diff --git a/apis/v1beta1/types.go b/apis/v1beta1/types.go
index 06eba8a7a..9cf29eb35 100644
--- a/apis/v1beta1/types.go
+++ b/apis/v1beta1/types.go
@@ -53,7 +53,7 @@ type ProviderConfigSpec struct {
 // ProviderCredentials required to authenticate.
 type ProviderCredentials struct {
 // Source of the provider credentials.
- // +kubebuilder:validation:Enum=None;Secret;UserAssignedManagedIdentity;SystemAssignedManagedIdentity;OIDCTokenFile
+ // +kubebuilder:validation:Enum=None;Secret;UserAssignedManagedIdentity;SystemAssignedManagedIdentity;OIDCTokenFile;Upbound
 Source xpv1.CredentialsSource `json:"source"`
 xpv1.CommonCredentialSelectors `json:",inline"`
diff --git a/examples/provider/upbound.yaml b/examples/provider/upbound.yaml
new file mode 100644
index 000000000..2f36fe01d
--- /dev/null
+++ b/examples/provider/upbound.yaml
@@ -0,0 +1,10 @@
+apiVersion: azure.upbound.io/v1beta1
+kind: ProviderConfig
+metadata:
+ name: default
+spec:
+ clientID:
+ tenantID:
+ subscriptionID:
+ credentials:
+ source: Upbound
diff --git a/internal/clients/azure.go b/internal/clients/azure.go
index f0d331cd5..fa822e756 100644
--- a/internal/clients/azure.go
+++ b/internal/clients/azure.go
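Review bot: The `Source` field comment on the new side still reads only `// Source of the provider credentials.`, so nothing on the API type tells a user what selecting `Upbound` does even though the enum now accepts it. The azure.go hunks in this commit show the behaviour: the provider is pointed at a fixed OIDC token file, use-OIDC is enabled, and client, tenant and subscription IDs are taken from the ProviderConfig. Suggest extending the comment, e.g. `// Source of the provider credentials. Upbound authenticates via OIDC using the Upbound provider identity token file and requires clientID, tenantID and subscriptionID to be set.` The ProviderCredentials struct continues past the end of the hunk.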
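Review bot: The example leaves `clientID`, `tenantID` and `subscriptionID` empty, and the `upboundAuth` function added in azure.go in this commit rejects a nil or empty value for each of them, so this manifest fails as written rather than serving as a working template. Consider placeholder values with a comment on each field, e.g. `clientID: <client-id>  # required when source is Upbound` (constructed placeholder), so the reader knows these must be filled in rather than left blank.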
@@ -23,9 +23,9 @@ const (
 errTrackUsage = "cannot track ProviderConfig usage"
 errExtractCredentials = "cannot extract credentials"
 errUnmarshalCredentials = "cannot unmarshal Azure credentials as JSON"
- errSubscriptionIDNotSet = "subscription ID must be set in ProviderConfig when credential source is InjectedIdentity"
- errTenantIDNotSet = "tenant ID must be set in ProviderConfig when credential source is InjectedIdentity"
- errClientIDNotSet = "Client ID must be set in ProviderConfig when credential source is OIDCTokenFile"
+ errSubscriptionIDNotSet = "subscription ID must be set in ProviderConfig when credential source is InjectedIdentity, OIDCTokenFile or Upbound"
+ errTenantIDNotSet = "tenant ID must be set in ProviderConfig when credential source is InjectedIdentity, OIDCTokenFile or Upbound"
+ errClientIDNotSet = "client ID must be set in ProviderConfig when credential source is OIDCTokenFile or Upbound"
 // Azure service principal credentials file JSON keys
 keyAzureSubscriptionID = "subscriptionId"
 keyAzureClientID = "clientId"
@@ -51,6 +51,9 @@ var (
 credentialsSourceUserAssignedManagedIdentity xpv1.CredentialsSource = "UserAssignedManagedIdentity"
 credentialsSourceSystemAssignedManagedIdentity xpv1.CredentialsSource = "SystemAssignedManagedIdentity"
 credentialsSourceOIDCTokenFile xpv1.CredentialsSource = "OIDCTokenFile"
+ credentialsSourceUpbound xpv1.CredentialsSource = "Upbound"
+
+ upboundProviderIdentityTokenFile = "/var/run/secrets/upbound.io/provider/token"
 )
 
 // TerraformSetupBuilder returns Terraform setup with provider specific
@@ -98,6 +101,8 @@ func TerraformSetupBuilder(version, providerSource, providerVersion string, sche
 err = msiAuth(pc, &ps)
 case credentialsSourceOIDCTokenFile:
 err = oidcAuth(pc, &ps)
+ case credentialsSourceUpbound:
+ err = upboundAuth(pc, &ps)
 default:
 err = spAuth(ctx, pc, &ps, client)
 }
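Review bot: The rewritten `errSubscriptionIDNotSet` and `errTenantIDNotSet` messages still name `InjectedIdentity` as a credential source, but the `Enum` annotation in types.go and the CRD list in this same commit accept only `None`, `Secret`, `UserAssignedManagedIdentity`, `SystemAssignedManagedIdentity`, `OIDCTokenFile` and `Upbound`, so the message points users at a value the API rejects. If these errors are also returned from the managed-identity path (msiAuth is outside the hunk, so this is inferred), the message should name those sources instead, e.g. `errSubscriptionIDNotSet = "subscription ID must be set in ProviderConfig when credential source is UserAssignedManagedIdentity, SystemAssignedManagedIdentity, OIDCTokenFile or Upbound"`, and likewise for the tenant ID message. The const block continues on both sides of the hunk.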
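Review bot: `upboundProviderIdentityTokenFile` is added to the `var (` block as a mutable package-level string even though it is only ever used as a fixed path; the other entries in that block are typed `xpv1.CredentialsSource` values, and this one reads more naturally as a constant next to the `key*` names in the `const (` block from the first hunk, `upboundProviderIdentityTokenFile = "/var/run/secrets/upbound.io/provider/token"`. A short comment on the declaration, e.g. `// upboundProviderIdentityTokenFile is the path at which the Upbound-provided provider identity token is expected.`, would also make its role clear, since the name alone does not say what is expected at that path or who provides it.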
@@ -179,3 +184,22 @@ func oidcAuth(pc *v1beta1.ProviderConfig, ps *terraform.Setup) error {
 return nil
 }
+
+func upboundAuth(pc *v1beta1.ProviderConfig, ps *terraform.Setup) error {
+ if pc.Spec.SubscriptionID == nil || len(*pc.Spec.SubscriptionID) == 0 {
+ return errors.New(errSubscriptionIDNotSet)
+ }
+ if pc.Spec.TenantID == nil || len(*pc.Spec.TenantID) == 0 {
+ return errors.New(errTenantIDNotSet)
+ }
+ if pc.Spec.ClientID == nil || len(*pc.Spec.ClientID) == 0 {
+ return errors.New(errClientIDNotSet)
+ }
+ ps.Configuration[keyOidcTokenFilePath] = upboundProviderIdentityTokenFile
+ ps.Configuration[keySubscriptionID] = *pc.Spec.SubscriptionID
+ ps.Configuration[keyTenantID] = *pc.Spec.TenantID
+ ps.Configuration[keyClientID] = *pc.Spec.ClientID
+ ps.Configuration[keyUseOIDC] = "true"
+ return nil
+
+}
diff --git a/package/crds/azure.upbound.io_providerconfigs.yaml b/package/crds/azure.upbound.io_providerconfigs.yaml
index 12d5f1578..a0f981b61 100644
--- a/package/crds/azure.upbound.io_providerconfigs.yaml
+++ b/package/crds/azure.upbound.io_providerconfigs.yaml
@@ -102,6 +102,7 @@ spec:
 - UserAssignedManagedIdentity
 - SystemAssignedManagedIdentity
 - OIDCTokenFile
+ - Upbound
 type: string
 required:
 - source
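Review bot: `upboundAuth` has no doc comment, and nothing checks that `upboundProviderIdentityTokenFile` exists before its path is written into `ps.Configuration`, so when the `Upbound` source is selected in an environment that does not mount that token the failure presumably surfaces later from the Terraform provider rather than as a clear error here. Consider an `os.Stat` on the path up front that returns a wrapped error naming the path (the file's import block is outside the hunk). Suggested header: `// upboundAuth configures OIDC authentication against Azure using the Upbound provider identity token file, taking subscription, tenant and client IDs from the ProviderConfig.` The three nil-or-empty guards look identical in shape to what `oidcAuth` is likely to do for the same fields (its body is outside the hunk), so a shared helper may be worth extracting. The blank line between `return nil` and the closing `}` is one gofmt will strip.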