Add new authentication type for managed Azure HCP

This commit adds a new authentication type for managed Azure HCP called UserAssignedIdentityCredentials. This new authentication type replaces the previous authentication method for managed Azure HCP. Signed-off-by: Bryan Cox <[email protected]>
openshift · Feb 17, 2025 · c6ed87f · c6ed87f
1 parent d6c6f6c
commit c6ed87f
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 5 deletions.
diff --git a/pkg/storage/azure/azure.go b/pkg/storage/azure/azure.go
@@ -22,6 +22,7 @@ import (
 	"github.com/Azure/go-autorest/autorest"
 	autorestazure "github.com/Azure/go-autorest/autorest/azure"
 	"github.com/Azure/go-autorest/autorest/to"
+	"github.com/Azure/msi-dataplane/pkg/dataplane"
 	"github.com/jongio/azidext/go/azidext"
 
 	corev1 "k8s.io/api/core/v1"
@@ -371,9 +372,19 @@ func (d *driver) storageAccountsClient(cfg *Azure, environment autorestazure.Env
 		cred azcore.TokenCredential
 		err  error
 	)
-	// Managed Identity Override for ARO HCP
 	managedIdentityClientID := os.Getenv("ARO_HCP_MI_CLIENT_ID")
-	if managedIdentityClientID != "" {
+	userAssignedIdentityCredentialsFilePath := os.Getenv("MANAGED_AZURE_HCP_CREDENTIALS_FILE_PATH")
+	if userAssignedIdentityCredentialsFilePath != "" {
+		// UserAssignedIdentityCredentials for managed Azure HCP
+		clientOptions := azcore.ClientOptions{
+			Cloud: cloudConfig,
+		}
+		cred, err = dataplane.NewUserAssignedIdentityCredential(context.Background(), userAssignedIdentityCredentialsFilePath, dataplane.WithClientOpts(clientOptions))
+		if err != nil {
+			return storage.AccountsClient{}, err
+		}
+	} else if managedIdentityClientID != "" {
+		// Managed Identity Override for ARO HCP
 		klog.V(2).Info("Using client certification Azure authentication for ARO HCP")
 		options := &azidentity.ClientCertificateCredentialOptions{
 			ClientOptions: azcore.ClientOptions{

diff --git a/pkg/storage/azure/azureclient/azureclient.go b/pkg/storage/azure/azureclient/azureclient.go
@@ -21,6 +21,7 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/container"
 	autorestazure "github.com/Azure/go-autorest/autorest/azure"
 	"github.com/Azure/go-autorest/autorest/to"
+	"github.com/Azure/msi-dataplane/pkg/dataplane"
 	"github.com/openshift/cluster-image-registry-operator/pkg/filewatcher"
 	"k8s.io/klog/v2"
 )
@@ -103,10 +104,19 @@ func (c *Client) getCreds(ctx context.Context) (azcore.TokenCredential, error) {
 		err   error
 		creds azcore.TokenCredential
 	)
-
-	// Managed Identity Override for ARO HCP
 	managedIdentityClientID := os.Getenv("ARO_HCP_MI_CLIENT_ID")
-	if managedIdentityClientID != "" {
+	userAssignedIdentityCredentialsFilePath := os.Getenv("MANAGED_AZURE_HCP_CREDENTIALS_FILE_PATH")
+	if userAssignedIdentityCredentialsFilePath != "" {
+		// UserAssignedIdentityCredentials for managed Azure HCP
+		clientOptions := azcore.ClientOptions{
+			Cloud: c.clientOpts.Cloud,
+		}
+		creds, err = dataplane.NewUserAssignedIdentityCredential(ctx, userAssignedIdentityCredentialsFilePath, dataplane.WithClientOpts(clientOptions))
+		if err != nil {
+			return nil, err
+		}
+	} else if managedIdentityClientID != "" {
+		// Managed Identity Override for ARO HCP
 		klog.V(2).Info("Using client certification Azure authentication for ARO HCP")
 		options := &azidentity.ClientCertificateCredentialOptions{
 			ClientOptions: azcore.ClientOptions{