Skip to content

Commit

Permalink
Merge pull request #3942 from jbpaux/fix/azure-sovereign-clouds
Browse files Browse the repository at this point in the history
fix(azure): sovereign cloud support
  • Loading branch information
k8s-ci-robot authored Oct 8, 2023
2 parents bc22050 + 45e2c2f commit a429215
Show file tree
Hide file tree
Showing 3 changed files with 27 additions and 24 deletions.
7 changes: 4 additions & 3 deletions provider/azure/azure.go
Original file line number Diff line number Diff line change
Expand Up @@ -70,15 +70,16 @@ func NewAzureProvider(configFile string, domainFilter endpoint.DomainFilter, zon
if err != nil {
return nil, fmt.Errorf("failed to read Azure config file '%s': %v", configFile, err)
}
cred, err := getCredentials(*cfg)
cred, clientOpts, err := getCredentials(*cfg)
if err != nil {
return nil, fmt.Errorf("failed to get credentials: %w", err)
}
zonesClient, err := dns.NewZonesClient(cfg.SubscriptionID, cred, nil)

zonesClient, err := dns.NewZonesClient(cfg.SubscriptionID, cred, clientOpts)
if err != nil {
return nil, err
}
recordSetsClient, err := dns.NewRecordSetsClient(cfg.SubscriptionID, cred, nil)
recordSetsClient, err := dns.NewRecordSetsClient(cfg.SubscriptionID, cred, clientOpts)
if err != nil {
return nil, err
}
Expand Down
7 changes: 4 additions & 3 deletions provider/azure/azure_private_dns.go
Original file line number Diff line number Diff line change
Expand Up @@ -64,15 +64,16 @@ func NewAzurePrivateDNSProvider(configFile string, domainFilter endpoint.DomainF
if err != nil {
return nil, fmt.Errorf("failed to read Azure config file '%s': %v", configFile, err)
}
cred, err := getCredentials(*cfg)
cred, clientOpts, err := getCredentials(*cfg)
if err != nil {
return nil, fmt.Errorf("failed to get credentials: %w", err)
}
zonesClient, err := privatedns.NewPrivateZonesClient(cfg.SubscriptionID, cred, nil)

zonesClient, err := privatedns.NewPrivateZonesClient(cfg.SubscriptionID, cred, clientOpts)
if err != nil {
return nil, err
}
recordSetsClient, err := privatedns.NewRecordSetsClient(cfg.SubscriptionID, cred, nil)
recordSetsClient, err := privatedns.NewRecordSetsClient(cfg.SubscriptionID, cred, clientOpts)
if err != nil {
return nil, err
}
Expand Down
37 changes: 19 additions & 18 deletions provider/azure/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ import (
"strings"

"github.com/Azure/azure-sdk-for-go/sdk/azcore"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
log "github.com/sirupsen/logrus"
Expand Down Expand Up @@ -65,10 +66,16 @@ func getConfig(configFile, resourceGroup, userAssignedIdentityClientID string) (
}

// getAccessToken retrieves Azure API access token.
func getCredentials(cfg config) (azcore.TokenCredential, error) {
func getCredentials(cfg config) (azcore.TokenCredential, *arm.ClientOptions, error) {
cloudCfg, err := getCloudConfiguration(cfg.Cloud)
if err != nil {
return nil, fmt.Errorf("failed to get cloud configuration: %w", err)
return nil, nil, fmt.Errorf("failed to get cloud configuration: %w", err)
}
clientOpts := azcore.ClientOptions{
Cloud: cloudCfg,
}
armClientOpts := &arm.ClientOptions{
ClientOptions: clientOpts,
}

// Try to retrieve token with service principal credentials.
Expand All @@ -83,25 +90,21 @@ func getCredentials(cfg config) (azcore.TokenCredential, error) {
!strings.EqualFold(cfg.ClientSecret, "msi") {
log.Info("Using client_id+client_secret to retrieve access token for Azure API.")
opts := &azidentity.ClientSecretCredentialOptions{
ClientOptions: azcore.ClientOptions{
Cloud: cloudCfg,
},
ClientOptions: clientOpts,
}
cred, err := azidentity.NewClientSecretCredential(cfg.TenantID, cfg.ClientID, cfg.ClientSecret, opts)
if err != nil {
return nil, fmt.Errorf("failed to create service principal token: %w", err)
return nil, nil, fmt.Errorf("failed to create service principal token: %w", err)
}
return cred, nil
return cred, armClientOpts, nil
}

// Try to retrieve token with Workload Identity.
if cfg.UseWorkloadIdentityExtension {
log.Info("Using workload identity extension to retrieve access token for Azure API.")

wiOpt := azidentity.WorkloadIdentityCredentialOptions{
ClientOptions: azcore.ClientOptions{
Cloud: cloudCfg,
},
ClientOptions: clientOpts,
// In a standard scenario, Client ID and Tenant ID are expected to be read from environment variables.
// Though, in certain cases, it might be important to have an option to override those (e.g. when AZURE_TENANT_ID is not set
// through a webhook or azure.workload.identity/client-id service account annotation is absent). When any of those values are
Expand All @@ -112,31 +115,29 @@ func getCredentials(cfg config) (azcore.TokenCredential, error) {

cred, err := azidentity.NewWorkloadIdentityCredential(&wiOpt)
if err != nil {
return nil, fmt.Errorf("failed to create a workload identity token: %w", err)
return nil, nil, fmt.Errorf("failed to create a workload identity token: %w", err)
}

return cred, nil
return cred, armClientOpts, nil
}

// Try to retrieve token with MSI.
if cfg.UseManagedIdentityExtension {
log.Info("Using managed identity extension to retrieve access token for Azure API.")
msiOpt := azidentity.ManagedIdentityCredentialOptions{
ClientOptions: azcore.ClientOptions{
Cloud: cloudCfg,
},
ClientOptions: clientOpts,
}
if cfg.UserAssignedIdentityID != "" {
msiOpt.ID = azidentity.ClientID(cfg.UserAssignedIdentityID)
}
cred, err := azidentity.NewManagedIdentityCredential(&msiOpt)
if err != nil {
return nil, fmt.Errorf("failed to create the managed service identity token: %w", err)
return nil, nil, fmt.Errorf("failed to create the managed service identity token: %w", err)
}
return cred, nil
return cred, armClientOpts, nil
}

return nil, fmt.Errorf("no credentials provided for Azure API")
return nil, nil, fmt.Errorf("no credentials provided for Azure API")
}

func getCloudConfiguration(name string) (cloud.Configuration, error) {
Expand Down

0 comments on commit a429215

Please sign in to comment.