Update ARO operator Azure auth scheme to use a DefaultAzureCredential

[kimorris27]

Which issue this PR addresses:

• https://issues.redhat.com/browse/ARO-3992
• https://issues.redhat.com/browse/ARO-3987
• https://issues.redhat.com/browse/ARO-3988

What this PR does / why we need it:

This PR updates the ARO operator to authenticate to Azure using a DefaultAzureCredential, which will work with both a CSP and WI.

To get it working with a CSP, I had to make a few other changes:

• Have the ARO operator get the Azure authentication details from Secret values that are put into the Pod via environment variables
• Add a CredentialsRequest to the ARO operator deployment, which tells the CCO (cloud credential operator) to create an Azure creds Secret in the ARO operator's namespace
• Restart the ARO operator (master only) when customers rotate their CSP credentials (to ensure the new Secret value is read in). The az aro update process will also now verify that the CredentialsRequest mentioned in the bullet above has been reconciled (and thus the Secret has been updated) before doing this restart.

Note that to get the ARO operator working on an ARO WI cluster later on, we'll need a follow-up PR to have the operator Pod 1) use AZURE_FEDERATED_TOKEN_FILE instead of AZURE_CLIENT_SECRET and 2) mount a bound service account token (more info in testing steps below because I had to do it manually; the testing steps could also be a useful reference for the engineer who makes the follow-up PR).

Test plan for issue:

There were a few different things to test:

• The new authentication scheme works with a CSP cluster
  • Tested by provisioning a dev cluster and observing the operator successfully doing stuff to Azure resources in response to changes I was making on the cluster
  • Will also be covered in E2E
• The operator still authenticates to Azure successfully and continues to work after rotating the CSP's client secret via an az aro update --refresh-credentials
  1. I ran an az aro update --refresh-credentials against my dev cluster and observed the ARO operator master Pod get replaced during the Deployment rollout.
  2. I then used the Portal to remove the Microsoft.Storage service endpoint from both cluster subnets.
  3. Then I scaled down one of the worker MachineSets to trigger the subnets controller. The subnets controller added the service endpoint back successfully.
  • I observed some 401 Azure authentication errors immediately after the new operator master Pod started up. It seems like there is short lag before the correct Secret value makes it into the Pod, but it eventually worked with no intervention (per my test results). Just mentioning here because it was interesting to me.
• The new authentication scheme works with a WI (tested on a vanilla OCP WI cluster)
  1. I provisioned a WI cluster using the instructions at [1], but before running ccoctl azure create-all, I copied the ARO operator's CredentialsRequest manifest into the --credentials-request-dir so that ccoctl would create a WI and a Secret manifest for the ARO operator. I also removed this Secret manifest from the install manifest directory before installing the cluster and saved the manifest so I could apply it myself later.
  2. After the cluster finished installing, I added the ARO Cluster CRD to the cluster and created a minimal Cluster CR with just the attributes needed to make the subnets controller work. I included these attributes:
     • azEnvironment
     • clusterResourceGroupId
     • location
     • operatorFlags (disabled everything except the subnets controller and service endpoint reconciliation)
     • resourceId (just put any resource ID that has the right subscription; the subnet controller only reads this to get the subscription ID)
     • serviceSubnets:
     • storageSuffix
     • vnetId
  3. I then set up the ARO operator (master only, since only the master Pod makes Azure API calls) on the cluster using the manifests in pkg/operator/deploy and the Secret manifest that I had saved during step 1. I did make a few changes to the Deployment manifest: 1) replaced AZURE_CLIENT_SECRET with AZURE_FEDERATED_TOKEN_FILE and 2) mounted a bound service account token (see [2] for the things to add).

[1] https://github.com/openshift/cloud-credential-operator/blob/master/docs/azure_workload_identity.md

[2] Two things to add in the ARO operator Deployment spec to mount the bound service account token:

1. Add this to the Pod spec:

volumes:
- name: bound-sa-token
  projected:
  defaultMode: 420
  sources:
  - serviceAccountToken:
      audience: openshift
      expirationSeconds: 3600
      path: token

2. Add this to the container spec:

volumeMounts:
- mountPath: /var/run/secrets/openshift/serviceaccount
  name: bound-sa-token
  readOnly: true

Is there any documentation that needs to be updated for this PR?

No

[cadenmarchese]

First pass, looks great! I just have a question about the continued use of an old function.

[bennerv]

Great work - just a quick first pass on this

[bennerv]

nit - no new line

[bennerv]

should we patch this? We've been having issues with running updates instead of patches.

[s-amann]

+1 to making this a patch call, especially considering we just want to ensure an annotation is added.

[kimorris27]

I became aware while changing this over to a patch call that there are multiple ways to patch. After looking at the different options, I went with server-side apply. Let me know if we should do it a different way though.

[bennerv]

do we need to wait for the reconciliation of the credentialsRequest before we restart it?

[kimorris27]

That's a good point. I think we want to, but I'll have to think about how to check that the reconciliation is done.

[kimorris27]

I did somewhat of a deep dive while figuring out how to go about this. The CredentialsRequest's status has a lastSyncCloudCredsSecretResourceVersion that we could check, but it feels hacky because we would have to save the old version prior to updating the secret so that we can see what it used to be. I'm thinking we can just use the lastSyncTimestamp instead by checking to see if it's something within the past 5 minutes. Your thoughts?

It's also tricky because CredentialsRequests haven't made their way into openshift/client-go. Based on my reading, I'll have to use https://pkg.go.dev/k8s.io/client-go/dynamic#DynamicClient to work with the CredentialsRequest from within pkg/cluster, but let me know if there's a better way.

[kimorris27]

I pushed a solution that uses the lastSyncTimestamp, and I feel like this should be fine.

[bennerv]

what's the purpose of this as a struct? So that the controller can fetch a new token credential every time it needs to run the checker, rather than once on startup?

[bennerv]

I'm also wondering if this is "legacy". The newer azure-sdk-for-go no longer requires us to refresh the token iirc.

[kimorris27]

what's the purpose of this as a struct? So that the controller can fetch a new token credential every time it needs to run the checker, rather than once on startup?

I'm not 100% sure, but it seems that way to me.

I'm also wondering if this is "legacy". The newer azure-sdk-for-go no longer requires us to refresh the token iirc.

I wasn't aware of this. I'll have to look into it a bit, and then maybe we can remove unneeded stuff from the struct.

[kimorris27]

After some digging, I found that you're right - as long as we're using azidentity, our tokens will get auto-refreshed before they expire. So I'll see about refactoring this struct a bit.

For context, #2667 switched us over to azidentity, which uses MSAL under the hood, and https://learn.microsoft.com/en-us/entra/identity-platform/msal-overview states that MSAL refreshes tokens automatically.

[kimorris27]

Well, after looking at this code in more detail and considering how we might refactor it, I think we might as well leave it how it is.

It looks like for all of the checkers under pkg/operator/controllers/checkers, there's a pattern of defining a SomethingChecker interface and then creating a struct type that implements the interface. So it logically makes sense to have that struct type encapsulate anything related to the Check that the controller in question does. I think getTokenCredential and newSPValidator are included in the struct more because its logical than because of a goal of getting a new token each time the controller reconciles (which is what I was originally thinking).

Additionally, if you look at the storage accounts controller for example (specifically

ARO-RP/pkg/operator/controllers/storageaccounts/storageaccount_controller.go

Line 95 in ac7cf2f

authorizer, err := azRefreshAuthorizer.NewRefreshableAuthorizerToken(ctx)

), it also "manually" creates a new token credential each time it Reconciles. So if we wanted to refactor to only create a token credential on controller startup, we'd probably want to do that to all of the controllers that leverage Azure clients and not just the service principal checker.

Let me know what you think!

[s-amann]

first pass lgtm, some comments below. If you haven't already done so, please rebase.

[s-amann]

+1 to making this a patch call, especially considering we just want to ensure an annotation is added.

[s-fairchild]

LGTM, other than some additional test coverage if possible. If that's too much for this PR then maybe in a follow up PR.
Thanks for the neat commit structure.

[s-fairchild]

Thanks for adding test coverage, lgtm.

[s-amann]

if possible I'd rather see the code that is in the if changed block extracted to its own helper function and used along with a return when we need to set changed=true. this avoids the use of a tracking boolean and reduces complexity.

[kimorris27]

Yeah, I see what you mean. I've pushed a commit that I believe implements this the way you have in mind.

[kimorris27]

/azp run ci

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[s-fairchild]

LGTM

[cadenmarchese]

I've tested both a new install and PUCM with these changes to confirm behavior looks correct - lgtm, thanks for addressing all of the changes!