Add new auth type: UserAssignedIdentityCredentials

This commit adds a new authentication type,
UserAssignedIdentityCredentials. This allows a 1st party Microsoft
application to authenticate using a managed identity's certificate,
which is accessed through the MSI data plane. More information on this
authentication type can be found here - https://github
.com/Azure/msi-dataplane/blob/63fb37d3a1aaac130120624674df795d2e088083
/pkg/dataplane/reloadCredentials.go#L60.

Signed-off-by: Bryan Cox <[email protected]>

Author: bryan-cox

api/v1beta1/azureclusteridentity_types.go

@@ -44,7 +44,7 @@ type AllowedNamespaces struct {
 // AzureClusterIdentitySpec defines the parameters that are used to create an AzureIdentity.
 type AzureClusterIdentitySpec struct {
 	// Type is the type of Azure Identity used.
-	// ServicePrincipal, ServicePrincipalCertificate, UserAssignedMSI, ManualServicePrincipal or WorkloadIdentity.
+	// ServicePrincipal, ServicePrincipalCertificate, UserAssignedMSI, ManualServicePrincipal, UserAssignedIdentityCredential, or WorkloadIdentity.
 	Type IdentityType `json:"type"`
 	// ResourceID is the Azure resource ID for the User Assigned MSI resource.
 	// Only applicable when type is UserAssignedMSI.
@@ -62,6 +62,16 @@ type AzureClusterIdentitySpec struct {
 	// CertPath is the path where certificates exist. When set, it takes precedence over ClientSecret for types that use certs like ServicePrincipalCertificate.
 	// +optional
 	CertPath string `json:"certPath,omitempty"`
+	// UserAssignedIdentityCredentialsPath is the path where an existing JSON file exists containing the JSON format of
+	// a UserAssignedIdentityCredentials struct.
+	// See the msi-dataplane for more details on UserAssignedIdentityCredentials - https://github.com/Azure/msi-dataplane/blob/main/pkg/dataplane/internal/client/models.go#L125
+	// +optional
+	UserAssignedIdentityCredentialsPath string `json:"userAssignedIdentityCredentialsPath,omitempty"`
+	// UserAssignedIdentityCredentialsCloudType is used with UserAssignedIdentityCredentialsPath to specify the Cloud
+	// type. Can only be one of the following values: public, china, or usgovernment
+	// If a value is not specified, defaults to public
+	// +optional
+	UserAssignedIdentityCredentialsCloudType string `json:"userAssignedIdentityCredentialsCloudType,omitempty"`
 	// TenantID is the service principal primary tenant id.
 	TenantID string `json:"tenantID"`
 	// AllowedNamespaces is used to identify the namespaces the clusters are allowed to use the identity from.

api/v1beta1/azureclusteridentity_validation.go

@@ -17,6 +17,8 @@ limitations under the License.
 package v1beta1
 
 import (
+	"fmt"
+
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
@@ -27,6 +29,10 @@ func (c *AzureClusterIdentity) validateClusterIdentity() (admission.Warnings, er
 	if c.Spec.Type != UserAssignedMSI && c.Spec.ResourceID != "" {
 		allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "resourceID"), c.Spec.ResourceID))
 	}
+	if c.Spec.Type != UserAssignedIdentityCredential && (c.Spec.UserAssignedIdentityCredentialsPath != "" || c.Spec.UserAssignedIdentityCredentialsCloudType != "") {
+		allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "userAssignedIdentityCredentialsPath"), fmt.Sprintf("%s can only be set when AzureClusterIdentity is of type UserAssignedIdentityCredential", c.Spec.UserAssignedIdentityCredentialsPath)))
+		allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "userAssignedIdentityCredentialsCloudType"), fmt.Sprintf("%s can only be set when AzureClusterIdentity is of type UserAssignedIdentityCredential ", c.Spec.UserAssignedIdentityCredentialsCloudType)))
+	}
 	if len(allErrs) == 0 {
 		return nil, nil
 	}

api/v1beta1/types.go

@@ -570,7 +570,7 @@ type UserAssignedIdentity struct {
 }
 
 // IdentityType represents different types of identities.
-// +kubebuilder:validation:Enum=ServicePrincipal;UserAssignedMSI;ManualServicePrincipal;ServicePrincipalCertificate;WorkloadIdentity
+// +kubebuilder:validation:Enum=ServicePrincipal;UserAssignedMSI;ManualServicePrincipal;ServicePrincipalCertificate;WorkloadIdentity;UserAssignedIdentityCredential
 type IdentityType string
 
 const (
@@ -588,6 +588,9 @@ const (
 
 	// WorkloadIdentity represents a WorkloadIdentity.
 	WorkloadIdentity IdentityType = "WorkloadIdentity"
+
+	// UserAssignedIdentityCredential represents a UserAssignedIdentityCredential.
+	UserAssignedIdentityCredential IdentityType = "UserAssignedIdentityCredential"
 )
 
 // OSDisk defines the operating system disk for a VM.

azure/credential_cache.go

@@ -17,10 +17,13 @@ limitations under the License.
 package azure
 
 import (
+	"context"
 	"sync"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+	"github.com/Azure/msi-dataplane/pkg/dataplane"
+	"github.com/go-logr/logr"
 )
 
 type credentialCache struct {
@@ -34,6 +37,7 @@ type credentialFactory interface {
 	newClientCertificateCredential(tenantID string, clientID string, clientCertificate []byte, clientCertificatePassword []byte, opts *azidentity.ClientCertificateCredentialOptions) (azcore.TokenCredential, error)
 	newManagedIdentityCredential(opts *azidentity.ManagedIdentityCredentialOptions) (azcore.TokenCredential, error)
 	newWorkloadIdentityCredential(opts *azidentity.WorkloadIdentityCredentialOptions) (azcore.TokenCredential, error)
+	newUserAssignedManagedIdentityCredentials(ctx context.Context, credsPath string, opts azcore.ClientOptions, logger *logr.Logger) (azcore.TokenCredential, error)
 }
 
 // CredentialType represents the auth mechanism in use.
@@ -48,6 +52,8 @@ const (
 	CredentialTypeManagedIdentity
 	// CredentialTypeWorkloadIdentity is for Workload Identity.
 	CredentialTypeWorkloadIdentity
+	// CredentialTypeUserAssignedManagedIdentity is for User Assigned Managed Identity Credentials.
+	CredentialTypeUserAssignedManagedIdentity
 )
 
 type credentialCacheKey struct {
@@ -125,6 +131,18 @@ func (c *credentialCache) GetOrStoreWorkloadIdentity(opts *azidentity.WorkloadId
 	)
 }
 
+func (c *credentialCache) GetOrStoreUserAssignedManagedIdentityCredentials(ctx context.Context, credsPath string, opts azcore.ClientOptions, logger *logr.Logger) (azcore.TokenCredential, error) {
+	return c.getOrStore(
+		credentialCacheKey{
+			authorityHost:  opts.Cloud.ActiveDirectoryAuthorityHost,
+			credentialType: CredentialTypeUserAssignedManagedIdentity,
+		},
+		func() (azcore.TokenCredential, error) {
+			return c.credFactory.newUserAssignedManagedIdentityCredentials(ctx, credsPath, opts, logger)
+		},
+	)
+}
+
 func (c *credentialCache) getOrStore(key credentialCacheKey, newCredFunc func() (azcore.TokenCredential, error)) (azcore.TokenCredential, error) {
 	c.mut.Lock()
 	defer c.mut.Unlock()
@@ -160,3 +178,7 @@ func (azureCredentialFactory) newManagedIdentityCredential(opts *azidentity.Mana
 func (azureCredentialFactory) newWorkloadIdentityCredential(opts *azidentity.WorkloadIdentityCredentialOptions) (azcore.TokenCredential, error) {
 	return azidentity.NewWorkloadIdentityCredential(opts)
 }
+
+func (azureCredentialFactory) newUserAssignedManagedIdentityCredentials(ctx context.Context, credsPath string, opts azcore.ClientOptions, logger *logr.Logger) (azcore.TokenCredential, error) {
+	return dataplane.NewUserAssignedIdentityCredential(ctx, credsPath, dataplane.WithClientOpts(opts), dataplane.WithLogger(logger))
+}

azure/interfaces.go

@@ -23,6 +23,7 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/Azure/azure-service-operator/v2/pkg/genruntime"
+	"github.com/go-logr/logr"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -172,4 +173,5 @@ type CredentialCache interface {
 	GetOrStoreClientCert(tenantID, clientID string, cert, certPassword []byte, opts *azidentity.ClientCertificateCredentialOptions) (azcore.TokenCredential, error)
 	GetOrStoreManagedIdentity(opts *azidentity.ManagedIdentityCredentialOptions) (azcore.TokenCredential, error)
 	GetOrStoreWorkloadIdentity(opts *azidentity.WorkloadIdentityCredentialOptions) (azcore.TokenCredential, error)
+	GetOrStoreUserAssignedManagedIdentityCredentials(ctx context.Context, credsPath string, opts azcore.ClientOptions, logger *logr.Logger) (azcore.TokenCredential, error)
 }

azure/mock_azure/azure_mock.go

@@ -20,6 +20,7 @@ import (
 	"context"
 	"os"
 	"reflect"
+	"strings"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
@@ -159,6 +160,17 @@ func (p *AzureCredentialsProvider) GetTokenCredential(ctx context.Context, resou
 		}
 		cred, authErr = p.cache.GetOrStoreManagedIdentity(&options)
 
+	case infrav1.UserAssignedIdentityCredential:
+		cloudType := parseCloudType(p.Identity.Spec.UserAssignedIdentityCredentialsCloudType)
+		clientOptions := azcore.ClientOptions{
+			TracingProvider: tracingProvider,
+			Cloud:           cloudType,
+		}
+		// Using context.Background() here as something is cancelling the context prematurely in the ctx passed into the
+		// function. This authentication method is long lived and has built in capabilities to rotate the certificates
+		// when they change.
+		cred, authErr = p.cache.GetOrStoreUserAssignedManagedIdentityCredentials(context.Background(), p.Identity.Spec.UserAssignedIdentityCredentialsPath, clientOptions, &log)
+
 	default:
 		return nil, errors.Errorf("identity type %s not supported", p.Identity.Spec.Type)
 	}
@@ -259,3 +271,17 @@ func IsClusterNamespaceAllowed(ctx context.Context, k8sClient client.Client, all
 
 	return false
 }
+
+func parseCloudType(cloudType string) cloud.Configuration {
+	cloudType = strings.ToUpper(cloudType)
+	switch cloudType {
+	case "PUBLIC":
+		return cloud.AzurePublic
+	case "CHINA":
+		return cloud.AzureChina
+	case "USGOVERNMENT":
+		return cloud.AzureGovernment
+	default:
+		return cloud.AzurePublic
+	}
+}

azure/scope/identity.go

@@ -22,6 +22,7 @@ import (
 	"reflect"
 	"testing"
 
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	. "github.com/onsi/gomega"
@@ -419,6 +420,45 @@ func TestGetTokenCredential(t *testing.T) {
 				}))
 			},
 		},
+		{
+			name: "UserAssignedIdentityCredential",
+			cluster: &infrav1.AzureCluster{
+				Spec: infrav1.AzureClusterSpec{
+					AzureClusterClassSpec: infrav1.AzureClusterClassSpec{
+						IdentityRef: &corev1.ObjectReference{
+							Kind: infrav1.AzureClusterIdentityKind,
+						},
+					},
+				},
+			},
+			identity: &infrav1.AzureClusterIdentity{
+				Spec: infrav1.AzureClusterIdentitySpec{
+					Type:                                     infrav1.UserAssignedIdentityCredential,
+					UserAssignedIdentityCredentialsPath:      "../../test/setup/credentials.json",
+					UserAssignedIdentityCredentialsCloudType: "public",
+				},
+			},
+			cacheExpect: func(cache *mock_azure.MockCredentialCache) {
+				ctx := context.Background()
+				credsPath := "../../test/setup/credentials.json" //nolint:gosec
+				clientOptions := azcore.ClientOptions{
+					Cloud: cloud.Configuration{
+						ActiveDirectoryAuthorityHost: "https://login.microsoftonline.com/",
+						Services: map[cloud.ServiceName]cloud.ServiceConfiguration{
+							cloud.ResourceManager: {
+								Audience: "https://management.core.windows.net/",
+								Endpoint: "https://management.azure.com",
+							},
+						},
+					},
+				}
+				cache.EXPECT().GetOrStoreUserAssignedManagedIdentityCredentials(ctx, credsPath, gomock.Cond(func(opts azcore.ClientOptions) bool {
+					return opts.Cloud.ActiveDirectoryAuthorityHost == clientOptions.Cloud.ActiveDirectoryAuthorityHost &&
+						opts.Cloud.Services[cloud.ResourceManager].Audience == clientOptions.Cloud.Services[cloud.ResourceManager].Audience &&
+						opts.Cloud.Services[cloud.ResourceManager].Endpoint == clientOptions.Cloud.Services[cloud.ResourceManager].Endpoint
+				}), gomock.Any())
+			},
+		},
 	}
 
 	scheme := runtime.NewScheme()
@@ -448,3 +488,45 @@ func TestGetTokenCredential(t *testing.T) {
 		})
 	}
 }
+
+func TestParseCloudType(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected cloud.Configuration
+	}{
+		{
+			name:     "when the input is public, expect AzurePublic",
+			input:    "public",
+			expected: cloud.AzurePublic,
+		},
+		{
+			name:     "when the input is China, expect AzureChina",
+			input:    "china",
+			expected: cloud.AzureChina,
+		},
+		{
+			name:     "when the input is usgovernment, expect AzureGovernment",
+			input:    "usgovernment",
+			expected: cloud.AzureGovernment,
+		},
+		{
+			name:     "when the input is empty, expect AzurePublic",
+			input:    "", // Test case for default value
+			expected: cloud.AzurePublic,
+		},
+		{
+			name:     "when the input is PUBLIC, expect AzurePublic",
+			input:    "PUBLIC", // Test case for uppercased input
+			expected: cloud.AzurePublic,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			g := NewWithT(t)
+			g.Expect(parseCloudType(tt.input)).To(Equal(tt.expected))
+		})
+	}
+}

azure/scope/identity_test.go

@@ -159,13 +159,26 @@ spec:
               type:
                 description: |-
                   Type is the type of Azure Identity used.
-                  ServicePrincipal, ServicePrincipalCertificate, UserAssignedMSI, ManualServicePrincipal or WorkloadIdentity.
+                  ServicePrincipal, ServicePrincipalCertificate, UserAssignedMSI, ManualServicePrincipal, UserAssignedIdentityCredential, or WorkloadIdentity.
                 enum:
                 - ServicePrincipal
                 - UserAssignedMSI
                 - ManualServicePrincipal
                 - ServicePrincipalCertificate
                 - WorkloadIdentity
+                - UserAssignedIdentityCredential
+                type: string
+              userAssignedIdentityCredentialsCloudType:
+                description: |-
+                  UserAssignedIdentityCredentialsCloudType is used with UserAssignedIdentityCredentialsPath to specify the Cloud
+                  type. Can only be one of the following values: public, china, or usgovernment
+                  If a value is not specified, defaults to public
+                type: string
+              userAssignedIdentityCredentialsPath:
+                description: |-
+                  UserAssignedIdentityCredentialsPath is the path where an existing JSON file exists containing the JSON format of
+                  a UserAssignedIdentityCredentials struct.
+                  See the msi-dataplane for more details on UserAssignedIdentityCredentials - https://github.com/Azure/msi-dataplane/blob/main/pkg/dataplane/internal/client/models.go#L125
                 type: string
             required:
             - clientID

config/crd/bases/infrastructure.cluster.x-k8s.io_azureclusteridentities.yaml

@@ -21,6 +21,7 @@ require (
 	github.com/Azure/azure-service-operator/v2 v2.11.0
 	github.com/Azure/go-autorest/autorest v0.11.30
 	github.com/Azure/go-autorest/autorest/azure/auth v0.5.13
+	github.com/Azure/msi-dataplane v0.4.0
 	github.com/asaskevich/govalidator/v11 v11.0.2-0.20250122183457-e11347878e23
 	github.com/blang/semver v3.5.1+incompatible
 	github.com/go-logr/logr v1.4.2
@@ -71,7 +72,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault v1.4.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.6.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
-	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
+	github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
@@ -131,7 +132,7 @@ require (
 	github.com/evanphx/json-patch/v5 v5.9.11
 	github.com/fatih/camelcase v1.0.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/fsnotify/fsnotify v1.8.0 // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect