fixup! feat: fall back to env vars for clientID/tenantID with OIDCTokenFile

JefeDavis · JefeDavis · commit df33c57b28e0 · 2026-04-06T14:53:15.000-04:00
Signed-off-by: Jeff Davis &lt;mr.jefedavis@gmail.com&gt;
diff --git a/internal/clients/azure.go b/internal/clients/azure.go
@@ -204,6 +204,15 @@ func msiAuth(pcSpec *namespacedv1beta1.ProviderConfigSpec, ps *terraform.Setup)
 	return nil
 }
 
+// specOrEnv returns the spec value if non-nil and non-empty, otherwise the
+// value of the named environment variable.
+func specOrEnv(specVal *string, envVar string) string {
+	if specVal != nil && len(*specVal) > 0 {
+		return *specVal
+	}
+	return os.Getenv(envVar)
+}
+
 func oidcAuth(pcSpec *namespacedv1beta1.ProviderConfigSpec, ps *terraform.Setup) error {
 	if pcSpec.SubscriptionID == nil || len(*pcSpec.SubscriptionID) == 0 {
 		return errors.New(errSubscriptionIDNotSet)
@@ -213,18 +222,12 @@ func oidcAuth(pcSpec *namespacedv1beta1.ProviderConfigSpec, ps *terraform.Setup)
 	// Azure Workload Identity webhook is enabled on the provider pod, it injects
 	// AZURE_TENANT_ID and AZURE_CLIENT_ID per pod, enabling per-provider managed
 	// identities without a cluster-wide ClusterProviderConfig per identity.
-	tenantID := os.Getenv(envAzureTenantID)
-	if pcSpec.TenantID != nil && len(*pcSpec.TenantID) > 0 {
-		tenantID = *pcSpec.TenantID
-	}
+	tenantID := specOrEnv(pcSpec.TenantID, envAzureTenantID)
 	if tenantID == "" {
 		return errors.New(errTenantIDNotSet)
 	}
 
-	clientID := os.Getenv(envAzureClientID)
-	if pcSpec.ClientID != nil && len(*pcSpec.ClientID) > 0 {
-		clientID = *pcSpec.ClientID
-	}
+	clientID := specOrEnv(pcSpec.ClientID, envAzureClientID)
 	if clientID == "" {
 		return errors.New(errClientIDNotSet)
 	}
