Support fields from `az` generated Azure SP
This supports the fields as documented in the AKS documentation: https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal?tabs=azure-cli#manually-create-a-service-principal

Signed-off-by: Hidde Beydals <hello@hidde.co>
This commit is contained in:
parent
cc805b4c55
commit
c5c9160ec5
|
@ -51,6 +51,11 @@ const (
|
|||
clientCertificateField = "clientCertificate"
|
||||
clientCertificatePasswordField = "clientCertificatePassword"
|
||||
accountKeyField = "accountKey"
|
||||
|
||||
// Ref: https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal?tabs=azure-cli#manually-create-a-service-principal
|
||||
tenantField = "tenant"
|
||||
appIDField = "appId"
|
||||
passwordField = "password"
|
||||
)
|
||||
|
||||
// BlobClient is a minimal Azure Blob client for fetching objects.
|
||||
|
@ -65,6 +70,9 @@ type BlobClient struct {
|
|||
//
|
||||
// - azidentity.ClientSecretCredential when `tenantId`, `clientId` and
|
||||
// `clientSecret` fields are found.
|
||||
// - azidentity.ClientSecretCredential when `tenant`, `appId` and `password`
|
||||
// fields are found. To match with the JSON from:
|
||||
// https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal?tabs=azure-cli#manually-create-a-service-principal
|
||||
// - azidentity.ClientCertificateCredential when `tenantId`,
|
||||
// `clientCertificate` (and optionally `clientCertificatePassword`) fields
|
||||
// are found.
|
||||
|
@ -130,6 +138,13 @@ func ValidateSecret(secret *corev1.Secret) error {
|
|||
}
|
||||
}
|
||||
}
|
||||
if _, hasTenant := secret.Data[tenantField]; hasTenant {
|
||||
if _, hasAppID := secret.Data[appIDField]; hasAppID {
|
||||
if _, hasPassword := secret.Data[passwordField]; hasPassword {
|
||||
valid = true
|
||||
}
|
||||
}
|
||||
}
|
||||
if _, hasResourceID := secret.Data[resourceIDField]; hasResourceID {
|
||||
valid = true
|
||||
}
|
||||
|
@ -284,6 +299,13 @@ func tokenCredentialFromSecret(secret *corev1.Secret) (azcore.TokenCredential, e
|
|||
return azidentity.NewClientCertificateCredential(string(tenantID), string(clientID), certs, key, nil)
|
||||
}
|
||||
}
|
||||
if tenant, hasTenant := secret.Data[tenantField]; hasTenant {
|
||||
if appId, hasAppID := secret.Data[appIDField]; hasAppID {
|
||||
if password, hasPassword := secret.Data[passwordField]; hasPassword {
|
||||
return azidentity.NewClientSecretCredential(string(tenant), string(appId), string(password), nil)
|
||||
}
|
||||
}
|
||||
}
|
||||
if hasClientID {
|
||||
return azidentity.NewManagedIdentityCredential(&azidentity.ManagedIdentityCredentialOptions{
|
||||
ID: azidentity.ClientID(clientID),
|
||||
|
|
|
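Review bot: The new local `appId` in the `tokenCredentialFromSecret` hunk breaks the initialism convention the same hunk already follows with `hasAppID` and `clientID`; rename it to `appID`: `if appID, hasAppID := secret.Data[appIDField]; hasAppID {` and `return azidentity.NewClientSecretCredential(string(tenant), string(appID), string(password), nil)`. The branch is placed after the `tenantId`/`clientId`/`clientSecret` and certificate branches, so a Secret that carries both naming schemes silently authenticates with whichever branch is checked first; the `BlobClient` doc comment in the second hunk lists the credential kinds but, as far as the hunk shows, does not say that the first matching set of fields wins, which is worth one line there such as `// Fields are checked in the order listed; the first complete set found is used.`. Both `ValidateSecret` and `tokenCredentialFromSecret` start and end outside their hunks, so I cannot confirm how a partial set (for example `tenant` and `appId` without `password`) is reported to the caller beyond falling through to the later checks.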
@ -76,6 +76,16 @@ func TestValidateSecret(t *testing.T) {
|
|||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "valid ServicePrincipal Secret",
|
||||
secret: &corev1.Secret{
|
||||
Data: map[string][]byte{
|
||||
tenantField: []byte("some-tenant-id-"),
|
||||
appIDField: []byte("some-client-id-"),
|
||||
passwordField: []byte("some-client-secret-"),
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "valid SharedKey Secret",
|
||||
secret: &corev1.Secret{
|
||||
|
@ -230,6 +240,17 @@ func Test_tokenCredentialFromSecret(t *testing.T) {
|
|||
},
|
||||
want: &azidentity.ClientSecretCredential{},
|
||||
},
|
||||
{
|
||||
name: "with Tenant, AppID and Password fields",
|
||||
secret: &corev1.Secret{
|
||||
Data: map[string][]byte{
|
||||
appIDField: []byte("client-id"),
|
||||
tenantField: []byte("tenant-id"),
|
||||
passwordField: []byte("client-secret"),
|
||||
},
|
||||
},
|
||||
want: &azidentity.ClientSecretCredential{},
|
||||
},
|
||||
{
|
||||
name: "empty secret",
|
||||
secret: &corev1.Secret{},
|
||||
|
|
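Review bot: `TestValidateSecret` only gains the positive case for the `tenant`/`appId`/`password` triple; nothing pins that an incomplete set leaves the Secret invalid, which is exactly the nested three-level check the production hunk adds. A negative table entry with `tenant` and `appId` but no `password` would cover that and mirror whatever error expectation the existing invalid cases use. The same gap applies to `Test_tokenCredentialFromSecret`, which adds only the complete-triple case. The enclosing test functions start and end outside the hunks, so the table's field names for the error expectation are not visible here.
```go
{
	name: "invalid ServicePrincipal Secret without password",
	secret: &corev1.Secret{
		Data: map[string][]byte{
			tenantField: []byte("some-tenant-id-"),
			appIDField:  []byte("some-client-id-"),
		},
	},
	// … set the table's error-expectation field as the existing invalid cases do …
},
```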