generate token using azidentity
MartinForReal committed Nov 4, 2024
1 parent 8bf9d2f commit c526005
Showing 8 changed files with 179 additions and 67 deletions.
1 change: 1 addition & 0 deletions go.mod
Expand Up @@ -22,6 +22,7 @@ require (
github.com/evanphx/json-patch v5.9.0+incompatible
github.com/fsnotify/fsnotify v1.8.0
github.com/go-logr/logr v1.4.2
github.com/jongio/azidext/go/azidext v0.5.0
github.com/onsi/ginkgo/v2 v2.21.0
github.com/onsi/gomega v1.35.1
github.com/prometheus/client_golang v1.20.5
4 changes: 4 additions & 0 deletions go.sum
Expand Up @@ -177,8 +177,12 @@ github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28=
github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
github.com/joho/godotenv v1.3.0 h1:Zjp+RcGpHhGlrMbJzXTrZZPrWj+1vfm90La1wgB6Bhc=
github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
github.com/jonboulle/clockwork v0.2.2 h1:UOGuzwb1PwsrDAObMuhUnj0p5ULPj8V/xJ7Kx9qUBdQ=
github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
github.com/jongio/azidext/go/azidext v0.5.0 h1:uPInXD4NZ3J0k79FPwIA0YXknFn+WcqZqSgs3/jPgvQ=
github.com/jongio/azidext/go/azidext v0.5.0/go.mod h1:TVRX/hJhzbsCKaOIzicH6a8IvOH0hpjWk/JwZZgtXeU=
github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
63 changes: 20 additions & 43 deletions pkg/provider/azure.go
Expand Up @@ -29,9 +29,8 @@ import (

"github.com/Azure/azure-sdk-for-go/sdk/azcore"
"github.com/Azure/go-autorest/autorest"
"github.com/Azure/go-autorest/autorest/adal"
"github.com/Azure/go-autorest/autorest/azure"

"github.com/jongio/azidext/go/azidext"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
Expand All @@ -48,6 +47,7 @@ import (
cloudnodeutil "k8s.io/cloud-provider/node/helpers"
nodeutil "k8s.io/component-helpers/node/util"
"k8s.io/klog/v2"
"sigs.k8s.io/yaml"

"sigs.k8s.io/cloud-provider-azure/pkg/azclient"
"sigs.k8s.io/cloud-provider-azure/pkg/azclient/configloader"
Expand Down Expand Up @@ -703,12 +703,7 @@ func (az *Cloud) InitializeCloudFromConfig(ctx context.Context, config *Config,
return err
}
az.AuthProvider = authProvider
// If uses network resources in different AAD Tenant, then prepare corresponding Service Principal Token for VM/VMSS client and network resources client
multiTenantServicePrincipalToken, networkResourceServicePrincipalToken, err := az.getAuthTokenInMultiTenantEnv(servicePrincipalToken, authProvider)
if err != nil {
return err
}
az.configAzureClients(servicePrincipalToken, multiTenantServicePrincipalToken, networkResourceServicePrincipalToken)
az.configAzureClients(authProvider)

if az.ComputeClientFactory == nil {
var cred azcore.TokenCredential
Expand Down Expand Up @@ -906,23 +901,6 @@ func (az *Cloud) setLBDefaults(config *Config) error {
return nil
}

func (az *Cloud) getAuthTokenInMultiTenantEnv(_ *adal.ServicePrincipalToken, authProvider *azclient.AuthProvider) (adal.MultitenantOAuthTokenProvider, adal.OAuthTokenProvider, error) {
var err error
var multiTenantOAuthToken adal.MultitenantOAuthTokenProvider
var networkResourceServicePrincipalToken adal.OAuthTokenProvider
if az.Config.UsesNetworkResourceInDifferentTenant() {
multiTenantOAuthToken, err = ratelimitconfig.GetMultiTenantServicePrincipalToken(&az.Config.AzureAuthConfig, &az.Environment, authProvider)
if err != nil {
return nil, nil, err
}
networkResourceServicePrincipalToken, err = ratelimitconfig.GetNetworkResourceServicePrincipalToken(&az.Config.AzureAuthConfig, &az.Environment, authProvider)
if err != nil {
return nil, nil, err
}
}
return multiTenantOAuthToken, networkResourceServicePrincipalToken, nil
}

func (az *Cloud) setCloudProviderBackoffDefaults(config *Config) wait.Backoff {
// Conditionally configure resource request backoff
resourceRequestBackoff := wait.Backoff{
Expand Down Expand Up @@ -964,11 +942,10 @@ func (az *Cloud) setCloudProviderBackoffDefaults(config *Config) wait.Backoff {
}

func (az *Cloud) configAzureClients(
servicePrincipalToken *adal.ServicePrincipalToken,
multiTenantOAuthTokenProvider adal.MultitenantOAuthTokenProvider,
networkResourceServicePrincipalToken adal.OAuthTokenProvider,
authProvider *azclient.AuthProvider,
) {
azClientConfig := az.getAzureClientConfig(servicePrincipalToken)
token := azidext.NewTokenCredentialAdapter(authProvider.GetAzIdentity(), []string{azidext.DefaultManagementScope})
azClientConfig := az.getAzureClientConfig(token)

// Prepare AzureClientConfig for all azure clients
interfaceClientConfig := azClientConfig.WithRateLimiter(az.Config.InterfaceRateLimit)
Expand All @@ -993,22 +970,22 @@ func (az *Cloud) configAzureClients(
vmasClientConfig := azClientConfig.WithRateLimiter(az.Config.AvailabilitySetRateLimit)

// If uses network resources in different AAD Tenant, update Authorizer for VM/VMSS/VMAS client config
if multiTenantOAuthTokenProvider != nil {
multiTenantServicePrincipalTokenAuthorizer := autorest.NewMultiTenantServicePrincipalTokenAuthorizer(multiTenantOAuthTokenProvider)
if authProvider.IsMultiTenantModeEnabled() {
multiTenantOAuthTokenProvider := azidext.NewTokenCredentialAdapter(authProvider.GetMultiTenantIdentity(), []string{azidext.DefaultManagementScope})

vmClientConfig.Authorizer = multiTenantServicePrincipalTokenAuthorizer
vmssClientConfig.Authorizer = multiTenantServicePrincipalTokenAuthorizer
vmssVMClientConfig.Authorizer = multiTenantServicePrincipalTokenAuthorizer
vmasClientConfig.Authorizer = multiTenantServicePrincipalTokenAuthorizer
vmClientConfig.Authorizer = multiTenantOAuthTokenProvider
vmssClientConfig.Authorizer = multiTenantOAuthTokenProvider
vmssVMClientConfig.Authorizer = multiTenantOAuthTokenProvider
vmasClientConfig.Authorizer = multiTenantOAuthTokenProvider
}

// If uses network resources in different AAD Tenant, update SubscriptionID and Authorizer for network resources client config
if networkResourceServicePrincipalToken != nil {
networkResourceServicePrincipalTokenAuthorizer := autorest.NewBearerAuthorizer(networkResourceServicePrincipalToken)
subnetClientConfig.Authorizer = networkResourceServicePrincipalTokenAuthorizer
routeTableClientConfig.Authorizer = networkResourceServicePrincipalTokenAuthorizer
loadBalancerClientConfig.Authorizer = networkResourceServicePrincipalTokenAuthorizer
publicIPClientConfig.Authorizer = networkResourceServicePrincipalTokenAuthorizer
if authProvider.GetNetworkAzIdentity() != nil {
networkResourceServicePrincipalToken := azidext.NewTokenCredentialAdapter(authProvider.GetNetworkAzIdentity(), []string{azidext.DefaultManagementScope})
subnetClientConfig.Authorizer = networkResourceServicePrincipalToken
routeTableClientConfig.Authorizer = networkResourceServicePrincipalToken
loadBalancerClientConfig.Authorizer = networkResourceServicePrincipalToken
publicIPClientConfig.Authorizer = networkResourceServicePrincipalToken
}

if az.UsesNetworkResourceInDifferentSubscription() {
Expand Down Expand Up @@ -1037,13 +1014,13 @@ func (az *Cloud) configAzureClients(
az.privatednszonegroupclient = privatednszonegroupclient.New(privateDNSZoenGroupConfig)
}

func (az *Cloud) getAzureClientConfig(servicePrincipalToken *adal.ServicePrincipalToken) *azclients.ClientConfig {
func (az *Cloud) getAzureClientConfig(token autorest.Authorizer) *azclients.ClientConfig {
azClientConfig := &azclients.ClientConfig{
CloudName: az.Config.Cloud,
Location: az.Config.Location,
SubscriptionID: az.Config.SubscriptionID,
ResourceManagerEndpoint: az.Environment.ResourceManagerEndpoint,
Authorizer: autorest.NewBearerAuthorizer(servicePrincipalToken),
Authorizer: token,
Backoff: &retry.Backoff{Steps: 1},
DisableAzureStackCloud: az.Config.DisableAzureStackCloud,
UserAgent: az.Config.UserAgent,
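Review bot: Every credential adapter built in configAzureClients (the `token` at the top of the function, the multi-tenant branch and the network-identity branch) requests `azidext.DefaultManagementScope`, the public-cloud ARM audience, while the rest of the client config is cloud-aware (`CloudName: az.Config.Cloud`, `ResourceManagerEndpoint: az.Environment.ResourceManagerEndpoint` in getAzureClientConfig), so on a sovereign cloud the bearer token's audience will not match the endpoint the authorizer is attached to. The adal path this replaces took its resource from the environment (`env.ServiceManagementEndpoint` in azure_auth.go), and the scope should be derived the same way, e.g. `scope := []string{az.Environment.TokenAudience + "/.default"}` computed once and passed to all three `NewTokenCredentialAdapter` calls — this assumes the autorest Environment's TokenAudience is populated for the configured cloud, which should be confirmed against the environment loader. Separately, the `"sigs.k8s.io/yaml"` import added in the second hunk is used by no line in this diff and the CI check reports `other declaration of yaml`, so it redeclares an identifier this file already imports and should be dropped. Since getAzureClientConfig's parameter is now an `autorest.Authorizer` rather than a token, naming it `authorizer` instead of `token` would match what it is.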
1 change: 1 addition & 0 deletions pkg/provider/azure_mock_vmsets.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

49 changes: 25 additions & 24 deletions pkg/provider/config/azure_auth.go
Expand Up @@ -193,33 +193,34 @@ func GetMultiTenantServicePrincipalToken(config *AzureAuthConfig, env *azure.Env
return nil, fmt.Errorf("creating the multi-tenant OAuth config: %w", err)
}

if len(config.AADClientSecret) > 0 && !strings.EqualFold(config.AADClientSecret, "msi") {
logger.V(2).Info("Setup ARM multi-tenant token provider", "method", "sp_with_password")
return adal.NewMultiTenantServicePrincipalToken(
multiTenantOAuthConfig,
config.AADClientID,
config.AADClientSecret,
env.ServiceManagementEndpoint)
}

if len(config.AADClientCertPath) > 0 {
logger.V(2).Info("Setup ARM multi-tenant token provider", "method", "sp_with_certificate")
certData, err := os.ReadFile(config.AADClientCertPath)
if err != nil {
return nil, fmt.Errorf("reading the client certificate from file %s: %w", config.AADClientCertPath, err)
if !config.UseManagedIdentityExtension {
if len(config.AADClientSecret) > 0 {
logger.V(2).Info("Setup ARM multi-tenant token provider", "method", "sp_with_password")
return adal.NewMultiTenantServicePrincipalToken(
multiTenantOAuthConfig,
config.AADClientID,
config.AADClientSecret,
env.ServiceManagementEndpoint)
}
certificate, privateKey, err := parseCertificate(certData, config.AADClientCertPassword)
if err != nil {
return nil, fmt.Errorf("decoding the client certificate: %w", err)

if len(config.AADClientCertPath) > 0 {
logger.V(2).Info("Setup ARM multi-tenant token provider", "method", "sp_with_certificate")
certData, err := os.ReadFile(config.AADClientCertPath)
if err != nil {
return nil, fmt.Errorf("reading the client certificate from file %s: %w", config.AADClientCertPath, err)
}
certificate, privateKey, err := parseCertificate(certData, config.AADClientCertPassword)
if err != nil {
return nil, fmt.Errorf("decoding the client certificate: %w", err)
}
return adal.NewMultiTenantServicePrincipalTokenFromCertificate(
multiTenantOAuthConfig,
config.AADClientID,
certificate,
privateKey,
env.ServiceManagementEndpoint)
}
return adal.NewMultiTenantServicePrincipalTokenFromCertificate(
multiTenantOAuthConfig,
config.AADClientID,
certificate,
privateKey,
env.ServiceManagementEndpoint)
}

if authProvider.ComputeCredential != nil && authProvider.NetworkCredential != nil {
logger.V(2).Info("Setup ARM multi-tenant token provider", "method", "msi_with_auxiliary_token")
return armauth.NewMultiTenantTokenProvider(
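Review bot: The new `if !config.UseManagedIdentityExtension` guard replaces the removed `!strings.EqualFold(config.AADClientSecret, "msi")` check rather than adding to it, so a configuration that still carries the legacy `"msi"` sentinel in AADClientSecret without setting UseManagedIdentityExtension now has that string sent to AAD as a literal client-secret password, failing with an authentication error instead of falling through to the MSI branch below. If that legacy spelling is intentionally unsupported, rejecting it explicitly is clearer than a confusing credential failure, e.g. `if strings.EqualFold(config.AADClientSecret, "msi") { return nil, fmt.Errorf("AADClientSecret \"msi\" is no longer supported; set UseManagedIdentityExtension instead") }` placed before the new guard — assuming `strings` is still imported by this file once the old check is gone. The wrapping `if` also pushes two already deep branches one nesting level further; moving the secret/certificate handling into a small helper called from the guard would keep the happy path flat. GetMultiTenantServicePrincipalToken starts and ends outside the hunk.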
7 changes: 7 additions & 0 deletions vendor/github.com/jongio/azidext/go/azidext/LICENSE

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 3 additions & 0 deletions vendor/modules.txt
Expand Up @@ -338,6 +338,9 @@ github.com/imdario/mergo
# github.com/inconshreveable/mousetrap v1.1.0
## explicit; go 1.18
github.com/inconshreveable/mousetrap
# github.com/jongio/azidext/go/azidext v0.5.0
## explicit; go 1.18
github.com/jongio/azidext/go/azidext
# github.com/josharian/intern v1.0.0
## explicit; go 1.5
github.com/josharian/intern