Use azidentity instead of ADAL #2748
Conversation
k8s-ci-robot
added
the
do-not-merge/work-in-progress
|
@r4f4: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
do-not-merge/release-note-label-needed
|
Welcome @r4f4! |
k8s-ci-robot
added
size/L
|
Hi @r4f4. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/release-note-none |
k8s-ci-robot
added
release-note-none
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
| "github.com/Azure/go-autorest/autorest" | ||
| "github.com/Azure/go-autorest/autorest/adal" | ||
| "github.com/jongio/azidext/go/azidext" |
There was a problem hiding this comment.
what is this repo? it seems that it's in someone's personal GitHub org?
There was a problem hiding this comment.
should we be following https://github.com/Azure/azure-sdk-for-go/blob/main/sdk/azidentity/MIGRATION.md instead?
There was a problem hiding this comment.
It's what I did. See the section https://github.com/Azure/azure-sdk-for-go/blob/main/sdk/azidentity/MIGRATION.md#use-azidentity-credentials-with-older-packages where they recommend jongio's repo for getting an adapter so the new authorizer can work with older SDK clients.
There was a problem hiding this comment.
Got it, thanks for clarifying
|
This would be nice to get in. I have mentioned about this in workload identity proposal as a future work -- but prior work is fine. With azure workload identity, it seem we have to have use azidentity. |
| @@ -136,44 +139,50 @@ func (p *ManagedControlPlaneCredentialsProvider) GetAuthorizer(ctx context.Conte | |||
|
|
|||
| // GetAuthorizer returns an Azure authorizer based on the provided azure identity and cluster metadata. | |||
| func (p *AzureCredentialsProvider) GetAuthorizer(ctx context.Context, resourceManagerEndpoint, activeDirectoryEndpoint string, clusterMeta metav1.ObjectMeta) (autorest.Authorizer, error) { | |||
| var spt *adal.ServicePrincipalToken | |||
| var authErr error | |||
| var cred azcore.TokenCredential | |||
There was a problem hiding this comment.
Any particular reason for declaring these variables explicitly vs using shorthand in the switch case?
e.g
cred, err := azidentity.NewManagedIdentityCredential(&options)
There was a problem hiding this comment.
Yes. If I don't do this then I can't use them on lines https://github.com/kubernetes-sigs/cluster-api-provider-azure/pull/2748/files#diff-b6ab207506064afcbd1d777c1c7296e2953d2653a8843bfb39107af5cf5b0a87R174-R177.
The alternative would be to duplicate those lines in each case branch, which I tried to avoid.
azure/scope/identity.go
Outdated
| if len(endpoint) > 0 && endpoint[len(endpoint)-1] != '/' { | ||
| endpoint += "/" | ||
| } |
There was a problem hiding this comment.
Why is this additional / added here? resourceManagerEndpoint in the GetAuthorizer call should already have the exact url that the token needs to be requested for? FYI, adding an extra slash or removing an existing one can render the token unusable because the resource identifier has to be an exact match.
xref: https://github.com/Azure/azure-workload-identity/blob/main/pkg/proxy/proxy.go#L194-L203
There was a problem hiding this comment.
I was just looking at #2814 and found a ref to this, so figured i'll review it. I didn't mean to lurk 😆
There was a problem hiding this comment.
Thanks for the review. I've changed the code to be similar to the one you linked.
k8s-ci-robot
added
size/M
|
/retest |
|
@r4f4 -- The PR is still titled |
I just noticed that this code https://github.com/kubernetes-sigs/cluster-api-provider-azure/blob/main/azure/scope/clients.go#L96-L98 needs to be changed as well.
Now what is a problem is that autorest uses different env vars from MSAL for client certificate authentication. autorest uses [1] https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#DefaultAzureCredential |
|
[1] Re the env variables -- if MSAL uses a different env var name that will mean to communicate this to users to set up a env variable with the new name if a capz version containing this change is used or upgraded to. [2] I do not see ordering as a problem too. But it is worth to put these in release note and as well as in PR description. @aramase @CecileRobertMichon Any thoughts? |
k8s-ci-robot
added
size/L
k8s-ci-robot
removed
lgtm
|
Rebased and added the comment as requested. |
|
/retest |
1 similar comment
|
/retest |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
Are we keeping the 3 distinct commits intentionally or would it make sense to squash those? |
|
I think that should be squashed and @r4f4 kept it for easy reviews. @CecileRobertMichon @r4f4 -- Please squash the commits. |
k8s-ci-robot
removed
the
lgtm
|
Squashed commits. |
|
/retest |
ADAL is being deprecated, so use azidentity with an adapter so the new authentication can work with v1 SDK clients. Note that for certificate authentication, autorest uses the `AZURE_CERTIFICATE_` prefix for environment variables whereas azidentity uses `AZURE_CLIENT_CERTIFICATE_`. We make sure the latter is set to the value of the former so as not to break upgrades. Signed-off-by: Rafael Fonseca <[email protected]>
|
/test pull-cluster-api-provider-azure-e2e-optional |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mboersma, sonasingh46 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/retest |
|
another flake? /retest |
ADAL is being deprecated, so use azidentity with an adapter so the new authentication can work with v1 SDK clients. The only impact for users is to update the environment variables used for certificate authentication, from
AZURE_CERTIFICATE_toAZURE_CLIENT_CERTIFICATE_.Signed-off-by: Rafael Fonseca [email protected]
What type of PR is this?
/kind other
What this PR does / why we need it: ADAL is being deprecated, so use azidentity with an adapter so the new authentication can work with v1 SDK clients.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #
Special notes for your reviewer:
Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.
TODOs:
Release note: