generate token using azidentity

Signed-off-by: MartinForReal <[email protected]>

go.mod

@@ -22,6 +22,7 @@ require (
 	github.com/evanphx/json-patch v5.9.0+incompatible
 	github.com/fsnotify/fsnotify v1.8.0
 	github.com/go-logr/logr v1.4.2
+	github.com/jongio/azidext/go/azidext v0.5.0
 	github.com/onsi/ginkgo/v2 v2.21.0
 	github.com/onsi/gomega v1.35.1
 	github.com/prometheus/client_golang v1.20.5

go.sum

@@ -177,8 +177,12 @@ github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28=
 github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/joho/godotenv v1.3.0 h1:Zjp+RcGpHhGlrMbJzXTrZZPrWj+1vfm90La1wgB6Bhc=
+github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
 github.com/jonboulle/clockwork v0.2.2 h1:UOGuzwb1PwsrDAObMuhUnj0p5ULPj8V/xJ7Kx9qUBdQ=
 github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
+github.com/jongio/azidext/go/azidext v0.5.0 h1:uPInXD4NZ3J0k79FPwIA0YXknFn+WcqZqSgs3/jPgvQ=
+github.com/jongio/azidext/go/azidext v0.5.0/go.mod h1:TVRX/hJhzbsCKaOIzicH6a8IvOH0hpjWk/JwZZgtXeU=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=

pkg/provider/azure.go

@@ -29,9 +29,8 @@ import (
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/go-autorest/autorest"
-	"github.com/Azure/go-autorest/autorest/adal"
 	"github.com/Azure/go-autorest/autorest/azure"
-
+	"github.com/jongio/azidext/go/azidext"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -48,6 +47,7 @@ import (
 	cloudnodeutil "k8s.io/cloud-provider/node/helpers"
 	nodeutil "k8s.io/component-helpers/node/util"
 	"k8s.io/klog/v2"
+	"sigs.k8s.io/yaml"
 
 	"sigs.k8s.io/cloud-provider-azure/pkg/azclient"
 	"sigs.k8s.io/cloud-provider-azure/pkg/azclient/configloader"
@@ -68,16 +68,13 @@ import (
 	"sigs.k8s.io/cloud-provider-azure/pkg/azureclients/vmsizeclient"
 	"sigs.k8s.io/cloud-provider-azure/pkg/azureclients/vmssclient"
 	"sigs.k8s.io/cloud-provider-azure/pkg/azureclients/vmssvmclient"
-	"sigs.k8s.io/cloud-provider-azure/pkg/provider/privatelinkservice"
-	"sigs.k8s.io/cloud-provider-azure/pkg/provider/subnet"
-	"sigs.k8s.io/cloud-provider-azure/pkg/provider/zone"
-
-	"sigs.k8s.io/yaml"
-
 	azcache "sigs.k8s.io/cloud-provider-azure/pkg/cache"
 	"sigs.k8s.io/cloud-provider-azure/pkg/consts"
 	ratelimitconfig "sigs.k8s.io/cloud-provider-azure/pkg/provider/config"
+	"sigs.k8s.io/cloud-provider-azure/pkg/provider/privatelinkservice"
 	"sigs.k8s.io/cloud-provider-azure/pkg/provider/securitygroup"
+	"sigs.k8s.io/cloud-provider-azure/pkg/provider/subnet"
+	"sigs.k8s.io/cloud-provider-azure/pkg/provider/zone"
 	"sigs.k8s.io/cloud-provider-azure/pkg/retry"
 	utilsets "sigs.k8s.io/cloud-provider-azure/pkg/util/sets"
 	"sigs.k8s.io/cloud-provider-azure/pkg/util/taints"
@@ -705,12 +702,7 @@ func (az *Cloud) InitializeCloudFromConfig(ctx context.Context, config *Config,
 		return err
 	}
 	az.AuthProvider = authProvider
-	// If uses network resources in different AAD Tenant, then prepare corresponding Service Principal Token for VM/VMSS client and network resources client
-	multiTenantServicePrincipalToken, networkResourceServicePrincipalToken, err := az.getAuthTokenInMultiTenantEnv(servicePrincipalToken, authProvider)
-	if err != nil {
-		return err
-	}
-	az.configAzureClients(servicePrincipalToken, multiTenantServicePrincipalToken, networkResourceServicePrincipalToken)
+	az.configAzureClients(authProvider)
 
 	if az.ComputeClientFactory == nil {
 		var cred azcore.TokenCredential
@@ -912,23 +904,6 @@ func (az *Cloud) setLBDefaults(config *Config) error {
 	return nil
 }
 
-func (az *Cloud) getAuthTokenInMultiTenantEnv(_ *adal.ServicePrincipalToken, authProvider *azclient.AuthProvider) (adal.MultitenantOAuthTokenProvider, adal.OAuthTokenProvider, error) {
-	var err error
-	var multiTenantOAuthToken adal.MultitenantOAuthTokenProvider
-	var networkResourceServicePrincipalToken adal.OAuthTokenProvider
-	if az.Config.UsesNetworkResourceInDifferentTenant() {
-		multiTenantOAuthToken, err = ratelimitconfig.GetMultiTenantServicePrincipalToken(&az.Config.AzureAuthConfig, &az.Environment, authProvider)
-		if err != nil {
-			return nil, nil, err
-		}
-		networkResourceServicePrincipalToken, err = ratelimitconfig.GetNetworkResourceServicePrincipalToken(&az.Config.AzureAuthConfig, &az.Environment, authProvider)
-		if err != nil {
-			return nil, nil, err
-		}
-	}
-	return multiTenantOAuthToken, networkResourceServicePrincipalToken, nil
-}
-
 func (az *Cloud) setCloudProviderBackoffDefaults(config *Config) wait.Backoff {
 	// Conditionally configure resource request backoff
 	resourceRequestBackoff := wait.Backoff{
@@ -970,11 +945,10 @@ func (az *Cloud) setCloudProviderBackoffDefaults(config *Config) wait.Backoff {
 }
 
 func (az *Cloud) configAzureClients(
-	servicePrincipalToken *adal.ServicePrincipalToken,
-	multiTenantOAuthTokenProvider adal.MultitenantOAuthTokenProvider,
-	networkResourceServicePrincipalToken adal.OAuthTokenProvider,
+	authProvider *azclient.AuthProvider,
 ) {
-	azClientConfig := az.getAzureClientConfig(servicePrincipalToken)
+	token := azidext.NewTokenCredentialAdapter(authProvider.GetAzIdentity(), []string{azidext.DefaultManagementScope})
+	azClientConfig := az.getAzureClientConfig(token)
 
 	// Prepare AzureClientConfig for all azure clients
 	interfaceClientConfig := azClientConfig.WithRateLimiter(az.Config.InterfaceRateLimit)
@@ -999,22 +973,22 @@ func (az *Cloud) configAzureClients(
 	vmasClientConfig := azClientConfig.WithRateLimiter(az.Config.AvailabilitySetRateLimit)
 
 	// If uses network resources in different AAD Tenant, update Authorizer for VM/VMSS/VMAS client config
-	if multiTenantOAuthTokenProvider != nil {
-		multiTenantServicePrincipalTokenAuthorizer := autorest.NewMultiTenantServicePrincipalTokenAuthorizer(multiTenantOAuthTokenProvider)
+	if authProvider.IsMultiTenantModeEnabled() {
+		multiTenantOAuthTokenProvider := azidext.NewTokenCredentialAdapter(authProvider.GetMultiTenantIdentity(), []string{azidext.DefaultManagementScope})
 
-		vmClientConfig.Authorizer = multiTenantServicePrincipalTokenAuthorizer
-		vmssClientConfig.Authorizer = multiTenantServicePrincipalTokenAuthorizer
-		vmssVMClientConfig.Authorizer = multiTenantServicePrincipalTokenAuthorizer
-		vmasClientConfig.Authorizer = multiTenantServicePrincipalTokenAuthorizer
+		vmClientConfig.Authorizer = multiTenantOAuthTokenProvider
+		vmssClientConfig.Authorizer = multiTenantOAuthTokenProvider
+		vmssVMClientConfig.Authorizer = multiTenantOAuthTokenProvider
+		vmasClientConfig.Authorizer = multiTenantOAuthTokenProvider
 	}
 
 	// If uses network resources in different AAD Tenant, update SubscriptionID and Authorizer for network resources client config
-	if networkResourceServicePrincipalToken != nil {
-		networkResourceServicePrincipalTokenAuthorizer := autorest.NewBearerAuthorizer(networkResourceServicePrincipalToken)
-		subnetClientConfig.Authorizer = networkResourceServicePrincipalTokenAuthorizer
-		routeTableClientConfig.Authorizer = networkResourceServicePrincipalTokenAuthorizer
-		loadBalancerClientConfig.Authorizer = networkResourceServicePrincipalTokenAuthorizer
-		publicIPClientConfig.Authorizer = networkResourceServicePrincipalTokenAuthorizer
+	if authProvider.GetNetworkAzIdentity() != nil {
+		networkResourceServicePrincipalToken := azidext.NewTokenCredentialAdapter(authProvider.GetNetworkAzIdentity(), []string{azidext.DefaultManagementScope})
+		subnetClientConfig.Authorizer = networkResourceServicePrincipalToken
+		routeTableClientConfig.Authorizer = networkResourceServicePrincipalToken
+		loadBalancerClientConfig.Authorizer = networkResourceServicePrincipalToken
+		publicIPClientConfig.Authorizer = networkResourceServicePrincipalToken
 	}
 
 	if az.UsesNetworkResourceInDifferentSubscription() {
@@ -1043,13 +1017,13 @@ func (az *Cloud) configAzureClients(
 	az.privatednszonegroupclient = privatednszonegroupclient.New(privateDNSZoenGroupConfig)
 }
 
-func (az *Cloud) getAzureClientConfig(servicePrincipalToken *adal.ServicePrincipalToken) *azclients.ClientConfig {
+func (az *Cloud) getAzureClientConfig(token autorest.Authorizer) *azclients.ClientConfig {
 	azClientConfig := &azclients.ClientConfig{
 		CloudName:               az.Config.Cloud,
 		Location:                az.Config.Location,
 		SubscriptionID:          az.Config.SubscriptionID,
 		ResourceManagerEndpoint: az.Environment.ResourceManagerEndpoint,
-		Authorizer:              autorest.NewBearerAuthorizer(servicePrincipalToken),
+		Authorizer:              token,
 		Backoff:                 &retry.Backoff{Steps: 1},
 		DisableAzureStackCloud:  az.Config.DisableAzureStackCloud,
 		UserAgent:               az.Config.UserAgent,

pkg/provider/config/azure_auth.go

@@ -193,33 +193,34 @@ func GetMultiTenantServicePrincipalToken(config *AzureAuthConfig, env *azure.Env
 		return nil, fmt.Errorf("creating the multi-tenant OAuth config: %w", err)
 	}
 
-	if len(config.AADClientSecret) > 0 && !strings.EqualFold(config.AADClientSecret, "msi") {
-		logger.V(2).Info("Setup ARM multi-tenant token provider", "method", "sp_with_password")
-		return adal.NewMultiTenantServicePrincipalToken(
-			multiTenantOAuthConfig,
-			config.AADClientID,
-			config.AADClientSecret,
-			env.ServiceManagementEndpoint)
-	}
-
-	if len(config.AADClientCertPath) > 0 {
-		logger.V(2).Info("Setup ARM multi-tenant token provider", "method", "sp_with_certificate")
-		certData, err := os.ReadFile(config.AADClientCertPath)
-		if err != nil {
-			return nil, fmt.Errorf("reading the client certificate from file %s: %w", config.AADClientCertPath, err)
+	if !config.UseManagedIdentityExtension {
+		if len(config.AADClientSecret) > 0 {
+			logger.V(2).Info("Setup ARM multi-tenant token provider", "method", "sp_with_password")
+			return adal.NewMultiTenantServicePrincipalToken(
+				multiTenantOAuthConfig,
+				config.AADClientID,
+				config.AADClientSecret,
+				env.ServiceManagementEndpoint)
 		}
-		certificate, privateKey, err := parseCertificate(certData, config.AADClientCertPassword)
-		if err != nil {
-			return nil, fmt.Errorf("decoding the client certificate: %w", err)
+
+		if len(config.AADClientCertPath) > 0 {
+			logger.V(2).Info("Setup ARM multi-tenant token provider", "method", "sp_with_certificate")
+			certData, err := os.ReadFile(config.AADClientCertPath)
+			if err != nil {
+				return nil, fmt.Errorf("reading the client certificate from file %s: %w", config.AADClientCertPath, err)
+			}
+			certificate, privateKey, err := parseCertificate(certData, config.AADClientCertPassword)
+			if err != nil {
+				return nil, fmt.Errorf("decoding the client certificate: %w", err)
+			}
+			return adal.NewMultiTenantServicePrincipalTokenFromCertificate(
+				multiTenantOAuthConfig,
+				config.AADClientID,
+				certificate,
+				privateKey,
+				env.ServiceManagementEndpoint)
 		}
-		return adal.NewMultiTenantServicePrincipalTokenFromCertificate(
-			multiTenantOAuthConfig,
-			config.AADClientID,
-			certificate,
-			privateKey,
-			env.ServiceManagementEndpoint)
 	}
-
 	if authProvider.ComputeCredential != nil && authProvider.NetworkCredential != nil {
 		logger.V(2).Info("Setup ARM multi-tenant token provider", "method", "msi_with_auxiliary_token")
 		return armauth.NewMultiTenantTokenProvider(

vendor/modules.txt

@@ -338,6 +338,9 @@ github.com/imdario/mergo
 # github.com/inconshreveable/mousetrap v1.1.0
 ## explicit; go 1.18
 github.com/inconshreveable/mousetrap
+# github.com/jongio/azidext/go/azidext v0.5.0
+## explicit; go 1.18
+github.com/jongio/azidext/go/azidext
 # github.com/josharian/intern v1.0.0
 ## explicit; go 1.5
 github.com/josharian/intern