Azure · jaiveerk · Feb 3, 2025 · Feb 10, 2025
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -46,6 +46,8 @@ func init() {
 	flag.DurationVar(&Flags.DnsSyncInterval, "dns-sync-interval", defaultDnsSyncInterval, "interval at which to sync DNS records")
 	flag.StringVar(&Flags.CrdPath, "crd", "/crd", "location of the CRD manifests. manifests should be directly in this directory, not in a subdirectory")
 	flag.BoolVar(&Flags.EnableGateway, "enable-gateway", false, "whether or not to support and create controllers for Gateway API resources")
+	// default value of blank since externalDNS will only overwrite if this value isn't blank - https://github.com/kubernetes-sigs/external-dns/blob/290f8c848dc726b1266b9185c4ebb5b397488090/provider/azure/config.go#L70C5-L70C33
+	flag.StringVar(&Flags.ActiveDirectoryAuthorityHost, "active-directory-authority-host", "", "the base URL of the cloud's Azure Active Directory")
 }
 
 func (c *Config) Validate() error {

diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
@@ -59,6 +59,24 @@ var validateTestCases = []struct {
 			CrdPath:                  validCrdPath,
 		},
 	},
+	{
+		Name: "valid-full-with-adah",
+		Conf: &Config{
+			DefaultController:            Standard,
+			NS:                           "test-namespace",
+			Registry:                     "test-registry",
+			MSIClientID:                  "test-msi-client-id",
+			TenantID:                     "test-tenant-id",
+			Cloud:                        "test-cloud",
+			Location:                     "test-location",
+			ConcurrencyWatchdogThres:     101,
+			ConcurrencyWatchdogVotes:     2,
+			ClusterUid:                   "test-cluster-uid",
+			OperatorDeployment:           "app-routing-operator",
+			CrdPath:                      validCrdPath,
+			ActiveDirectoryAuthorityHost: "https://login.microsoftonline.com/",
+		},
+	},
 	{
 		Name: "missing operator deployment",
 		Conf: &Config{

diff --git a/pkg/config/types.go b/pkg/config/types.go
@@ -77,4 +77,5 @@ type Config struct {
 	DnsSyncInterval                     time.Duration
 	CrdPath                             string
 	EnableGateway                       bool
+	ActiveDirectoryAuthorityHost        string
 }
diff --git a/pkg/controller/keyvault/gateway_secret_provider_class.go b/pkg/controller/keyvault/gateway_secret_provider_class.go
@@ -124,6 +124,7 @@ func (g *GatewaySecretProviderClassReconciler) Reconcile(ctx context.Context, re
 				TenantId:        g.config.TenantID,
 				KeyvaultCertUri: certUri,
 				Name:            generateGwListenerCertName(gwObj.Name, listener.Name),
+				Cloud:           g.config.Cloud,
 			}
 			err = buildSPC(spc, spcConf)
 			if err != nil {

diff --git a/pkg/controller/keyvault/kv_util.go b/pkg/controller/keyvault/kv_util.go
@@ -107,6 +107,11 @@ func buildSPC(spc *secv1.SecretProviderClass, spcConfig spcConfig) error {
 		spc.Spec.Parameters[kvcsi.CloudNameParameter] = spcConfig.Cloud
 	}
 
+	// special case for StackCloud
+	if spcConfig.Cloud == "AzureStackCloud" {
+		spc.Spec.Parameters["cloudEnvFileName"] = "/etc/kubernetes/akscustom.json"
+	}
+
 	return nil
 }
 

diff --git a/pkg/manifests/external_dns.go b/pkg/manifests/external_dns.go
@@ -297,11 +297,12 @@ func newExternalDNSClusterRoleBinding(conf *config.Config, externalDnsConfig *Ex
 
 func newExternalDNSConfigMap(conf *config.Config, externalDnsConfig *ExternalDnsConfig) (*corev1.ConfigMap, string) {
 	jsMap := map[string]interface{}{
-		"tenantId":       externalDnsConfig.tenantId,
-		"subscriptionId": externalDnsConfig.subscription,
-		"resourceGroup":  externalDnsConfig.resourceGroup,
-		"cloud":          conf.Cloud,
-		"location":       conf.Location,
+		"tenantId":                     externalDnsConfig.tenantId,
+		"subscriptionId":               externalDnsConfig.subscription,
+		"resourceGroup":                externalDnsConfig.resourceGroup,
+		"cloud":                        conf.Cloud,
+		"location":                     conf.Location,
+		"activeDirectoryAuthorityHost": conf.ActiveDirectoryAuthorityHost,
 	}
 	jsMap[externalDnsConfig.identityType.externalDNSIdentityConfiguration()] = true
 

diff --git a/pkg/manifests/external_dns_test.go b/pkg/manifests/external_dns_test.go
@@ -102,7 +102,7 @@ var (
 	}{
 		{
 			Name: "full",
-			Conf: &config.Config{ClusterUid: clusterUid, DnsSyncInterval: time.Minute * 3},
+			Conf: &config.Config{ClusterUid: clusterUid, DnsSyncInterval: time.Minute * 3, ActiveDirectoryAuthorityHost: "https://login.microsoftonline.com/"},
 			Deploy: &appsv1.Deployment{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "test-operator-deploy",

diff --git a/pkg/manifests/fixtures/external_dns/all-possibilities.yaml b/pkg/manifests/fixtures/external_dns/all-possibilities.yaml
@@ -78,7 +78,7 @@ subjects:
 ---
 apiVersion: v1
 data:
-  azure.json: '{"cloud":"","location":"","resourceGroup":"test-resource-group-public","subscriptionId":"test-subscription-id","tenantId":"test-tenant-id","useManagedIdentityExtension":true,"userAssignedIdentityID":"test-client-id"}'
+  azure.json: '{"activeDirectoryAuthorityHost":"","cloud":"","location":"","resourceGroup":"test-resource-group-public","subscriptionId":"test-subscription-id","tenantId":"test-tenant-id","useManagedIdentityExtension":true,"userAssignedIdentityID":"test-client-id"}'
 kind: ConfigMap
 metadata:
   creationTimestamp: null
@@ -112,7 +112,7 @@ spec:
       labels:
         app: external-dns
         app.kubernetes.io/managed-by: aks-app-routing-operator
-        checksum/configmap: 7a7768971308cadb
+        checksum/configmap: 26c8b3887b528306
         kubernetes.azure.com/managedby: aks
     spec:
       affinity:
@@ -271,7 +271,7 @@ subjects:
 ---
 apiVersion: v1
 data:
-  azure.json: '{"cloud":"","location":"","resourceGroup":"test-resource-group-private","subscriptionId":"test-subscription-id","tenantId":"test-tenant-id","useManagedIdentityExtension":true,"userAssignedIdentityID":"test-client-id"}'
+  azure.json: '{"activeDirectoryAuthorityHost":"","cloud":"","location":"","resourceGroup":"test-resource-group-private","subscriptionId":"test-subscription-id","tenantId":"test-tenant-id","useManagedIdentityExtension":true,"userAssignedIdentityID":"test-client-id"}'
 kind: ConfigMap
 metadata:
   creationTimestamp: null
@@ -305,7 +305,7 @@ spec:
       labels:
         app: external-dns-private
         app.kubernetes.io/managed-by: aks-app-routing-operator
-        checksum/configmap: aa75575c57a3fa54
+        checksum/configmap: 7b857b2a6b5287e0
         kubernetes.azure.com/managedby: aks
     spec:
       affinity:
@@ -462,7 +462,7 @@ subjects:
 ---
 apiVersion: v1
 data:
-  azure.json: '{"cloud":"","location":"","resourceGroup":"test-resource-group-public","subscriptionId":"test-subscription-id","tenantId":"test-tenant-id","useWorkloadIdentityExtension":true}'
+  azure.json: '{"activeDirectoryAuthorityHost":"","cloud":"","location":"","resourceGroup":"test-resource-group-public","subscriptionId":"test-subscription-id","tenantId":"test-tenant-id","useWorkloadIdentityExtension":true}'
 kind: ConfigMap
 metadata:
   creationTimestamp: null
@@ -496,7 +496,7 @@ spec:
       labels:
         app: test-dns-config-external-dns
         app.kubernetes.io/managed-by: aks-app-routing-operator
-        checksum/configmap: e363a30964578be3
+        checksum/configmap: c2dfce1b21bcd96b
         kubernetes.azure.com/managedby: aks
     spec:
       affinity:
@@ -654,7 +654,7 @@ subjects:
 ---
 apiVersion: v1
 data:
-  azure.json: '{"cloud":"","location":"","resourceGroup":"test-resource-group-private","subscriptionId":"test-subscription-id","tenantId":"test-tenant-id","useWorkloadIdentityExtension":true}'
+  azure.json: '{"activeDirectoryAuthorityHost":"","cloud":"","location":"","resourceGroup":"test-resource-group-private","subscriptionId":"test-subscription-id","tenantId":"test-tenant-id","useWorkloadIdentityExtension":true}'
 kind: ConfigMap
 metadata:
   creationTimestamp: null
@@ -688,7 +688,7 @@ spec:
       labels:
         app: test-dns-config-private-external-dns
         app.kubernetes.io/managed-by: aks-app-routing-operator
-        checksum/configmap: 10d3362c74fab97c
+        checksum/configmap: 7f248ea40060b041
         kubernetes.azure.com/managedby: aks
     spec:
       affinity:

diff --git a/pkg/manifests/fixtures/external_dns/full.yaml b/pkg/manifests/fixtures/external_dns/full.yaml
@@ -78,7 +78,7 @@ subjects:
 ---
 apiVersion: v1
 data:
-  azure.json: '{"cloud":"","location":"","resourceGroup":"test-resource-group-public","subscriptionId":"test-subscription-id","tenantId":"test-tenant-id","useManagedIdentityExtension":true,"userAssignedIdentityID":"test-client-id"}'
+  azure.json: '{"activeDirectoryAuthorityHost":"https://login.microsoftonline.com/","cloud":"","location":"","resourceGroup":"test-resource-group-public","subscriptionId":"test-subscription-id","tenantId":"test-tenant-id","useManagedIdentityExtension":true,"userAssignedIdentityID":"test-client-id"}'
 kind: ConfigMap
 metadata:
   creationTimestamp: null
@@ -112,7 +112,7 @@ spec:
       labels:
         app: external-dns
         app.kubernetes.io/managed-by: aks-app-routing-operator
-        checksum/configmap: 7a7768971308cadb
+        checksum/configmap: 86d95ce2f8b58999
         kubernetes.azure.com/managedby: aks
     spec:
       affinity:
@@ -271,7 +271,7 @@ subjects:
 ---
 apiVersion: v1
 data:
-  azure.json: '{"cloud":"","location":"","resourceGroup":"test-resource-group-private","subscriptionId":"test-subscription-id","tenantId":"test-tenant-id","useManagedIdentityExtension":true,"userAssignedIdentityID":"test-client-id"}'
+  azure.json: '{"activeDirectoryAuthorityHost":"https://login.microsoftonline.com/","cloud":"","location":"","resourceGroup":"test-resource-group-private","subscriptionId":"test-subscription-id","tenantId":"test-tenant-id","useManagedIdentityExtension":true,"userAssignedIdentityID":"test-client-id"}'
 kind: ConfigMap
 metadata:
   creationTimestamp: null
@@ -305,7 +305,7 @@ spec:
       labels:
         app: external-dns-private
         app.kubernetes.io/managed-by: aks-app-routing-operator
-        checksum/configmap: aa75575c57a3fa54
+        checksum/configmap: b9795d4a196f584d
         kubernetes.azure.com/managedby: aks
     spec:
       affinity:

diff --git a/pkg/manifests/fixtures/external_dns/no-ownership.yaml b/pkg/manifests/fixtures/external_dns/no-ownership.yaml
@@ -78,7 +78,7 @@ subjects:
 ---
 apiVersion: v1
 data:
-  azure.json: '{"cloud":"","location":"","resourceGroup":"test-resource-group-public","subscriptionId":"test-subscription-id","tenantId":"test-tenant-id","useManagedIdentityExtension":true,"userAssignedIdentityID":"test-client-id"}'
+  azure.json: '{"activeDirectoryAuthorityHost":"","cloud":"","location":"","resourceGroup":"test-resource-group-public","subscriptionId":"test-subscription-id","tenantId":"test-tenant-id","useManagedIdentityExtension":true,"userAssignedIdentityID":"test-client-id"}'
 kind: ConfigMap
 metadata:
   creationTimestamp: null
@@ -112,7 +112,7 @@ spec:
       labels:
         app: external-dns
         app.kubernetes.io/managed-by: aks-app-routing-operator
-        checksum/configmap: 7a7768971308cadb
+        checksum/configmap: 26c8b3887b528306
         kubernetes.azure.com/managedby: aks
     spec:
       affinity: