Support fields from `az` generated Azure SP

This supports the fields as documented in the AKS documentation: https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal?tabs=azure-cli#manually-create-a-service-principal Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-03-04 00:57:33 +01:00 · 2022-03-04 00:57:33 +01:00 · c5c9160ec5
parent cc805b4c55
commit c5c9160ec5
2 changed files with 43 additions and 0 deletions
--- a/pkg/azure/blob.go
+++ b/pkg/azure/blob.go
@ -51,6 +51,11 @@ const (
 	clientCertificateField         = "clientCertificate"
 	clientCertificatePasswordField = "clientCertificatePassword"
 	accountKeyField                = "accountKey"
+
+	// Ref: https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal?tabs=azure-cli#manually-create-a-service-principal
+	tenantField   = "tenant"
+	appIDField    = "appId"
+	passwordField = "password"
 )

 // BlobClient is a minimal Azure Blob client for fetching objects.
@ -65,6 +70,9 @@ type BlobClient struct {
 //
 //  - azidentity.ClientSecretCredential when `tenantId`, `clientId` and
 //    `clientSecret` fields are found.
+//  - azidentity.ClientSecretCredential when `tenant`, `appId` and `password`
+//    fields are found. To match with the JSON from:
+//    https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal?tabs=azure-cli#manually-create-a-service-principal
 //  - azidentity.ClientCertificateCredential when `tenantId`,
 //    `clientCertificate` (and optionally `clientCertificatePassword`) fields
 //    are found.
@ -130,6 +138,13 @@ func ValidateSecret(secret *corev1.Secret) error {
 			}
 		}
 	}
+	if _, hasTenant := secret.Data[tenantField]; hasTenant {
+		if _, hasAppID := secret.Data[appIDField]; hasAppID {
+			if _, hasPassword := secret.Data[passwordField]; hasPassword {
+				valid = true
+			}
+		}
+	}
 	if _, hasResourceID := secret.Data[resourceIDField]; hasResourceID {
 		valid = true
 	}
@ -284,6 +299,13 @@ func tokenCredentialFromSecret(secret *corev1.Secret) (azcore.TokenCredential, e
 			return azidentity.NewClientCertificateCredential(string(tenantID), string(clientID), certs, key, nil)
 		}
 	}
+	if tenant, hasTenant := secret.Data[tenantField]; hasTenant {
+		if appId, hasAppID := secret.Data[appIDField]; hasAppID {
+			if password, hasPassword := secret.Data[passwordField]; hasPassword {
+				return azidentity.NewClientSecretCredential(string(tenant), string(appId), string(password), nil)
+			}
+		}
+	}
 	if hasClientID {
 		return azidentity.NewManagedIdentityCredential(&azidentity.ManagedIdentityCredentialOptions{
 			ID: azidentity.ClientID(clientID),
--- a/pkg/azure/blob_test.go
+++ b/pkg/azure/blob_test.go
@ -76,6 +76,16 @@ func TestValidateSecret(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "valid ServicePrincipal Secret",
+			secret: &corev1.Secret{
+				Data: map[string][]byte{
+					tenantField:   []byte("some-tenant-id-"),
+					appIDField:    []byte("some-client-id-"),
+					passwordField: []byte("some-client-secret-"),
+				},
+			},
+		},
 		{
 			name: "valid SharedKey Secret",
 			secret: &corev1.Secret{
@ -230,6 +240,17 @@ func Test_tokenCredentialFromSecret(t *testing.T) {
 			},
 			want: &azidentity.ClientSecretCredential{},
 		},
+		{
+			name: "with Tenant, AppID and Password fields",
+			secret: &corev1.Secret{
+				Data: map[string][]byte{
+					appIDField:    []byte("client-id"),
+					tenantField:   []byte("tenant-id"),
+					passwordField: []byte("client-secret"),
+				},
+			},
+			want: &azidentity.ClientSecretCredential{},
+		},
 		{
 			name:   "empty secret",
 			secret: &corev1.Secret{},