generate token using azidentity
MartinForReal committed Oct 31, 2024
1 parent 3c43bbf commit 7cd1fea
Showing 10 changed files with 224 additions and 68 deletions.
10 changes: 10 additions & 0 deletions LICENSES/vendor/github.com/jongio/azidext/go/azidext/LICENSE


1 change: 1 addition & 0 deletions go.mod
Expand Up @@ -22,6 +22,7 @@ require (
github.com/evanphx/json-patch v5.9.0+incompatible
github.com/fsnotify/fsnotify v1.7.0
github.com/go-logr/logr v1.4.2
github.com/jongio/azidext/go/azidext v0.5.0
github.com/onsi/ginkgo/v2 v2.21.0
github.com/onsi/gomega v1.35.0
github.com/prometheus/client_golang v1.20.5
39 changes: 39 additions & 0 deletions go.sum


63 changes: 19 additions & 44 deletions pkg/provider/azure.go
Expand Up @@ -29,9 +29,8 @@ import (

"github.com/Azure/azure-sdk-for-go/sdk/azcore"
"github.com/Azure/go-autorest/autorest"
"github.com/Azure/go-autorest/autorest/adal"
"github.com/Azure/go-autorest/autorest/azure"

"github.com/jongio/azidext/go/azidext"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
Expand All @@ -48,7 +47,6 @@ import (
cloudnodeutil "k8s.io/cloud-provider/node/helpers"
nodeutil "k8s.io/component-helpers/node/util"
"k8s.io/klog/v2"

"sigs.k8s.io/cloud-provider-azure/pkg/azclient"
"sigs.k8s.io/cloud-provider-azure/pkg/azclient/configloader"
azclients "sigs.k8s.io/cloud-provider-azure/pkg/azureclients"
Expand Down Expand Up @@ -705,12 +703,7 @@ func (az *Cloud) InitializeCloudFromConfig(ctx context.Context, config *Config,
return err
}
az.AuthProvider = authProvider
// If uses network resources in different AAD Tenant, then prepare corresponding Service Principal Token for VM/VMSS client and network resources client
multiTenantServicePrincipalToken, networkResourceServicePrincipalToken, err := az.getAuthTokenInMultiTenantEnv(servicePrincipalToken, authProvider)
if err != nil {
return err
}
az.configAzureClients(servicePrincipalToken, multiTenantServicePrincipalToken, networkResourceServicePrincipalToken)
az.configAzureClients(authProvider)

if az.ComputeClientFactory == nil {
var cred azcore.TokenCredential
Expand Down Expand Up @@ -908,23 +901,6 @@ func (az *Cloud) setLBDefaults(config *Config) error {
return nil
}

func (az *Cloud) getAuthTokenInMultiTenantEnv(_ *adal.ServicePrincipalToken, authProvider *azclient.AuthProvider) (adal.MultitenantOAuthTokenProvider, adal.OAuthTokenProvider, error) {
var err error
var multiTenantOAuthToken adal.MultitenantOAuthTokenProvider
var networkResourceServicePrincipalToken adal.OAuthTokenProvider
if az.Config.UsesNetworkResourceInDifferentTenant() {
multiTenantOAuthToken, err = ratelimitconfig.GetMultiTenantServicePrincipalToken(&az.Config.AzureAuthConfig, &az.Environment, authProvider)
if err != nil {
return nil, nil, err
}
networkResourceServicePrincipalToken, err = ratelimitconfig.GetNetworkResourceServicePrincipalToken(&az.Config.AzureAuthConfig, &az.Environment, authProvider)
if err != nil {
return nil, nil, err
}
}
return multiTenantOAuthToken, networkResourceServicePrincipalToken, nil
}

func (az *Cloud) setCloudProviderBackoffDefaults(config *Config) wait.Backoff {
// Conditionally configure resource request backoff
resourceRequestBackoff := wait.Backoff{
Expand Down Expand Up @@ -966,11 +942,10 @@ func (az *Cloud) setCloudProviderBackoffDefaults(config *Config) wait.Backoff {
}

func (az *Cloud) configAzureClients(
servicePrincipalToken *adal.ServicePrincipalToken,
multiTenantOAuthTokenProvider adal.MultitenantOAuthTokenProvider,
networkResourceServicePrincipalToken adal.OAuthTokenProvider,
authProvider *azclient.AuthProvider,
) {
azClientConfig := az.getAzureClientConfig(servicePrincipalToken)
token := azidext.NewTokenCredentialAdapter(authProvider.GetAzIdentity(), []string{azidext.DefaultManagementScope})
azClientConfig := az.getAzureClientConfig(token)

// Prepare AzureClientConfig for all azure clients
interfaceClientConfig := azClientConfig.WithRateLimiter(az.Config.InterfaceRateLimit)
Expand All @@ -996,22 +971,22 @@ func (az *Cloud) configAzureClients(
vmasClientConfig := azClientConfig.WithRateLimiter(az.Config.AvailabilitySetRateLimit)

// If uses network resources in different AAD Tenant, update Authorizer for VM/VMSS/VMAS client config
if multiTenantOAuthTokenProvider != nil {
multiTenantServicePrincipalTokenAuthorizer := autorest.NewMultiTenantServicePrincipalTokenAuthorizer(multiTenantOAuthTokenProvider)
if authProvider.IsMultiTenantModeEnabled() {
multiTenantOAuthTokenProvider := azidext.NewTokenCredentialAdapter(authProvider.GetMultiTenantIdentity(), []string{azidext.DefaultManagementScope})

vmClientConfig.Authorizer = multiTenantServicePrincipalTokenAuthorizer
vmssClientConfig.Authorizer = multiTenantServicePrincipalTokenAuthorizer
vmssVMClientConfig.Authorizer = multiTenantServicePrincipalTokenAuthorizer
vmasClientConfig.Authorizer = multiTenantServicePrincipalTokenAuthorizer
vmClientConfig.Authorizer = multiTenantOAuthTokenProvider
vmssClientConfig.Authorizer = multiTenantOAuthTokenProvider
vmssVMClientConfig.Authorizer = multiTenantOAuthTokenProvider
vmasClientConfig.Authorizer = multiTenantOAuthTokenProvider
}

// If uses network resources in different AAD Tenant, update SubscriptionID and Authorizer for network resources client config
if networkResourceServicePrincipalToken != nil {
networkResourceServicePrincipalTokenAuthorizer := autorest.NewBearerAuthorizer(networkResourceServicePrincipalToken)
subnetClientConfig.Authorizer = networkResourceServicePrincipalTokenAuthorizer
routeTableClientConfig.Authorizer = networkResourceServicePrincipalTokenAuthorizer
loadBalancerClientConfig.Authorizer = networkResourceServicePrincipalTokenAuthorizer
publicIPClientConfig.Authorizer = networkResourceServicePrincipalTokenAuthorizer
if authProvider.GetNetworkAzIdentity() != nil {
networkResourceServicePrincipalToken := azidext.NewTokenCredentialAdapter(authProvider.GetNetworkAzIdentity(), []string{azidext.DefaultManagementScope})
subnetClientConfig.Authorizer = networkResourceServicePrincipalToken
routeTableClientConfig.Authorizer = networkResourceServicePrincipalToken
loadBalancerClientConfig.Authorizer = networkResourceServicePrincipalToken
publicIPClientConfig.Authorizer = networkResourceServicePrincipalToken
}

if az.UsesNetworkResourceInDifferentSubscription() {
Expand Down Expand Up @@ -1041,13 +1016,13 @@ func (az *Cloud) configAzureClients(
az.PrivateLinkServiceClient = privatelinkserviceclient.New(privateLinkServiceConfig)
}

func (az *Cloud) getAzureClientConfig(servicePrincipalToken *adal.ServicePrincipalToken) *azclients.ClientConfig {
func (az *Cloud) getAzureClientConfig(token autorest.Authorizer) *azclients.ClientConfig {
azClientConfig := &azclients.ClientConfig{
CloudName: az.Config.Cloud,
Location: az.Config.Location,
SubscriptionID: az.Config.SubscriptionID,
ResourceManagerEndpoint: az.Environment.ResourceManagerEndpoint,
Authorizer: autorest.NewBearerAuthorizer(servicePrincipalToken),
Authorizer: token,
Backoff: &retry.Backoff{Steps: 1},
DisableAzureStackCloud: az.Config.DisableAzureStackCloud,
UserAgent: az.Config.UserAgent,
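Review bot: The three NewTokenCredentialAdapter calls in configAzureClients fix the token audience to `azidext.DefaultManagementScope`, while getAzureClientConfig still points the clients at `az.Environment.ResourceManagerEndpoint` and honours `az.Config.Cloud`; if that constant is the public-cloud ARM scope (as its name suggests), tokens for sovereign or Azure Stack environments would be minted for the wrong audience and rejected by ARM, whereas the removed adal path took the endpoint from the configured environment. Consider deriving the scope once from the environment, e.g. `scope := strings.TrimSuffix(az.Environment.TokenAudience, "/") + "/.default"` (ResourceManagerEndpoint if TokenAudience is not populated for every cloud the provider supports), and passing `[]string{scope}` to all three adapters — worth confirming against the list of supported clouds. Separately, `GetNetworkAzIdentity()` is evaluated twice in the network-resources branch; `if networkCred := authProvider.GetNetworkAzIdentity(); networkCred != nil {` with the adapter built from `networkCred` avoids the repeated call and makes the nil check and the value it guards the same object. The body of configAzureClients continues past the hunk.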
1 change: 1 addition & 0 deletions pkg/provider/azure_mock_vmsets.go


49 changes: 25 additions & 24 deletions pkg/provider/config/azure_auth.go
Expand Up @@ -193,33 +193,34 @@ func GetMultiTenantServicePrincipalToken(config *AzureAuthConfig, env *azure.Env
return nil, fmt.Errorf("creating the multi-tenant OAuth config: %w", err)
}

if len(config.AADClientSecret) > 0 && !strings.EqualFold(config.AADClientSecret, "msi") {
logger.V(2).Info("Setup ARM multi-tenant token provider", "method", "sp_with_password")
return adal.NewMultiTenantServicePrincipalToken(
multiTenantOAuthConfig,
config.AADClientID,
config.AADClientSecret,
env.ServiceManagementEndpoint)
}

if len(config.AADClientCertPath) > 0 {
logger.V(2).Info("Setup ARM multi-tenant token provider", "method", "sp_with_certificate")
certData, err := os.ReadFile(config.AADClientCertPath)
if err != nil {
return nil, fmt.Errorf("reading the client certificate from file %s: %w", config.AADClientCertPath, err)
if !config.UseManagedIdentityExtension {
if len(config.AADClientSecret) > 0 {
logger.V(2).Info("Setup ARM multi-tenant token provider", "method", "sp_with_password")
return adal.NewMultiTenantServicePrincipalToken(
multiTenantOAuthConfig,
config.AADClientID,
config.AADClientSecret,
env.ServiceManagementEndpoint)
}
certificate, privateKey, err := parseCertificate(certData, config.AADClientCertPassword)
if err != nil {
return nil, fmt.Errorf("decoding the client certificate: %w", err)

if len(config.AADClientCertPath) > 0 {
logger.V(2).Info("Setup ARM multi-tenant token provider", "method", "sp_with_certificate")
certData, err := os.ReadFile(config.AADClientCertPath)
if err != nil {
return nil, fmt.Errorf("reading the client certificate from file %s: %w", config.AADClientCertPath, err)
}
certificate, privateKey, err := parseCertificate(certData, config.AADClientCertPassword)
if err != nil {
return nil, fmt.Errorf("decoding the client certificate: %w", err)
}
return adal.NewMultiTenantServicePrincipalTokenFromCertificate(
multiTenantOAuthConfig,
config.AADClientID,
certificate,
privateKey,
env.ServiceManagementEndpoint)
}
return adal.NewMultiTenantServicePrincipalTokenFromCertificate(
multiTenantOAuthConfig,
config.AADClientID,
certificate,
privateKey,
env.ServiceManagementEndpoint)
}

if authProvider.ComputeCredential != nil && authProvider.NetworkCredential != nil {
logger.V(2).Info("Setup ARM multi-tenant token provider", "method", "msi_with_auxiliary_token")
return armauth.NewMultiTenantTokenProvider(
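Review bot: The rewritten guard in GetMultiTenantServicePrincipalToken drops the previous `!strings.EqualFold(config.AADClientSecret, "msi")` exclusion, so a legacy config with `UseManagedIdentityExtension` unset and the placeholder secret `msi` now takes the sp_with_password branch and the literal placeholder would be presented as a client secret, instead of falling through to the managed-identity path as before. If that placeholder is still accepted by the config loader, keep the check alongside the new flag, `if len(config.AADClientSecret) > 0 && !strings.EqualFold(config.AADClientSecret, "msi") {`; if it is no longer supported, a one-line comment on the `if !config.UseManagedIdentityExtension` line saying so would stop the next reader from re-adding it. When the extension is enabled and neither ComputeCredential nor NetworkCredential is set, control falls past the hunk into whatever follows; worth confirming that path returns an explicit error rather than a nil provider. The function's signature and tail lie outside the hunk.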
7 changes: 7 additions & 0 deletions vendor/github.com/jongio/azidext/go/azidext/LICENSE


3 changes: 3 additions & 0 deletions vendor/modules.txt
Expand Up @@ -337,6 +337,9 @@ github.com/imdario/mergo
# github.com/inconshreveable/mousetrap v1.1.0
## explicit; go 1.18
github.com/inconshreveable/mousetrap
# github.com/jongio/azidext/go/azidext v0.5.0
## explicit; go 1.18
github.com/jongio/azidext/go/azidext
# github.com/josharian/intern v1.0.0
## explicit; go 1.5
github.com/josharian/intern

