Update Azure SDK and remove deprecated autorest dependency

[phillebaba]

Pull Request Motivation

This change will update the Azure implementation by updating the SDK to the new version and replacing deprecated go-autorest with azidentity. This is required to keep cert manager working next year as autorest will no longer be supported after March 2023. Additionally there are other changes coming to Azure AD and workload identies that need to be supported.

Kind

cleanup

Release Note

Update the Azure SDK and remove deprecated `autorest` dependency

[jetstack-bot]

Hi @phillebaba. Thanks for your PR.

I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[phillebaba]

There are still things that need to be done before this can be merged. The major thing is verifying this with different Azure cloud types. The method that the cloud environment is configured has changed and I am doubtful my changes will work first try. Additionally it seems like some of the cloud types are missing from the new SDK.

[phillebaba]

German cloud missing from this list.

[wallrj]

It looks like German cloud was closed in October 2021

Additionally, on Sept 30th, 2020, we announced that the Microsoft Cloud Germany would be closing on October 29th, 2021

https://learn.microsoft.com/en-us/previous-versions/azure/germany/germany-welcome

So perhaps we need to trim this list of supported Azure cloud environments:

cert-manager/pkg/apis/acme/v1/types_issuer.go

Lines 550 to 558 in 8deaca7

	// +kubebuilder:validation:Enum=AzurePublicCloud;AzureChinaCloud;AzureGermanCloud;AzureUSGovernmentCloud
	type AzureDNSEnvironment string
	const (
	AzurePublicCloud AzureDNSEnvironment = "AzurePublicCloud"
	AzureChinaCloud AzureDNSEnvironment = "AzureChinaCloud"
	AzureGermanCloud AzureDNSEnvironment = "AzureGermanCloud"
	AzureUSGovernmentCloud AzureDNSEnvironment = "AzureUSGovernmentCloud"
	)

[phillebaba]

I am unsure if resource ID should even be set at all? The client will deal with this now so there should be no need to configure it.

[munnerz]

You'll need to resolve conflicts here - thanks for doing this work 😄 I'm not sure if anyone on the core development team has tonnes of experience with Azure, so any advice you and/or peers in this space can provide would be greatly appreciated 🙌

/ok-to-test

[phillebaba]

@munnerz no problem. I have realized over the years that there is not a massive overlap of Kubernetes - Go - Azure experience. I have done this migration for other projects already so have some experience with the common issues. I have sadly been busy with other pressing matters but will get to this when I have some more time again. Aiming to get everything tested and ready before the end of Q4.

I have a PR going in kubernetes-sigs/external-dns/pull/3040 which is very similar to this.

[phillebaba]

This change is blocked until Azure/azure-sdk-for-go#15615 unless we want to implement the workaround suggested in the issue.

[wallrj]

This change is blocked until Azure/azure-sdk-for-go#15615 unless we want to implement the workaround suggested in the issue.

I see that there's a beta release containing the workload identity credential

• https://github.com/Azure/azure-sdk-for-go/releases/tag/sdk%2Fazidentity%2Fv1.3.0-beta.1

We're releasing cert-manager 1.11 in mid January 2023 so there still might be time to get this into that release.

• https://cert-manager.io/docs/installation/supported-releases/#upcoming-releases

Might also be worth coordinating with @weisdd who is working on the workload identity federation feature

• Failing Azure Workload Identity Request does not back off #5652

[weisdd]

@wallrj we actually had a brief discussion with @phillebaba in another project regarding the Microsoft's plan to release this functionality in beta version of azidentity closer to the end of the year, which already happened like you mentioned.
So, if you agree to rely on 1.3.0-beta.1 (there's no guarantee when exactly it'll graduate to GA), we can certainly move in that direction.

As a side note, I've recently had to prepare a workload identity-enabled setup of external-secrets operator (https://external-secrets.io/v0.7.0/provider/azure-key-vault/), and they have an interesting concept of using serviceAccountRef in SecretStore and ClusterSecretStore, which brings a lot of flexibility to multi-tenant setups. Basically, you don't have to delegate access to all key vaults to the same k8s service account. Instead, you could have plenty of MSIs with access delegated to different service accounts. With that setup, you could have a ClusterSecretStore managed by a platform team with restrictions on from which namespace it can be referred to (search for "conditions" here) and a self-managed SecretStore (namespaced resource) per team. So, the teams can create their MSIs and delegate access their service accounts in their namespaces (of course, it all can maintained by platform team).
In essence, a cert-manager might potentially have something similar with ClusterIssuers being managed by platform team and Issuers by teams. Not sure if there's any demand for that, but it's certainly an interesting idea to consider in future.

[wallrj]

@inteon Will you rebase this? Sorry for all the recent changes to the .golangci-lint.yaml file.

[wallrj]

I've finally been able to test this on my Azure account and it seems to work.
Let's merge this and create another Alpha release so that others can test it too:

/lgtm
/approve

Here's some evidence

Upgraded from v1.13.3

Where I'd previously verified the AKS + LetsEncrypt tutorial

• Verify the AKS + LetsEncrypt tutorial website#1385

export KO_REGISTRY=ttl.sh/$(uuidgen)/cert-manager-5452
make ko-deploy-certmanager KO_HELM_VALUES_FILES=values.yaml

...
/home/richard/projects/cert-manager/cert-manager/_bin/tools/helm upgrade cert-manager _bin/cert-manager.tgz \
        --install \
        --create-namespace \
        --wait \
        --namespace cert-manager \
        --values values.yaml \
        --set image.repository="ttl.sh/44b32c94-6a7c-4673-be7c-eb19ed2e07d5/cert-manager-5452/cert-manager-controller" \
        --set image.digest="sha256:6456ec28d55a7fd2f562124079ddedb2c3697c8d8fe91479ff307842e9b0032d" \
        --set cainjector.image.repository="ttl.sh/44b32c94-6a7c-4673-be7c-eb19ed2e07d5/cert-manager-5452/cert-manager-cainjector" \
        --set cainjector.image.digest="sha256:2419dfeaa5f8ceb0e03691490d9f24400c69a6092174eef5d59a1b8ddb5a6b74" \
        --set webhook.image.repository="ttl.sh/44b32c94-6a7c-4673-be7c-eb19ed2e07d5/cert-manager-5452/cert-manager-webhook" \
        --set webhook.image.digest="sha256:010e4c3ec428500750b3d1084241d78347b3e2848ed5ea7e4e0e1ec44369ca36" \
        --set startupapicheck.image.repository="ttl.sh/44b32c94-6a7c-4673-be7c-eb19ed2e07d5/cert-manager-5452/cert-manager-ctl" \
        --set startupapicheck.image.digest="sha256:8be51255ab5e59e673a274d8e11f633fe62f75aa8da3c3081c9d33c5c99dd466" \
        --set installCRDs=true \
        --set "extraArgs={--acme-http01-solver-image=ttl.sh/44b32c94-6a7c-4673-be7c-eb19ed2e07d5/cert-manager-5452/cert-manager-acmesolver@sha256:25a2c496185a7e7d1892b68db0c7b85ae7a00109dfee273cf7f17d90fe428e6e}"
Release "cert-manager" has been upgraded. Happy Helming!
NAME: cert-manager
LAST DEPLOYED: Fri Jan 12 12:01:09 2024
NAMESPACE: cert-manager
STATUS: deployed
REVISION: 3
TEST SUITE: None
NOTES:
cert-manager v1.14.0-alpha.0-72-g67f8a03cae35ee has been deployed successfully!

In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).

More information on the different types of issuers and how to configure them
can be found in our documentation:

https://cert-manager.io/docs/configuration/

For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:

https://cert-manager.io/docs/usage/ingress/

cmctl renew certificate

$ cmctl status certificate www
Name: www
Namespace: default
Created at: 2024-01-12T09:45:09Z
Conditions:
  Ready: True, Reason: Ready, Message: Certificate is up to date and has not expired
DNS Names:
- www.azure-tutorial.richard-gcp.jetstacker.net
Events:
  Type    Reason     Age                   From                                       Message
  ----    ------     ----                  ----                                       -------
  Normal  Issuing    52m                   cert-manager-certificates-trigger          Issuing certificate as Secret was previously issued by "ClusterIssuer.cert-manager.io/selfsigned"
  Normal  Generated  52m                   cert-manager-certificates-key-manager      Stored new private key in temporary Secret resource "www-szrgp"
  Normal  Requested  52m                   cert-manager-certificates-request-manager  Created new CertificateRequest resource "www-2"
  Normal  Issuing    38m                   cert-manager-certificates-trigger          Issuing certificate as Secret was previously issued by "ClusterIssuer.cert-manager.io/letsencrypt-staging"
  Normal  Generated  38m                   cert-manager-certificates-key-manager      Stored new private key in temporary Secret resource "www-8p7b8"
  Normal  Requested  38m                   cert-manager-certificates-request-manager  Created new CertificateRequest resource "www-3"
  Normal  Issuing    36m (x2 over 51m)     cert-manager-certificates-issuing          The certificate has been successfully issued
  Normal  Generated  15m                   cert-manager-certificates-key-manager      Stored new private key in temporary Secret resource "www-tmbbd"
  Normal  Requested  15m                   cert-manager-certificates-request-manager  Created new CertificateRequest resource "www-4"
  Normal  Generated  13m                   cert-manager-certificates-key-manager      Stored new private key in temporary Secret resource "www-bs9zl"
  Normal  Requested  13m                   cert-manager-certificates-request-manager  Created new CertificateRequest resource "www-5"
  Normal  Issuing    12m                   cert-manager-certificates-trigger          Issuing certificate as Secret was previously issued by "ClusterIssuer.cert-manager.io/letsencrypt-production"
  Normal  Generated  12m                   cert-manager-certificates-key-manager      Stored new private key in temporary Secret resource "www-bq2f4"
  Normal  Requested  12m                   cert-manager-certificates-request-manager  Created new CertificateRequest resource "www-6"
  Normal  Issuing    12m (x3 over 15m)     cert-manager-certificates-issuing          The certificate has been successfully issued
  Normal  Generated  9m22s                 cert-manager-certificates-key-manager      Stored new private key in temporary Secret resource "www-bghw6"
  Normal  Requested  9m22s                 cert-manager-certificates-request-manager  Created new CertificateRequest resource "www-7"
  Normal  Generated  7m41s                 cert-manager-certificates-key-manager      Stored new private key in temporary Secret resource "www-zn9hz"
  Normal  Requested  7m41s                 cert-manager-certificates-request-manager  Created new CertificateRequest resource "www-8"
  Normal  Issuing    6m3s (x2 over 9m18s)  cert-manager-certificates-issuing          The certificate has been successfully issued
Issuer:
  Name: letsencrypt-staging
  Kind: ClusterIssuer
  Conditions:
    Ready: True, Reason: ACMEAccountRegistered, Message: The ACME account was registered with the ACME server
  Events:  <none>
Secret:
  Name: www-tls
  Issuer Country: US
  Issuer Organisation: (STAGING) Let's Encrypt
  Issuer Common Name: (STAGING) Artificial Apricot R3
  Key Usage: Digital Signature, Key Encipherment
  Extended Key Usages: Server Authentication, Client Authentication
  Public Key Algorithm: RSA
  Signature Algorithm: SHA256-RSA
  Subject Key ID: 47a41791a5935aa42a89f9e60f8a38dd3cfa5a42
  Authority Key ID: de727a48df31c3a650df9f8523df57374b5d2e65
  Serial Number: 2b46b18b91e7cccb1cdaed99d865f4305e6c
  Events:  <none>
Not Before: 2024-01-12T11:13:33Z
Not After: 2024-04-11T12:13:32+01:00
Renewal Time: 2024-03-12T11:13:32Z
No CertificateRequest found for this Certificate

Logs

I0112 12:11:59.215658       1 controller.go:162] "re-queuing item due to optimistic locking on resource" logger="cert-manager.certificates-key-manager" key="default/www" error="Operation cannot be fulfilled on certificates.cert-manager.io \"www\": the object has been modified; please apply your changes to the latest version and try again"
I0112 12:11:59.269922       1 conditions.go:263] Setting lastTransitionTime for CertificateRequest "www-8" condition "Approved" to 2024-01-12 12:11:59.2699091 +0000 UTC m=+143.869409803
I0112 12:11:59.295401       1 conditions.go:263] Setting lastTransitionTime for CertificateRequest "www-8" condition "Ready" to 2024-01-12 12:11:59.295392141 +0000 UTC m=+143.894892744
I0112 12:11:59.308885       1 conditions.go:263] Setting lastTransitionTime for CertificateRequest "www-8" condition "Ready" to 2024-01-12 12:11:59.308876422 +0000 UTC m=+143.908377025
I0112 12:11:59.316128       1 controller.go:162] "re-queuing item due to optimistic locking on resource" logger="cert-manager.certificaterequests-issuer-acme" key="default/www-8" error="Operation cannot be fulfilled on certificaterequests.cert-manager.io \"www-8\": the object has been modified; please apply your changes to the latest version and try again"
E0112 12:12:02.864226       1 sync.go:190] "propagation check failed" err="DNS record for \"www.azure-tutorial.richard-gcp.jetstacker.net\" not yet propagated" logger="cert-manager.challenges" resource_name="www-8-3709051279-993529634" resource_namespace="default" resource_kind="Challenge" resource_version="v1" dnsName="www.azure-tutorial.richard-gcp.jetstacker.net" type="DNS-01"
E0112 12:12:02.966005       1 sync.go:190] "propagation check failed" err="DNS record for \"www.azure-tutorial.richard-gcp.jetstacker.net\" not yet propagated" logger="cert-manager.challenges" resource_name="www-8-3709051279-993529634" resource_namespace="default" resource_kind="Challenge" resource_version="v1" dnsName="www.azure-tutorial.richard-gcp.jetstacker.net" type="DNS-01"






I0112 12:13:37.355816       1 conditions.go:252] Found status change for CertificateRequest "www-8" condition "Ready": "False" -> "True"; setting lastTransitionTime to 2024-01-12 12:13:37.355806327 +0000 UTC m=+241.955307030
I0112 12:13:37.387727       1 conditions.go:192] Found status change for Certificate "www" condition "Ready": "True" -> "False"; setting lastTransitionTime to 2024-01-12 12:13:37.387719353 +0000 UTC m=+241.987220056
I0112 12:13:37.400168       1 controller.go:162] "re-queuing item due to optimistic locking on resource" logger="cert-manager.certificates-readiness" key="default/www" error="Operation cannot be fulfilled on certificates.cert-manager.io \"www\": the object has been modified; please apply your changes to the latest version and try again"
I0112 12:13:37.409398       1 controller.go:162] "re-queuing item due to optimistic locking on resource" logger="cert-manager.certificates-issuing" key="default/www" error="Operation cannot be fulfilled on certificates.cert-manager.io \"www\": the object has been modified; please apply your changes to the latest version and try again"
I0112 12:13:37.417687       1 controller.go:162] "re-queuing item due to optimistic locking on resource" logger="cert-manager.certificates-key-manager" key="default/www" error="Operation cannot be fulfilled on certificates.cert-manager.io \"www\": the object has been modified; please apply your changes to the latest version and try again"
E0112 12:13:37.630843       1 sync.go:73] "failed to update status" logger="cert-manager.orders" resource_name="www-8-3709051279" resource_namespace="default" resource_kind="Order" resource_version="v1"
I0112 12:13:37.630881       1 controller.go:162] "re-queuing item due to optimistic locking on resource" logger="cert-manager.orders" key="default/www-8-3709051279" error="Operation cannot be fulfilled on orders.acme.cert-manager.io \"www-8-3709051279\": the object has been modified; please apply your changes to the latest version and try again"
E0112 12:13:37.655328       1 controller.go:208] "challenge in work queue no longer exists" err="challenge.acme.cert-manager.io \"www-8-3709051279-993529634\" not found" logger="cert-manager.challenges"

Events

0s          Normal   Generated            certificate/www                         Stored new private key in temporary Secret resource "www-zn9hz"
0s          Normal   Requested            certificate/www                         Created new CertificateRequest resource "www-8"
0s          Normal   WaitingForApproval   certificaterequest/www-8                Not signing CertificateRequest until it is Approved
0s          Normal   WaitingForApproval   certificaterequest/www-8                Not signing CertificateRequest until it is Approved
0s          Normal   WaitingForApproval   certificaterequest/www-8                Not signing CertificateRequest until it is Approved
0s          Normal   WaitingForApproval   certificaterequest/www-8                Not signing CertificateRequest until it is Approved
0s          Normal   WaitingForApproval   certificaterequest/www-8                Not signing CertificateRequest until it is Approved
0s          Normal   cert-manager.io      certificaterequest/www-8                Certificate request has been approved by cert-manager.io
0s          Normal   OrderCreated         certificaterequest/www-8                Created Order resource default/www-8-3709051279
0s          Normal   OrderPending         certificaterequest/www-8                Waiting on certificate issuance from order default/www-8-3709051279: ""
0s          Normal   Created              order/www-8-3709051279                  Created Challenge resource "www-8-3709051279-993529634" for domain "www.azure-tutorial.richard-gcp.jetstacker.net"
0s          Normal   Started              challenge/www-8-3709051279-993529634    Challenge scheduled for processing
0s          Normal   Presented            challenge/www-8-3709051279-993529634    Presented challenge using DNS-01 challenge mechanism

0s          Normal   DomainVerified       challenge/www-8-3709051279-993529634    Domain "www.azure-tutorial.richard-gcp.jetstacker.net" verified with "DNS-01" validation
0s          Normal   Complete             order/www-8-3709051279                  Order completed successfully
0s          Normal   CertificateIssued    certificaterequest/www-8                Certificate fetched from issuer successfully
0s          Normal   Issuing              certificate/www                         The certificate has been successfully issued
0s          Normal   Complete             order/www-8-3709051279                  Order completed successfully

[jetstack-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wallrj

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [wallrj]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[wallrj]

/kind cleanup

[wallrj]

@pinkfloydx33 I've published https://github.com/cert-manager/cert-manager/releases/tag/v1.14.0-alpha.1

Please test the Azure features if you have time.

[pinkfloydx33]

@pinkfloydx33 I've published https://github.com/cert-manager/cert-manager/releases/tag/v1.14.0-alpha.1

Please test the Azure features if you have time.

I'm not sure if I'll get to it today, but I can definitely get it done before Friday.

[pinkfloydx33]

@wallrj sorry I didn't get to this. I've been out sick the last few days. If I can bring myself to sit down at my desk I'll try and do it today or tomorrow if you still need me to.

[wallrj]

@wallrj sorry I didn't get to this. I've been out sick the last few days. If I can bring myself to sit down at my desk I'll try and do it today or tomorrow if you still need me to.

No worries. Do please test the latest pre-release if you have time:

• https://github.com/cert-manager/cert-manager/releases/tag/v1.14.0-beta.0

So that we can iron out any bugs before the 1.14 release on Jan 31.

[weisdd]

@wallrj sorry for this huge delay, I was on my first vacation in about 4 years :)

Two things that I can say right away:

1. Earlier, you asked whether "DisableInstanceDiscovery" should be set to true or false. - I think it's better to not use DisableInstanceDiscovery: true (like in the code now), better to stick to defaults. I haven't seen it being disabled in other projects.

2. What's more important, the new implementation suffers from the same thing that what was fixed in fix(AzureDNS): prevent early reconciliations for misconfigured Workload Identity #5663. - Some of the Azure API error responses contain timestamps and trace IDs, those end up in .status.reason field of Challenge resources leading to early reconciliations (=> excessive load on k8s API and a ton of logs). Examples of error cases: when federated identity credential does not exist; when non-existent client ID is passed through ClusterIssuer.

    reason: |-
      WorkloadIdentityCredential authentication failed
      POST https://login.microsoftonline.com/bb9ebc7f-b105-4532-95ca-abf3431ff466/oauth2/v2.0/token
      --------------------------------------------------------------------------------
      RESPONSE 401 Unauthorized
      --------------------------------------------------------------------------------
      {
        "error": "invalid_client",
        "error_description": "AADSTS700211: No matching federated identity record found for presented assertion issuer 'https://westeurope.oic.prod-aks.azure.com/bb9ebc7f-b105-4532-95ca-abf3431ff466/c216c7d6-ab39-4c03-9132-d24bdc087a2b/'. Please check your federated identity credential Subject, Audience and Issuer against the presented assertion. https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation Trace ID: 33e79a89-4774-49de-afb1-3cf2993d9200 Correlation ID: 3d932552-f952-4087-92c5-db36ba10389f Timestamp: 2024-01-29 13:58:19Z",
        "error_codes": [
          700211
        ],
        "timestamp": "2024-01-29 13:58:19Z",
        "trace_id": "33e79a89-4774-49de-afb1-3cf2993d9200",
        "correlation_id": "3d932552-f952-4087-92c5-db36ba10389f"
      }
      --------------------------------

So, for ease of implementation, I would suggest following the same strategy as before. - The original error should be printed as is in logs while the function should return something less specific (e.g. "Failed to obtain a token. Please, check logs for more details").

[wallrj]

• Earlier, you asked whether "DisableInstanceDiscovery" should be set to true or false. - I think it's better to not use DisableInstanceDiscovery: true (like in the code now), better to stick to defaults. I haven't seen it being disabled in other projects.

I addressed that point in:

• Remove unnecessary Azure workload identity setting: DisableInstanceDiscovery: true #6679

[weisdd]

@inteon @wallrj I tried to build a controller image from master and deploy the controller without federated identity credential (azurerm_federated_identity_credential in terraform), and I see that the raw error still gets into the Challenge resource. I guess the error doesn't qualify as azcore.ResponseError in stabilizeError, thus the original error is returned as is.
When I replaced return err with return fmt.Errorf("something went wrong"), it all stabilized.

status:
  presented: false
  processing: true
  reason: |-
    WorkloadIdentityCredential authentication failed
    POST https://login.microsoftonline.com/bb9ebc7f-b105-4532-95ca-abf3431ff466/oauth2/v2.0/token
    --------------------------------------------------------------------------------
    RESPONSE 401 Unauthorized
    --------------------------------------------------------------------------------
    {
      "error": "invalid_client",
      "error_description": "AADSTS700211: No matching federated identity record found for presented assertion issuer 'https://westeurope.oic.prod-aks.azure.com/bb9ebc7f-b105-4532-95ca-abf3431ff466/d6adbd0b-b258-40e2-9d82-f8001990e9bb/'. Please check your federated identity credential Subject, Audience and Issuer against the presented assertion. https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation Trace ID: af6f9023-3cae-44f0-bbd4-ed23185c0000 Correlation ID: bfc356f6-1cfa-41c0-86da-d851e152ebe9 Timestamp: 2024-01-30 20:08:05Z",
      "error_codes": [
        700211
      ],
      "timestamp": "2024-01-30 20:08:05Z",
      "trace_id": "af6f9023-3cae-44f0-bbd4-ed23185c0000",
      "correlation_id": "bfc356f6-1cfa-41c0-86da-d851e152ebe9"
    }
    --------------------------------------------------------------------------------
    To troubleshoot, visit https://aka.ms/azsdk/go/identity/troubleshoot#workload
  state: pending

[weisdd]

@inteon The returned error in this case is azidentity.AuthenticationFailedError (https://github.com/Azure/azure-sdk-for-go/blob/sdk/azidentity/v1.5.1/sdk/azidentity/errors.go#L40). Like azcore.ResponseError, it offers access to a raw response, but ErrorCode property is unavailable.