Azure · comtalyst · Sep 27, 2024 · May 22, 2024 · May 22, 2024 · May 22, 2024
diff --git a/go.mod b/go.mod
@@ -13,7 +13,6 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v1.1.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.9.0
 	github.com/Azure/go-autorest/autorest v0.11.29
-	github.com/Azure/go-autorest/autorest/adal v0.9.24
 	github.com/Azure/go-autorest/autorest/to v0.4.0
 	github.com/Azure/skewer v0.0.19
 	github.com/Pallinder/go-randomdata v1.2.0
@@ -33,7 +32,6 @@ require (
 	github.com/stretchr/testify v1.9.0
 	go.uber.org/multierr v1.11.0
 	go.uber.org/zap v1.27.0
-	golang.org/x/crypto v0.27.0
 	k8s.io/api v0.29.3
 	k8s.io/apiextensions-apiserver v0.29.3
 	k8s.io/apimachinery v0.29.3
@@ -60,6 +58,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.5.0 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.24 // indirect
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/autorest/mocks v0.4.2 // indirect
 	github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect
@@ -128,13 +127,14 @@ require (
 	go.opentelemetry.io/otel/trace v1.21.0 // indirect
 	go.uber.org/automaxprocs v1.5.3 // indirect
 	go.uber.org/mock v0.4.0 // indirect
+	golang.org/x/crypto v0.26.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/net v0.28.0 // indirect
 	golang.org/x/oauth2 v0.21.0 // indirect
 	golang.org/x/sync v0.8.0 // indirect
-	golang.org/x/sys v0.25.0 // indirect
-	golang.org/x/term v0.24.0 // indirect
-	golang.org/x/text v0.18.0 // indirect
+	golang.org/x/sys v0.24.0 // indirect
+	golang.org/x/term v0.23.0 // indirect
+	golang.org/x/text v0.17.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
 	golang.org/x/tools v0.24.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect

diff --git a/go.sum b/go.sum
@@ -475,8 +475,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
-golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=
-golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
+golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw=
+golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -624,15 +624,15 @@ golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
-golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg=
+golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
-golang.org/x/term v0.24.0 h1:Mh5cbb+Zk2hqqXNO7S1iTjEphVL+jb8ZWaqh/g+JWkM=
-golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8=
+golang.org/x/term v0.23.0 h1:F6D4vR+EHoL9/sWAWgAR1H2DcHr4PareCbAaCo1RpuU=
+golang.org/x/term v0.23.0/go.mod h1:DgV24QBUrK6jhZXl+20l6UWznPlwAHm1Q1mGHtydmSk=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -643,8 +643,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=
-golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc=
+golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=

diff --git a/karpenter-values-template.yaml b/karpenter-values-template.yaml
@@ -34,12 +34,7 @@ controller:
       value: ${AZURE_SUBSCRIPTION_ID}
     - name: LOCATION
       value: ${AZURE_LOCATION}
-    # settings for managed workload identity
-    - name: ARM_USE_CREDENTIAL_FROM_ENVIRONMENT
-      value: "true"
-    - name: ARM_USE_MANAGED_IDENTITY_EXTENSION
-      value: "false"
-    - name: ARM_USER_ASSIGNED_IDENTITY_ID
+    - name: KUBELET_IDENTITY_CLIENT_ID
       value: ""
     - name: AZURE_NODE_RESOURCE_GROUP
       value: ${AZURE_RESOURCE_GROUP_MC}

diff --git a/pkg/auth/autorest_auth.go b/pkg/auth/autorest_auth.go
diff --git a/pkg/auth/config.go b/pkg/auth/config.go
@@ -19,24 +19,12 @@ package auth
 import (
 	"fmt"
 	"os"
-	"strconv"
 	"strings"
 
 	"github.com/Azure/go-autorest/autorest"
 	"github.com/Azure/go-autorest/autorest/azure"
 )
 
-const (
-	// auth methods
-	authMethodPrincipal = "principal"
-	authMethodCLI       = "cli"
-)
-
-const (
-	// from azure_manager
-	vmTypeVMSS = "vmss"
-)
-
 type cfgField struct {
 	val  string
 	name string
@@ -59,99 +47,29 @@ type Config struct {
 	TenantID       string `json:"tenantId" yaml:"tenantId"`
 	SubscriptionID string `json:"subscriptionId" yaml:"subscriptionId"`
 	ResourceGroup  string `json:"resourceGroup" yaml:"resourceGroup"`
-	VMType         string `json:"vmType" yaml:"vmType"`
-
-	// AuthMethod determines how to authorize requests for the Azure
-	// cloud. Valid options are "principal" (= the traditional
-	// service principle approach) and "cli" (= load az command line
-	// config file). The default is "principal".
-	AuthMethod string `json:"authMethod" yaml:"authMethod"`
-
-	// Settings for a service principal.
-	AADClientID                  string `json:"aadClientId" yaml:"aadClientId"`
-	AADClientSecret              string `json:"aadClientSecret" yaml:"aadClientSecret"`
-	AADClientCertPath            string `json:"aadClientCertPath" yaml:"aadClientCertPath"`
-	AADClientCertPassword        string `json:"aadClientCertPassword" yaml:"aadClientCertPassword"`
-	UseCredentialFromEnvironment bool   `json:"useCredentialFromEnvironment" yaml:"useCredentialFromEnvironment"`
-	UseManagedIdentityExtension  bool   `json:"useManagedIdentityExtension" yaml:"useManagedIdentityExtension"`
-	UserAssignedIdentityID       string `json:"userAssignedIdentityID" yaml:"userAssignedIdentityID"`
-
-	//Configs only for AKS
-	ClusterName string `json:"clusterName" yaml:"clusterName"`
-	//Config only for AKS
-	NodeResourceGroup string `json:"nodeResourceGroup" yaml:"nodeResourceGroup"`
-}
-
-func (cfg *Config) PrepareConfig() error {
-	cfg.BaseVars()
-	err := cfg.prepareID()
-	if err != nil {
-		return err
-	}
-	return nil
-}
 
-func (cfg *Config) BaseVars() {
-	cfg.Cloud = os.Getenv("ARM_CLOUD")
-	cfg.Location = os.Getenv("LOCATION")
-	cfg.ResourceGroup = os.Getenv("ARM_RESOURCE_GROUP")
-	cfg.TenantID = os.Getenv("ARM_TENANT_ID")
-	cfg.SubscriptionID = os.Getenv("ARM_SUBSCRIPTION_ID")
-	cfg.AADClientID = os.Getenv("ARM_CLIENT_ID")
-	cfg.AADClientSecret = os.Getenv("ARM_CLIENT_SECRET")
-	cfg.VMType = strings.ToLower(os.Getenv("ARM_VM_TYPE"))
-	cfg.AADClientCertPath = os.Getenv("ARM_CLIENT_CERT_PATH")
-	cfg.AADClientCertPassword = os.Getenv("ARM_CLIENT_CERT_PASSWORD")
-	cfg.ClusterName = os.Getenv("AZURE_CLUSTER_NAME")
-	cfg.NodeResourceGroup = os.Getenv("AZURE_NODE_RESOURCE_GROUP")
-}
+	// Managed identity for Kubelet (not to be confused with Azure cloud authorization)
+	KubeletIdentityClientID string `json:"kubeletIdentityClientID" yaml:"kubeletIdentityClientID"`
 
-func (cfg *Config) prepareID() error {
-	useCredentialFromEnvironmentFromEnv := os.Getenv("ARM_USE_CREDENTIAL_FROM_ENVIRONMENT")
-	if len(useCredentialFromEnvironmentFromEnv) > 0 {
-		shouldUse, err := strconv.ParseBool(useCredentialFromEnvironmentFromEnv)
-		if err != nil {
-			return err
-		}
-		cfg.UseCredentialFromEnvironment = shouldUse
-	}
-	useManagedIdentityExtensionFromEnv := os.Getenv("ARM_USE_MANAGED_IDENTITY_EXTENSION")
-	if len(useManagedIdentityExtensionFromEnv) > 0 {
-		shouldUse, err := strconv.ParseBool(useManagedIdentityExtensionFromEnv)
-		if err != nil {
-			return err
-		}
-		cfg.UseManagedIdentityExtension = shouldUse
-	}
-	userAssignedIdentityIDFromEnv := os.Getenv("ARM_USER_ASSIGNED_IDENTITY_ID")
-	if userAssignedIdentityIDFromEnv != "" {
-		cfg.UserAssignedIdentityID = userAssignedIdentityIDFromEnv
-	}
-	return nil
+	// Configs only for AKS
+	NodeResourceGroup string `json:"nodeResourceGroup" yaml:"nodeResourceGroup"`
 }
 
 // BuildAzureConfig returns a Config object for the Azure clients
 func BuildAzureConfig() (*Config, error) {
-	var err error
 	cfg := &Config{}
-	err = cfg.PrepareConfig()
-	if err != nil {
+
+	if err := cfg.Build(); err != nil {
 		return nil, err
 	}
-	cfg.TrimSpace()
-	setVMType(cfg)
-
-	if err := cfg.validate(); err != nil {
+	if err := cfg.Default(); err != nil {
 		return nil, err
 	}
-	return cfg, nil
-}
-
-func setVMType(cfg *Config) {
-	// Defaulting vmType to vmss.
-	if cfg.VMType == "" {
-		cfg.VMType = vmTypeVMSS
+	if err := cfg.Validate(); err != nil {
+		return nil, err
 	}
+
+	return cfg, nil
 }
 
 func (cfg *Config) GetAzureClientConfig(authorizer autorest.Authorizer, env *azure.Environment) *ClientConfig {
@@ -165,27 +83,29 @@ func (cfg *Config) GetAzureClientConfig(authorizer autorest.Authorizer, env *azu
 	return azClientConfig
 }
 
-// TrimSpace removes all leading and trailing white spaces.
-func (cfg *Config) TrimSpace() {
-	cfg.Cloud = strings.TrimSpace(cfg.Cloud)
-	cfg.TenantID = strings.TrimSpace(cfg.TenantID)
-	cfg.SubscriptionID = strings.TrimSpace(cfg.SubscriptionID)
-	cfg.ResourceGroup = strings.TrimSpace(cfg.ResourceGroup)
-	cfg.VMType = strings.TrimSpace(cfg.VMType)
-	cfg.AADClientID = strings.TrimSpace(cfg.AADClientID)
-	cfg.AADClientSecret = strings.TrimSpace(cfg.AADClientSecret)
-	cfg.AADClientCertPath = strings.TrimSpace(cfg.AADClientCertPath)
-	cfg.AADClientCertPassword = strings.TrimSpace(cfg.AADClientCertPassword)
-	cfg.ClusterName = strings.TrimSpace(cfg.ClusterName)
-	cfg.NodeResourceGroup = strings.TrimSpace(cfg.NodeResourceGroup)
+func (cfg *Config) Build() error {
+	// May require more than this behind the scenes: https://github.com/Azure/azure-sdk-for-go/blob/main/sdk/azidentity/README.md#defaultazurecredential
+	cfg.Cloud = strings.TrimSpace(os.Getenv("ARM_CLOUD"))
+	cfg.Location = strings.TrimSpace(os.Getenv("LOCATION"))
+	cfg.ResourceGroup = strings.TrimSpace(os.Getenv("ARM_RESOURCE_GROUP"))
+	cfg.TenantID = strings.TrimSpace(os.Getenv("ARM_TENANT_ID"))
+	cfg.SubscriptionID = strings.TrimSpace(os.Getenv("ARM_SUBSCRIPTION_ID"))
+	cfg.NodeResourceGroup = strings.TrimSpace(os.Getenv("AZURE_NODE_RESOURCE_GROUP"))
+	cfg.KubeletIdentityClientID = strings.TrimSpace(os.Getenv("KUBELET_IDENTITY_CLIENT_ID"))
+
+	return nil
+}
+
+func (cfg *Config) Default() error {
+	// Nothing to default, for now.
+	return nil
 }
 
-func (cfg *Config) validate() error {
+func (cfg *Config) Validate() error {
 	// Setup fields and validate all of them are not empty
 	fields := []cfgField{
 		{cfg.SubscriptionID, "subscription ID"},
 		{cfg.NodeResourceGroup, "node resource group"},
-		{cfg.VMType, "VM type"},
 		// Even though the config doesnt use some of these,
 		// its good to validate they were set in the environment
 	}
@@ -196,13 +116,5 @@ func (cfg *Config) validate() error {
 		}
 	}
 
-	if cfg.UseManagedIdentityExtension {
-		return nil
-	}
-
-	if cfg.AuthMethod != "" && cfg.AuthMethod != authMethodPrincipal && cfg.AuthMethod != authMethodCLI {
-		return fmt.Errorf("unsupported authorization method: %s", cfg.AuthMethod)
-	}
-
 	return nil
 }