Add ManagedIdentity with `AZURE_CLIENT_ID`

This ensures the Managed Identity authentication works with multiple
identities assigned to a single node.

Signed-off-by: Hidde Beydals <hello@hidde.co>
Hidde Beydals 2022-03-04 18:31:12 +01:00
parent d7ce67979f
commit ccb65c74f0
1 changed files with 17 additions and 17 deletions


@ -66,22 +66,16 @@ type BlobClient struct {
// //
// - azidentity.ClientSecretCredential when `tenantId`, `clientId` and // - azidentity.ClientSecretCredential when `tenantId`, `clientId` and
// `clientSecret` fields are found. // `clientSecret` fields are found.
// - azidentity.ClientSecretCredential when `tenant`, `appId` and `password`
// fields are found. To match with the JSON from:
// https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal?tabs=azure-cli#manually-create-a-service-principal
// - azidentity.ClientCertificateCredential when `tenantId`, // - azidentity.ClientCertificateCredential when `tenantId`,
// `clientCertificate` (and optionally `clientCertificatePassword`) fields // `clientCertificate` (and optionally `clientCertificatePassword`) fields
// are found. // are found.
// - azidentity.ManagedIdentityCredential for a User ID, when a `clientId` // - azidentity.ManagedIdentityCredential for a User ID, when a `clientId`
// field but no `tenantId` is found. // field but no `tenantId` is found.
// - azidentity.ManagedIdentityCredential for a Resource ID, when a // - azblob.SharedKeyCredential when an `accountKey` field is found.
// `resourceId` field is found.
// - azblob.SharedKeyCredential when an `accountKey` field is found.
// The account name is extracted from the endpoint specified on the Bucket // The account name is extracted from the endpoint specified on the Bucket
// object. // object.
// - azidentity.ChainedTokenCredential with azidentity.EnvironmentCredential // - azidentity.ChainedTokenCredential with azidentity.EnvironmentCredential
// and azidentity.ManagedIdentityCredential with defaults if no Secret is // and azidentity.ManagedIdentityCredential.
// given.
// //
// If no credentials are found, and the azidentity.ChainedTokenCredential can // If no credentials are found, and the azidentity.ChainedTokenCredential can
// not be established. A simple client without credentials is returned. // not be established. A simple client without credentials is returned.
@ -292,16 +286,11 @@ func (c *BlobClient) ObjectIsNotFound(err error) bool {
// based on the data fields of the given Secret. It returns, in order: // based on the data fields of the given Secret. It returns, in order:
// - azidentity.ClientSecretCredential when `tenantId`, `clientId` and // - azidentity.ClientSecretCredential when `tenantId`, `clientId` and
// `clientSecret` fields are found. // `clientSecret` fields are found.
// - azidentity.ClientSecretCredential when `tenant`, `appId` and `password`
// fields are found. To match with the JSON from:
// https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal?tabs=azure-cli#manually-create-a-service-principal
// - azidentity.ClientCertificateCredential when `tenantId`, // - azidentity.ClientCertificateCredential when `tenantId`,
// `clientCertificate` (and optionally `clientCertificatePassword`) fields // `clientCertificate` (and optionally `clientCertificatePassword`) fields
// are found. // are found.
// - azidentity.ManagedIdentityCredential for a User ID, when a `clientId` // - azidentity.ManagedIdentityCredential for a User ID, when a `clientId`
// field but no `tenantId` is found. // field but no `tenantId` is found.
// - azidentity.ManagedIdentityCredential for a Resource ID, when a
// `resourceId` field is found.
// - Nil, if no valid set of credential fields was found. // - Nil, if no valid set of credential fields was found.
func tokenCredentialFromSecret(secret *corev1.Secret) (azcore.TokenCredential, error) { func tokenCredentialFromSecret(secret *corev1.Secret) (azcore.TokenCredential, error) {
if secret == nil { if secret == nil {
@ -357,10 +346,14 @@ func sharedCredentialFromSecret(endpoint string, secret *corev1.Secret) (*azblob
// chainCredentialWithSecret tries to create a set of tokens, and returns an // chainCredentialWithSecret tries to create a set of tokens, and returns an
// azidentity.ChainedTokenCredential if at least one of the following tokens was // azidentity.ChainedTokenCredential if at least one of the following tokens was
// successfully created: // successfully created:
// - azidentity.EnvironmentCredential //
// - azidentity.ManagedIdentityCredential // - azidentity.EnvironmentCredential with `authorityHost` from Secret, if
// If a Secret with an `authorityHost` is provided, this is set on the // provided.
// azidentity.EnvironmentCredentialOptions. It may return nil. // - azidentity.ManagedIdentityCredential with Client ID from AZURE_CLIENT_ID
// environment variable, if found.
// - azidentity.ManagedIdentityCredential with defaults.
//
// If no valid token is created, it returns nil.
func chainCredentialWithSecret(secret *corev1.Secret) (azcore.TokenCredential, error) { func chainCredentialWithSecret(secret *corev1.Secret) (azcore.TokenCredential, error) {
var creds []azcore.TokenCredential var creds []azcore.TokenCredential
@ -374,6 +367,13 @@ func chainCredentialWithSecret(secret *corev1.Secret) (azcore.TokenCredential, e
if token, _ := azidentity.NewEnvironmentCredential(credOpts); token != nil { if token, _ := azidentity.NewEnvironmentCredential(credOpts); token != nil {
creds = append(creds, token) creds = append(creds, token)
} }
if clientID := os.Getenv("AZURE_CLIENT_ID"); clientID != "" {
if token, _ := azidentity.NewManagedIdentityCredential(&azidentity.ManagedIdentityCredentialOptions{
ID: azidentity.ClientID(clientID),
}); token != nil {
creds = append(creds, token)
}
}
if token, _ := azidentity.NewManagedIdentityCredential(nil); token != nil { if token, _ := azidentity.NewManagedIdentityCredential(nil); token != nil {
creds = append(creds, token) creds = append(creds, token)
} }
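Review bot: The default `NewManagedIdentityCredential(nil)` credential is still appended even when `AZURE_CLIENT_ID` was set, so a mistyped or revoked client ID silently degrades to the node's system-assigned identity instead of failing, and since the construction error is discarded (`token, _ :=`) nothing records that the explicit identity was skipped. Unless the fallback is intentional, only add the default credential when no client ID was configured, e.g. replace the closing brace after the inner block and the following line with `} else if token, _ := azidentity.NewManagedIdentityCredential(nil); token != nil {`; if the fallback is wanted, a comment above the block such as `// Fall back to the default (system-assigned) identity when no AZURE_CLIENT_ID is set or it could not be used.` would make the precedence explicit. The doc comment in the earlier hunk should then be kept in sync with whichever behaviour is chosen. No import hunk appears in the diff, so this assumes `os` is already imported in the file. chainCredentialWithSecret's signature and return are outside this hunk.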