bootstrapper: make Azure auth method configurable on cluster init (#1346)

* bootstrapper: make Azure auth method configurable on cluster init * azure: convert uami resource ID to clientID Co-authored-by: 3u13r <lc@edgeless.systems>
2025-08-05 21:44:15 -04:00 · 2023-04-03 15:01:25 +02:00 · 2023-04-03 15:01:25 +02:00 · d15968bed7
commit d15968bed7
parent 5cb1899c27
14 changed files with 307 additions and 209 deletions
--- a/internal/cloud/azureshared/appcredentials.go
+++ b/internal/cloud/azureshared/appcredentials.go
@ -9,15 +9,19 @@ package azureshared
 import (
 	"fmt"
 	"net/url"
+	"strings"
 )

-// ApplicationCredentials is a set of Azure AD application credentials.
+// ApplicationCredentials is a set of Azure API credentials.
+// It can contain a client secret and carries the preferred authentication method.
 // It is the equivalent of a service account key in other cloud providers.
 type ApplicationCredentials struct {
-	TenantID          string
-	AppClientID       string
-	ClientSecretValue string
-	Location          string
+	TenantID            string
+	AppClientID         string
+	ClientSecretValue   string
+	Location            string
+	UamiResourceID      string
+	PreferredAuthMethod AuthMethod
 }

 // ApplicationCredentialsFromURI converts a cloudServiceAccountURI into Azure ApplicationCredentials.
@ -33,11 +37,14 @@ func ApplicationCredentialsFromURI(cloudServiceAccountURI string) (ApplicationCr
 		return ApplicationCredentials{}, fmt.Errorf("invalid service account URI: invalid host: %s", uri.Host)
 	}
 	query := uri.Query()
+	preferredAuthMethod := FromString(query.Get("preferred_auth_method"))
 	return ApplicationCredentials{
-		TenantID:          query.Get("tenant_id"),
-		AppClientID:       query.Get("client_id"),
-		ClientSecretValue: query.Get("client_secret"),
-		Location:          query.Get("location"),
+		TenantID:            query.Get("tenant_id"),
+		AppClientID:         query.Get("client_id"),
+		ClientSecretValue:   query.Get("client_secret"),
+		Location:            query.Get("location"),
+		UamiResourceID:      query.Get("uami_resource_id"),
+		PreferredAuthMethod: preferredAuthMethod,
 	}, nil
 }

@ -45,9 +52,19 @@ func ApplicationCredentialsFromURI(cloudServiceAccountURI string) (ApplicationCr
 func (c ApplicationCredentials) ToCloudServiceAccountURI() string {
 	query := url.Values{}
 	query.Add("tenant_id", c.TenantID)
-	query.Add("client_id", c.AppClientID)
-	query.Add("client_secret", c.ClientSecretValue)
 	query.Add("location", c.Location)
+	if c.AppClientID != "" {
+		query.Add("client_id", c.AppClientID)
+	}
+	if c.ClientSecretValue != "" {
+		query.Add("client_secret", c.ClientSecretValue)
+	}
+	if c.UamiResourceID != "" {
+		query.Add("uami_resource_id", c.UamiResourceID)
+	}
+	if c.PreferredAuthMethod != AuthMethodUnknown {
+		query.Add("preferred_auth_method", c.PreferredAuthMethod.String())
+	}
 	uri := url.URL{
 		Scheme:   "serviceaccount",
 		Host:     "azure",
@ -55,3 +72,29 @@ func (c ApplicationCredentials) ToCloudServiceAccountURI() string {
 	}
 	return uri.String()
 }
+
+//go:generate stringer -type=AuthMethod -trimprefix=AuthMethod
+
+// AuthMethod is the authentication method used for the Azure API.
+type AuthMethod uint32
+
+// FromString converts a string into an AuthMethod.
+func FromString(s string) AuthMethod {
+	switch strings.ToLower(s) {
+	case strings.ToLower(AuthMethodServicePrincipal.String()):
+		return AuthMethodServicePrincipal
+	case strings.ToLower(AuthMethodUserAssignedIdentity.String()):
+		return AuthMethodUserAssignedIdentity
+	default:
+		return AuthMethodUnknown
+	}
+}
+
+const (
+	// AuthMethodUnknown is default value for AuthMethod.
+	AuthMethodUnknown AuthMethod = iota
+	// AuthMethodServicePrincipal uses a client ID and secret.
+	AuthMethodServicePrincipal
+	// AuthMethodUserAssignedIdentity uses a user assigned identity.
+	AuthMethodUserAssignedIdentity
+)