Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Authenticating to MSSQL via Managed Identity AzureAD administrator is failing #173

Open
bak-fts opened this issue Apr 16, 2024 · 1 comment
Open

Authenticating to MSSQL via Managed Identity AzureAD administrator is failing #173

bak-fts opened this issue Apr 16, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@bak-fts
Copy link

bak-fts commented Apr 16, 2024

What happened?

I tried to authenticate provider-sql as the AzureAD administrator of an MSSQL Server provisioned by Crossplane via the MSSQLServer.sql.azure managed resource with the AzureAD administrator referencing a UserAssignedIdentity.managedidentity managed resource.

To do this, I constructed a secret referenced by the ProviderConfig.mssql object using the client ID as username of the User Assigned Identity, FQDN as endpoint of the MSSQL Server, and fedauth set to ActiveDirectoryManagedIdentity.

When attempting to manage resources in Crossplane via this SQL provider and this provider config, I got an error on the resources like the following:

    Message:               observe failed: cannot select user: The requested identity isn't assigned to this resource.
    Reason:                ReconcileError
    Status:                False
    Type:                  Synced

How can we reproduce it?

Create a managed identity and MSSQL Server like the following.

          # ---------------------------------------------------------
          # Admin User Assigned Identity
          # ---------------------------------------------------------
          - name: AdminUserAssignedIdentity
            base:
              apiVersion: managedidentity.azure.upbound.io/v1beta1
              kind: UserAssignedIdentity
              metadata:
                labels:
                  selector: admin
              spec:
                forProvider:
                  name: id-admin
                  location: switzerlandnorth
                  resourceGroupNameSelector:
                    matchLabels:
                      selector: database
            patches:
              - type: ToCompositeFieldPath
                fromFieldPath: status.atProvider.clientId
                toFieldPath: status.internal.adminIdentityClientId
              - type: ToCompositeFieldPath
                fromFieldPath: status.atProvider.principalId
                toFieldPath: status.internal.adminIdentityPrincipalId
                # To
              - type: ToCompositeFieldPath
                fromFieldPath: status.atProvider.clientId
                toFieldPath: status.internal.adminIdentityClientId

          # ---------------------------------------------------------
          # MS SQL Server
          # ---------------------------------------------------------
          - name: MSSQLServer
            base:
              apiVersion: sql.azure.upbound.io/v1beta1
              kind: MSSQLServer
              metadata:
                labels:
                  selector: main
              spec:
                forProvider:
                  resourceGroupNameSelector:
                    matchLabels:
                      selector: database
                  administratorLogin: fides
                  administratorLoginPasswordSecretRef:
                    key: password
                    name: "" # patched
                    namespace: default
                  azureadAdministrator:
                    - loginUsernameSelector:
                        matchControllerRef: true
                        matchLabels:
                          selector: admin
                      objectIdSelector:
                        matchControllerRef: true
                        matchLabels:
                          selector: admin
                  minimumTlsVersion: "1.2"
                  publicNetworkAccessEnabled: false
                  identity:
                    - type: SystemAssigned
                  location: switzerlandnorth
            patches:
              - type: FromCompositeFieldPath
                fromFieldPath: spec.forComposer.sqlServerVersion
                toFieldPath: spec.forProvider.version
                # To
              - type: ToCompositeFieldPath
                fromFieldPath: status.atProvider.fullyQualifiedDomainName
                toFieldPath: status.internal.sqlServerEndpoint

Then create a secret to be referenced by the ProviderConfig, and the ProviderConfig object itself:

          # ---------------------------------------------------------
          # SQL Connection Secret
          # ---------------------------------------------------------
          # Instead of relying on writeConnectionSecretToRef in MSSQL Server,
          # we write it manually to set fedauth=ActiveDirectoryManagedIdentity
          - name: SQLConnectionSecret
            base:
              apiVersion: kubernetes.crossplane.io/v1alpha1
              kind: Object
              spec:
                providerConfigRef:
                  name: crossplane-cluster
                forProvider:
                  manifest:
                    apiVersion: v1
                    kind: Secret
                    metadata:
                      name: sql-connection-secret
                      namespace: default
                    type: Opaque
                    data:
                      # echo -n ActiveDirectoryManagedIdentity|base64
                      fedauth: QWN0aXZlRGlyZWN0b3J5TWFuYWdlZElkZW50aXR5
            patches:
              - type: FromCompositeFieldPath
                fromFieldPath: status.internal.sqlServerEndpoint
                transforms:
                  - type: string
                    string:
                      type: Convert
                      convert: ToBase64
                toFieldPath: spec.forProvider.manifest.data[endpoint]
              - type: FromCompositeFieldPath
                fromFieldPath: status.internal.adminIdentityClientId
                transforms:
                  - type: string
                    string:
                      type: Convert
                      convert: ToBase64
                toFieldPath: spec.forProvider.manifest.data[username]

          # ---------------------------------------------------------
          # SQL ProviderConfig Kubernetes Object
          # ---------------------------------------------------------
          - name: SQLProviderConfigKubernetesObject
            base:
              apiVersion: kubernetes.crossplane.io/v1alpha2
              kind: Object
              spec:
                providerConfigRef:
                  name: crossplane-cluster
                forProvider:
                  manifest:
                    apiVersion: mssql.sql.crossplane.io/v1alpha1
                    kind: ProviderConfig
                    metadata:
                      name: default
                    spec:
                      credentials:
                        source: MSSQLConnectionSecret
                        connectionSecretRef:
                          name: sql-connection-secret
                          namespace: default

Finally, try to provision any resource using the provider-sql provider and observe the error.

  Warning  CannotObserveExternalResource  23s (x103 over 22h)  managed/user.mssql.sql.crossplane.io  cannot select user: The requested identity isn't assigned to this resource.

What environment did it happen in?

Crossplane version: 1.15
provider-sql version: v0.9.0
@bak-fts bak-fts added the bug Something isn't working label Apr 16, 2024
@Duologic
Copy link
Member

Is this a duplicate of #165?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Duologic @bak-fts