.T) {
 			}
 			fileHandler := file.NewHandler(afero.NewMemMapFs())

-			config := defaultConfigWithExpectedMeasurements(t, config.Default(), tc.provider)
-			require.NoError(fileHandler.WriteYAML(constants.ConfigFilename, config))
+			cfg := defaultConfigWithExpectedMeasurements(t, config.Default(), tc.provider)
+			require.NoError(fileHandler.WriteYAML(constants.ConfigFilename, cfg))
 			if tc.idFile != nil {
 				require.NoError(fileHandler.WriteJSON(constants.ClusterIDsFileName, tc.idFile, file.OptNone))
 			}

 			v := &verifyCmd{log: logger.NewTest(t)}
 			err := v.verify(cmd, fileHandler, tc.protoClient, tc.formatter, stubAttestationFetcher{})
-
 			if tc.wantErr {
 				assert.Error(err)
 			} else {
--- a/cli/internal/helm/loader_test.go
+++ b/cli/internal/helm/loader_test.go
@ -366,8 +366,6 @@ func prepareAzureValues(values map[string]any) error {
 		return errors.New("missing 'autoscaler' key")
 	}
 	autoscalerVals["Azure"] = map[string]any{
-		"clientID":       "AppClientID",
-		"clientSecret":   "ClientSecretValue",
 		"resourceGroup":  "resourceGroup",
 		"subscriptionID": "subscriptionID",
 		"tenantID":       "TenantID",
--- a/cli/internal/terraform/terraform/iam/azure/README.md
+++ b/cli/internal/terraform/terraform/iam/azure/README.md
@ -3,6 +3,7 @@
 This terraform configuration creates the necessary Azure resources that need to be available to host a Constellation cluster.

 You can create the resources with the following commands:
+
 ```sh
 mkdir constellation_azure_iam
 cd constellation_azure_iam
@ -12,25 +13,19 @@ terraform apply
 ```

 The following terraform output values are available (with their corresponding keys in the Constellation configuration file):
+
 - `subscription_id` (subscription)
 - `tenant_id` (tenant)
- `region` (location)
- `base_resource_group_name` (resourceGroup)
- `application_id` (appClientID)
 - `uami_id` (userAssignedIdentity)
- `application_client_secret_value` (clientSecretValue) - **Sensitive Value**

 You can either get the profile names from the Terraform output and manually add them to your Constellation configuration file according to our [Documentation](https://docs.edgeless.systems/constellation/getting-started/first-steps).
 Or you can do this with a `yq` command:
+
 ```sh
 yq -i "
  .provider.azure.subscription = $(terraform output subscription_id) |
  .provider.azure.tenant = $(terraform output tenant_id) |
-  .provider.azure.location = $(terraform output region) |
-  .provider.azure.resourceGroup = $(terraform output base_resource_group_name) |
-  .provider.azure.appClientID = $(terraform output application_id) |
  .provider.azure.userAssignedIdentity = $(terraform output uami_id) |
-  .provider.azure.clientSecretValue = $(terraform output application_client_secret_value)
  " path/to/constellation-conf.yaml
 ```