Merge pull request #205 from erhancagirici/azure-kubelogin-support

azure AD identity support for AzureAD-enabled AKS clusters

.github/workflows/ci.yml

@@ -10,8 +10,8 @@ on:
 
 env:
   # Common versions
-  GO_VERSION: '1.19.5'
-  GOLANGCI_VERSION: 'v1.50.1'
+  GO_VERSION: '1.20.12'
+  GOLANGCI_VERSION: 'v1.55.2'
   DOCKER_BUILDX_VERSION: 'v0.8.2'
 
   # Common users. We can't run a step 'if secrets.AWS_USR != ""' but we can run

Makefile

@@ -26,13 +26,14 @@ GO_STATIC_PACKAGES = $(GO_PROJECT)/cmd/provider
 GO_LDFLAGS += -X $(GO_PROJECT)/pkg/version.Version=$(VERSION)
 GO_SUBDIRS += cmd pkg apis
 GO111MODULE = on
+GOLANGCILINT_VERSION = 1.55.2
 
 -include build/makelib/golang.mk
 
 # ====================================================================================
 # Setup Kubernetes tools
 
-UP_VERSION = v0.13.0
+UP_VERSION = v0.21.0
 UP_CHANNEL = stable
 KIND_NODE_IMAGE_TAG ?= v1.24.0
 USE_HELM3 = true

apis/v1beta1/types.go

@@ -50,12 +50,14 @@ type IdentityType string
 // Supported identity types.
 const (
 	IdentityTypeGoogleApplicationCredentials = "GoogleApplicationCredentials"
+
+	IdentityTypeAzureServicePrincipalCredentials = "AzureServicePrincipalCredentials"
 )
 
 // Identity used to authenticate.
 type Identity struct {
 	// Type of identity.
-	// +kubebuilder:validation:Enum=GoogleApplicationCredentials
+	// +kubebuilder:validation:Enum=GoogleApplicationCredentials;AzureServicePrincipalCredentials
 	Type IdentityType `json:"type"`
 
 	ProviderCredentials `json:",inline"`

cmd/provider/main.go

@@ -17,10 +17,13 @@ limitations under the License.
 package main
 
 import (
+	"io"
 	"os"
 	"path/filepath"
 	"time"
 
+	"sigs.k8s.io/controller-runtime/pkg/cache"
+
 	"github.com/crossplane/crossplane-runtime/pkg/controller"
 	"github.com/crossplane/crossplane-runtime/pkg/feature"
 	"github.com/crossplane/crossplane-runtime/pkg/ratelimiter"
@@ -56,6 +59,8 @@ func main() {
 
 	zl := zap.New(zap.UseDevMode(*debug), UseISO8601())
 	log := logging.NewLogrLogger(zl.WithName("provider-helm"))
+	// explicitly  provide a no-op logger by default, otherwise controller-runtime gives a warning
+	ctrl.SetLogger(zap.New(zap.WriteTo(io.Discard)))
 	if *debug {
 		// The controller-runtime runs with a no-op logger by default. It is
 		// *very* verbose even at info level, so we only provide it a real
@@ -67,7 +72,9 @@ func main() {
 	kingpin.FatalIfError(err, "Cannot get API server rest config")
 
 	mgr, err := ctrl.NewManager(ratelimiter.LimitRESTConfig(cfg, *maxReconcileRate), ctrl.Options{
-		SyncPeriod: syncInterval,
+		Cache: cache.Options{
+			SyncPeriod: syncInterval,
+		},
 
 		// controller-runtime uses both ConfigMaps and Leases for leader
 		// election by default. Leases expire after 15 seconds, with a

examples/provider-config/provider-config-with-secret-azure-identity.yaml

@@ -0,0 +1,18 @@
+apiVersion: helm.crossplane.io/v1beta1
+kind: ProviderConfig
+metadata:
+  name: helm-provider
+spec:
+  credentials:
+    source: Secret
+    secretRef:
+      name: cluster-config
+      namespace: crossplane-system
+      key: kubeconfig
+  identity:
+    type: AzureServicePrincipalCredentials
+    source: Secret
+    secretRef:
+      name: azure-credentials
+      namespace: crossplane-system
+      key: credentials.json

examples/provider-config/provider-config-with-secret-google-identity.yaml

@@ -0,0 +1,18 @@
+apiVersion: helm.crossplane.io/v1beta1
+kind: ProviderConfig
+metadata:
+  name: helm-provider
+spec:
+  credentials:
+    source: Secret
+    secretRef:
+      name: cluster-config
+      namespace: crossplane-system
+      key: kubeconfig
+  identity:
+    type: GoogleApplicationCredentials
+    source: Secret
+    secretRef:
+      name: gcp-credentials
+      namespace: crossplane-system
+      key: credentials.json

examples/provider-config/provider-config-with-secret.yaml

@@ -15,4 +15,4 @@ spec:
 #   secretRef:
 #     name: gcp-credentials
 #     namespace: crossplane-system
-#     key: credentials.json
+#     key: credentials.json