Use workload identity for azure cli when Federated token file is present

[nawazkh]

What type of PR is this?
/kind feature

What this PR does / why we need it:

• ensure-azcli.sh will log in using AZURE_WORKLOAD_ID and --federated-token when AZURE_FEDERATED_TOKEN_FILE is available in the env.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
POC as part of https://github.com/kubernetes/test-infra/blob/master/docs/job-migration-todo.md and #4976

Special notes for your reviewer:

• Once this PR merges

  • We should be updating CAPZ test jobs with preset-azure-cred-wi: "true" preset and dropping any unrelated credential presets.
  • Migrate other test jobs to use WI.

• cherry-pick candidate

TODOs:

• squashed commits
• includes documentation
• adds unit tests

Release note:

`ensure-azcli.sh` will log in using `AZURE_WORKLOAD_ID` if `AZURE_FEDERATED_TOKEN_FILE` is available in the env.

[k8s-ci-robot]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 62.24%. Comparing base (5a3f86f) to head (c3f6e88).
Report is 4 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4939      +/-   ##
==========================================
- Coverage   62.25%   62.24%   -0.02%     
==========================================
  Files         201      201              
  Lines       16912    16912              
==========================================
- Hits        10529    10527       -2     
- Misses       5590     5592       +2     
  Partials      793      793              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[mboersma]

/lgtm

Seems like the right first step, so as not to break anything. I like your plan of action in the PR description. 👍🏻

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 1ad89fce498c9d1e5d73f4822f4df9d3cc83499e

[jackfrancis]

/test ls

[k8s-ci-robot]

@jackfrancis: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

• /test pull-cluster-api-provider-azure-apiversion-upgrade
• /test pull-cluster-api-provider-azure-build
• /test pull-cluster-api-provider-azure-ci-entrypoint
• /test pull-cluster-api-provider-azure-e2e
• /test pull-cluster-api-provider-azure-e2e-aks
• /test pull-cluster-api-provider-azure-test
• /test pull-cluster-api-provider-azure-verify

The following commands are available to trigger optional jobs:

• /test pull-cluster-api-provider-azure-apidiff
• /test pull-cluster-api-provider-azure-capi-e2e
• /test pull-cluster-api-provider-azure-conformance
• /test pull-cluster-api-provider-azure-conformance-custom-builds
• /test pull-cluster-api-provider-azure-conformance-dual-stack-with-ci-artifacts
• /test pull-cluster-api-provider-azure-conformance-ipv6-with-ci-artifacts
• /test pull-cluster-api-provider-azure-conformance-with-ci-artifacts
• /test pull-cluster-api-provider-azure-e2e-optional
• /test pull-cluster-api-provider-azure-e2e-workload-upgrade
• /test pull-cluster-api-provider-azure-windows-containerd-upstream-with-ci-artifacts-serial-slow
• /test pull-cluster-api-provider-azure-windows-custom-builds
• /test pull-cluster-api-provider-azure-windows-with-ci-artifacts

Use /test all to run the following jobs that were automatically triggered:

• pull-cluster-api-provider-azure-apidiff
• pull-cluster-api-provider-azure-build
• pull-cluster-api-provider-azure-ci-entrypoint
• pull-cluster-api-provider-azure-e2e
• pull-cluster-api-provider-azure-e2e-aks
• pull-cluster-api-provider-azure-test
• pull-cluster-api-provider-azure-verify

In response to this:

/test ls

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[jackfrancis]

/test pull-cluster-api-provider-azure-capi-e2e
/test pull-cluster-api-provider-azure-conformance
/test pull-cluster-api-provider-azure-conformance-custom-builds
/test pull-cluster-api-provider-azure-conformance-dual-stack-with-ci-artifacts
/test pull-cluster-api-provider-azure-conformance-ipv6-with-ci-artifacts
/test pull-cluster-api-provider-azure-conformance-with-ci-artifacts
/test pull-cluster-api-provider-azure-e2e-optional
/test pull-cluster-api-provider-azure-e2e-workload-upgrade
/test pull-cluster-api-provider-azure-windows-custom-builds
/test pull-cluster-api-provider-azure-windows-with-ci-artifacts

[mboersma]

This isn't a bugfix per se, but still I think we may want to cherry-pick this change in order to test it through test-infra.

[nawazkh]

/test pull-cluster-api-provider-azure-e2e-optional

[nawazkh]

/test pull-cluster-api-provider-azure-e2e-with-wi-optional

[nawazkh]

/test pull-cluster-api-provider-azure-e2e-with-wi-optional

[nawazkh]

/test pull-cluster-api-provider-azure-e2e-with-wi-optional

[nawazkh]

${ENABLE_AUTH_MODE_LOGIN:+"--auth-mode login"} is the penultimate workaround in the list of exceptions.
SC2086#exceptions

Note that the value of ENABLE_AUTH_MODE_LOGIN immaterial as long as it is set for ${ENABLE_AUTH_MODE_LOGIN:+"--auth-mode login"} evaluate to "--auth-mode login"

[jsturtevant]

TIL

[nawazkh]

/test pull-cluster-api-provider-azure-windows-custom-builds

[nawazkh]

Created and closed the PR kubernetes/test-infra#32938. Adding here for my reference.

[jsturtevant]

/lgtm

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 3866d1706d03a0465758caa8c982783d9830e1a8

[jsturtevant]

/retitle Use workload identity for azure cli when Federated token file is present

[nawazkh]

/unhold

[nojnhuh]

/lgtm

Thanks @nawazkh!

[mboersma]

/lgtm

[mboersma]

You can assign and export in one line, just fyi:

export ENABLE_AUTH_MODE_LOGIN="true"

[nawazkh]

I got a diff to use in the upcoming CAPZ test migration PR :)

[jackfrancis]

Sometimes linter complains about assign + export in one line though!

[k8s-ci-robot]

@nawazkh: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-cluster-api-provider-azure-e2e-optional	ebe5917	link	false	/test pull-cluster-api-provider-azure-e2e-optional

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[nawazkh]

Timed out.. :(

 [FAILED] Timed out after 1800.001s.
  Timed out waiting for 3 control plane machines to exist
  Expected
      <int>: 1
  to equal
      <int>: 3
  In [It] at: /home/prow/go/pkg/mod/sigs.k8s.io/cluster-api/test@v1.7.3/framework/controlplane_helpers.go:116 @ 07/10/24 20:48:37.121

/test pull-cluster-api-provider-azure-e2e