Merge pull request #10019 from patrickdillon/OCPBUGS-36360-azure-cert

OCPBUGS-36360: Support certificate authentication with CAPZ

Author: openshift-merge-bot[bot]

pkg/asset/manifests/azure/cluster.go

@@ -275,41 +275,47 @@ func GenerateClusterAssets(installConfig *installconfig.InstallConfig, clusterID
 		File:   asset.File{Filename: "02_azure-cluster.yaml"},
 	})
 
-	azureClientSecret := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      clusterID.InfraID + "-azure-client-secret",
-			Namespace: capiutils.Namespace,
-		},
-		StringData: map[string]string{
-			"clientSecret": session.Credentials.ClientSecret,
-		},
-	}
-	azureClientSecret.SetGroupVersionKind(corev1.SchemeGroupVersion.WithKind("Secret"))
-	manifests = append(manifests, &asset.RuntimeFile{
-		Object: azureClientSecret,
-		File:   asset.File{Filename: "01_azure-client-secret.yaml"},
-	})
-
 	id := &capz.AzureClusterIdentity{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      clusterID.InfraID,
 			Namespace: capiutils.Namespace,
 		},
 		Spec: capz.AzureClusterIdentitySpec{
-			Type:              capz.ServicePrincipal,
 			AllowedNamespaces: &capz.AllowedNamespaces{}, // Allow all namespaces.
 			ClientID:          session.Credentials.ClientID,
-			ClientSecret: corev1.SecretReference{
-				Name:      azureClientSecret.Name,
-				Namespace: azureClientSecret.Namespace,
-			},
-			TenantID: session.Credentials.TenantID,
+			TenantID:          session.Credentials.TenantID,
 		},
 	}
-	if session.AuthType == azic.ManagedIdentityAuth {
+
+	switch session.AuthType {
+	case azic.ManagedIdentityAuth:
 		id.Spec.Type = capz.UserAssignedMSI
-		id.Spec.ClientSecret = corev1.SecretReference{}
+	case azic.ClientSecretAuth:
+		id.Spec.Type = capz.ServicePrincipal
+		azureClientSecret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      clusterID.InfraID + "-azure-client-secret",
+				Namespace: capiutils.Namespace,
+			},
+			StringData: map[string]string{
+				"clientSecret": session.Credentials.ClientSecret,
+			},
+		}
+		azureClientSecret.SetGroupVersionKind(corev1.SchemeGroupVersion.WithKind("Secret"))
+		manifests = append(manifests, &asset.RuntimeFile{
+			Object: azureClientSecret,
+			File:   asset.File{Filename: "01_azure-client-secret.yaml"},
+		})
+
+		id.Spec.ClientSecret = corev1.SecretReference{
+			Name:      azureClientSecret.Name,
+			Namespace: azureClientSecret.Namespace,
+		}
+	case azic.ClientCertificateAuth:
+		id.Spec.Type = capz.ServicePrincipalCertificate
+		id.Spec.CertPath = session.Credentials.ClientCertificatePath
 	}
+
 	id.SetGroupVersionKind(capz.GroupVersion.WithKind("AzureClusterIdentity"))
 	manifests = append(manifests, &asset.RuntimeFile{
 		Object: id,

pkg/clusterapi/system.go

@@ -3,7 +3,9 @@ package clusterapi
 import (
 	"bytes"
 	"context"
+	"crypto/x509"
 	"encoding/json"
+	"encoding/pem"
 	"fmt"
 	"io"
 	"net"
@@ -15,6 +17,7 @@ import (
 	"text/template"
 	"time"
 
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -231,6 +234,28 @@ func (c *system) Run(ctx context.Context) error { //nolint:gocyclo
 			}
 		}
 
+		// ASO expects the contents of the cert--not the path--in the env var.
+		// Since .pfx is a binary format, we need to parse it and convert to PEM format.
+		var certPEM string
+		if session.AuthType == azic.ClientCertificateAuth {
+			certPath := session.Credentials.ClientCertificatePath
+			certData, err := os.ReadFile(certPath)
+			if err != nil {
+				return fmt.Errorf("unable to read client certificate contents from %s: %w", certPath, err)
+			}
+
+			// Parse the .pfx file to get certificates and private key
+			certs, key, err := azidentity.ParseCertificates(certData, []byte(session.Credentials.ClientCertificatePassword))
+			if err != nil {
+				return fmt.Errorf("failed to parse client certificate: %w", err)
+			}
+
+			// Convert certificates and key to PEM format
+			certPEM, err = certificatesToPEM(certs, key)
+			if err != nil {
+				return fmt.Errorf("failed to convert certificate to PEM: %w", err)
+			}
+		}
 		controllers = append(controllers,
 			c.getInfrastructureController(
 				&azProvider,
@@ -259,7 +284,7 @@ func (c *system) Run(ctx context.Context) error { //nolint:gocyclo
 					"POD_NAMESPACE":                     "capz-system",
 					"AZURE_CLIENT_ID":                   session.Credentials.ClientID,
 					"AZURE_CLIENT_SECRET":               session.Credentials.ClientSecret,
-					"AZURE_CLIENT_CERTIFICATE":          session.Credentials.ClientCertificatePath,
+					"AZURE_CLIENT_CERTIFICATE":          certPEM,
 					"AZURE_CLIENT_CERTIFICATE_PASSWORD": session.Credentials.ClientCertificatePassword,
 					"AZURE_TENANT_ID":                   session.Credentials.TenantID,
 					"AZURE_SUBSCRIPTION_ID":             session.Credentials.SubscriptionID,
@@ -685,3 +710,34 @@ func (c *system) runController(ctx context.Context, ct *controller) error {
 	ct.state = pr
 	return nil
 }
+
+// certificatesToPEM converts x509 certificates and a private key to PEM format.
+// The output is a concatenated string of PEM-encoded certificates followed by the PEM-encoded private key.
+func certificatesToPEM(certs []*x509.Certificate, key any) (string, error) {
+	var pemData strings.Builder
+
+	// Encode each certificate
+	for _, cert := range certs {
+		if err := pem.Encode(&pemData, &pem.Block{
+			Type:  "CERTIFICATE",
+			Bytes: cert.Raw,
+		}); err != nil {
+			return "", fmt.Errorf("failed to encode certificate: %w", err)
+		}
+	}
+
+	// Encode the private key
+	keyBytes, err := x509.MarshalPKCS8PrivateKey(key)
+	if err != nil {
+		return "", fmt.Errorf("failed to marshal private key: %w", err)
+	}
+
+	if err := pem.Encode(&pemData, &pem.Block{
+		Type:  "PRIVATE KEY",
+		Bytes: keyBytes,
+	}); err != nil {
+		return "", fmt.Errorf("failed to encode private key: %w", err)
+	}
+
+	return pemData.String(), nil
+}