Support fields from `az` generated Azure SP

This supports the fields as documented in the AKS documentation:
https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal?tabs=azure-cli#manually-create-a-service-principal

Signed-off-by: Hidde Beydals <hello@hidde.co>
This commit is contained in:
Hidde Beydals 2022-03-04 00:57:33 +01:00
parent cc805b4c55
commit c5c9160ec5
2 changed files with 43 additions and 0 deletions


@ -51,6 +51,11 @@ const (
clientCertificateField = "clientCertificate"
clientCertificatePasswordField = "clientCertificatePassword"
accountKeyField = "accountKey"
// Ref: https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal?tabs=azure-cli#manually-create-a-service-principal
tenantField = "tenant"
appIDField = "appId"
passwordField = "password"
)
// BlobClient is a minimal Azure Blob client for fetching objects.
@ -65,6 +70,9 @@ type BlobClient struct {
//
// - azidentity.ClientSecretCredential when `tenantId`, `clientId` and
// `clientSecret` fields are found.
// - azidentity.ClientSecretCredential when `tenant`, `appId` and `password`
// fields are found. To match with the JSON from:
// https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal?tabs=azure-cli#manually-create-a-service-principal
// - azidentity.ClientCertificateCredential when `tenantId`,
// `clientCertificate` (and optionally `clientCertificatePassword`) fields
// are found.
@ -130,6 +138,13 @@ func ValidateSecret(secret *corev1.Secret) error {
}
}
}
if _, hasTenant := secret.Data[tenantField]; hasTenant {
if _, hasAppID := secret.Data[appIDField]; hasAppID {
if _, hasPassword := secret.Data[passwordField]; hasPassword {
valid = true
}
}
}
if _, hasResourceID := secret.Data[resourceIDField]; hasResourceID {
valid = true
}
@ -284,6 +299,13 @@ func tokenCredentialFromSecret(secret *corev1.Secret) (azcore.TokenCredential, e
return azidentity.NewClientCertificateCredential(string(tenantID), string(clientID), certs, key, nil)
}
}
if tenant, hasTenant := secret.Data[tenantField]; hasTenant {
if appId, hasAppID := secret.Data[appIDField]; hasAppID {
if password, hasPassword := secret.Data[passwordField]; hasPassword {
return azidentity.NewClientSecretCredential(string(tenant), string(appId), string(password), nil)
}
}
}
if hasClientID {
return azidentity.NewManagedIdentityCredential(&azidentity.ManagedIdentityCredentialOptions{
ID: azidentity.ClientID(clientID),
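Review bot: The local `appId` on the `if appId, hasAppID := secret.Data[appIDField]` line breaks the initialism casing the surrounding code already follows (`hasAppID`, `appIDField`, and `clientID` on the line just above), so it should read `if appID, hasAppID := secret.Data[appIDField]; hasAppID {` with the call becoming `return azidentity.NewClientSecretCredential(string(tenant), string(appID), string(password), nil)`. A second, smaller point: a Secret that carries both the `tenantId`/`clientId`/`clientSecret` and the `tenant`/`appId`/`password` triplets now resolves silently to whichever branch comes first, so the BlobClient doc comment in the second hunk could state that precedence, e.g. `// When both field sets are present, tenantId/clientId/clientSecret takes precedence.` — this is inferred from the branch order visible here and should be confirmed against the full function. tokenCredentialFromSecret starts and ends outside this hunk.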


@ -76,6 +76,16 @@ func TestValidateSecret(t *testing.T) {
},
},
},
{
name: "valid ServicePrincipal Secret",
secret: &corev1.Secret{
Data: map[string][]byte{
tenantField: []byte("some-tenant-id-"),
appIDField: []byte("some-client-id-"),
passwordField: []byte("some-client-secret-"),
},
},
},
{
name: "valid SharedKey Secret",
secret: &corev1.Secret{
@ -230,6 +240,17 @@ func Test_tokenCredentialFromSecret(t *testing.T) {
},
want: &azidentity.ClientSecretCredential{},
},
{
name: "with Tenant, AppID and Password fields",
secret: &corev1.Secret{
Data: map[string][]byte{
appIDField: []byte("client-id"),
tenantField: []byte("tenant-id"),
passwordField: []byte("client-secret"),
},
},
want: &azidentity.ClientSecretCredential{},
},
{
name: "empty secret",
secret: &corev1.Secret{},