From 5356b028f159a0aa24ae217053d7c12dd8838a1b Mon Sep 17 00:00:00 2001
From: Ciprian Hacman
Date: Tue, 18 Jul 2023 05:19:46 +0300
Subject: [PATCH] azure: Verify node identity using VMSS name instead of tags

---
 upup/pkg/fi/cloudup/azure/verifier.go     | 31 ++++++++++++++---------
 upup/pkg/fi/cloudup/template_functions.go |  4 ++-
 2 files changed, 22 insertions(+), 13 deletions(-)

diff --git a/upup/pkg/fi/cloudup/azure/verifier.go b/upup/pkg/fi/cloudup/azure/verifier.go
index 3ce31bd7b6..7f5ccd8188 100644
--- a/upup/pkg/fi/cloudup/azure/verifier.go
+++ b/upup/pkg/fi/cloudup/azure/verifier.go
@@ -28,15 +28,16 @@ import (
 	"github.com/Azure/azure-sdk-for-go/services/network/mgmt/2022-05-01/network"
 	"github.com/Azure/go-autorest/autorest/azure/auth"
 	"k8s.io/kops/pkg/bootstrap"
-	"k8s.io/kops/pkg/nodeidentity/azure"
 	"k8s.io/kops/pkg/wellknownports"
 )
 
 type AzureVerifierOptions struct {
+	ClusterName string `json:"clusterName,omitempty"`
 }
 
 type azureVerifier struct {
-	client *client
+	client      *client
+	clusterName string
 }
 
 var _ bootstrap.Verifier = &azureVerifier{}
@@ -47,8 +48,13 @@ func NewAzureVerifier(ctx context.Context, opt *AzureVerifierOptions) (bootstrap
 		return nil, err
 	}
 
+	if opt == nil || opt.ClusterName == "" {
+		return nil, fmt.Errorf("determining cluster name")
+	}
+
 	return &azureVerifier{
-		client: azureClient,
+		client:      azureClient,
+		clusterName: opt.ClusterName,
 	}, nil
 }
 
@@ -65,6 +71,11 @@ func (a azureVerifier) VerifyToken(ctx context.Context, rawRequest *http.Request
 	vmssName := v[1]
 	vmssIndex := v[2]
 
+	if !strings.HasSuffix(vmssName, "."+a.clusterName) {
+		return nil, fmt.Errorf("matching cluster name %q to VMSS %q", a.clusterName, vmssName)
+	}
+	igName := strings.TrimSuffix(vmssName, "."+a.clusterName)
+
 	vm, err := a.client.vmsClient.Get(ctx, a.client.resourceGroup, vmssName, vmssIndex, "")
 	if err != nil {
 		return nil, fmt.Errorf("getting info for VMSS virtual machine %q #%s: %w", vmssName, vmssIndex, err)
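Review bot: The `opt == nil || opt.ClusterName == ""` guard sits after the block that produced `azureClient` (the `return nil, err` at the top of the hunk), so a verifier with no cluster name configured presumably does the Azure client and credential setup before it is rejected; moving the check to the first lines of NewAzureVerifier fails fast and avoids that work. The message `determining cluster name` reads like an operation that failed rather than a missing setting; `return nil, fmt.Errorf("azure verifier: clusterName is required")` tells the operator what to fix. NewAzureVerifier starts outside the hunk.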
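Review bot: `strings.TrimSuffix` yields an empty igName when vmssName is exactly `"."+a.clusterName`, which the HasSuffix check on the line above accepts, so the result can carry an empty InstanceGroupName; add `if igName == "" { return nil, fmt.Errorf("determining instance group name from VMSS %q", vmssName) }` right after the TrimSuffix line. Since the cluster binding now rests on the VMSS name suffix together with the resource-group-scoped `vmsClient.Get` that follows, a comment above the check stating that — `// A node's VMSS must be named <igName>.<clusterName>; with the resource-group-scoped lookup below this binds the token to this cluster.` — would record the contract for the next reader. The suffix match is byte-exact and case-sensitive, so it is worth confirming that clusterName and the VMSS names come from the same code path and cannot differ in casing. VerifyToken starts and ends outside the hunk.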
@@ -73,11 +84,12 @@ func (a azureVerifier) VerifyToken(ctx context.Context, rawRequest *http.Request
 		return nil, fmt.Errorf("determining VMID for VMSS %q virtual machine #%s", vmssName, vmssIndex)
 	}
 	if vmId != *vm.VMID {
-		return nil, fmt.Errorf("matching VMID %q for VMSS %q virtual machine #%s", vmId, vmssName, vmssIndex)
+		return nil, fmt.Errorf("matching VMID %q to VMSS %q virtual machine #%s", vmId, vmssName, vmssIndex)
 	}
-	if vm.OsProfile == nil || *vm.OsProfile.ComputerName == "" {
+	if vm.OsProfile == nil || vm.OsProfile.ComputerName == nil || *vm.OsProfile.ComputerName == "" {
 		return nil, fmt.Errorf("determining ComputerName for VMSS %q virtual machine #%s", vmssName, vmssIndex)
 	}
+	nodeName := *vm.OsProfile.ComputerName
 
 	ni, err := a.client.nisClient.GetVirtualMachineScaleSetNetworkInterface(ctx, a.client.resourceGroup, vmssName, vmssIndex, vmssName+"-netconfig", "")
 	if err != nil {
@@ -100,17 +112,12 @@ func (a azureVerifier) VerifyToken(ctx context.Context, rawRequest *http.Request
 	}
 
 	result := &bootstrap.VerifyResult{
-		NodeName:          *vm.OsProfile.ComputerName,
+		NodeName:          nodeName,
+		InstanceGroupName: igName,
 		CertificateNames:  addrs,
 		ChallengeEndpoint: challengeEndpoints[0],
 	}
 
-	for key, value := range vm.Tags {
-		if key == azure.InstanceGroupNameTag && value != nil {
-			result.InstanceGroupName = *value
-		}
-	}
-
 	return result, nil
 }
 
diff --git a/upup/pkg/fi/cloudup/template_functions.go b/upup/pkg/fi/cloudup/template_functions.go
index 598f1076d6..51e472b6c7 100644
--- a/upup/pkg/fi/cloudup/template_functions.go
+++ b/upup/pkg/fi/cloudup/template_functions.go
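Review bot: Nothing in VerifyToken records why InstanceGroupName is now taken from the VMSS name instead of the removed `vm.Tags` loop, so the next maintainer has no guard against reintroducing the tag lookup; a comment on the `InstanceGroupName: igName,` line — `// Derived from the VMSS name, which was checked against the cluster name above; tags are not consulted because they can be edited after the VM is created.` — would capture that. The rationale about tags is my inference from the change, so adjust the wording if the motivation was different. VerifyToken starts outside the hunk.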
@@ -737,7 +737,9 @@ func (tf *TemplateFunctions) KopsControllerConfig() (string, error) {
 		config.Server.Provider.Scaleway = &scaleway.ScalewayVerifierOptions{}
 	case kops.CloudProviderAzure:
-		config.Server.Provider.Azure = &azure.AzureVerifierOptions{}
+		config.Server.Provider.Azure = &azure.AzureVerifierOptions{
+			ClusterName: tf.ClusterName(),
+		}
 	default:
 		return "", fmt.Errorf("unsupported cloud provider %s", cluster.Spec.GetCloudProvider())