remove secret and use cert for aad app in e2e pipeline (#3116)

* remove secret and use cert

* address comment

tests_e2e/pipeline/pipeline-cleanup.yml

@@ -18,9 +18,9 @@ parameters:
   - name: service_connections
     type: object
     default:
-      - azuremanagement
-      - azuremanagement.china
-      - azuremanagement.government
+      - waagenttests.public
+      - waagenttests.china
+      - waagenttests.gov
 
 pool:
   name: waagent-pool

tests_e2e/pipeline/pipeline.yml

@@ -1,7 +1,7 @@
 # variables:
   #
   # NOTE: When creating the pipeline, "connection_info" must be added as a variable pointing to the
-  #       corresponding key vault; see wiki for details.
+  #        cloud specific service connection; see wiki for details.
   #
 
 parameters:
@@ -78,16 +78,17 @@ jobs:
           architecture: 'x64'
 
       # Extract the Azure cloud from the "connection_info" variable. Its value includes one of
-      # 'public', 'china', or 'government' as a suffix (the suffix comes after the last '-').
+      # 'public', 'china', or 'gov' as a suffix (the suffix comes after the '.').
       - bash: |
-          case $(echo $CONNECTION_INFO | sed 's/^.*-//') in
+          case $(echo $CONNECTION_INFO | sed 's/.*\.//') in
               public)
                   echo "##vso[task.setvariable variable=cloud]AzureCloud"
                   ;;
               china)
                   echo "##vso[task.setvariable variable=cloud]AzureChinaCloud"
+                  
                   ;;
-              government)
+              gov)
                   echo "##vso[task.setvariable variable=cloud]AzureUSGovernment"
                   ;;
               *)
@@ -106,17 +107,27 @@ jobs:
       - task: AzureKeyVault@2
         displayName: "Fetch connection info"
         inputs:
-          azureSubscription: 'azuremanagement'
-          KeyVaultName: '$(connection_info)'
+          azureSubscription: $(connection_info)
+          KeyVaultName: 'waagenttests'
           SecretsFilter: '*'
 
+      - task: AzureCLI@2
+        displayName: "Download connection certificate"
+        inputs:
+          azureSubscription: $(connection_info)
+          scriptType: bash
+          scriptLocation: inlineScript
+          inlineScript: |
+            # This temporary directory removed after the pipeline execution
+            mkdir -p $(Agent.TempDirectory)/app
+            az keyvault secret download --file $(Agent.TempDirectory)/app/cert.pem --vault-name waagenttests --name AZURE-CLIENT-CERTIFICATE
+
       - bash: $(Build.SourcesDirectory)/tests_e2e/pipeline/scripts/execute_tests.sh
         displayName: "Execute tests"
         continueOnError: true
         env:
           SUBSCRIPTION_ID: $(SUBSCRIPTION-ID)
           AZURE_CLIENT_ID: $(AZURE-CLIENT-ID)
-          AZURE_CLIENT_SECRET: $(AZURE-CLIENT-SECRET)
           AZURE_TENANT_ID: $(AZURE-TENANT-ID)
           CR_USER: $(CR-USER)
           CR_SECRET: $(CR-SECRET)

tests_e2e/pipeline/scripts/execute_tests.sh

@@ -72,13 +72,17 @@ fi
 #
 IP_ADDRESS=$(curl -4 ifconfig.io/ip)
 
+# certificate location in the container
+AZURE_CLIENT_CERTIFICATE_PATH="/home/waagent/app/cert.pem"
+
 docker run --rm \
     --volume "$BUILD_SOURCESDIRECTORY:/home/waagent/WALinuxAgent" \
     --volume "$AGENT_TEMPDIRECTORY"/ssh:/home/waagent/.ssh \
+    --volume "$AGENT_TEMPDIRECTORY"/app:/home/waagent/app \
     --volume "$LOGS_DIRECTORY":/home/waagent/logs \
     --env AZURE_CLIENT_ID \
-    --env AZURE_CLIENT_SECRET \
     --env AZURE_TENANT_ID \
+    --env AZURE_CLIENT_CERTIFICATE_PATH=$AZURE_CLIENT_CERTIFICATE_PATH \
     waagenttests.azurecr.io/waagenttests \
     bash --login -c \
       "lisa \