Add support for user-assigned managed identities in AzureMachine

- new allowed value for VMIdentity
- new field in AzureMachine
- validation to ensure list of identities is not empty if type is user assigned
- user assgined identity template flavor

Author: nader-ziada

api/v1alpha2/azuremachine_conversion.go

@@ -39,6 +39,9 @@ func (src *AzureMachine) ConvertTo(dstRaw conversion.Hub) error { // nolint
 	if restored.Spec.Identity != "" {
 		dst.Spec.Identity = restored.Spec.Identity
 	}
+	if len(restored.Spec.UserAssignedIdentities) > 0 {
+		dst.Spec.UserAssignedIdentities = restored.Spec.UserAssignedIdentities
+	}
 
 	dst.Spec.FailureDomain = restored.Spec.FailureDomain
 

api/v1alpha2/azuremachinetemplate_conversion.go

@@ -37,7 +37,9 @@ func (src *AzureMachineTemplate) ConvertTo(dstRaw conversion.Hub) error { // nol
 	if restored.Spec.Template.Spec.Identity != "" {
 		dst.Spec.Template.Spec.Identity = restored.Spec.Template.Spec.Identity
 	}
-
+	if len(restored.Spec.Template.Spec.UserAssignedIdentities) > 0 {
+		dst.Spec.Template.Spec.UserAssignedIdentities = restored.Spec.Template.Spec.UserAssignedIdentities
+	}
 	dst.Spec.Template.Spec.FailureDomain = restored.Spec.Template.Spec.FailureDomain
 
 	return nil

api/v1alpha2/zz_generated.conversion.go

@@ -58,3 +58,22 @@ func createMachineWithSSHPublicKey(t *testing.T, sshPublicKey string) *AzureMach
 		},
 	}
 }
+
+func createMachineWithUserAssignedIdentities(t *testing.T, identitiesList []UserAssignedIdentity) *AzureMachine {
+	return &AzureMachine{
+		Spec: AzureMachineSpec{
+			SSHPublicKey: generateSSHPublicKey(),
+			Image: &Image{
+				SharedGallery: &AzureSharedGalleryImage{
+					SubscriptionID: "SUB123",
+					ResourceGroup:  "RG123",
+					Name:           "NAME123",
+					Gallery:        "GALLERY1",
+					Version:        "1.0.0",
+				},
+			},
+			Identity:               VMIdentityUserAssigned,
+			UserAssignedIdentities: identitiesList,
+		},
+	}
+}

api/v1alpha3/azuremachine_default_test.go

@@ -51,12 +51,20 @@ type AzureMachineSpec struct {
 	Image *Image `json:"image,omitempty"`
 
 	// Identity is the type of identity used for the virtual machine.
-	// The type 'SystemAssigned' is an implicitly created identity
-	// The generated identity will be assigned a Subscription contributor role
+	// The type 'SystemAssigned' is an implicitly created identity.
+	// The generated identity will be assigned a Subscription contributor role.
+	// The type 'UserAssigned' is a standalone Azure resource provided by the user
+	// and assigned to the VM
 	// +kubebuilder:default=None
 	// +optional
 	Identity VMIdentity `json:"identity,omitempty"`
 
+	// UserAssignedIdentities is a list of standalone Azure identities provided by the user
+	// The lifecycle of a user-assigned identity is managed separately from the lifecycle of
+	// the AzureMachine.
+	// +optional
+	UserAssignedIdentities []UserAssignedIdentity `json:"userAssignedIdentities,omitempty"`
+
 	OSDisk OSDisk `json:"osDisk"`
 
 	Location string `json:"location"`

api/v1alpha3/azuremachine_types.go

@@ -40,3 +40,14 @@ func ValidateSSHKey(sshKey string, fldPath *field.Path) field.ErrorList {
 
 	return allErrs
 }
+
+// ValidateUserAssignedIdentity validates the user-assigned identities list
+func ValidateUserAssignedIdentity(identityType VMIdentity, userAssignedIdenteties []UserAssignedIdentity, fldPath *field.Path) field.ErrorList {
+	allErrs := field.ErrorList{}
+
+	if identityType == VMIdentityUserAssigned && len(userAssignedIdenteties) == 0 {
+		allErrs = append(allErrs, field.Required(fldPath, "must be specified for the 'UserAssigned' identity type"))
+	}
+
+	return allErrs
+}

api/v1alpha3/azuremachine_validation.go

@@ -42,33 +42,43 @@ var _ webhook.Validator = &AzureMachine{}
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type
 func (m *AzureMachine) ValidateCreate() error {
 	machinelog.Info("validate create", "name", m.Name)
+	var allErrs field.ErrorList
 
 	if errs := ValidateImage(m.Spec.Image, field.NewPath("image")); len(errs) > 0 {
-		return apierrors.NewInvalid(
-			GroupVersion.WithKind("AzureMachine").GroupKind(),
-			m.Name, errs)
+		allErrs = append(allErrs, errs...)
 	}
 
 	if errs := ValidateSSHKey(m.Spec.SSHPublicKey, field.NewPath("sshPublicKey")); len(errs) > 0 {
-		return apierrors.NewInvalid(
-			GroupVersion.WithKind("AzureMachine").GroupKind(),
-			m.Name, errs)
+		allErrs = append(allErrs, errs...)
 	}
 
-	return nil
+	if errs := ValidateUserAssignedIdentity(m.Spec.Identity, m.Spec.UserAssignedIdentities, field.NewPath("userAssignedIdentities")); len(errs) > 0 {
+		allErrs = append(allErrs, errs...)
+	}
+
+	if len(allErrs) == 0 {
+		return nil
+	}
+	return apierrors.NewInvalid(GroupVersion.WithKind("AzureMachine").GroupKind(), m.Name, allErrs)
 }
 
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
 func (m *AzureMachine) ValidateUpdate(old runtime.Object) error {
 	machinelog.Info("validate update", "name", m.Name)
+	var allErrs field.ErrorList
 
 	if errs := ValidateSSHKey(m.Spec.SSHPublicKey, field.NewPath("sshPublicKey")); len(errs) > 0 {
-		return apierrors.NewInvalid(
-			GroupVersion.WithKind("AzureMachine").GroupKind(),
-			m.Name, errs)
+		allErrs = append(allErrs, errs...)
 	}
 
-	return nil
+	if errs := ValidateUserAssignedIdentity(m.Spec.Identity, m.Spec.UserAssignedIdentities, field.NewPath("userAssignedIdentities")); len(errs) > 0 {
+		allErrs = append(allErrs, errs...)
+	}
+
+	if len(allErrs) == 0 {
+		return nil
+	}
+	return apierrors.NewInvalid(GroupVersion.WithKind("AzureMachine").GroupKind(), m.Name, allErrs)
 }
 
 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type

api/v1alpha3/azuremachine_webhook.go

@@ -77,6 +77,16 @@ func TestAzureMachine_ValidateCreate(t *testing.T) {
 			machine: createMachineWithSSHPublicKey(t, "invalid ssh key"),
 			wantErr: true,
 		},
+		{
+			name:    "azuremachine with list of user-assigned identities",
+			machine: createMachineWithUserAssignedIdentities(t, []UserAssignedIdentity{{ProviderID: "azure:////123"}, {ProviderID: "azure:////456"}}),
+			wantErr: false,
+		},
+		{
+			name:    "azuremachine with empty list of user-assigned identities",
+			machine: createMachineWithUserAssignedIdentities(t, []UserAssignedIdentity{}),
+			wantErr: true,
+		},
 	}
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
@@ -117,6 +127,18 @@ func TestAzureMachine_ValidateUpdate(t *testing.T) {
 			machine:    createMachineWithSSHPublicKey(t, "invalid ssh key"),
 			wantErr:    true,
 		},
+		{
+			name:       "azuremachine with user assigned identities",
+			oldMachine: createMachineWithUserAssignedIdentities(t, []UserAssignedIdentity{{ProviderID: "azure:////123"}}),
+			machine:    createMachineWithUserAssignedIdentities(t, []UserAssignedIdentity{{ProviderID: "azure:////123"}, {ProviderID: "azure:////456"}}),
+			wantErr:    false,
+		},
+		{
+			name:       "azuremachine with empty user assigned identities",
+			oldMachine: createMachineWithUserAssignedIdentities(t, []UserAssignedIdentity{{ProviderID: "azure:////123"}}),
+			machine:    createMachineWithUserAssignedIdentities(t, []UserAssignedIdentity{}),
+			wantErr:    true,
+		},
 	}
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {

api/v1alpha3/azuremachine_webhook_test.go

@@ -278,16 +278,26 @@ type AvailabilityZone struct {
 }
 
 // VMIdentity defines the identity of the virtual machine, if configured.
-// +kubebuilder:validation:Enum=None;SystemAssigned
+// +kubebuilder:validation:Enum=None;SystemAssigned;UserAssigned
 type VMIdentity string
 
 const (
 	// VMIdentityNone ...
 	VMIdentityNone VMIdentity = "None"
 	// VMIdentitySystemAssigned ...
 	VMIdentitySystemAssigned VMIdentity = "SystemAssigned"
+	// VMIdentityUserAssigned ...
+	VMIdentityUserAssigned VMIdentity = "UserAssigned"
 )
 
+// UserAssignedIdentity defines the user-assigned identities provided
+// by the user to be assigned to Azure resources.
+type UserAssignedIdentity struct {
+	// ProviderID is the identification ID of the user-assigned Identity, the format of an identity is:
+	// 'azure:////subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'
+	ProviderID string `json:"providerID"`
+}
+
 // OSDisk defines the operating system disk for a VM.
 type OSDisk struct {
 	OSType      string      `json:"osType"`