Add doc info on certPath for Service Principal with Certificate

bryan-cox · bryan-cox · commit 1eb822998d88 · 2024-10-23T13:54:27.000-04:00
diff --git a/api/v1beta1/azureclusteridentity_types.go b/api/v1beta1/azureclusteridentity_types.go
@@ -59,7 +59,7 @@ type AzureClusterIdentitySpec struct {
 	// ClientSecret is a secret reference which should contain either a Service Principal password or certificate secret.
 	// +optional
 	ClientSecret corev1.SecretReference `json:"clientSecret,omitempty"`
-	// certPath is the path where certicates exist. When set, it takes precedence over ClientSecret for types that uses certs like ServicePrincipalCertificate.
+	// certPath is the path where certificates exist. When set, it takes precedence over ClientSecret for types that uses certs like ServicePrincipalCertificate.
 	// +optional
 	CertPath string `json:"certPath,omitempty"`
 	// TenantID is the service principal primary tenant id.
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_azureclusteridentities.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_azureclusteridentities.yaml
@@ -124,7 +124,7 @@ spec:
                     x-kubernetes-map-type: atomic
                 type: object
               certPath:
-                description: certPath is the path where certicates exist. When set,
+                description: certPath is the path where certificates exist. When set,
                   it takes precedence over ClientSecret for types that uses certs
                   like ServicePrincipalCertificate.
                 type: string
diff --git a/controllers/asosecret_controller.go b/controllers/asosecret_controller.go
@@ -19,6 +19,7 @@ package controllers
 import (
 	"context"
 	"fmt"
+	"os"
 
 	asoconfig "github.com/Azure/azure-service-operator/v2/pkg/common/config"
 	"github.com/pkg/errors"
@@ -287,23 +288,33 @@ func (asos *ASOSecretReconciler) createSecretFromClusterIdentity(ctx context.Con
 		return newASOSecret, nil
 	}
 
-	// Fetch identity secret, if it exists
-	key = types.NamespacedName{
-		Namespace: identity.Spec.ClientSecret.Namespace,
-		Name:      identity.Spec.ClientSecret.Name,
-	}
-	identitySecret := &corev1.Secret{}
-	err := asos.Get(ctx, key, identitySecret)
-	if err != nil {
-		return nil, errors.Wrap(err, "failed to fetch AzureClusterIdentity secret")
-	}
+	if identity.Spec.CertPath != "" {
+		certsContent, err := os.ReadFile(identity.Spec.CertPath)
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to read certificate file")
+		}
 
-	switch identity.Spec.Type {
-	case infrav1.ServicePrincipal, infrav1.ManualServicePrincipal:
-		newASOSecret.Data[asoconfig.AzureClientSecret] = identitySecret.Data[scope.AzureSecretKey]
-	case infrav1.ServicePrincipalCertificate:
-		newASOSecret.Data[asoconfig.AzureClientCertificate] = identitySecret.Data["certificate"]
-		newASOSecret.Data[asoconfig.AzureClientCertificatePassword] = identitySecret.Data["password"]
+		newASOSecret.Data[asoconfig.AzureClientCertificate] = []byte(certsContent)
+		newASOSecret.Data[asoconfig.AzureClientCertificatePassword] = []byte{}
+	} else {
+		// Fetch identity secret, if it exists
+		key = types.NamespacedName{
+			Namespace: identity.Spec.ClientSecret.Namespace,
+			Name:      identity.Spec.ClientSecret.Name,
+		}
+		identitySecret := &corev1.Secret{}
+		err := asos.Get(ctx, key, identitySecret)
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to fetch AzureClusterIdentity secret")
+		}
+
+		switch identity.Spec.Type {
+		case infrav1.ServicePrincipal, infrav1.ManualServicePrincipal:
+			newASOSecret.Data[asoconfig.AzureClientSecret] = identitySecret.Data[scope.AzureSecretKey]
+		case infrav1.ServicePrincipalCertificate:
+			newASOSecret.Data[asoconfig.AzureClientCertificate] = identitySecret.Data["certificate"]
+			newASOSecret.Data[asoconfig.AzureClientCertificatePassword] = identitySecret.Data["password"]
+		}
 	}
 	return newASOSecret, nil
 }
diff --git a/docs/book/src/topics/identities.md b/docs/book/src/topics/identities.md
@@ -125,6 +125,24 @@ data:
   password: PASSWORD
 ```
 
+Alternatively, the path to a certificate can be specified instead of the k8s secret:
+
+```yaml
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+kind: AzureClusterIdentity
+metadata:
+  name: example-identity
+  namespace: default
+spec:
+  type: ServicePrincipalCertificate
+  tenantID: <azure-tenant-id>
+  clientID: <client-id-of-SP-identity>
+  certPath: <path-to-the-cert>
+  allowedNamespaces:
+    list:
+    - <cluster-namespace>
+```
+
 ## User-Assigned Managed Identity
 
 <aside class="note">
