Merge pull request #1477 from nader-ziada/deprecation-notice

Add deprecation notice to using credentials from environment variables

Author: k8s-ci-robot

controllers/azurecluster_controller.go

@@ -18,6 +18,7 @@ package controllers
 
 import (
 	"context"
+	"fmt"
 	"time"
 
 	"go.opentelemetry.io/otel/attribute"
@@ -171,6 +172,12 @@ func (r *AzureClusterReconciler) Reconcile(ctx context.Context, req ctrl.Request
 				return reconcile.Result{}, err
 			}
 		}
+	} else {
+		warningMessage := ("You're using deprecated functionality: ")
+		warningMessage += ("Using Azure credentials from the manager environment is deprecated and will be removed in future releases. ")
+		warningMessage += ("Please specify an AzureClusterIdentity for the AzureCluster instead, see: https://capz.sigs.k8s.io/topics/multitenancy.html ")
+		log.Info(fmt.Sprintf("WARNING, %s", warningMessage))
+		r.Recorder.Eventf(azureCluster, corev1.EventTypeWarning, "AzureClusterIdentity", warningMessage)
 	}
 
 	// Create the scope.

docs/book/src/topics/getting-started.md

@@ -51,9 +51,24 @@ An Azure Service Principal is needed for deploying Azure resources. The below in
   export AZURE_LOCATION="eastus" # this should be an Azure region that your subscription has quota for.
   ```
 
-:warning: NOTE: If your password contains single quotes (`'`), make sure to escape them. To escape a single quote, close the quoting before it, insert the single quote, and re-open the quoting.
+<aside class="note warning"> 
+
+<h1> Warning </h1>
+
+NOTE: If your password contains single quotes (`'`), make sure to escape them. To escape a single quote, close the quoting before it, insert the single quote, and re-open the quoting.
 For example, if your password is `foo'blah$`, you should do `export AZURE_CLIENT_SECRET='foo'\''blah$'`.
 
+</aside>
+
+<aside class="note warning"> 
+
+<h1> Warning </h1> 
+
+The capability to set credentials using environment variables is now deprecated and will be removed in future releases, the recommended approach is to use `AzureClusterIdentity` as explained [here](multitenancy.md) 
+
+</aside>
+
+
 ### Building your first cluster
 
 Check out the [Cluster API Quick Start](https://cluster-api.sigs.k8s.io/user/quick-start.html) to create your first Kubernetes cluster on Azure using Cluster API. Make sure to select the "Azure" tabs.

docs/book/src/topics/identities-use-cases.md

@@ -2,16 +2,25 @@
 
 ## CAPZ controller: 
 This is the identity used by the management cluster to provision infrastructure in Azure
- - Env config
+ - Multi-tenant config 
+   - [AAD Pod Identity](https://azure.github.io/aad-pod-identity/) using Service Principals and Managed Identities: by default, the identity used by the workload cluster running on Azure is the same Service Principal assigned to the management cluster. If an identity is specified on the Azure Cluster Resource, that identity will be used when creating Azure resources related to that cluster. See [Multi-tenancy](multitenancy.md) page for details.
+
+ - Env config (deprecated)
    - Service Principal: A [service principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals) is an identity in AAD which is described by a TenantID, ClientID, and ClientSecret. The set of these three values will enable the holder to exchange the values for a JWT token to communicate with Azure. The values are normally stored in a file or environment variables.
    - Configuration:
       - Scope: Subscription
       - Role: `Contributor` since the controller is responsible for creating resource groups and cluster resources within the group. To create a resource group within a subscription, one must have subscription contributor rights. Note, this role's scope can be reduced to Resource Group Contributor if all resource groups are created prior to cluster creation.
       - If the workload clusters are going to use system-assigned managed identities, then the role here should be `Owner` to be able to create role assignments for system-assigned managed identity.
 More details in [Azure built-in roles documentation](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles).
 
- - Multi-tenant config
-   - [AAD Pod Identity](https://azure.github.io/aad-pod-identity/) using Service Principals and Managed Identities: by default, the identity used by the workload cluster running on Azure is the same Service Principal assigned to the management cluster. If an identity is specified on the Azure Cluster Resource, that identity will be used when creating Azure resources related to that cluster. See [Multi-tenancy](multitenancy.md) page for details.
+<aside class="note warning"> 
+
+<h1> Warning </h1> 
+
+The capability to set credentials using environment variables is now deprecated and will be removed in future releases, the recommended approach is to use `AzureClusterIdentity` as explained [here](multitenancy.md) 
+
+</aside>
+
 
 ## Azure Host Identity:
 The identity assigned to the Azure host which in the control plane provides the identity to Azure Cloud Provider, and can be used on all nodes to provide access to Azure services during cloud-init, etc.

exp/controllers/azuremanagedcontrolplane_controller.go

@@ -18,8 +18,10 @@ package controllers
 
 import (
 	"context"
+	"fmt"
 	"time"
 
+	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/cluster-api/util/patch"
 
 	"github.com/go-logr/logr"
@@ -213,6 +215,12 @@ func (r *AzureManagedControlPlaneReconciler) Reconcile(ctx context.Context, req
 				return reconcile.Result{}, err
 			}
 		}
+	} else {
+		warningMessage := ("You're using deprecated functionality: ")
+		warningMessage += ("Using Azure credentials from the manager environment is deprecated and will be removed in future releases. ")
+		warningMessage += ("Please specify an AzureClusterIdentity for the AzureManagedControlPlane instead, see: https://capz.sigs.k8s.io/topics/multitenancy.html ")
+		log.Info(fmt.Sprintf("WARNING, %s", warningMessage))
+		r.Recorder.Eventf(azureControlPlane, corev1.EventTypeWarning, "AzureClusterIdentity", warningMessage)
 	}
 
 	// Create the scope.