Add support for Azure client certificate auth #2786
Conversation
…zure-service-operator into feature/client-cert-auth
super-harsh
requested review from
davefellows,
theunrepentantgeek,
matthchr and
babbageclunk
as code owners
Codecov Report
@@ Coverage Diff @@
## main #2786 +/- ##
==========================================
- Coverage 52.49% 52.49% -0.01%
==========================================
Files 1000 1001 +1
Lines 418800 418813 +13
==========================================
+ Hits 219842 219843 +1
- Misses 163731 163745 +14
+ Partials 35227 35225 -2
... and 3 files with indirect coverage changes Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
| export AZURE_CLIENT_ID="00000000-0000-0000-0000-00000000000" # The client ID (sometimes called App Id) of the Service Principal. | ||
| export AZURE_SUBSCRIPTION_ID="00000000-0000-0000-0000-00000000000" # The Azure Subscription ID the identity is in. | ||
| export AZURE_TENANT_ID="00000000-0000-0000-0000-00000000000" # The Azure AAD Tenant the identity/subscription is associated with. | ||
| export AZURE_CLIENT_CERTIFICATE="myCertificateValue" # The client certificate of the Service Principal. |
There was a problem hiding this comment.
minor: This should be the ASCII of the cert right? Can you make it look more like the cert? I think usually they will start with a header and then some values?
Co-authored-by: Matthew Christopher <matthchr@users.noreply.github.com>
Co-authored-by: Matthew Christopher <matthchr@users.noreply.github.com>
Co-authored-by: Matthew Christopher <matthchr@users.noreply.github.com>
| export AZURE_CLIENT_ID="00000000-0000-0000-0000-00000000000" # The client ID (sometimes called App Id) of the Service Principal. | ||
| export AZURE_SUBSCRIPTION_ID="00000000-0000-0000-0000-00000000000" # The Azure Subscription ID the identity is in. | ||
| export AZURE_TENANT_ID="00000000-0000-0000-0000-00000000000" # The Azure AAD Tenant the identity/subscription is associated with. | ||
| export AZURE_CLIENT_CERTIFICATE="-----BEGIN PRIVATE KEY----- |
There was a problem hiding this comment.
minor: does this export command actually work? Not sure how multiline exports work.
There was a problem hiding this comment.
yes, it does.. will have to do something like export AZURE_CLIENT_CERTIFICATE=cat certFile.pem`. Also, we have a livetest for this.
|
|
||
| ### Prerequisites | ||
| 1. An existing Azure Service Principal. | ||
| 2. Certificate in ASCII format such as PEM, CER, or DER. |
There was a problem hiding this comment.
Any kind of certificate? Or are only certain algorithms/signing-authorities accepted? Probably too much detail to cover here, but a link would be useful.
v2/cmd/controller/main.go
Outdated
| } else if cert := os.Getenv(config.ClientCertificateVar); cert != "" { | ||
| certPassword := os.Getenv(config.ClientCertificatePasswordVar) | ||
| credential, err = identity.NewClientCertificateCredential(cfg.TenantID, cfg.ClientID, []byte(cert), []byte(certPassword)) | ||
| if err != nil { | ||
| return nil, errors.Wrapf(err, "unable to get client certificate credential") | ||
| } |
There was a problem hiding this comment.
This chain of if statements is unwieldy and challenging to read.
Suggest getting rid of the chaining by having each block unconditionally return. E.g.
if cfg.UseWorkloadIdentityAuth {
credential, err = identity.NewWorkloadIdentityCredential(cfg.TenantID, cfg.ClientID)
if err != nil {
return nil, errors.Wrapf(err, "unable to get workload identity credential")
}
return credential, nil
} then the next block can stand alone
if cert := os.Getenv(config.ClientCertificateVar); cert != "" {
... elided
}and the default case doesn't need any nesting
credential, err = azidentity.NewDefaultAzureCredential(nil)
if err != nil {
return nil, errors.Wrapf(err, "unable to get default azure credential")
}
return credential, err| credential, err = azidentity.NewClientSecretCredential(string(tenantID), string(clientID), string(clientSecret), nil) | ||
| if err != nil { | ||
| return nil, "", errors.Wrap(err, errors.Errorf("invalid Client Secret Credential for %q encountered", nsName.String()).Error()) | ||
| } | ||
| } else if clientCert, hasClientCert := secret.Data[config.ClientCertificateVar]; hasClientCert { |
There was a problem hiding this comment.
Another case where chaining of the if statements makes it challenging for someone unfamiliar with the code. Maybe use a similar fix?
Co-authored-by: Bevan Arps <bevan.arps@microsoft.com>
Co-authored-by: Bevan Arps <bevan.arps@microsoft.com>
Co-authored-by: Bevan Arps <bevan.arps@microsoft.com>
Co-authored-by: Bevan Arps <bevan.arps@microsoft.com>
Co-authored-by: Bevan Arps <bevan.arps@microsoft.com>
* Add support for Azure client certificate auth Co-authored-by: Harshdeep Singh <harshdsingh@microsoft.com> Co-authored-by: Matthew Christopher <matthchr@users.noreply.github.com> Co-authored-by: Bevan Arps <bevan.arps@microsoft.com>
Closes #2761
What this PR does / why we need it:
This PR adds support to handle client auth using Certificates