fix: replace DefaultAzureCredential with AzureCLICredential for impro… (#25)

* fix: replace DefaultAzureCredential with AzureCLICredential for improved authentication

* fix karpetner helm

Author: anson627

cli/internal/aks/deploy/deploy.go

@@ -76,7 +76,7 @@ func run(ctx context.Context) error {
 		return err
 	}
 
-	credentials, err := azidentity.NewDefaultAzureCredential(nil)
+	credentials, err := azidentity.NewAzureCLICredential(nil)
 	if err != nil {
 		return err
 	}

cli/internal/aks/deploy/wireguard.go

@@ -10,8 +10,8 @@ import (
 	"text/template"
 	"time"
 
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
-	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v8"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -38,7 +38,7 @@ const (
 	wgKubeImage = "ghcr.io/b4fun/wg-kube:sha-11e4656"
 )
 
-func deployWireGuard(ctx context.Context, credentials *azidentity.DefaultAzureCredential, cfg *utilconfig.Config) error {
+func deployWireGuard(ctx context.Context, credentials azcore.TokenCredential, cfg *utilconfig.Config) error {
 	// Step 1: Get or generate WireGuard keys for the hub
 	log.Print("Getting WireGuard keys...")
 
@@ -93,7 +93,7 @@ func deployWireGuard(ctx context.Context, credentials *azidentity.DefaultAzureCr
 
 // getOrCreateWireGuardKeys checks if the wireguard-keys secret exists and returns those keys,
 // otherwise generates new keys.
-func getOrCreateWireGuardKeys(ctx context.Context, credentials *azidentity.DefaultAzureCredential, cfg *utilconfig.Config) (*wireguard.KeyPair, error) {
+func getOrCreateWireGuardKeys(ctx context.Context, credentials azcore.TokenCredential, cfg *utilconfig.Config) (*wireguard.KeyPair, error) {
 	loader, err := k8s.Loader(ctx, credentials, cfg)
 	if err != nil {
 		return nil, err
@@ -144,7 +144,7 @@ func getOrCreateWireGuardKeys(ctx context.Context, credentials *azidentity.Defau
 }
 
 // getWireGuardNodeIP retrieves the public and private IP of the WireGuard gateway node from Kubernetes.
-func getWireGuardNodeIP(ctx context.Context, credentials *azidentity.DefaultAzureCredential, cfg *utilconfig.Config) (publicIP, privateIP string, err error) {
+func getWireGuardNodeIP(ctx context.Context, credentials azcore.TokenCredential, cfg *utilconfig.Config) (publicIP, privateIP string, err error) {
 	loader, err := k8s.Loader(ctx, credentials, cfg)
 	if err != nil {
 		return "", "", err
@@ -219,7 +219,7 @@ func getWireGuardNodeIP(ctx context.Context, credentials *azidentity.DefaultAzur
 }
 
 // updateRouteTable updates the route table with the gateway node's private IP.
-func updateRouteTable(ctx context.Context, credentials *azidentity.DefaultAzureCredential, cfg *utilconfig.Config, gatewayPrivateIP string) error {
+func updateRouteTable(ctx context.Context, credentials azcore.TokenCredential, cfg *utilconfig.Config, gatewayPrivateIP string) error {
 	routeTablesClient, err := armnetwork.NewRouteTablesClient(cfg.SubscriptionID, credentials, nil)
 	if err != nil {
 		return err
@@ -256,7 +256,7 @@ func updateRouteTable(ctx context.Context, credentials *azidentity.DefaultAzureC
 }
 
 // associateRouteTableWithSubnets associates the wg-routes route table with the aks and nodes subnets.
-func associateRouteTableWithSubnets(ctx context.Context, credentials *azidentity.DefaultAzureCredential, cfg *utilconfig.Config) error {
+func associateRouteTableWithSubnets(ctx context.Context, credentials azcore.TokenCredential, cfg *utilconfig.Config) error {
 	subnetsClient, err := armnetwork.NewSubnetsClient(cfg.SubscriptionID, credentials, nil)
 	if err != nil {
 		return err
@@ -307,7 +307,7 @@ func associateRouteTableWithSubnets(ctx context.Context, credentials *azidentity
 // deployWireGuardToK8s deploys the WireGuard DaemonSet to the AKS cluster.
 func deployWireGuardToK8s(
 	ctx context.Context,
-	credentials *azidentity.DefaultAzureCredential,
+	credentials azcore.TokenCredential,
 	cfg *utilconfig.Config,
 	keys *wireguard.KeyPair,
 ) error {

cli/internal/config/configcmd/defaults.go

@@ -6,6 +6,7 @@ import (
 	"os"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 
 	"github.com/Azure/aks-flex/plugin/pkg/services/agentpools/api/features/kubeadm"
 	"github.com/Azure/aks-flex/plugin/pkg/util/config"
@@ -41,7 +42,17 @@ func OrPlaceholder(val string) string {
 // reachable or the required environment variables are not set, it falls back
 // to placeholder values that the user must replace manually.
 func DefaultKubeadmConfig(ctx context.Context) *kubeadm.Config {
-	cfg, err := kubeadmutil.FromAKS(ctx)
+	credentials, err := azidentity.NewAzureCLICredential(nil)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Warning: could not obtain Azure CLI credentials: %v\n", err)
+		fmt.Fprintln(os.Stderr, "Using placeholder values — edit the output before applying.")
+		return kubeadm.Config_builder{
+			Server:                   to.Ptr(placeholder),
+			CertificateAuthorityData: []byte(placeholder),
+			Token:                    to.Ptr(placeholder),
+		}.Build()
+	}
+	cfg, err := kubeadmutil.FromAKS(ctx, credentials)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "Warning: could not retrieve kubeadm config from AKS cluster: %v\n", err)
 		fmt.Fprintln(os.Stderr, "Using placeholder values — edit the output before applying.")

cli/internal/config/k8sbootstrap/k8sbootstrap.go

@@ -183,7 +183,7 @@ func paramsFromContext(ctx context.Context) Params {
 		return placeholderParams()
 	}
 
-	credentials, err := azidentity.NewDefaultAzureCredential(nil)
+	credentials, err := azidentity.NewAzureCLICredential(nil)
 	if err != nil {
 		warn("could not obtain Azure credentials: %v", err)
 		return placeholderParams()

cli/internal/config/karpenter/karpenter.go

@@ -110,7 +110,7 @@ func (hc *helmContext) resolve(ctx context.Context) {
 		return
 	}
 
-	credentials, err := azidentity.NewDefaultAzureCredential(nil)
+	credentials, err := azidentity.NewAzureCLICredential(nil)
 	if err != nil {
 		warn("could not obtain Azure credentials: %v", err)
 		return

cli/internal/network/deploy/deploy.go

@@ -37,7 +37,7 @@ func run(ctx context.Context) error {
 		return err
 	}
 
-	credentials, err := azidentity.NewDefaultAzureCredential(nil)
+	credentials, err := azidentity.NewAzureCLICredential(nil)
 	if err != nil {
 		return err
 	}

plugin/pkg/util/kubeadm/azure.go

@@ -4,8 +4,8 @@ import (
 	"context"
 	"fmt"
 
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
-	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/tools/clientcmd"
@@ -19,17 +19,12 @@ import (
 	"github.com/Azure/aks-flex/plugin/pkg/util/k8s"
 )
 
-func FromAKS(ctx context.Context) (*kubeadm.Config, error) {
+func FromAKS(ctx context.Context, credentials azcore.TokenCredential) (*kubeadm.Config, error) {
 	cfg, err := config.New()
 	if err != nil {
 		return nil, err
 	}
 
-	credentials, err := azidentity.NewDefaultAzureCredential(nil)
-	if err != nil {
-		return nil, err
-	}
-
 	kubeconfig, err := k8s.Kubeconfig(ctx, credentials, cfg)
 	if err != nil {
 		return nil, err