CM-937: Automate e2e tests for Azure DNS01 AAD Workload Identity auth

test/e2e/issuer_acme_dns01_test.go

@@ -5,6 +5,7 @@ package e2e
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"log"
 	"os"
@@ -13,10 +14,16 @@ import (
 	"strings"
 	"time"
 
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2"
+	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi"
+	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources"
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/config"
 	"github.com/aws/aws-sdk-go-v2/service/iam"
 	"github.com/aws/aws-sdk-go-v2/service/sts"
+	"github.com/google/uuid"
 	gcpcrm "google.golang.org/api/cloudresourcemanager/v1"
 	gcpiam "google.golang.org/api/iam/v1"
 
@@ -1386,6 +1393,202 @@ var _ = Describe("ACME Issuer DNS01 solver", Ordered, func() {
 		})
 	})
 
+	Context("with Azure DNS in Workload Identity environment", Label("Platform:Azure", "CredentialsMode:Manual"), Label("TechPreview"), func() {
+		var identityClientID string
+		var subscriptionID, dnsResourceGroupName, hostedZoneName string
+
+		BeforeAll(func() {
+			By("verifying cluster is STS-enabled")
+			isSTS, err := isSTSCluster(ctx, oseOperatorClient, configClient)
+			Expect(err).NotTo(HaveOccurred())
+			if !isSTS {
+				Skip("Test requires Azure Workload Identity enabled")
+			}
+
+			By("setting up Azure authentication environment variable from credentials file")
+			if os.Getenv("OPENSHIFT_CI") == "true" {
+				clusterProfileDir := os.Getenv("CLUSTER_PROFILE_DIR")
+				Expect(clusterProfileDir).NotTo(BeEmpty(), "CLUSTER_PROFILE_DIR should exist when running in OpenShift CI")
+				os.Setenv("AZURE_AUTH_LOCATION", filepath.Join(clusterProfileDir, "osServicePrincipal.json"))
+			} else {
+				Expect(os.Getenv("AZURE_AUTH_LOCATION")).NotTo(BeEmpty(), "AZURE_AUTH_LOCATION must be set when running locally")
+			}
+			azureAuthLocation := os.Getenv("AZURE_AUTH_LOCATION")
+			data, err := os.ReadFile(azureAuthLocation)
+			Expect(err).NotTo(HaveOccurred(), "failed to read Azure credentials file")
+			var sp struct {
+				ClientID     string `json:"clientId"`
+				ClientSecret string `json:"clientSecret"`
+				TenantID     string `json:"tenantId"`
+			}
+			Expect(json.Unmarshal(data, &sp)).To(Succeed(), "failed to parse Azure credentials file")
+			os.Setenv("AZURE_CLIENT_ID", sp.ClientID)
+			os.Setenv("AZURE_CLIENT_SECRET", sp.ClientSecret)
+			os.Setenv("AZURE_TENANT_ID", sp.TenantID)
+
+			By("creating Azure SDK credential")
+			cred, err := azidentity.NewDefaultAzureCredential(nil)
+			Expect(err).NotTo(HaveOccurred(), "failed to create Azure SDK credential")
+
+			// Get DNS zone info (subscriptionID comes from the cluster DNS config)
+			subscriptionID, dnsResourceGroupName, hostedZoneName = getAzureDNSZoneInfo(ctx)
+
+			By("getting cluster resource group from Infrastructure object")
+			infra, err := configClient.Infrastructures().Get(ctx, "cluster", metav1.GetOptions{})
+			Expect(err).NotTo(HaveOccurred(), "failed to get Infrastructure object")
+			clusterResourceGroup := infra.Status.PlatformStatus.Azure.ResourceGroupName
+			Expect(clusterResourceGroup).NotTo(BeEmpty(), "Azure resource group should not be empty")
+
+			By("getting cluster resource group location")
+			rgClient, err := armresources.NewResourceGroupsClient(subscriptionID, cred, nil)
+			Expect(err).NotTo(HaveOccurred(), "failed to create resource groups client")
+			rg, err := rgClient.Get(ctx, clusterResourceGroup, nil)
+			Expect(err).NotTo(HaveOccurred(), "failed to get resource group")
+			location := *rg.Location
+
+			By("getting OIDC issuer from Authentication object")
+			authConfig, err := configClient.Authentications().Get(ctx, "cluster", metav1.GetOptions{})
+			Expect(err).NotTo(HaveOccurred(), "failed to get Authentication object")
+			oidcIssuer := authConfig.Spec.ServiceAccountIssuer
+			Expect(oidcIssuer).NotTo(BeEmpty(), "OIDC issuer not found in Authentication object")
+
+			By("creating Azure Managed Identity")
+			randomSuffix := randomStr(4)
+			identityName := "e2e-cert-manager-dns01-" + randomSuffix
+			msiClient, err := armmsi.NewUserAssignedIdentitiesClient(subscriptionID, cred, nil)
+			Expect(err).NotTo(HaveOccurred(), "failed to create MSI client")
+
+			identity, err := msiClient.CreateOrUpdate(ctx, clusterResourceGroup, identityName, armmsi.Identity{
+				Location: &location,
+			}, nil)
+			Expect(err).NotTo(HaveOccurred(), "failed to create Managed Identity")
+			identityClientID = *identity.Properties.ClientID
+			identityPrincipalID := *identity.Properties.PrincipalID
+
+			DeferCleanup(func(ctx context.Context) {
+				By("Cleaning up Azure Managed Identity")
+				_, err := msiClient.Delete(ctx, clusterResourceGroup, identityName, nil)
+				if err != nil {
+					fmt.Fprintf(GinkgoWriter, "failed to delete Managed Identity during cleanup: %v\n", err)
+				}
+			})
+
+			By("granting DNS Zone Contributor role to Managed Identity on the DNS zone")
+			dnsZoneScope := fmt.Sprintf("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/dnszones/%s",
+				subscriptionID, dnsResourceGroupName, hostedZoneName)
+
+			roleDefClient, err := armauthorization.NewRoleDefinitionsClient(cred, nil)
+			Expect(err).NotTo(HaveOccurred(), "failed to create role definitions client")
+			roleName := "DNS Zone Contributor"
+			filter := fmt.Sprintf("roleName eq '%s'", roleName)
+			pager := roleDefClient.NewListPager(dnsZoneScope, &armauthorization.RoleDefinitionsClientListOptions{Filter: &filter})
+			Expect(pager.More()).To(BeTrue(), "no role definitions found for %q", roleName)
+			page, err := pager.NextPage(ctx)
+			Expect(err).NotTo(HaveOccurred(), "failed to list role definitions")
+			Expect(page.Value).NotTo(BeEmpty(), "role definition %q not found", roleName)
+			dnsZoneContributorRoleID := *page.Value[0].ID
+
+			authClient, err := armauthorization.NewRoleAssignmentsClient(subscriptionID, cred, nil)
+			Expect(err).NotTo(HaveOccurred(), "failed to create authorization client")
+			roleAssignmentName := uuid.New().String()
+
+			err = wait.PollUntilContextTimeout(ctx, fastPollInterval, lowTimeout, true, func(context.Context) (bool, error) {
+				_, assignErr := authClient.Create(ctx, dnsZoneScope, roleAssignmentName, armauthorization.RoleAssignmentCreateParameters{
+					Properties: &armauthorization.RoleAssignmentProperties{
+						RoleDefinitionID: &dnsZoneContributorRoleID,
+						PrincipalID:      &identityPrincipalID,
+						PrincipalType:    to.Ptr(armauthorization.PrincipalTypeServicePrincipal),
+					},
+				}, nil)
+				if assignErr != nil {
+					fmt.Fprintf(GinkgoWriter, "role assignment attempt failed (retrying): %v\n", assignErr)
+					return false, nil
+				}
+				return true, nil
+			})
+			Expect(err).NotTo(HaveOccurred(), "failed to create role assignment")
+
+			DeferCleanup(func(ctx context.Context) {
+				By("Cleaning up role assignment")
+				_, err := authClient.Delete(ctx, dnsZoneScope, roleAssignmentName, nil)
+				if err != nil {
+					fmt.Fprintf(GinkgoWriter, "failed to delete role assignment during cleanup: %v\n", err)
+				}
+			})
+
+			By("creating Federated Identity Credential for cert-manager ServiceAccount")
+			ficClient, err := armmsi.NewFederatedIdentityCredentialsClient(subscriptionID, cred, nil)
+			Expect(err).NotTo(HaveOccurred(), "failed to create Federated Identity Credentials client")
+
+			_, err = ficClient.CreateOrUpdate(ctx, clusterResourceGroup, identityName, "cert-manager", armmsi.FederatedIdentityCredential{
+				Properties: &armmsi.FederatedIdentityCredentialProperties{
+					Issuer:    &oidcIssuer,
+					Subject:   to.Ptr("system:serviceaccount:cert-manager:cert-manager"),
+					Audiences: []*string{to.Ptr("api://AzureADTokenExchange")},
+				},
+			}, nil)
+			Expect(err).NotTo(HaveOccurred(), "failed to create Federated Identity Credential")
+
+			DeferCleanup(func(ctx context.Context) {
+				By("Cleaning up Federated Identity Credential")
+				_, err := ficClient.Delete(ctx, clusterResourceGroup, identityName, "cert-manager", nil)
+				if err != nil {
+					fmt.Fprintf(GinkgoWriter, "failed to delete Federated Identity Credential during cleanup: %v\n", err)
+				}
+			})
+		})
+
+		It("should obtain a valid certificate using ambient credentials through AAD Workload Identity", func() {
+
+			By("adding 'azure.workload.identity/use' label to cert-manager controller pods")
+			err := addOverrideLabels(certmanageroperatorclient, certmanagerControllerDeployment, map[string]string{
+				"azure.workload.identity/use": "true",
+			})
+			Expect(err).NotTo(HaveOccurred(), "failed to add workload identity label to cert-manager controller")
+
+			DeferCleanup(func(ctx context.Context) {
+				By("Removing workload identity label from cert-manager controller pods")
+				if err := addOverrideLabels(certmanageroperatorclient, certmanagerControllerDeployment, nil); err != nil {
+					fmt.Fprintf(GinkgoWriter, "failed to remove workload identity label during cleanup: %v\n", err)
+				}
+			})
+
+			By("waiting for cert-manager deployment to rollout with workload identity label")
+			err = waitForDeploymentPodLabelAndRollout(ctx, "cert-manager", "cert-manager", "azure.workload.identity/use", "true", 2*time.Minute)
+			Expect(err).NotTo(HaveOccurred(), "timeout waiting for cert-manager deployment rollout with workload identity label")
+
+			By("creating ACME ClusterIssuer with AzureDNS DNS-01 solver using managed identity")
+			clusterIssuerName := "letsencrypt-dns01-azuredns-wi"
+			solver := acmev1.ACMEChallengeSolver{
+				DNS01: &acmev1.ACMEChallengeSolverDNS01{
+					AzureDNS: &acmev1.ACMEIssuerDNS01ProviderAzureDNS{
+						SubscriptionID:    subscriptionID,
+						ResourceGroupName: dnsResourceGroupName,
+						HostedZoneName:    hostedZoneName,
+						ManagedIdentity: &acmev1.AzureManagedIdentity{
+							ClientID: identityClientID,
+						},
+					},
+				},
+			}
+			clusterIssuer := createACMEClusterIssuer(clusterIssuerName, solver)
+			_, err = certmanagerClient.CertmanagerV1().ClusterIssuers().Create(ctx, clusterIssuer, metav1.CreateOptions{})
+			Expect(err).NotTo(HaveOccurred(), "failed to create ClusterIssuer")
+			DeferCleanup(func(ctx context.Context) {
+				certmanagerClient.CertmanagerV1().ClusterIssuers().Delete(ctx, clusterIssuerName, metav1.DeleteOptions{})
+			})
+
+			By("waiting for ClusterIssuer to become ready")
+			err = waitForClusterIssuerReadiness(ctx, clusterIssuerName)
+			Expect(err).NotTo(HaveOccurred(), "timeout waiting for ClusterIssuer to become Ready")
+
+			// Create and verify certificate
+			certName := "letsencrypt-cert-azuredns-wi"
+			dnsName := fmt.Sprintf("adazwi-%s.%s", randomStr(3), appsDomain) // acronym for "ACME DNS01 AzureDNS Workload Identity"
+			createAndVerifyACMECertificate(ctx, certName, ns.Name, dnsName, clusterIssuerName, "ClusterIssuer")
+		})
+	})
+
 	Context("with IBM Cloud Internet Service Webhook", Label("Platform:IBM"), func() {
 
 		// This test uses IBM Cloud Internet Services (CIS) for the DNS-01 challenge.

test/e2e/utils_test.go

@@ -367,6 +367,48 @@ func verifyDeploymentEnv(k8sclient *kubernetes.Clientset, deploymentName string,
 	})
 }
 
+// addOverrideLabels adds the override labels to specific the cert-manager operand. The update process
+// is retried if a conflict error is encountered.
+func addOverrideLabels(client *certmanoperatorclient.Clientset, deploymentName string, labels map[string]string) error {
+	return retry.RetryOnConflict(retry.DefaultRetry, func() error {
+		operator, err := client.OperatorV1alpha1().CertManagers().Get(context.TODO(), "cluster", metav1.GetOptions{})
+		if err != nil {
+			return err
+		}
+
+		updatedOperator := operator.DeepCopy()
+
+		switch deploymentName {
+		case certmanagerControllerDeployment:
+			cfg := updatedOperator.Spec.ControllerConfig
+			if cfg == nil {
+				cfg = &v1alpha1.DeploymentConfig{}
+			}
+			cfg.OverrideLabels = labels
+			updatedOperator.Spec.ControllerConfig = cfg
+		case certmanagerWebhookDeployment:
+			cfg := updatedOperator.Spec.WebhookConfig
+			if cfg == nil {
+				cfg = &v1alpha1.DeploymentConfig{}
+			}
+			cfg.OverrideLabels = labels
+			updatedOperator.Spec.WebhookConfig = cfg
+		case certmanagerCAinjectorDeployment:
+			cfg := updatedOperator.Spec.CAInjectorConfig
+			if cfg == nil {
+				cfg = &v1alpha1.DeploymentConfig{}
+			}
+			cfg.OverrideLabels = labels
+			updatedOperator.Spec.CAInjectorConfig = cfg
+		default:
+			return fmt.Errorf("unsupported deployment name: %s", deploymentName)
+		}
+
+		_, err = client.OperatorV1alpha1().CertManagers().Update(context.TODO(), updatedOperator, metav1.UpdateOptions{})
+		return err
+	})
+}
+
 // addOverrideResources adds the override resources to the specific cert-manager operand. The update process
 // is retried if a conflict error is encountered.
 func addOverrideResources(client *certmanoperatorclient.Clientset, deploymentName string, res v1alpha1.CertManagerResourceRequirements) error {
@@ -793,6 +835,20 @@ func waitForDeploymentArgAndRollout(ctx context.Context, namespace, deploymentNa
 	}, timeout)
 }
 
+// waitForDeploymentPodLabelAndRollout waits for a deployment's pod template to have
+// a specific label and for the rollout to complete. This is useful when waiting for
+// operator-driven label changes to propagate to operand deployments,
+// as it ensures the expected change has been applied before checking rollout status.
+func waitForDeploymentPodLabelAndRollout(ctx context.Context, namespace, deploymentName, labelKey, labelValue string, timeout time.Duration) error {
+	return waitForDeploymentConditionAndRollout(ctx, namespace, deploymentName, func(deployment *appsv1.Deployment) bool {
+		labels := deployment.Spec.Template.GetLabels()
+		if labels == nil {
+			return false
+		}
+		return labels[labelKey] == labelValue
+	}, timeout)
+}
+
 // waitForClusterIssuerReadiness waits for a ClusterIssuer to become Ready
 func waitForClusterIssuerReadiness(ctx context.Context, clusterIssuerName string) error {
 	return wait.PollUntilContextTimeout(ctx, fastPollInterval, lowTimeout, true,

test/go.mod

@@ -3,13 +3,19 @@ module github.com/openshift/cert-manager-operator/test
 go 1.25.0
 
 require (
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.19.1
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.12.0
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2 v2.2.0
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi v1.3.0
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0
 	github.com/aws/aws-sdk-go-v2 v1.40.0
 	github.com/aws/aws-sdk-go-v2/config v1.31.12
 	github.com/aws/aws-sdk-go-v2/service/iam v1.52.1
 	github.com/aws/aws-sdk-go-v2/service/sts v1.38.6
 	github.com/cert-manager/cert-manager v1.19.2
 	github.com/ghodss/yaml v1.0.0
 	github.com/google/go-cmp v0.7.0
+	github.com/google/uuid v1.6.0
 	github.com/onsi/ginkgo/v2 v2.27.5
 	github.com/onsi/gomega v1.39.0
 	github.com/openshift/api v0.0.0-20260105191300-d1c4dc4fd37b
@@ -32,6 +38,8 @@ require (
 	cloud.google.com/go/auth v0.16.5 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 	cloud.google.com/go/compute/metadata v0.9.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 // indirect
 	github.com/Masterminds/semver/v3 v3.4.0 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.18.16 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.9 // indirect
@@ -72,17 +80,18 @@ require (
 	github.com/go-openapi/swag/yamlutils v0.24.0 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
 	github.com/google/btree v1.1.3 // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/pprof v0.0.0-20250903194437-c28834ac2320 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
-	github.com/google/uuid v1.6.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
 	github.com/googleapis/gax-go/v2 v2.15.0 // indirect
 	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/krishicks/yaml-patch v0.0.10 // indirect
+	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/mailru/easyjson v0.9.0 // indirect
 	github.com/moby/spdystream v0.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
@@ -92,6 +101,7 @@ require (
 	github.com/nxadm/tail v1.4.11 // indirect
 	github.com/onsi/ginkgo v1.16.5 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_golang v1.23.2 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect