
Chores: generate token using azidentity #7435

Open
wants to merge 1 commit into
base: master
1 change: 1 addition & 0 deletions go.mod
Expand Up @@ -22,6 +22,7 @@ require (
github.com/evanphx/json-patch v5.9.0+incompatible
github.com/fsnotify/fsnotify v1.8.0
github.com/go-logr/logr v1.4.2
github.com/jongio/azidext/go/azidext v0.5.0
github.com/onsi/ginkgo/v2 v2.21.0
github.com/onsi/gomega v1.35.1
github.com/prometheus/client_golang v1.20.5
4 changes: 4 additions & 0 deletions go.sum
Expand Up @@ -177,8 +177,12 @@ github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28=
github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
github.com/joho/godotenv v1.3.0 h1:Zjp+RcGpHhGlrMbJzXTrZZPrWj+1vfm90La1wgB6Bhc=
github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
github.com/jonboulle/clockwork v0.2.2 h1:UOGuzwb1PwsrDAObMuhUnj0p5ULPj8V/xJ7Kx9qUBdQ=
github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
github.com/jongio/azidext/go/azidext v0.5.0 h1:uPInXD4NZ3J0k79FPwIA0YXknFn+WcqZqSgs3/jPgvQ=
github.com/jongio/azidext/go/azidext v0.5.0/go.mod h1:TVRX/hJhzbsCKaOIzicH6a8IvOH0hpjWk/JwZZgtXeU=
github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
62 changes: 19 additions & 43 deletions pkg/provider/azure.go
Expand Up @@ -29,9 +29,8 @@ import (

"github.com/Azure/azure-sdk-for-go/sdk/azcore"
"github.com/Azure/go-autorest/autorest"
"github.com/Azure/go-autorest/autorest/adal"
"github.com/Azure/go-autorest/autorest/azure"

"github.com/jongio/azidext/go/azidext"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
Expand Down Expand Up @@ -662,12 +661,7 @@ func (az *Cloud) InitializeCloudFromConfig(ctx context.Context, config *Config,
return err
}
az.AuthProvider = authProvider
// If uses network resources in different AAD Tenant, then prepare corresponding Service Principal Token for VM/VMSS client and network resources client
multiTenantServicePrincipalToken, networkResourceServicePrincipalToken, err := az.getAuthTokenInMultiTenantEnv(servicePrincipalToken, authProvider)
if err != nil {
return err
}
az.configAzureClients(servicePrincipalToken, multiTenantServicePrincipalToken, networkResourceServicePrincipalToken)
az.configAzureClients(authProvider)

if az.ComputeClientFactory == nil {
var cred azcore.TokenCredential
Expand Down Expand Up @@ -870,23 +864,6 @@ func (az *Cloud) setLBDefaults(config *Config) error {
return nil
}

func (az *Cloud) getAuthTokenInMultiTenantEnv(_ *adal.ServicePrincipalToken, authProvider *azclient.AuthProvider) (adal.MultitenantOAuthTokenProvider, adal.OAuthTokenProvider, error) {
var err error
var multiTenantOAuthToken adal.MultitenantOAuthTokenProvider
var networkResourceServicePrincipalToken adal.OAuthTokenProvider
if az.Config.UsesNetworkResourceInDifferentTenant() {
multiTenantOAuthToken, err = ratelimitconfig.GetMultiTenantServicePrincipalToken(&az.Config.AzureClientConfig, &az.Environment, authProvider)
if err != nil {
return nil, nil, err
}
networkResourceServicePrincipalToken, err = ratelimitconfig.GetNetworkResourceServicePrincipalToken(&az.Config.AzureClientConfig, &az.Environment, authProvider)
if err != nil {
return nil, nil, err
}
}
return multiTenantOAuthToken, networkResourceServicePrincipalToken, nil
}

func (az *Cloud) setCloudProviderBackoffDefaults(config *Config) wait.Backoff {
// Conditionally configure resource request backoff
resourceRequestBackoff := wait.Backoff{
Expand Down Expand Up @@ -928,11 +905,10 @@ func (az *Cloud) setCloudProviderBackoffDefaults(config *Config) wait.Backoff {
}

func (az *Cloud) configAzureClients(
servicePrincipalToken *adal.ServicePrincipalToken,
multiTenantOAuthTokenProvider adal.MultitenantOAuthTokenProvider,
networkResourceServicePrincipalToken adal.OAuthTokenProvider,
authProvider *azclient.AuthProvider,
) {
azClientConfig := az.getAzureClientConfig(servicePrincipalToken)
token := azidext.NewTokenCredentialAdapter(authProvider.GetAzIdentity(), []string{azidext.DefaultManagementScope})
azClientConfig := az.getAzureClientConfig(token)

// Prepare AzureClientConfig for all azure clients
interfaceClientConfig := azClientConfig.WithRateLimiter(az.Config.InterfaceRateLimit)
Expand All @@ -957,22 +933,22 @@ func (az *Cloud) configAzureClients(
vmasClientConfig := azClientConfig.WithRateLimiter(az.Config.AvailabilitySetRateLimit)

// If uses network resources in different AAD Tenant, update Authorizer for VM/VMSS/VMAS client config
if multiTenantOAuthTokenProvider != nil {
multiTenantServicePrincipalTokenAuthorizer := autorest.NewMultiTenantServicePrincipalTokenAuthorizer(multiTenantOAuthTokenProvider)
if authProvider.IsMultiTenantModeEnabled() {
multiTenantOAuthTokenProvider := azidext.NewTokenCredentialAdapter(authProvider.GetMultiTenantIdentity(), []string{azidext.DefaultManagementScope})

vmClientConfig.Authorizer = multiTenantServicePrincipalTokenAuthorizer
vmssClientConfig.Authorizer = multiTenantServicePrincipalTokenAuthorizer
vmssVMClientConfig.Authorizer = multiTenantServicePrincipalTokenAuthorizer
vmasClientConfig.Authorizer = multiTenantServicePrincipalTokenAuthorizer
vmClientConfig.Authorizer = multiTenantOAuthTokenProvider
vmssClientConfig.Authorizer = multiTenantOAuthTokenProvider
vmssVMClientConfig.Authorizer = multiTenantOAuthTokenProvider
vmasClientConfig.Authorizer = multiTenantOAuthTokenProvider
}

// If uses network resources in different AAD Tenant, update SubscriptionID and Authorizer for network resources client config
if networkResourceServicePrincipalToken != nil {
networkResourceServicePrincipalTokenAuthorizer := autorest.NewBearerAuthorizer(networkResourceServicePrincipalToken)
subnetClientConfig.Authorizer = networkResourceServicePrincipalTokenAuthorizer
routeTableClientConfig.Authorizer = networkResourceServicePrincipalTokenAuthorizer
loadBalancerClientConfig.Authorizer = networkResourceServicePrincipalTokenAuthorizer
publicIPClientConfig.Authorizer = networkResourceServicePrincipalTokenAuthorizer
if authProvider.GetNetworkAzIdentity() != nil {
networkResourceServicePrincipalToken := azidext.NewTokenCredentialAdapter(authProvider.GetNetworkAzIdentity(), []string{azidext.DefaultManagementScope})
subnetClientConfig.Authorizer = networkResourceServicePrincipalToken
routeTableClientConfig.Authorizer = networkResourceServicePrincipalToken
loadBalancerClientConfig.Authorizer = networkResourceServicePrincipalToken
publicIPClientConfig.Authorizer = networkResourceServicePrincipalToken
}

if az.UsesNetworkResourceInDifferentSubscription() {
Expand Down Expand Up @@ -1000,13 +976,13 @@ func (az *Cloud) configAzureClients(
az.privatednszonegroupclient = privatednszonegroupclient.New(privateDNSZoenGroupConfig)
}

func (az *Cloud) getAzureClientConfig(servicePrincipalToken *adal.ServicePrincipalToken) *azclients.ClientConfig {
func (az *Cloud) getAzureClientConfig(token autorest.Authorizer) *azclients.ClientConfig {
azClientConfig := &azclients.ClientConfig{
CloudName: az.Config.Cloud,
Location: az.Config.Location,
SubscriptionID: az.Config.SubscriptionID,
ResourceManagerEndpoint: az.Environment.ResourceManagerEndpoint,
Authorizer: autorest.NewBearerAuthorizer(servicePrincipalToken),
Authorizer: token,
Backoff: &retry.Backoff{Steps: 1},
DisableAzureStackCloud: az.Config.DisableAzureStackCloud,
UserAgent: az.Config.UserAgent,
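Review bot: The three `azidext.NewTokenCredentialAdapter` calls in configAzureClients (primary identity, multi-tenant identity, network identity) hard-code `azidext.DefaultManagementScope`, which is the public-cloud ARM audience, while the same function still derives the client config from `az.Config.Cloud` and `az.Environment.ResourceManagerEndpoint`; on a sovereign cloud or Azure Stack the token would be requested for the wrong audience and ARM would reject it. The adal path being replaced passed `env.ServiceManagementEndpoint` as the resource (still visible in the azure_auth.go hunk), so the scope should follow the configured environment instead, e.g. `scope := az.Environment.TokenAudience + "/.default"` computed once at the top of the function and passed as `[]string{scope}` to all three adapters. It is also worth confirming that `authProvider.GetAzIdentity()` can never be nil at this point: the multi-tenant branch is guarded by `IsMultiTenantModeEnabled()` and the network branch by a nil check, but the primary identity is wrapped unguarded. configAzureClients continues outside the hunk.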
1 change: 1 addition & 0 deletions pkg/provider/azure_mock_vmsets.go


49 changes: 25 additions & 24 deletions pkg/provider/config/azure_auth.go
Expand Up @@ -199,33 +199,34 @@ func GetMultiTenantServicePrincipalToken(config *AzureClientConfig, env *azure.E
return nil, fmt.Errorf("creating the multi-tenant OAuth config: %w", err)
}

if len(config.AADClientSecret) > 0 && !strings.EqualFold(config.AADClientSecret, "msi") {
logger.V(2).Info("Setup ARM multi-tenant token provider", "method", "sp_with_password")
return adal.NewMultiTenantServicePrincipalToken(
multiTenantOAuthConfig,
config.AADClientID,
config.AADClientSecret,
env.ServiceManagementEndpoint)
}

if len(config.AADClientCertPath) > 0 {
logger.V(2).Info("Setup ARM multi-tenant token provider", "method", "sp_with_certificate")
certData, err := os.ReadFile(config.AADClientCertPath)
if err != nil {
return nil, fmt.Errorf("reading the client certificate from file %s: %w", config.AADClientCertPath, err)
if !config.UseManagedIdentityExtension {
if len(config.AADClientSecret) > 0 {
logger.V(2).Info("Setup ARM multi-tenant token provider", "method", "sp_with_password")
return adal.NewMultiTenantServicePrincipalToken(
multiTenantOAuthConfig,
config.AADClientID,
config.AADClientSecret,
env.ServiceManagementEndpoint)
}
certificate, privateKey, err := parseCertificate(certData, config.AADClientCertPassword)
if err != nil {
return nil, fmt.Errorf("decoding the client certificate: %w", err)

if len(config.AADClientCertPath) > 0 {
logger.V(2).Info("Setup ARM multi-tenant token provider", "method", "sp_with_certificate")
certData, err := os.ReadFile(config.AADClientCertPath)
if err != nil {
return nil, fmt.Errorf("reading the client certificate from file %s: %w", config.AADClientCertPath, err)
}
certificate, privateKey, err := parseCertificate(certData, config.AADClientCertPassword)
if err != nil {
return nil, fmt.Errorf("decoding the client certificate: %w", err)
}
return adal.NewMultiTenantServicePrincipalTokenFromCertificate(
multiTenantOAuthConfig,
config.AADClientID,
certificate,
privateKey,
env.ServiceManagementEndpoint)
}
return adal.NewMultiTenantServicePrincipalTokenFromCertificate(
multiTenantOAuthConfig,
config.AADClientID,
certificate,
privateKey,
env.ServiceManagementEndpoint)
}

if authProvider.ComputeCredential != nil && authProvider.NetworkCredential != nil {
logger.V(2).Info("Setup ARM multi-tenant token provider", "method", "msi_with_auxiliary_token")
return armauth.NewMultiTenantTokenProvider(
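Review bot: The new `if !config.UseManagedIdentityExtension` guard around the client-secret branch drops the previous `!strings.EqualFold(config.AADClientSecret, "msi")` check, so a config that still carries the legacy `msi` secret value without setting UseManagedIdentityExtension would now mint a multi-tenant service-principal token with the literal string as its secret instead of falling through to the managed-identity path below; if that legacy spelling is still accepted elsewhere in the config, keep the sentinel, e.g. `if len(config.AADClientSecret) > 0 && !strings.EqualFold(config.AADClientSecret, "msi") {` inside the new block. If this was the file's only use of `strings`, the import is now unused and the build would fail, which the hunk does not show. A one-line comment above the guard, such as `// SP secret/certificate only apply when managed identity is off; MSI uses the auxiliary credentials below.`, would make the fall-through intent explicit. GetMultiTenantServicePrincipalToken begins and ends outside the hunk.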
7 changes: 7 additions & 0 deletions vendor/github.com/jongio/azidext/go/azidext/LICENSE


3 changes: 3 additions & 0 deletions vendor/modules.txt
Expand Up @@ -338,6 +338,9 @@ github.com/imdario/mergo
# github.com/inconshreveable/mousetrap v1.1.0
## explicit; go 1.18
github.com/inconshreveable/mousetrap
# github.com/jongio/azidext/go/azidext v0.5.0
## explicit; go 1.18
github.com/jongio/azidext/go/azidext
# github.com/josharian/intern v1.0.0
## explicit; go 1.5
github.com/josharian/intern