cluster-api-provider-azure
Add the ability to auth via certs without storing them in etcd secret
What type of PR is this? /kind feature
What this PR does / why we need it: Allows Service Principal with Certificate authentication to work with a path to the certificate rather than reading it from a k8s secret. This allows one to use the Secret Store CSI driver to mount a certificate from Azure Key Vault into a volume and pass that path to AzureClusterIdentity.
Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #5198
Special notes for your reviewer:
- [ ] cherry-pick candidate
TODOs:
- [ ] squashed commits
- [x] includes documentation
- [ ] adds unit tests
Release note:
Allows Service Principal with Certificate authentication to work with a path to the certificate.
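An added illustration of the flow the PR description outlines (not part of the PR or the project's documentation): the Secrets Store CSI driver mounts a Key Vault certificate as a file, and AzureClusterIdentity points at that path. The `certPath` field name, the resource names, the mount path and the driver's workload-identity auth mode are assumptions; values in angle brackets are placeholders.

```yaml
# 1) Secrets Store CSI driver: expose the Key Vault certificate as a file.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: capz-sp-cert            # hypothetical name
  namespace: capz-system        # assumed namespace of the controller pod
spec:
  provider: azure
  parameters:
    keyvaultName: "<key-vault-name>"
    tenantId: "<azure-tenant-id>"
    clientID: "<workload-identity-client-id>"  # how the driver itself authenticates (assumed mode)
    objects: |
      array:
        - |
          objectName: <certificate-name>
          objectType: secret    # "secret" yields private key + certificate; "cert" yields no key
          objectAlias: sp.pem   # file name inside the mount
---
# 2) Pod template fragment for the controller that reads the identity (assumed names).
spec:
  template:
    spec:
      containers:
        - name: manager
          volumeMounts:
            - name: sp-cert
              mountPath: /mnt/certs
      volumes:
        - name: sp-cert
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: capz-sp-cert
---
# 3) Identity pointing at the mounted file; no clientSecret reference is set.
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureClusterIdentity
metadata:
  name: example-identity
  namespace: default
spec:
  type: ServicePrincipalCertificate
  tenantID: "<azure-tenant-id>"
  clientID: "<service-principal-client-id>"
  certPath: /mnt/certs/sp.pem   # assumed field name for the path added by this PR
  allowedNamespaces:
    list: ["default"]
```

With this layout the private key exists only in the mounted volume, so access to it is governed by who can run or exec into that pod rather than by read access to Secrets in etcd.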
Hi @bryan-cox. Thanks for your PR.
I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.
Once the patch is verified, the new status will be reflected by the ok-to-test label.
I understand the commands that are listed here.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
/ok-to-test
@bryan-cox: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.
In response to this:
/ok-to-test
/ok-to-test
cc @jackfrancis @mboersma
Codecov Report
Attention: Patch coverage is 52.63158% with 18 lines in your changes missing coverage. Please review.
Project coverage is 53.01%. Comparing base (9ba44ee) to head (a32c54f). Report is 36 commits behind head on main.
| Files with missing lines | Patch % | Lines |
|---|---|---|
| azure/scope/identity.go | 35.71% | 8 Missing and 1 partial :warning: |
| controllers/asosecret_controller.go | 62.50% | 7 Missing and 2 partials :warning: |
Additional details and impacted files
```diff
@@            Coverage Diff             @@
##             main    #5200      +/-   ##
==========================================
+ Coverage   52.66%   53.01%   +0.35%
==========================================
  Files         273      273
  Lines       29189    29243      +54
==========================================
+ Hits        15371    15504     +133
+ Misses      13029    12936      -93
- Partials      789      803      +14
```
/retest
/test pull-cluster-api-provider-azure-e2e-aks
LGTM label has been added.
Unknown CLA label state. Rechecking for CLA labels.
Send feedback to sig-contributor-experience at kubernetes/community.
/check-cla /easycla
LGTM label has been added.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: mboersma
The full list of commands accepted by this bot can be found here.
The pull request process is described here
- ~~OWNERS~~ [mboersma]
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
@bryan-cox: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:
| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| pull-cluster-api-provider-azure-e2e-aks | a32c54f19311ece5c110dc712d2ed2f16e1a7080 | link | unknown | /test pull-cluster-api-provider-azure-e2e-aks |
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.
/retest
/cherry-pick release-1.17
@enxebre: new pull request created: #5234
In response to this:
/cherry-pick release-1.17