Merge pull request Azure#4166 from Azure/hawkowl/ARO-15999

[ARO-15999] Initial stab at using workload identity

Author: hawkowl

pkg/env/msiauthorizer.go

@@ -20,8 +20,18 @@ const (
 	MSIContextGateway MSIContext = "GATEWAY"
 )
 
+const EnvUseWorkloadIdentity = "ARO_RP_WORKLOAD_IDENTITY"
+
 func (c *core) NewMSITokenCredential() (azcore.TokenCredential, error) {
 	if !c.IsLocalDevelopmentMode() {
+		// If ARO_RP_WORKLOAD_IDENTITY is set, use a WorkloadIdentity credential
+		// for RP authentication to FPSP keyvault instead
+		useWorkloadIdentity := os.Getenv(EnvUseWorkloadIdentity)
+		if useWorkloadIdentity != "" {
+			options := c.Environment().WorkloadIdentityCredentialOptions()
+			return azidentity.NewWorkloadIdentityCredential(options)
+		}
+
 		options := c.Environment().ManagedIdentityCredentialOptions()
 		return azidentity.NewManagedIdentityCredential(options)
 	}

pkg/util/azureclient/environments.go

@@ -149,6 +149,12 @@ func (e *AROEnvironment) ManagedIdentityCredentialOptions() *azidentity.ManagedI
 	}
 }
 
+func (e *AROEnvironment) WorkloadIdentityCredentialOptions() *azidentity.WorkloadIdentityCredentialOptions {
+	return &azidentity.WorkloadIdentityCredentialOptions{
+		ClientOptions: e.AzureClientOptions(),
+	}
+}
+
 func (e *AROEnvironment) AzureClientOptions() azcore.ClientOptions {
 	return azcore.ClientOptions{
 		Cloud: e.Cloud,