-
Notifications
You must be signed in to change notification settings - Fork 189
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for Azure client certificate auth #2786
Conversation
…zure-service-operator into feature/client-cert-auth
Codecov Report
@@ Coverage Diff @@
## main #2786 +/- ##
==========================================
- Coverage 52.49% 52.49% -0.01%
==========================================
Files 1000 1001 +1
Lines 418800 418813 +13
==========================================
+ Hits 219842 219843 +1
- Misses 163731 163745 +14
+ Partials 35227 35225 -2
... and 3 files with indirect coverage changes Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Basically LGTM, left a few small comments. Happy to approve once those are resolved.
export AZURE_CLIENT_ID="00000000-0000-0000-0000-00000000000" # The client ID (sometimes called App Id) of the Service Principal. | ||
export AZURE_SUBSCRIPTION_ID="00000000-0000-0000-0000-00000000000" # The Azure Subscription ID the identity is in. | ||
export AZURE_TENANT_ID="00000000-0000-0000-0000-00000000000" # The Azure AAD Tenant the identity/subscription is associated with. | ||
export AZURE_CLIENT_CERTIFICATE="myCertificateValue" # The client certificate of the Service Principal. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
minor: This should be the ASCII of the cert right? Can you make it look more like the cert? I think usually they will start with a header and then some values?
Co-authored-by: Matthew Christopher <matthchr@users.noreply.github.com>
Co-authored-by: Matthew Christopher <matthchr@users.noreply.github.com>
Co-authored-by: Matthew Christopher <matthchr@users.noreply.github.com>
export AZURE_CLIENT_ID="00000000-0000-0000-0000-00000000000" # The client ID (sometimes called App Id) of the Service Principal. | ||
export AZURE_SUBSCRIPTION_ID="00000000-0000-0000-0000-00000000000" # The Azure Subscription ID the identity is in. | ||
export AZURE_TENANT_ID="00000000-0000-0000-0000-00000000000" # The Azure AAD Tenant the identity/subscription is associated with. | ||
export AZURE_CLIENT_CERTIFICATE="-----BEGIN PRIVATE KEY----- |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
minor: does this export command actually work? Not sure how multiline exports work.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, it does.. will have to do something like export AZURE_CLIENT_CERTIFICATE=
cat certFile.pem`. Also, we have a livetest for this.
|
||
### Prerequisites | ||
1. An existing Azure Service Principal. | ||
2. Certificate in ASCII format such as PEM, CER, or DER. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any kind of certificate? Or are only certain algorithms/signing-authorities accepted? Probably too much detail to cover here, but a link would be useful.
v2/cmd/controller/main.go
Outdated
} else if cert := os.Getenv(config.ClientCertificateVar); cert != "" { | ||
certPassword := os.Getenv(config.ClientCertificatePasswordVar) | ||
credential, err = identity.NewClientCertificateCredential(cfg.TenantID, cfg.ClientID, []byte(cert), []byte(certPassword)) | ||
if err != nil { | ||
return nil, errors.Wrapf(err, "unable to get client certificate credential") | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This chain of if statements is unwieldy and challenging to read.
Suggest getting rid of the chaining by having each block unconditionally return. E.g.
if cfg.UseWorkloadIdentityAuth {
credential, err = identity.NewWorkloadIdentityCredential(cfg.TenantID, cfg.ClientID)
if err != nil {
return nil, errors.Wrapf(err, "unable to get workload identity credential")
}
return credential, nil
}
then the next block can stand alone
if cert := os.Getenv(config.ClientCertificateVar); cert != "" {
... elided
}
and the default case doesn't need any nesting
credential, err = azidentity.NewDefaultAzureCredential(nil)
if err != nil {
return nil, errors.Wrapf(err, "unable to get default azure credential")
}
return credential, err
credential, err = azidentity.NewClientSecretCredential(string(tenantID), string(clientID), string(clientSecret), nil) | ||
if err != nil { | ||
return nil, "", errors.Wrap(err, errors.Errorf("invalid Client Secret Credential for %q encountered", nsName.String()).Error()) | ||
} | ||
} else if clientCert, hasClientCert := secret.Data[config.ClientCertificateVar]; hasClientCert { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Another case where chaining of the if statements makes it challenging for someone unfamiliar with the code. Maybe use a similar fix?
Co-authored-by: Bevan Arps <bevan.arps@microsoft.com>
Co-authored-by: Bevan Arps <bevan.arps@microsoft.com>
Co-authored-by: Bevan Arps <bevan.arps@microsoft.com>
Co-authored-by: Bevan Arps <bevan.arps@microsoft.com>
Co-authored-by: Bevan Arps <bevan.arps@microsoft.com>
* Add support for Azure client certificate auth Co-authored-by: Harshdeep Singh <harshdsingh@microsoft.com> Co-authored-by: Matthew Christopher <matthchr@users.noreply.github.com> Co-authored-by: Bevan Arps <bevan.arps@microsoft.com>
Closes #2761
What this PR does / why we need it:
This PR adds support to handle client auth using Certificates