Merge pull request #4830 from kevinvanblokland/master

security/acme-client: add support for AzureDNS System Assigned Managed Identity
2026-02-03 20:40:37 -05:00 · 2025-11-30 22:40:05 +01:00 · 2025-11-30 22:40:05 +01:00 · e866e541da
commit e866e541da
parent ce2dfe7705 6a23ebe572
3 changed files with 14 additions and 0 deletions
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@ -226,6 +226,12 @@
        <label>Client Secret</label>
        <type>text</type>
    </field>
+    <field>
+        <id>validation.dns_azuredns_managedidentity</id>
+        <label>Use System Assigned Managed Identity</label>
+        <type>checkbox</type>
+        <help><![CDATA[When System Assigned Managed Identity is enabled the Tenant ID, APP ID and Client Secret settings are ignored by the acme client. Access tokens are obtained using the Azure Instance Metadata Service for the System Assigned Managed Identity. See <a target="_blank" href="https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token">documentation</a>.]]></help>
+    </field>
    <field>
        <label>Bunny</label>
        <type>header</type>
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAzure.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAzure.php
@ -43,5 +43,9 @@ class DnsAzure extends Base implements LeValidationInterface
        $this->acme_env['AZUREDNS_TENANTID'] = (string)$this->config->dns_azuredns_tenantid;
        $this->acme_env['AZUREDNS_APPID'] = (string)$this->config->dns_azuredns_appid;
        $this->acme_env['AZUREDNS_CLIENTSECRET'] = (string)$this->config->dns_azuredns_clientsecret;
+        
+        if ($this->config->dns_azuredns_managedidentity == '1') {
+            $this->acme_env['AZUREDNS_MANAGEDIDENTITY'] = 'true';
+        }
    }
 }
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@ -581,6 +581,10 @@
                <dns_azuredns_clientsecret type="TextField">
                    <Required>N</Required>
                </dns_azuredns_clientsecret>
+                <dns_azuredns_managedidentity type="BooleanField">
+                    <Default>0</Default>
+                    <Required>N</Required>
+                </dns_azuredns_managedidentity>
                <dns_bunny_api_key type="TextField">
                    <Required>N</Required>
                </dns_bunny_api_key>