refactor: abandon ARM_AUTH_METHOD in favor of DefaultAzureCredentials

go.mod

@@ -13,7 +13,6 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v1.1.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.9.0
 	github.com/Azure/go-autorest/autorest v0.11.29
-	github.com/Azure/go-autorest/autorest/adal v0.9.24
 	github.com/Azure/go-autorest/autorest/to v0.4.0
 	github.com/Azure/skewer v0.0.19
 	github.com/Pallinder/go-randomdata v1.2.0
@@ -59,6 +58,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.5.0 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.24 // indirect
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/autorest/mocks v0.4.2 // indirect
 	github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect

karpenter-values-template.yaml

@@ -38,8 +38,6 @@ controller:
       value: ""
     - name: AZURE_NODE_RESOURCE_GROUP
       value: ${AZURE_RESOURCE_GROUP_MC}
-    - name: ARM_AUTH_METHOD
-      value: "workload-identity"
 serviceAccount:
   name: ${KARPENTER_SERVICE_ACCOUNT_NAME}
   annotations:

pkg/auth/config.go

@@ -25,12 +25,6 @@ import (
 	"github.com/Azure/go-autorest/autorest/azure"
 )
 
-const (
-	// auth methods
-	authMethodSysMSI           = "system-assigned-msi"
-	authMethodWorkloadIdentity = "workload-identity"
-)
-
 const (
 	// from azure_manager
 	vmTypeVMSS = "vmss"
@@ -60,11 +54,6 @@ type Config struct {
 	ResourceGroup  string `json:"resourceGroup" yaml:"resourceGroup"`
 	VMType         string `json:"vmType" yaml:"vmType"`
 
-	// ArmAuthMethod determines how to authorize requests for the Azure cloud.
-	// Valid options are "system-assigned-msi" and "workload-identity"
-	// The default is "workload-identity".
-	ArmAuthMethod string `json:"armAuthMethod" yaml:"armAuthMethod"`
-
 	// Managed identity for Kubelet (not to be confused with Azure cloud authorization)
 	KubeletIdentityClientID string `json:"kubeletIdentityClientID" yaml:"kubeletIdentityClientID"`
 
@@ -102,6 +91,7 @@ func (cfg *Config) GetAzureClientConfig(authorizer autorest.Authorizer, env *azu
 }
 
 func (cfg *Config) Build() error {
+	// May require more than this behind the scenes: https://github.com/Azure/azure-sdk-for-go/blob/main/sdk/azidentity/README.md#defaultazurecredential
 	cfg.Cloud = strings.TrimSpace(os.Getenv("ARM_CLOUD"))
 	cfg.Location = strings.TrimSpace(os.Getenv("LOCATION"))
 	cfg.ResourceGroup = strings.TrimSpace(os.Getenv("ARM_RESOURCE_GROUP"))
@@ -110,7 +100,6 @@ func (cfg *Config) Build() error {
 	cfg.VMType = strings.ToLower(os.Getenv("ARM_VM_TYPE"))
 	cfg.ClusterName = strings.TrimSpace(os.Getenv("AZURE_CLUSTER_NAME"))
 	cfg.NodeResourceGroup = strings.TrimSpace(os.Getenv("AZURE_NODE_RESOURCE_GROUP"))
-	cfg.ArmAuthMethod = strings.TrimSpace(os.Getenv("ARM_AUTH_METHOD"))
 	cfg.KubeletIdentityClientID = strings.TrimSpace(os.Getenv("ARM_KUBELET_IDENTITY_CLIENT_ID"))
 
 	return nil
@@ -121,11 +110,6 @@ func (cfg *Config) Default() error {
 	if cfg.VMType == "" {
 		cfg.VMType = vmTypeVMSS
 	}
-
-	if cfg.ArmAuthMethod == "" {
-		cfg.ArmAuthMethod = authMethodWorkloadIdentity
-	}
-
 	return nil
 }
 
@@ -145,9 +129,5 @@ func (cfg *Config) Validate() error {
 		}
 	}
 
-	if cfg.ArmAuthMethod != authMethodSysMSI && cfg.ArmAuthMethod != authMethodWorkloadIdentity {
-		return fmt.Errorf("unsupported authorization method: %s", cfg.ArmAuthMethod)
-	}
-
 	return nil
 }

pkg/auth/config_test.go

@@ -41,7 +41,6 @@ func TestBuildAzureConfig(t *testing.T) {
 				ResourceGroup:     "my-rg",
 				NodeResourceGroup: "my-node-rg",
 				VMType:            "vmss",
-				ArmAuthMethod:     "workload-identity",
 			},
 			wantErr: false,
 			env: map[string]string{
@@ -60,7 +59,6 @@ func TestBuildAzureConfig(t *testing.T) {
 				ResourceGroup:     "my-rg",
 				NodeResourceGroup: "my-node-rg",
 				VMType:            "vm",
-				ArmAuthMethod:     "workload-identity",
 			},
 			wantErr: false,
 			env: map[string]string{
@@ -73,68 +71,13 @@ func TestBuildAzureConfig(t *testing.T) {
 				"ARM_VM_TYPE":               "vm",
 			},
 		},
-		{
-			name:     "bogus ARM_AUTH_METHOD",
-			expected: nil,
-			wantErr:  true,
-			env: map[string]string{
-				"ARM_RESOURCE_GROUP":        "my-rg",
-				"ARM_SUBSCRIPTION_ID":       "12345",
-				"AZURE_NODE_RESOURCE_GROUP": "my-node-rg",
-				"AZURE_SUBNET_ID":           "12345",
-				"AZURE_SUBNET_NAME":         "my-subnet",
-				"AZURE_VNET_NAME":           "my-vnet",
-				"ARM_AUTH_METHOD":           "foo", // this is not a supported value
-			},
-		},
-		{
-			name: "auth method msi",
-			expected: &Config{
-				SubscriptionID:    "12345",
-				ResourceGroup:     "my-rg",
-				NodeResourceGroup: "my-node-rg",
-				VMType:            "vmss",
-				ArmAuthMethod:     "system-assigned-msi",
-			},
-			wantErr: false,
-			env: map[string]string{
-				"ARM_RESOURCE_GROUP":        "my-rg",
-				"ARM_SUBSCRIPTION_ID":       "12345",
-				"AZURE_NODE_RESOURCE_GROUP": "my-node-rg",
-				"AZURE_SUBNET_ID":           "12345",
-				"AZURE_SUBNET_NAME":         "my-subnet",
-				"AZURE_VNET_NAME":           "my-vnet",
-				"ARM_AUTH_METHOD":           "system-assigned-msi",
-			},
-		},
-		{
-			name: "auth method workload identity",
-			expected: &Config{
-				SubscriptionID:    "12345",
-				ResourceGroup:     "my-rg",
-				NodeResourceGroup: "my-node-rg",
-				VMType:            "vmss",
-				ArmAuthMethod:     "workload-identity",
-			},
-			wantErr: false,
-			env: map[string]string{
-				"ARM_RESOURCE_GROUP":        "my-rg",
-				"ARM_SUBSCRIPTION_ID":       "12345",
-				"AZURE_NODE_RESOURCE_GROUP": "my-node-rg",
-				"AZURE_SUBNET_ID":           "12345",
-				"AZURE_SUBNET_NAME":         "my-subnet",
-				"AZURE_VNET_NAME":           "my-vnet",
-				"ARM_AUTH_METHOD":           "workload-identity",
-			},
-		},
 		{
 			name: "valid kubelet identity",
 			expected: &Config{
 				SubscriptionID:          "12345",
 				ResourceGroup:           "my-rg",
 				NodeResourceGroup:       "my-node-rg",
 				VMType:                  "vmss",
-				ArmAuthMethod:           "system-assigned-msi",
 				KubeletIdentityClientID: "11111111-2222-3333-4444-555555555555",
 			},
 			wantErr: false,
@@ -145,7 +88,6 @@ func TestBuildAzureConfig(t *testing.T) {
 				"AZURE_SUBNET_ID":                "12345",
 				"AZURE_SUBNET_NAME":              "my-subnet",
 				"AZURE_VNET_NAME":                "my-vnet",
-				"ARM_AUTH_METHOD":                "system-assigned-msi",
 				"ARM_KUBELET_IDENTITY_CLIENT_ID": "11111111-2222-3333-4444-555555555555",
 			},
 		},

pkg/auth/cred.go

@@ -18,13 +18,10 @@ package auth
 
 import (
 	"context"
-	"fmt"
 	"time"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
-	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
-	"k8s.io/klog/v2"
 	"knative.dev/pkg/logging"
 )
 
@@ -60,26 +57,3 @@ func (w *expireEarlyTokenCredential) GetToken(ctx context.Context, options polic
 	token.ExpiresOn = twoHoursFromNow
 	return token, nil
 }
-
-// NewCredential provides a token credential for msi and service principal auth
-func NewCredential(cfg *Config) (azcore.TokenCredential, error) {
-	if cfg == nil {
-		return nil, fmt.Errorf("failed to create credential, nil config provided")
-	}
-
-	if cfg.ArmAuthMethod == authMethodWorkloadIdentity {
-		klog.V(2).Infoln("cred: using workload identity for new credential")
-		return azidentity.NewDefaultAzureCredential(nil)
-	}
-
-	if cfg.ArmAuthMethod == authMethodSysMSI {
-		klog.V(2).Infoln("cred: using system assigned MSI for new credential")
-		msiCred, err := azidentity.NewManagedIdentityCredential(nil)
-		if err != nil {
-			return nil, err
-		}
-		return msiCred, nil
-	}
-
-	return nil, fmt.Errorf("cred: unsupported auth method: %s", cfg.ArmAuthMethod)
-}

pkg/operator/operator.go

@@ -32,6 +32,7 @@ import (
 
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork"
 
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/Azure/karpenter-provider-azure/pkg/apis"
 	"github.com/Azure/karpenter-provider-azure/pkg/auth"
 	azurecache "github.com/Azure/karpenter-provider-azure/pkg/cache"
@@ -169,7 +170,7 @@ func getCABundle(restConfig *rest.Config) (*string, error) {
 }
 
 func getVnetGUID(cfg *auth.Config, subnetID string) (string, error) {
-	creds, err := auth.NewCredential(cfg)
+	creds, err := azidentity.NewDefaultAzureCredential(nil)
 	if err != nil {
 		return "", err
 	}