Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Different BSL credentials may conflict when deploying on Azure #6393

Closed
ywk253100 opened this issue Jun 14, 2023 · 8 comments
Closed

Different BSL credentials may conflict when deploying on Azure #6393

ywk253100 opened this issue Jun 14, 2023 · 8 comments
Assignees
@ywk253100
Labels
Area/Cloud/Azure
Milestone
v1.13

Comments

@ywk253100
Copy link
Contributor

Currently, Velero populates the storage credentials into the environment variables and Azure SDK reads them to do the auth.
Similar logic appears in two places of Velero:

However, different BSLs may have different credentials which could be set by the Credential field, the credential of one BSL may be overridden by others when dealing the BSLs concurrently, e.g. do the backup and restore with different BSL in the same time.

Vote on this issue!

This is an invitation to the Velero community to vote on issues, you can see the project's top voted issues listed here.
Use the "reaction smiley face" up to the right of this comment to vote.

  • 👍 for "I would like to see this bug fixed as soon as possible"
  • 👎 for "There are more important bugs to focus on right now"
@ywk253100 ywk253100 self-assigned this Jun 14, 2023
@anshulahuja98
Copy link
Collaborator

So overall how I see this is that we wish to replace NewDefaultAzureCredentialto something which can take the values in function inputs.
NewDefaultAzureCredential - comes with it's own set of benefits since it tries various auth approaches - ServicePrincipal / MSI /Workload Identity etc.

There is no equivalent function which takes these values as inputs and tries all auth mechanisms.

One route I see by which we can achieve this is by somehow bringing the logic of NewDefaultAzureCredential in our impl and create a ChainedTokenCredential, then use that further.

func AzureCredential(config map[]){
// Try to create NewClientSecretCredential with secret, principal ID, client ID
NewClientSecretCredential () // This does not have dependency on environment variables.
ChainedTokenCredential.Append()

WorkloadIdentity()
ChainedTokenCredential.Append()

MSICredential()
ChainedTokenCredential.Append()

}

Code ref : https://github.com/Azure/azure-sdk-for-go/blob/a98f12ec13aeff1991f2343db112f0d89bf1cdae/sdk/azidentity/default_azure_credential.go#L60

NewClientSecretCredential atleast will solve for environment dependence of NewEnvironmentCredential

for other routes, we'll have to slightly deeper into handling, but hopefully they should be solvable.

If this approach seems messy and indeterministic to an extent, we can also evaluate adding another field in the BSL which says which auth mode to use - MSI/ SP/ WKLD IDentity etc.
That could translate into an if-else tree to choose which auth mode to use when.

@ywk253100
Copy link
Contributor Author

@anshulahuja98 That's exactly what I'm thinking of.

The change should appear in three places: Azure plugin, Velero repository code and Kopia, we need to maintain duplicated code if we implement the logic separately.
Is it possible that we implement a ConfigCredential which is like the EnvironmentCredential but reads the credentials from a map in upstream Azure SDK? Seems that's pretty reasonable for the code that uses Azure SDK and runs concurrently.

@anshulahuja98
Copy link
Collaborator

EnvironmentCredential is just a wrapper on top of NewClientSecretCredential . We can simply use that.

Are you talking about an implementation similar to NewDefaultAzureCredential instead?

@ywk253100
Copy link
Contributor Author

Two levels for the implementation of Azure SDK:

The first one is implementing a ConfigCredential which is like the EnvironmentCredential but reads the credentials from a map. Besides the ClientSecretCredential we also need the ClientCertificateCredential and UsernamePasswordCredential as the current code supports all of them.

The second level is implementing a new function like the NewDefaultAzureCredential but wraps the ConfigCredential instead(make ConfigCredential, WorkloadIdentityCredential, ManagedIdentityCredential and CLICredential as a chain).

With these two new implementations, developers can use them to interact with Azure in concurrent code.

@anshulahuja98
Copy link
Collaborator

Hmm, it does make sense, but might be slightly difficult to convince the SDK team.
Might need to start a bit of code to see how the interfaces will end up looking like and then we can create an Issue in their repo wiith more details. And see what they think of it.

@ywk253100
Copy link
Contributor Author

OK. I'll implement that on the Kopia side and let estimate that again after the work

@ywk253100
Copy link
Contributor Author

Opened an issue for Azure SDK: Azure/azure-sdk-for-go#21061

@pradeepkchaturvedi pradeepkchaturvedi added the 1.13-candidate issue/pr that should be considered to target v1.13 minor release label Aug 4, 2023
@reasonerjt reasonerjt removed the 1.13-candidate issue/pr that should be considered to target v1.13 minor release label Aug 23, 2023
@reasonerjt reasonerjt added this to the v1.13 milestone Aug 23, 2023
@ywk253100
Copy link
Contributor Author

Fixed by vmware-tanzu/velero-plugin-for-microsoft-azure#206 and #6686

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ywk253100 ywk253100

Labels
Area/Cloud/Azure
Projects
None yet
Milestone
v1.13
Development

No branches or pull requests
5 participants
@reasonerjt @ywk253100 @anshulahuja98 @pradeepkchaturvedi @Lyndon-Li