azure: Verify node identity using VMSS name instead of tags

2023-07-18 05:19:46 +03:00 · 2023-07-18 05:19:46 +03:00 · 5356b028f1
parent 9d2aa4c1d8
commit 5356b028f1
2 changed files with 22 additions and 13 deletions
--- a/upup/pkg/fi/cloudup/azure/verifier.go
+++ b/upup/pkg/fi/cloudup/azure/verifier.go
@ -28,15 +28,16 @@ import (
 	"github.com/Azure/azure-sdk-for-go/services/network/mgmt/2022-05-01/network"
 	"github.com/Azure/go-autorest/autorest/azure/auth"
 	"k8s.io/kops/pkg/bootstrap"
-	"k8s.io/kops/pkg/nodeidentity/azure"
 	"k8s.io/kops/pkg/wellknownports"
 )

 type AzureVerifierOptions struct {
+	ClusterName string `json:"clusterName,omitempty"`
 }

 type azureVerifier struct {
 	client      *client
+	clusterName string
 }

 var _ bootstrap.Verifier = &azureVerifier{}
@ -47,8 +48,13 @@ func NewAzureVerifier(ctx context.Context, opt *AzureVerifierOptions) (bootstrap
 		return nil, err
 	}

+	if opt == nil || opt.ClusterName == "" {
+		return nil, fmt.Errorf("determining cluster name")
+	}
+
 	return &azureVerifier{
 		client:      azureClient,
+		clusterName: opt.ClusterName,
 	}, nil
 }

@ -65,6 +71,11 @@ func (a azureVerifier) VerifyToken(ctx context.Context, rawRequest *http.Request
 	vmssName := v[1]
 	vmssIndex := v[2]

+	if !strings.HasSuffix(vmssName, "."+a.clusterName) {
+		return nil, fmt.Errorf("matching cluster name %q to VMSS %q", a.clusterName, vmssName)
+	}
+	igName := strings.TrimSuffix(vmssName, "."+a.clusterName)
+
 	vm, err := a.client.vmsClient.Get(ctx, a.client.resourceGroup, vmssName, vmssIndex, "")
 	if err != nil {
 		return nil, fmt.Errorf("getting info for VMSS virtual machine %q #%s: %w", vmssName, vmssIndex, err)
@ -73,11 +84,12 @@ func (a azureVerifier) VerifyToken(ctx context.Context, rawRequest *http.Request
 		return nil, fmt.Errorf("determining VMID for VMSS %q virtual machine #%s", vmssName, vmssIndex)
 	}
 	if vmId != *vm.VMID {
-		return nil, fmt.Errorf("matching VMID %q for VMSS %q virtual machine #%s", vmId, vmssName, vmssIndex)
+		return nil, fmt.Errorf("matching VMID %q to VMSS %q virtual machine #%s", vmId, vmssName, vmssIndex)
 	}
-	if vm.OsProfile == nil || *vm.OsProfile.ComputerName == "" {
+	if vm.OsProfile == nil || vm.OsProfile.ComputerName == nil || *vm.OsProfile.ComputerName == "" {
 		return nil, fmt.Errorf("determining ComputerName for VMSS %q virtual machine #%s", vmssName, vmssIndex)
 	}
+	nodeName := *vm.OsProfile.ComputerName

 	ni, err := a.client.nisClient.GetVirtualMachineScaleSetNetworkInterface(ctx, a.client.resourceGroup, vmssName, vmssIndex, vmssName+"-netconfig", "")
 	if err != nil {
@ -100,17 +112,12 @@ func (a azureVerifier) VerifyToken(ctx context.Context, rawRequest *http.Request
 	}

 	result := &bootstrap.VerifyResult{
-		NodeName:          *vm.OsProfile.ComputerName,
+		NodeName:          nodeName,
+		InstanceGroupName: igName,
 		CertificateNames:  addrs,
 		ChallengeEndpoint: challengeEndpoints[0],
 	}

-	for key, value := range vm.Tags {
-		if key == azure.InstanceGroupNameTag && value != nil {
-			result.InstanceGroupName = *value
-		}
-	}
-
 	return result, nil
 }

--- a/upup/pkg/fi/cloudup/template_functions.go
+++ b/upup/pkg/fi/cloudup/template_functions.go
@ -737,7 +737,9 @@ func (tf *TemplateFunctions) KopsControllerConfig() (string, error) {
 			config.Server.Provider.Scaleway = &scaleway.ScalewayVerifierOptions{}

 		case kops.CloudProviderAzure:
-			config.Server.Provider.Azure = &azure.AzureVerifierOptions{}
+			config.Server.Provider.Azure = &azure.AzureVerifierOptions{
+				ClusterName: tf.ClusterName(),
+			}

 		default:
 			return "", fmt.Errorf("unsupported cloud provider %s", cluster.Spec.GetCloudProvider())