Initial enhancement

Signed-off-by: Bryan Cox <[email protected]>

enhancements/hypershift/enable-azure-creds-via-cert.md

@@ -32,45 +32,46 @@ superseded-by:
 
 ## Summary
 
-This enhancement proposes introducing an environment variable in the image registry, ingress, cloud network config,
-and storage operators. This variable would allow overriding the Azure authentication strategy used by these operators to
-leverage Azure managed service identity (MSI), regardless of the underlying cloud configuration.
+This enhancement proposes enabling image registry, ingress, cloud network config, and storage operators(azure-file and 
+azure-disk) to accept authenticating with Azure with certificates using Azure SDK for Go's generic function 
+[NewDefaultAzureCredential](https://github.com/Azure/azure-sdk-for-go/blob/4ebe2fa68c8f9f0a0737d4569810525b4ac45834/sdk/azidentity/default_azure_credential.go#L63).
 
 ## Motivation
 
-In Azure Red Hat OpenShift (ARO) Hosted Control Plane (HCP), operators running in the control plane need to
-authenticate using Azure managed service identities to communicate with cloud services. In contrast, the same operators
-running on the data plane/guest cluster side use workload identity authentication.
+In production, Azure Red Hat OpenShift (ARO) Hosted Control Plane (HCP), operators running in the control plane need to
+authenticate using Azure managed identities, backed by certificates, to communicate with cloud services. In the 
+meantime, ARO HCP will use Service Principal, backed by certificates, for development and testing. 
+
+In contrast, the same operators running on the data plane/guest cluster side use workload identity authentication.
 
 ### User Stories
 
-* [Support MSI authentication in cluster-ingress-operator](https://issues.redhat.com/browse/NE-1504)
-* [Support MSI authentication in cloud-network-config-controller](https://issues.redhat.com/browse/SDN-4450)
-* [Support MSI authentication in cluster-storage-operator](https://issues.redhat.com/browse/STOR-1748)
-* [Support MSI authentication in image-registry](https://issues.redhat.com/browse/IR-460)
+* [Explore enable getting AzureCreds via cert using generic NewDefaultAzureCredential](https://issues.redhat.com/browse/HOSTEDCP-1994)
 
 ### Goals
 
-* Agreement from ingress, image registry, network, and storage representatives on a standard approach to authenticate with MSI for ARO HCP.
+* Agreement from ingress, image registry, network, and storage representatives on a standard approach to authenticate with Azure for ARO HCP.
 
 ### Non-Goals
 
-* Implementing MSI for image registry, ingress, cloud network config, and storage operators outside the override.
+N/A
 
 ## Proposal
 
-We propose setting an environment variable, ARO_HCP_MI_CLIENT_ID, upon deployment of image registry, ingress, cloud
-network config, and storage operators in the control plane of an ARO HCP cluster. This variable will be checked by each
-operator; if set, it will override the default authentication mechanism, using a managed identity to authenticate with
-Azure cloud services instead. ARO_HCP_MI_CLIENT_ID will contain the client ID to create the new managed identity.
+We propose updating the Azure API authentication methods in image registry, ingress, cloud network config, and storage 
+operators to use the using Azure SDK for Go's generic function [NewDefaultAzureCredential](https://github.com/Azure/azure-sdk-for-go/blob/4ebe2fa68c8f9f0a0737d4569810525b4ac45834/sdk/azidentity/default_azure_credential.go#L63).
+This function walks through creating a valid Azure credential chain used to authenticate with Azure API based on what
+environment variables are set up.
 
-For operators with operands that they manage in the control plane, the operator would be responsible for propagating the
-environment variable to those operands (if the operands need cloud access).
+HyperShift would pass the following environment variables - AZURE_CLIENT_ID, AZURE_TENANT_ID, and 
+AZURE_CLIENT_CERTIFICATE_PATH - to its deployments of image registry, ingress, cloud network config, and storage 
+operators (azure-file and azure-disk) on the hosted control plane. Each of these components would then pass these  
+variables along to NewDefaultAzureCredential.
 
 ### Workflow Description
 
-* HostedCluster control plane operator will set ARO_HCP_MI_CLIENT_ID on deployment of image registry, ingress, cluster network operator (which will pass the value to cloud network config), and storage operators
-* When each operator is configuring the Azure authentication type, if the ARO_HCP_MI_CLIENT_ID is set, the operator will ignore any other Azure cloud configuration and use Managed Identity with the client ID being set to the value in ARO_HCP_MI_CLIENT_ID
+* HostedCluster control plane operator will set AZURE_CLIENT_ID, AZURE_TENANT_ID, and AZURE_CLIENT_CERTIFICATE_PATH on deployment of image registry, ingress, cluster network operator (which will pass the value to cloud network config), and storage operators (which will pass the values to azure-file and azure disk)
+* When each operator is configuring the Azure authentication type, it will call Azure SDK for Go's generic function NewDefaultAzureCredential
 
 ### API Extensions