chore: Replace deprecated autorest SDK with azidentity

[shahramk64]

Description

What this PR does / why we need it:

Azure authentication currently uses go-autorest SDK. It's now deprecated and using MSAL and azidentity SDKs are now recommended. This PR replaces the deprecated SDK with azidentity.

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):

Fixes #1630

Type of change

Please delete options that are not relevant.

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Helm Chart Change (any edit/addition/update that is necessary for changes merged to the main branch)
• This change requires a documentation update

How Has This Been Tested?

This tutorial was followed to test authenticating AKS with AKV and retrieval of certificates.
1- KeyManagementProvider scenario: After deploying the following kmp resource using kubectl apply -f kmp_config.yaml, the Ratify pod log shows successful retrieval of the certificate.

kmp_config.yaml:

apiVersion: config.ratify.deislabs.io/v1beta1
kind: KeyManagementProvider
metadata:
  name: keymanagementprovider-akv
spec:
  type: azurekeyvault
  parameters:
    vaultURI: https://skal21kv.vault.azure.net/
    keys:
      - name: cosign
        version: 16c798cd4be049908bdcd841d20c19cd
    certificates:
      - name: wabbit-networks-io
        version: 3d6a30dfb52645ebb307d99e900c10ad
    tenantID: 72f988bf-86f1-41af-91ab-2d7cd011db47
    clientID: 6f77181a-6ca6-404d-accc-703b3ae18d03

Ratify logs:

time=2024-11-05T04:27:27.618019657Z level=info msg=provider.cloudEnv.KeyVaultEndpoint https://vault.azure.net/, provider.vaultURI https://skal21kv.vault.azure.net/ component-type=keyManagementProvider go.version=go1.22.8
time=2024-11-05T04:27:27.618039936Z level=info msg=kvEndpoint https://skal21kv.vault.azure.net component-type=keyManagementProvider go.version=go1.22.8
time=2024-11-05T04:27:27.618466847Z level=info msg=azsecrets kvclient created successfully component-type=keyManagementProvider go.version=go1.22.8
time=2024-11-05T04:27:27.618525541Z level=info msg=fetching secret from key vault, certName wabbit-networks-io, certVersion %!v(MISSING) component-type=keyManagementProvider go.version=go1.22.8
time=2024-11-05T04:27:27.901644022Z level=info msg=1 certificate(s) & 1 key(s) fetched for key management provider keymanagementprovider-akv

It was also verified by the following command:
kubectl describe KeyManagementProvider keymanagementprovider-akv

Name:         keymanagementprovider-akv
Namespace:    
Labels:       <none>
Annotations:  <none>
API Version:  config.ratify.deislabs.io/v1beta1
Kind:         KeyManagementProvider
Metadata:
  Creation Timestamp:  2024-11-05T04:27:27Z
  Generation:          1
  Resource Version:    1802478
  UID:                 889e589a-f696-4410-bd01-73bfa8a330b3
Spec:
  Parameters:
    Certificates:
      Name:     wabbit-networks-io
      Version:  3d6a30dfb52645ebb307d99e900c10ad
    Client ID:  6f77181a-6ca6-404d-accc-703b3ae18d03
    Keys:
      Name:          cosign
      Version:       16c798cd4be049908bdcd841d20c19cd
    Tenant ID:       72f988bf-86f1-41af-91ab-2d7cd011db47
    Vault URI:       https://skal21kv.vault.azure.net/
  Refresh Interval:  
  Type:              azurekeyvault
Status:
  Issuccess:        true
  Lastfetchedtime:  2024-11-05T04:27:27Z
  Properties:
    Certificates:
      Last Refreshed:  2024-11-05T04:27:27Z
      Name:            wabbit-networks-io
      Version:         3d6a30dfb52645ebb307d99e900c10ad
    Keys:
      Last Refreshed:  2024-11-05T04:27:27Z
      Name:            cosign
      Version:         16c798cd4be049908bdcd841d20c19cd
Events:                <none>

2- CertificateStore scenario: After deploying the following certificate store resource using kubectl apply -f cs_config.yaml, the Ratify pod log shows successful retrieval of the certificate.

cs_config.yaml:

apiVersion: config.ratify.deislabs.io/v1beta1
kind: CertificateStore
metadata:
  name: certstore-akv
spec:
  provider: azurekeyvault
  parameters:
    vaultURI: https://skal21kv.vault.azure.net/
    certificates: |
      array:
        - |
          certificateName: wabbit-networks-io
          certificateVersion: 3d6a30dfb52645ebb307d99e900c10ad
    tenantID: 72f988bf-86f1-41af-91ab-2d7cd011db47
    clientID: 6f77181a-6ca6-404d-accc-703b3ae18d03

Ratify logs:

time=2024-11-11T10:26:40.87690862Z level=info msg=reconciling certificate store 'gatekeeper-system/certstore-akv'
time=2024-11-11T10:26:41.589902887Z level=info msg=1 certificates fetched for certificate store gatekeeper-system/certstore-akv

It was also verified by the following command:
kubectl describe CertificateStore certstore-akv

Name:         certstore-akv
Namespace:    gatekeeper-system
Labels:       <none>
Annotations:  <none>
API Version:  config.ratify.deislabs.io/v1beta1
Kind:         CertificateStore
Metadata:
  Creation Timestamp:  2024-11-11T10:26:40Z
  Generation:          1
  Resource Version:    4036265
  UID:                 a9f89508-e7a0-45a4-855f-b1e7ec0ee13e
Spec:
  Parameters:
    Certificates:  array:
  - |
    certificateName: wabbit-networks-io
    certificateVersion: 3d6a30dfb52645ebb307d99e900c10ad

    Client ID:  6f77181a-6ca6-404d-accc-703b3ae18d03
    Tenant ID:  72f988bf-86f1-41af-91ab-2d7cd011db47
    Vault URI:  https://skal21kv.vault.azure.net/
  Provider:     azurekeyvault
Status:
  Issuccess:        true
  Lastfetchedtime:  2024-11-11T10:26:40Z
  Properties:
    Certificates:
      Certificate Name:  wabbit-networks-io
      Last Refreshed:    2024-11-11T10:26:41Z
      Version:           3d6a30dfb52645ebb307d99e900c10ad
Events:                  <none>

Checklist:

• Does the affected code have corresponding tests?
• Are the changes documented, not just with inline documentation, but also with conceptual documentation such as an overview of a new feature, or task-based documentation like a tutorial? Consider if this change should be announced on your project blog.
• Does this introduce breaking changes that would require an announcement or bumping the major version?
• Do all new files have appropriate license header?

Post Merge Requirements

• MAINTAINERS: manually trigger the "Publish Package" workflow after merging any PR that indicates Helm Chart Change

[codecov]

Codecov Report

Attention: Patch coverage is 74.13793% with 30 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
...kg/keymanagementprovider/azurekeyvault/provider.go	76.08%	17 Missing and 5 partials ⚠️
pkg/certificateprovider/azurekeyvault/provider.go	66.66%	8 Missing ⚠️

Files with missing lines	Coverage Δ
pkg/certificateprovider/azurekeyvault/auth.go	65.21% <ø> (+31.12%)	⬆️
pkg/keymanagementprovider/azurekeyvault/auth.go	65.21% <ø> (+8.39%)	⬆️
pkg/certificateprovider/azurekeyvault/provider.go	62.56% <66.66%> (+4.45%)	⬆️
...kg/keymanagementprovider/azurekeyvault/provider.go	82.66% <76.08%> (-2.19%)	⬇️

... and 28 files with indirect coverage changes

[susanshi]

Thanks for the PR @shahramk64 , looks great overall. Would you be able to include all automated and manual validation in the PR description? our automated test may have switched to using kmp, we might need to manually validate certificateprovider path to ensure this provider continues to be functional.

[shahramk64]

Manual Validation test failed. I'll continue working on this PR and will update you once it's fixed
cc: @susanshi @akashsinghal @binbin-li

[shahramk64]

@susanshi @binbin-li @akashsinghal
I fixed a bug, manual testing succeeded and I updated the PR description to include the testing evidence.

[susanshi]

Thankyou @shahramk64 ! code change looks good to me. I have two ask:

• thank you for providing the validation result for kmp CR, since this change also updated certificate provider CR, would you be able to validate certificateprovider CR and paste the result?
• would you be to review @duffney 's PR to help understand if there will be any updates required to resolve any merge conflict.

[binbin-li]

correct me if I'm wrong, but I didn't see any caller pass in a non-nil credprovider.

[shahramk64]

That's correct. It only is non-nill in unit tests for mocking purposes.

[binbin-li]

I see. I feel it's not the best way to add this nil credProvider for testing purpose, but may need some refactoring on how we invoke initKVClient function. It's out of the scope of this PR, could you add some TODO comments so that we can address it later.

[binbin-li]

I see. I feel it's not the best way to add this nil credProvider for testing purpose, but may need some refactoring on how we invoke initKVClient function. It's out of the scope of this PR, could you add some TODO comments so that we can address it later.

[akashsinghal]

do we not need cloud env information now? Is this because the new SDK can infer cloud type based on the URI?

[shahramk64]

I couldn't find any usecases for the couldName variable, other than extracting azureenv which is removed here because the new SDK only needs the vault's URI when creating a client. So I removed it.

[akashsinghal]

nil check required for secretReponse?

[shahramk64]

Go newbie question:
Is this the right way to compare the secretResponse struct with nil:

if reflect.DeepEqual(secretResponse, azsecrets.GetSecretResponse{}) {
	return nil, nil, fmt.Errorf("failed to get secret objectName:%s, objectVersion:%s, secret response is nil", keyVaultCert.Name, keyVaultCert.Version)
}

[binbin-li]

is if secretResponse == nil working in this case?

[shahramk64]

@binbin-li doesn't seem like it:

invalid operation: secretResponse == nil (mismatched types azsecrets.GetSecretResponse and untyped nil)compiler[MismatchedTypes](https://pkg.go.dev/golang.org/x/tools/internal/typesinternal#MismatchedTypes)

[akashsinghal]

have we verified the new values for each case exact the existing values? Just want to double check

[shahramk64]

Here is how the new consts are defined in azkeys:

const (
	JSONWebKeyTypeEC JSONWebKeyType = "EC"
	JSONWebKeyTypeECHSM JSONWebKeyType = "EC-HSM"
	JSONWebKeyTypeOct JSONWebKeyType = "oct"
	JSONWebKeyTypeOctHSM JSONWebKeyType = "oct-HSM"
	JSONWebKeyTypeRSA JSONWebKeyType = "RSA"
	JSONWebKeyTypeRSAHSM JSONWebKeyType = "RSA-HSM"
)

And here is how they were defined in keyvault (kv):

const (
	EC = "EC"
	ECHSM = "EC-HSM"
	Oct = "oct"
	RSA = "RSA"
	RSAHSM = "RSA-HSM"
)

I replicated the same two conditions ( both in the condition and the body of the if statements). Is that whatever you are concerned about or something else?

[shahramk64]

@duffney Can you please have a look at this PR and see if the merge makes sense to you?
Thanks