Pass environmental key vault suffix to client
Signed-off-by: Zhongcheng Lao <[email protected]>
laozc committed Apr 15, 2023
1 parent 3d51877 commit f060a55
Showing 7 changed files with 76 additions and 31 deletions.
44 changes: 30 additions & 14 deletions cmd/azure-keyvault-controller/main.go
Expand Up @@ -176,16 +176,17 @@ func main() {
eventBroadcaster.StartRecordingToSink(&typedcorev1.EventSinkImpl{Interface: kubeClient.CoreV1().Events("")})

var token azcore.TokenCredential
var keyVaultDNSSuffix string
klog.Infof("use `%s` as authType", authType)
switch authType {
case "azureCloudConfig":
token, err = getCredentialsFromCloudConfig(cloudconfig)
token, keyVaultDNSSuffix, err = getCredentialsFromCloudConfig(cloudconfig)
if err != nil {
klog.ErrorS(err, "failed to create cloud config provider for azure key vault", "file", cloudconfig)
os.Exit(1)
}
case "environment":
token, err = getCredentialsFromEnvironment()
token, keyVaultDNSSuffix, err = getCredentialsFromEnvironment()
if err != nil {
klog.ErrorS(err, "failed to create credentials provider from environment for azure key vault")
os.Exit(1)
Expand All @@ -197,7 +198,7 @@ func main() {
klog.Infof(msg)
})
}
token, err = getCredentialsFromAzidentity()
token, keyVaultDNSSuffix, err = getCredentialsFromAzidentity()
if err != nil {
klog.ErrorS(err, "failed to create credentials provider from azidentity for azure key vault")
os.Exit(1)
Expand All @@ -208,7 +209,7 @@ func main() {
os.Exit(1)
}

vaultService := vault.NewService(token)
vaultService := vault.NewService(token, keyVaultDNSSuffix)

recorder := eventBroadcaster.NewRecorder(scheme.Scheme, corev1.EventSource{Component: controllerAgentName})

Expand Down Expand Up @@ -256,34 +257,49 @@ func healthHandler(w http.ResponseWriter, r *http.Request) {
}
}

func getCredentialsFromCloudConfig(cloudconfig string) (azure.LegacyTokenCredential, error) {
func getCredentialsFromCloudConfig(cloudconfig string) (azure.LegacyTokenCredential, string, error) {
f, err := os.Open(cloudconfig)
if err != nil {
return nil, fmt.Errorf("failed reading azure config from %s, error: %+v", cloudconfig, err)
return nil, "", fmt.Errorf("failed reading azure config from %s, error: %+v", cloudconfig, err)
}
defer f.Close()

cloudCnfProvider, err := credentialprovider.NewFromCloudConfig(f)
if err != nil {
return nil, fmt.Errorf("failed reading azure config from %s, error: %+v", cloudconfig, err)
return nil, "", fmt.Errorf("failed reading azure config from %s, error: %+v", cloudconfig, err)
}

return cloudCnfProvider.GetAzureKeyVaultCredentials()
token, err := cloudCnfProvider.GetAzureKeyVaultCredentials()
if err != nil {
return nil, "", nil
}

return token, cloudCnfProvider.GetAzureKeyVaultDNSSuffix(), err
}

func getCredentialsFromEnvironment() (azure.LegacyTokenCredential, error) {
func getCredentialsFromEnvironment() (azure.LegacyTokenCredential, string, error) {
provider, err := credentialprovider.NewFromEnvironment()
if err != nil {
return nil, fmt.Errorf("failed to create azure credentials provider, error: %+v", err)
return nil, "", fmt.Errorf("failed to create azure credentials provider, error: %+v", err)
}

return provider.GetAzureKeyVaultCredentials()
token, err := provider.GetAzureKeyVaultCredentials()
if err != nil {
return nil, "", nil
}

return token, provider.GetAzureKeyVaultDNSSuffix(), err
}

func getCredentialsFromAzidentity() (azure.LegacyTokenCredential, error) {
func getCredentialsFromAzidentity() (azure.LegacyTokenCredential, string, error) {
provider, err := credentialprovider.NewFromAzidentity()
if err != nil {
return nil, fmt.Errorf("failed to create azure identity provider, error: %+v", err)
return nil, "", fmt.Errorf("failed to create azure identity provider, error: %+v", err)
}
token, err := provider.GetAzureKeyVaultCredentials()
if err != nil {
return nil, "", nil
}
return provider.GetAzureKeyVaultCredentials()

return token, provider.GetAzureKeyVaultDNSSuffix(), err
}
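Review bot: The error from GetAzureKeyVaultCredentials is dropped in all three helpers — the `if err != nil` branches of getCredentialsFromCloudConfig, getCredentialsFromEnvironment and getCredentialsFromAzidentity each do `return nil, "", nil` — so main sees err == nil and hands a nil token to vault.NewService, turning a credential failure at startup into an opaque failure on the first vault call instead of the logged exit the callers expect. Each of those lines should read `return nil, "", err`. The trailing `return token, provider.GetAzureKeyVaultDNSSuffix(), err` lines then always carry a nil err, so returning the literal `nil` there makes the success path explicit. The same pattern appears in all three functions, so the one-line fix applies to each; the earlier hunks in this file sit inside main, which begins and ends outside the hunk.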
8 changes: 4 additions & 4 deletions cmd/azure-keyvault-env/authentication.go
Expand Up @@ -87,17 +87,17 @@ func createMtlsClient(clientCertDir string) (*http.Client, error) {
return client, nil
}

func getCredentials() (azure.LegacyTokenCredential, error) {
func getCredentials() (azure.LegacyTokenCredential, string, error) {
provider, err := credentialprovider.NewFromEnvironment()
if err != nil {
return nil, fmt.Errorf("failed to create credentials provider for azure key vault, error: %w", err)
return nil, "", fmt.Errorf("failed to create credentials provider for azure key vault, error: %w", err)
}

creds, err := provider.GetAzureKeyVaultCredentials()
if err != nil {
return nil, fmt.Errorf("failed to get credentials for azure key vault, error: %w", err)
return nil, "", fmt.Errorf("failed to get credentials for azure key vault, error: %w", err)
}
return creds, nil
return creds, provider.GetAzureKeyVaultDNSSuffix(), nil
}

func getCredentialsAuthService(authServiceAddress string, authServiceValidationAddress string, clientCertDir string) (azure.LegacyTokenCredential, error) {
12 changes: 10 additions & 2 deletions cmd/azure-keyvault-env/main.go
Expand Up @@ -30,6 +30,7 @@ import (
"github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/akv2k8s"
"github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/akv2k8s/transformers"
"github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/azure"
"github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/azure/credentialprovider"
vault "github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/azure/keyvault/client"
akv "github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/k8s/apis/azurekeyvault/v2beta1"
clientset "github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/k8s/client/clientset/versioned"
Expand Down Expand Up @@ -250,21 +251,28 @@ func main() {
}

var creds azure.LegacyTokenCredential
var keyVaultDNSSuffix string
if config.useAuthService {
provider, err := credentialprovider.NewFromEnvironment()
if err != nil {
klog.ErrorS(err, "failed to get provider from environment", "failedTimes", config.retryTimes)
os.Exit(1)
}
keyVaultDNSSuffix = provider.GetAzureKeyVaultDNSSuffix()
creds, err = getCredentialsAuthService(config.authServiceAddress, config.authServiceValidationAddress, config.clientCertDir)
if err != nil {
klog.ErrorS(err, "failed to get credentials", "failedTimes", config.retryTimes)
os.Exit(1)
}
} else {
creds, err = getCredentials()
creds, keyVaultDNSSuffix, err = getCredentials()
if err != nil {
klog.ErrorS(err, "failed to get credentials", "failedTimes", config.retryTimes)
os.Exit(1)
}
}

vaultService := vault.NewService(creds)
vaultService := vault.NewService(creds, keyVaultDNSSuffix)

klog.V(4).InfoS("reading azurekeyvaultsecret's referenced in env variables")
cfg, err := rest.InClusterConfig()
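Review bot: In the useAuthService branch, credentialprovider.NewFromEnvironment is now called solely to read the DNS suffix, and any failure is fatal via `os.Exit(1)`, which adds a hard dependency on environment settings to a mode whose credentials come from the auth service. NewFromEnvironment is not visible here; if it validates credential-related variables, pods that previously ran in auth-service mode without them will now exit, and the log line `"failed to get provider from environment"` does not tell the operator that only the suffix lookup was involved. Keeping the credential and the suffix from one source would avoid the split — for example by having getCredentialsAuthService return the suffix as getCredentials now does — or, at minimum, word the error as `"failed to resolve key vault DNS suffix from environment"`. Failing closed here is the right default, since the suffix decides which host the bearer credential is presented to. main begins and ends outside the hunk.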
14 changes: 14 additions & 0 deletions pkg/azure/credentialprovider/akv.go
Expand Up @@ -84,6 +84,11 @@ func (c CloudConfigCredentialProvider) GetAzureKeyVaultCredentials() (azure.Lega
return azure.NewLegacyTokenCredentialAdal(token), nil
}

// GetAzureKeyVaultDNSSuffix returns the environment specific Azure Key Vault DNS suffix
func (c CloudConfigCredentialProvider) GetAzureKeyVaultDNSSuffix() string {
return c.environment.KeyVaultDNSSuffix
}

// GetAzureKeyVaultCredentials will get Azure credentials
func (c EnvironmentCredentialProvider) GetAzureKeyVaultCredentials() (azure.LegacyTokenCredential, error) {
azureToken, err := getCredentials(c.envSettings, c.envSettings.Environment.ResourceIdentifiers.KeyVault)
Expand All @@ -92,7 +97,11 @@ func (c EnvironmentCredentialProvider) GetAzureKeyVaultCredentials() (azure.Lega
}

return azure.NewLegacyTokenCredentialAdal(azureToken.token), nil
}

// GetAzureKeyVaultDNSSuffix returns the environment specific Azure Key Vault DNS suffix
func (c EnvironmentCredentialProvider) GetAzureKeyVaultDNSSuffix() string {
return c.envSettings.Environment.KeyVaultDNSSuffix
}

func getCredentialsAzidentity() (azure.LegacyTokenCredential, error) {
Expand All @@ -108,3 +117,8 @@ func getCredentialsAzidentity() (azure.LegacyTokenCredential, error) {
func (c AzidentityCredentialProvider) GetAzureKeyVaultCredentials() (azure.LegacyTokenCredential, error) {
return getCredentialsAzidentity()
}

// GetAzureKeyVaultDNSSuffix returns the environment specific Azure Key Vault DNS suffix
func (c AzidentityCredentialProvider) GetAzureKeyVaultDNSSuffix() string {
return c.envSettings.Environment.KeyVaultDNSSuffix
}
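Review bot: The three new GetAzureKeyVaultDNSSuffix doc comments repeat "environment specific Azure Key Vault DNS suffix" without stating what a caller may rely on: whether the value is a bare host suffix without a leading dot, and whether it can be empty. Suggest on each: `// GetAzureKeyVaultDNSSuffix returns the Key Vault host suffix for the configured cloud, e.g. vault.azure.net (no leading dot); an empty value makes the client fall back to the public-cloud suffix.` That fallback is what vaultNameToURL in service.go implements, so the contract is worth pinning here. Whether AzidentityCredentialProvider's envSettings is always populated is not visible in this hunk; if it can be zero-valued, this method returns "" and requests silently go to the public-cloud host, which is worth a one-line note on that method.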
1 change: 1 addition & 0 deletions pkg/azure/credentialprovider/provider.go
Expand Up @@ -62,6 +62,7 @@ type CredentialProvider interface {
GetAzureKeyVaultCredentials() (myazure.LegacyTokenCredential, error)
GetAcrCredentials(image string) (k8sCredentialProvider.DockerConfigEntry, error)
// IsAcrRegistry(image string) bool
GetAzureKeyVaultDNSSuffix() string
}

// UserAssignedManagedIdentityProvider provides credentials for Azure using managed identity
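Review bot: The new interface method GetAzureKeyVaultDNSSuffix has no doc comment and is placed directly under the commented-out `// IsAcrRegistry(image string) bool`, which reads as if that comment described it; move it above and document it: `// GetAzureKeyVaultDNSSuffix returns the Key Vault host suffix for the provider's cloud, e.g. vault.azure.net; empty selects the client's default.` Adding a method to an exported interface breaks any implementer not updated in this commit; the three providers in akv.go gain the method, but whether other types (the UserAssignedManagedIdentityProvider declared just below, or implementers outside this repository) satisfy CredentialProvider is not visible here.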
24 changes: 15 additions & 9 deletions pkg/azure/keyvault/client/service.go
Expand Up @@ -48,18 +48,24 @@ type CertificateOptions struct {
}

type azureKeyVaultService struct {
credentials azure.LegacyTokenCredential
credentials azure.LegacyTokenCredential
keyVaultDNSSuffix string
}

// NewService creates a new AzureKeyVaultService
func NewService(creds azure.LegacyTokenCredential) Service {
func NewService(creds azure.LegacyTokenCredential, keyVaultDNSSuffix string) Service {
return &azureKeyVaultService{
credentials: creds,
credentials: creds,
keyVaultDNSSuffix: keyVaultDNSSuffix,
}
}

func vaultNameToURL(name string) string {
return fmt.Sprintf("https://%s.vault.azure.net", name)
func (a *azureKeyVaultService) vaultNameToURL(name string) string {
suffix := a.keyVaultDNSSuffix
if suffix == "" {
suffix = "vault.azure.net"
}
return fmt.Sprintf("https://%s.%s", name, suffix)
}

// GetSecret download secrets from Azure Key Vault
Expand All @@ -68,7 +74,7 @@ func (a *azureKeyVaultService) GetSecret(vaultSpec *akvs.AzureKeyVault) (string,
return "", fmt.Errorf("azurekeyvaultsecret.spec.vault.object.name not set")
}

client, err := azsecrets.NewClient(vaultNameToURL(vaultSpec.Name), a.credentials, nil)
client, err := azsecrets.NewClient(a.vaultNameToURL(vaultSpec.Name), a.credentials, nil)
if err != nil {
return "", err
}
Expand All @@ -88,7 +94,7 @@ func (a *azureKeyVaultService) GetKey(vaultSpec *akvs.AzureKeyVault) (string, er
return "", fmt.Errorf("azurekeyvaultsecret.spec.vault.object.name not set")
}

client, err := azkeys.NewClient(vaultNameToURL(vaultSpec.Name), a.credentials, nil)
client, err := azkeys.NewClient(a.vaultNameToURL(vaultSpec.Name), a.credentials, nil)
if err != nil {
return "", err
}
Expand All @@ -107,11 +113,11 @@ func (a *azureKeyVaultService) GetKey(vaultSpec *akvs.AzureKeyVault) (string, er

// GetCertificate download public/private certificates from Azure Key Vault
func (a *azureKeyVaultService) GetCertificate(vaultSpec *akvs.AzureKeyVault, options *CertificateOptions) (*Certificate, error) {
client, err := azcertificates.NewClient(vaultNameToURL(vaultSpec.Name), a.credentials, &azcertificates.ClientOptions{})
client, err := azcertificates.NewClient(a.vaultNameToURL(vaultSpec.Name), a.credentials, &azcertificates.ClientOptions{})
if err != nil {
return nil, err
}
clientSecret, err := azsecrets.NewClient(vaultNameToURL(vaultSpec.Name), a.credentials, &azsecrets.ClientOptions{})
clientSecret, err := azsecrets.NewClient(a.vaultNameToURL(vaultSpec.Name), a.credentials, &azsecrets.ClientOptions{})
if err != nil {
return nil, err
}
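Review bot: vaultNameToURL hard-codes the fallback `"vault.azure.net"` as a bare literal inside the method, and neither the keyVaultDNSSuffix field nor the new NewService parameter says what the value must look like or that empty means public cloud. Hoist the default to a package constant, `const defaultKeyVaultDNSSuffix = "vault.azure.net"`, use it in the method as `suffix = defaultKeyVaultDNSSuffix`, and document the parameter on NewService: `// keyVaultDNSSuffix is the cloud-specific Key Vault host suffix without a leading dot; empty selects defaultKeyVaultDNSSuffix.` Since the suffix now determines the host that receives the credential on every GetSecret/GetKey/GetCertificate call, a short field comment noting that it is trusted deployment config (not derived from the AzureKeyVault spec) helps the next reader judge where validation belongs. GetSecret, GetKey and GetCertificate each begin or end outside their hunks.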
4 changes: 2 additions & 2 deletions pkg/azure/keyvault/client/service_test.go
Expand Up @@ -88,7 +88,7 @@ func TestIntegrationGetSecret(t *testing.T) {
t.Error(err)
}

srvc := NewService(creds)
srvc := NewService(creds, provider.GetAzureKeyVaultDNSSuffix())
akvSecret := newAzureKeyVaultSecret("mySecret", "akv2k8s-test", "my-secret")

secret, err := srvc.GetSecret(&akvSecret.Spec.Vault)
Expand All @@ -115,7 +115,7 @@ func TestIntegrationEnvironmentGetSecret(t *testing.T) {
t.Error(err)
}

srvc := NewService(creds)
srvc := NewService(creds, provider.GetAzureKeyVaultDNSSuffix())
akvSecret := newAzureKeyVaultSecret("mySecret", "akv2k8s-test", "my-secret")

secret, err := srvc.GetSecret(&akvSecret.Spec.Vault)
