Merge pull request #1186 from bryan-cox/CNTRLPLANE-112

CNTRLPLANE-112: Remove ARO HCP MIv2 Authentication

Author: openshift-merge-bot[bot]

go.mod

@@ -23,7 +23,6 @@ require (
 	github.com/IBM/platform-services-go-sdk v0.55.0
 	github.com/aws/aws-sdk-go v1.50.35
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
-	github.com/fsnotify/fsnotify v1.8.0
 	github.com/ghodss/yaml v1.0.0
 	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/google/go-cmp v0.6.0
@@ -82,6 +81,7 @@ require (
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/felixge/fgprof v0.9.4 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fsnotify/fsnotify v1.8.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect

pkg/filewatcher/filewatcher.go

@@ -39,7 +39,6 @@ import (
 	regopclient "github.com/openshift/cluster-image-registry-operator/pkg/client"
 	"github.com/openshift/cluster-image-registry-operator/pkg/defaults"
 	"github.com/openshift/cluster-image-registry-operator/pkg/envvar"
-	"github.com/openshift/cluster-image-registry-operator/pkg/filewatcher"
 	"github.com/openshift/cluster-image-registry-operator/pkg/storage/azure/azureclient"
 	"github.com/openshift/cluster-image-registry-operator/pkg/storage/util"
 )
@@ -372,7 +371,6 @@ func (d *driver) storageAccountsClient(cfg *Azure, environment autorestazure.Env
 		cred azcore.TokenCredential
 		err  error
 	)
-	managedIdentityClientID := os.Getenv("ARO_HCP_MI_CLIENT_ID")
 	userAssignedIdentityCredentialsFilePath := os.Getenv("MANAGED_AZURE_HCP_CREDENTIALS_FILE_PATH")
 	if userAssignedIdentityCredentialsFilePath != "" {
 		// UserAssignedIdentityCredentials for managed Azure HCP
@@ -384,39 +382,6 @@ func (d *driver) storageAccountsClient(cfg *Azure, environment autorestazure.Env
 		if err != nil {
 			return storage.AccountsClient{}, err
 		}
-	} else if managedIdentityClientID != "" {
-		// Managed Identity Override for ARO HCP
-		klog.V(2).Info("Using client certification Azure authentication for ARO HCP")
-		options := &azidentity.ClientCertificateCredentialOptions{
-			ClientOptions: azcore.ClientOptions{
-				Cloud: cloudConfig,
-			},
-			SendCertificateChain: true,
-		}
-
-		tenantID := os.Getenv("ARO_HCP_TENANT_ID")
-		certPath := os.Getenv("ARO_HCP_CLIENT_CERTIFICATE_PATH")
-
-		certData, err := os.ReadFile(certPath)
-		if err != nil {
-			return storage.AccountsClient{}, fmt.Errorf(`failed to read certificate file "%s": %v`, certPath, err)
-		}
-
-		certs, key, err := azidentity.ParseCertificates(certData, []byte{})
-		if err != nil {
-			return storage.AccountsClient{}, fmt.Errorf(`failed to parse certificate data "%s": %v`, certPath, err)
-		}
-
-		// Watch the certificate for changes; if the certificate changes, the pod will be restarted
-		err = filewatcher.WatchFileForChanges(certPath)
-		if err != nil {
-			return storage.AccountsClient{}, err
-		}
-
-		cred, err = azidentity.NewClientCertificateCredential(tenantID, managedIdentityClientID, certs, key, options)
-		if err != nil {
-			return storage.AccountsClient{}, err
-		}
 	} else if strings.TrimSpace(cfg.ClientSecret) == "" {
 		options := azidentity.WorkloadIdentityCredentialOptions{
 			ClientOptions: azcore.ClientOptions{

pkg/storage/azure/azure.go

@@ -22,7 +22,6 @@ import (
 	autorestazure "github.com/Azure/go-autorest/autorest/azure"
 	"github.com/Azure/go-autorest/autorest/to"
 	"github.com/Azure/msi-dataplane/pkg/dataplane"
-	"github.com/openshift/cluster-image-registry-operator/pkg/filewatcher"
 	"k8s.io/klog/v2"
 )
 
@@ -104,7 +103,6 @@ func (c *Client) getCreds(ctx context.Context) (azcore.TokenCredential, error) {
 		err   error
 		creds azcore.TokenCredential
 	)
-	managedIdentityClientID := os.Getenv("ARO_HCP_MI_CLIENT_ID")
 	userAssignedIdentityCredentialsFilePath := os.Getenv("MANAGED_AZURE_HCP_CREDENTIALS_FILE_PATH")
 	if userAssignedIdentityCredentialsFilePath != "" {
 		// UserAssignedIdentityCredentials for managed Azure HCP
@@ -116,39 +114,6 @@ func (c *Client) getCreds(ctx context.Context) (azcore.TokenCredential, error) {
 		if err != nil {
 			return nil, err
 		}
-	} else if managedIdentityClientID != "" {
-		// Managed Identity Override for ARO HCP
-		klog.V(2).Info("Using client certification Azure authentication for ARO HCP")
-		options := &azidentity.ClientCertificateCredentialOptions{
-			ClientOptions: azcore.ClientOptions{
-				Cloud: c.clientOpts.Cloud,
-			},
-			SendCertificateChain: true,
-		}
-
-		tenantID := os.Getenv("ARO_HCP_TENANT_ID")
-		certPath := os.Getenv("ARO_HCP_CLIENT_CERTIFICATE_PATH")
-
-		certData, err := os.ReadFile(certPath)
-		if err != nil {
-			return nil, fmt.Errorf(`failed to read certificate file "%s": %v`, certPath, err)
-		}
-
-		certs, key, err := azidentity.ParseCertificates(certData, []byte{})
-		if err != nil {
-			return nil, fmt.Errorf(`failed to parse certificate data "%s": %v`, certPath, err)
-		}
-
-		// Watch the certificate for changes; if the certificate changes, the pod will be restarted
-		err = filewatcher.WatchFileForChanges(certPath)
-		if err != nil {
-			return nil, err
-		}
-
-		creds, err = azidentity.NewClientCertificateCredential(tenantID, managedIdentityClientID, certs, key, options)
-		if err != nil {
-			return nil, err
-		}
 	} else if strings.TrimSpace(c.opts.ClientSecret) == "" {
 		options := azidentity.WorkloadIdentityCredentialOptions{
 			ClientOptions: *c.clientOpts,