From c5c9160ec52fe39a39236af6ce680c27a66546f2 Mon Sep 17 00:00:00 2001
From: Hidde Beydals
Date: Fri, 4 Mar 2022 00:57:33 +0100
Subject: [PATCH] Support fields from `az` generated Azure SP

This supports the fields as documented in the AKS documentation: https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal?tabs=azure-cli#manually-create-a-service-principal

Signed-off-by: Hidde Beydals
---
 pkg/azure/blob.go | 22 ++++++++++++++++++++++
 pkg/azure/blob_test.go | 21 +++++++++++++++++++++
 2 files changed, 43 insertions(+)

diff --git a/pkg/azure/blob.go b/pkg/azure/blob.go
index 6bcb177e..a24b4f0b 100644
--- a/pkg/azure/blob.go
+++ b/pkg/azure/blob.go
@@ -51,6 +51,11 @@ const (
 clientCertificateField = "clientCertificate"
 clientCertificatePasswordField = "clientCertificatePassword"
 accountKeyField = "accountKey"
+
+ // Ref: https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal?tabs=azure-cli#manually-create-a-service-principal
+ tenantField = "tenant"
+ appIDField = "appId"
+ passwordField = "password"
 )
 
 // BlobClient is a minimal Azure Blob client for fetching objects.
@@ -65,6 +70,9 @@ type BlobClient struct {
 //
 // - azidentity.ClientSecretCredential when `tenantId`, `clientId` and
 // `clientSecret` fields are found.
+// - azidentity.ClientSecretCredential when `tenant`, `appId` and `password`
+// fields are found. To match with the JSON from:
+// https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal?tabs=azure-cli#manually-create-a-service-principal
 // - azidentity.ClientCertificateCredential when `tenantId`,
 // `clientCertificate` (and optionally `clientCertificatePassword`) fields
 // are found.
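Review bot: The new bullet is listed second in the credential list, but in the later tokenCredentialFromSecret hunk of this file the `tenant`/`appId`/`password` branch is evaluated after the `clientCertificate` branch and before the `if hasClientID` managed-identity fallback, so this comment gives a reader the wrong picture of which credential wins when a secret carries more than one field set. Either move the bullet to sit between the ClientCertificateCredential and ManagedIdentityCredential entries, or state the rule once, e.g. `// Field sets are checked in the order tokenCredentialFromSecret evaluates them; the first complete set wins and any other fields are ignored.` The doc comment and the type it documents continue outside this hunk.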
@@ -130,6 +138,13 @@ func ValidateSecret(secret *corev1.Secret) error {
 }
 }
 }
+ if _, hasTenant := secret.Data[tenantField]; hasTenant {
+ if _, hasAppID := secret.Data[appIDField]; hasAppID {
+ if _, hasPassword := secret.Data[passwordField]; hasPassword {
+ valid = true
+ }
+ }
+ }
 if _, hasResourceID := secret.Data[resourceIDField]; hasResourceID {
 valid = true
 }
@@ -284,6 +299,13 @@ func tokenCredentialFromSecret(secret *corev1.Secret) (azcore.TokenCredential, e
 return azidentity.NewClientCertificateCredential(string(tenantID), string(clientID), certs, key, nil)
 }
 }
+ if tenant, hasTenant := secret.Data[tenantField]; hasTenant {
+ if appId, hasAppID := secret.Data[appIDField]; hasAppID {
+ if password, hasPassword := secret.Data[passwordField]; hasPassword {
+ return azidentity.NewClientSecretCredential(string(tenant), string(appId), string(password), nil)
+ }
+ }
+ }
 if hasClientID {
 return azidentity.NewManagedIdentityCredential(&azidentity.ManagedIdentityCredentialOptions{
 ID: azidentity.ClientID(clientID),
diff --git a/pkg/azure/blob_test.go b/pkg/azure/blob_test.go
index 98a74e16..0c7de7a4 100644
--- a/pkg/azure/blob_test.go
+++ b/pkg/azure/blob_test.go
@@ -76,6 +76,16 @@ func TestValidateSecret(t *testing.T) {
 },
 },
 },
+ {
+ name: "valid ServicePrincipal Secret",
+ secret: &corev1.Secret{
+ Data: map[string][]byte{
+ tenantField: []byte("some-tenant-id-"),
+ appIDField: []byte("some-client-id-"),
+ passwordField: []byte("some-client-secret-"),
+ },
+ },
+ },
 {
 name: "valid SharedKey Secret",
 secret: &corev1.Secret{
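Review bot: The new branch in tokenCredentialFromSecret sits after the certificate branch and before the `if hasClientID` managed-identity fallback, so a secret that carries `clientId` together with `tenant`/`appId`/`password` now authenticates with the service-principal password instead of managed identity, and a secret that presumably also carries a complete `tenantId`/`clientId`/`clientSecret` set (handled above this hunk) keeps using that set with the `az` fields silently ignored; neither precedence is stated anywhere. A one-line comment above the branch would make it explicit, e.g. `// az-style fields are consulted only after the tenantId/clientId and certificate sets; they take precedence over the managed-identity fallback below.` The local `appId` should also be `appID` to match `appIDField` and `hasAppID`, i.e. `if appID, hasAppID := secret.Data[appIDField]; hasAppID {` and `string(appID)`. tokenCredentialFromSecret starts and ends outside this hunk, as does `hasClientID`'s declaration.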
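Review bot: The `valid ServicePrincipal Secret` case only covers the complete `tenant`/`appId`/`password` set; there is no case for an incomplete set (for example `tenant` and `appId` without `password`, where the new block in ValidateSecret leaves `valid` untouched) and none for a secret that also carries `clientId`, which is exactly the combination where the new branch's precedence over the managed-identity fallback in tokenCredentialFromSecret is decided. The same gap applies to the `with Tenant, AppID and Password fields` case added to Test_tokenCredentialFromSecret in the next hunk. An incomplete-set case here and a `clientId` plus `az`-fields case there expecting `&azidentity.ClientSecretCredential{}` would pin the behaviour this change introduces. Both test tables start and end outside their hunks.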
@@ -230,6 +240,17 @@ func Test_tokenCredentialFromSecret(t *testing.T) {
 },
 want: &azidentity.ClientSecretCredential{},
 },
+ {
+ name: "with Tenant, AppID and Password fields",
+ secret: &corev1.Secret{
+ Data: map[string][]byte{
+ appIDField: []byte("client-id"),
+ tenantField: []byte("tenant-id"),
+ passwordField: []byte("client-secret"),
+ },
+ },
+ want: &azidentity.ClientSecretCredential{},
+ },
 {
 name: "empty secret",
 secret: &corev1.Secret{},