github.com/openshift/installer@v1.4.17/docs/dev/azure/azure_client_certs_auth.md

# Azure Authentication using Client certificates

Azure accepts client certificates as a means of authenticating a service principal, and Terraform accepts them too.
As of 4.12, the Installer accepts certificate-based service principals in addition to secret-based service principals.

### Pitfalls
Although the installer can now use certificates to authenticate, the Cloud Credential Operator (CCO) does not support this, so the installer
should create the cluster in manual credentials mode only.

### Prerequisites
- A certificate suitable for Azure has been created.
- The certificate has been registered with Azure as part of App Registrations in Azure AD.
More information on how to do these steps is below.

## Steps
The installer takes a service principal for authentication, and currently the fields listed below must be populated.

After [1], the client secret no longer needs to be passed; the clientCertificate and clientCertificatePassword fields can be passed instead.

1. Populate the service principal with the following fields. By default the service principal is read from ~/.azure/osServicePrincipal.json
   - subscriptionId
   - tenantId
   - clientId
   - clientCertificate (this must be the path to the generated pfx file)
   - clientCertificatePassword (optional)
2. Run openshift-installer

The installer will automatically pick up the values in the service principal and switch to certificate-based authentication.

## Extras
### Creating a certificate
Azure expects a PEM certificate for App registrations that are used for authentication. It then expects the PEM certificate and the
key to be combined into a PFX file for the authentication requests any application makes. We can use openssl to create these files.
There are multiple ways to generate a certificate, but the key point to remember is that Terraform does not accept the latest algorithms
for generating pfx files, so we need to convert them using the older algorithms [2].

To generate a certificate, enter the following command using openssl:

`openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365`

This command asks a few questions that need to be answered, then generates a PEM certificate and a PEM key file that are valid for one year.

Once this command is done, we need to register the certificate with Azure AD. Navigate to the AD and click on App Registrations.
We can either reuse an existing registration or create a new one, in which case enter the name and make sure Supported Account Types is set to
the appropriate permission. Redirect URI is optional and need not be entered.

Once the registration is created, click on it, navigate to the Certificates and Secrets section and click on Upload Certificate to upload the PEM
certificate that we created. This marks the end of the certificate generation section.

We now need to create the pfx file that we will use to authenticate with Azure. This can be done with the following command.

`openssl pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1 -inkey key.pem -in cert.pem -out cert.pfx`

This ensures the pfx file is generated with algorithms that Terraform understands. The pfx file is now ready to use for authentication, and its path can be set as the
"clientCertificate" key in the osServicePrincipal.json file mentioned above.
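To confirm that a pfx file really was built with the older algorithms before handing it to the installer, the following added example (not part of the installer or of this document) walks the DER structure of a PKCS#12 blob and reports which PBE and MAC algorithm identifiers it contains. The OIDs and names are the standard ones; the assumption that Terraform accepts the PBE-SHA1-3DES/SHA-1 pair selected by the command above and rejects the PBES2/SHA-256 pair that OpenSSL 3 emits by default is taken from [2].

```python
# OIDs that Terraform's PKCS#12 parser accepts (what the openssl command above
# selects) versus the OpenSSL 3 defaults it rejects (assumed from reference [2]).
LEGACY_OIDS = {"1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC",
               "1.3.14.3.2.26": "sha1"}
MODERN_OIDS = {"1.2.840.113549.1.5.13": "PBES2", "2.16.840.1.101.3.4.2.1": "sha256"}

def _decode_oid(body: bytes) -> str:
    parts = [2, body[0] - 80] if body[0] >= 80 else [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:                      # base-128 sub-identifiers
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(str(p) for p in parts)

def _collect_oids(der: bytes, out: list) -> None:
    """Walk DER TLVs, descending into constructed nodes and into OCTET STRINGs that
    wrap further DER (PKCS#12 nests its SafeContents that way); encrypted payloads
    do not parse as DER and are skipped."""
    i = 0
    while i < len(der):
        tag, length, i = der[i], der[i + 1], i + 2
        if length & 0x80:                   # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(der[i:i + n], "big"), i + n
        body = der[i:i + length]
        if len(body) != length:
            raise ValueError("truncated DER")
        if tag == 0x06:                     # OBJECT IDENTIFIER
            out.append(_decode_oid(body))
        elif tag & 0x20:                    # SEQUENCE, SET, [0] EXPLICIT
            _collect_oids(body, out)
        elif tag == 0x04 and body[:1] == b"\x30":
            nested = []
            try:
                _collect_oids(body, nested)
                out.extend(nested)
            except (ValueError, IndexError):
                pass                        # opaque octet string, not nested DER
        i += length

def pfx_algorithm_report(pfx: bytes) -> dict:
    """Classify the PBE and MAC algorithms found in a PKCS#12 (.pfx) blob."""
    oids = []
    _collect_oids(pfx, oids)
    legacy = sorted({LEGACY_OIDS[o] for o in oids if o in LEGACY_OIDS})
    modern = sorted({MODERN_OIDS[o] for o in oids if o in MODERN_OIDS})
    return {"legacy": legacy, "modern": modern,
            "terraform_compatible": bool(legacy) and not modern}
```

Run `pfx_algorithm_report(open("cert.pfx", "rb").read())` on the file named by clientCertificate; a report listing PBES2 or sha256 means the file was built with the OpenSSL defaults and needs to be regenerated with the command above.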

### References
[1] PR enabling Azure certificate authentication: https://github.com/openshift/installer/pull/6250
[2] terraform-provider-azurerm issue: https://github.com/hashicorp/terraform-provider-azurerm/issues/16228