Add ManagedIdentity with `AZURE_CLIENT_ID`
This ensures the Managed Identity authentication works with multiple identities assigned to a single node. Signed-off-by: Hidde Beydals <hello@hidde.co>
This commit is contained in:
parent
d7ce67979f
commit
ccb65c74f0
|
@ -66,22 +66,16 @@ type BlobClient struct {
|
||||||
//
|
//
|
||||||
// - azidentity.ClientSecretCredential when `tenantId`, `clientId` and
|
// - azidentity.ClientSecretCredential when `tenantId`, `clientId` and
|
||||||
// `clientSecret` fields are found.
|
// `clientSecret` fields are found.
|
||||||
// - azidentity.ClientSecretCredential when `tenant`, `appId` and `password`
|
|
||||||
// fields are found. To match with the JSON from:
|
|
||||||
// https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal?tabs=azure-cli#manually-create-a-service-principal
|
|
||||||
// - azidentity.ClientCertificateCredential when `tenantId`,
|
// - azidentity.ClientCertificateCredential when `tenantId`,
|
||||||
// `clientCertificate` (and optionally `clientCertificatePassword`) fields
|
// `clientCertificate` (and optionally `clientCertificatePassword`) fields
|
||||||
// are found.
|
// are found.
|
||||||
// - azidentity.ManagedIdentityCredential for a User ID, when a `clientId`
|
// - azidentity.ManagedIdentityCredential for a User ID, when a `clientId`
|
||||||
// field but no `tenantId` is found.
|
// field but no `tenantId` is found.
|
||||||
// - azidentity.ManagedIdentityCredential for a Resource ID, when a
|
// - azblob.SharedKeyCredential when an `accountKey` field is found.
|
||||||
// `resourceId` field is found.
|
|
||||||
// - azblob.SharedKeyCredential when an `accountKey` field is found.
|
|
||||||
// The account name is extracted from the endpoint specified on the Bucket
|
// The account name is extracted from the endpoint specified on the Bucket
|
||||||
// object.
|
// object.
|
||||||
// - azidentity.ChainedTokenCredential with azidentity.EnvironmentCredential
|
// - azidentity.ChainedTokenCredential with azidentity.EnvironmentCredential
|
||||||
// and azidentity.ManagedIdentityCredential with defaults if no Secret is
|
// and azidentity.ManagedIdentityCredential.
|
||||||
// given.
|
|
||||||
//
|
//
|
||||||
// If no credentials are found, and the azidentity.ChainedTokenCredential can
|
// If no credentials are found, and the azidentity.ChainedTokenCredential can
|
||||||
// not be established. A simple client without credentials is returned.
|
// not be established. A simple client without credentials is returned.
|
||||||
|
@ -292,16 +286,11 @@ func (c *BlobClient) ObjectIsNotFound(err error) bool {
|
||||||
// based on the data fields of the given Secret. It returns, in order:
|
// based on the data fields of the given Secret. It returns, in order:
|
||||||
// - azidentity.ClientSecretCredential when `tenantId`, `clientId` and
|
// - azidentity.ClientSecretCredential when `tenantId`, `clientId` and
|
||||||
// `clientSecret` fields are found.
|
// `clientSecret` fields are found.
|
||||||
// - azidentity.ClientSecretCredential when `tenant`, `appId` and `password`
|
|
||||||
// fields are found. To match with the JSON from:
|
|
||||||
// https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal?tabs=azure-cli#manually-create-a-service-principal
|
|
||||||
// - azidentity.ClientCertificateCredential when `tenantId`,
|
// - azidentity.ClientCertificateCredential when `tenantId`,
|
||||||
// `clientCertificate` (and optionally `clientCertificatePassword`) fields
|
// `clientCertificate` (and optionally `clientCertificatePassword`) fields
|
||||||
// are found.
|
// are found.
|
||||||
// - azidentity.ManagedIdentityCredential for a User ID, when a `clientId`
|
// - azidentity.ManagedIdentityCredential for a User ID, when a `clientId`
|
||||||
// field but no `tenantId` is found.
|
// field but no `tenantId` is found.
|
||||||
// - azidentity.ManagedIdentityCredential for a Resource ID, when a
|
|
||||||
// `resourceId` field is found.
|
|
||||||
// - Nil, if no valid set of credential fields was found.
|
// - Nil, if no valid set of credential fields was found.
|
||||||
func tokenCredentialFromSecret(secret *corev1.Secret) (azcore.TokenCredential, error) {
|
func tokenCredentialFromSecret(secret *corev1.Secret) (azcore.TokenCredential, error) {
|
||||||
if secret == nil {
|
if secret == nil {
|
||||||
|
@ -357,10 +346,14 @@ func sharedCredentialFromSecret(endpoint string, secret *corev1.Secret) (*azblob
|
||||||
// chainCredentialWithSecret tries to create a set of tokens, and returns an
|
// chainCredentialWithSecret tries to create a set of tokens, and returns an
|
||||||
// azidentity.ChainedTokenCredential if at least one of the following tokens was
|
// azidentity.ChainedTokenCredential if at least one of the following tokens was
|
||||||
// successfully created:
|
// successfully created:
|
||||||
// - azidentity.EnvironmentCredential
|
//
|
||||||
// - azidentity.ManagedIdentityCredential
|
// - azidentity.EnvironmentCredential with `authorityHost` from Secret, if
|
||||||
// If a Secret with an `authorityHost` is provided, this is set on the
|
// provided.
|
||||||
// azidentity.EnvironmentCredentialOptions. It may return nil.
|
// - azidentity.ManagedIdentityCredential with Client ID from AZURE_CLIENT_ID
|
||||||
|
// environment variable, if found.
|
||||||
|
// - azidentity.ManagedIdentityCredential with defaults.
|
||||||
|
//
|
||||||
|
// If no valid token is created, it returns nil.
|
||||||
func chainCredentialWithSecret(secret *corev1.Secret) (azcore.TokenCredential, error) {
|
func chainCredentialWithSecret(secret *corev1.Secret) (azcore.TokenCredential, error) {
|
||||||
var creds []azcore.TokenCredential
|
var creds []azcore.TokenCredential
|
||||||
|
|
||||||
|
@ -374,6 +367,13 @@ func chainCredentialWithSecret(secret *corev1.Secret) (azcore.TokenCredential, e
|
||||||
if token, _ := azidentity.NewEnvironmentCredential(credOpts); token != nil {
|
if token, _ := azidentity.NewEnvironmentCredential(credOpts); token != nil {
|
||||||
creds = append(creds, token)
|
creds = append(creds, token)
|
||||||
}
|
}
|
||||||
|
if clientID := os.Getenv("AZURE_CLIENT_ID"); clientID != "" {
|
||||||
|
if token, _ := azidentity.NewManagedIdentityCredential(&azidentity.ManagedIdentityCredentialOptions{
|
||||||
|
ID: azidentity.ClientID(clientID),
|
||||||
|
}); token != nil {
|
||||||
|
creds = append(creds, token)
|
||||||
|
}
|
||||||
|
}
|
||||||
if token, _ := azidentity.NewManagedIdentityCredential(nil); token != nil {
|
if token, _ := azidentity.NewManagedIdentityCredential(nil); token != nil {
|
||||||
creds = append(creds, token)
|
creds = append(creds, token)
|
||||||
}
|
}
|
||||||
|
|