
feat: migrate from autorest/adal to azidentity #195

Draft: wants to merge 1 commit into base branch master
Conversation

@aramase (Member) commented Jan 4, 2023

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Reason for Change:

  • Migrate from autorest/adal to azidentity
  • Migrate from github.com/Azure/azure-sdk-for-go/services/keyvault to sdk/keyvault

Issue Fixed:

fixes #179
fixes #180

Notes for Reviewers:

Review comment on lines +108 to +118 of the diff (the test case below is commented out in the PR):

```go
// {
// 	desc:             "no error with proxy mode",
// 	config:           &config.AzureConfig{ClientID: "clientid", ClientSecret: "clientsecret", TenantID: "tenantid"},
// 	vaultName:        "testkv",
// 	keyName:          "key1",
// 	keyVersion:       "262067a9e8ba401aa8a746c5f1a7e147",
// 	proxyMode:        true,
// 	proxyAddress:     "localhost",
// 	proxyPort:        7788,
// 	expectedVaultURL: "http://localhost:7788/testkv.vault.azure.net/",
// },
```
@aramase (Member, Author):

@bingosummer It looks like azidentity expects the authority host to be https. I had to comment this out because it failed the unit test:

```text
=== RUN   TestNewKeyVaultClient/no_error_with_proxy_mode
    /go/src/github.com/Azure/kubernetes-kms/pkg/plugin/keyvault_test.go:135: newKeyVaultClient() failed with error: failed to get key vault token, error: cannot use an authority host without https
```

I assume it'll fail when proxy is used but let's test this. The test image is aramase/keyvault:azkeys.00.

Member:

I didn't hit the error `cannot use an authority host without https`, but I hit the following error:

```text
I0109 08:06:14.823988       1 server.go:77] encrypt request started
E0109 08:06:15.063933       1 server.go:80] "failed to encrypt" err="failed to encrypt, error: challenge resource \"https://vault.azure.net\" doesn't match the requested domain. Set DisableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information"
E0109 08:06:15.064069       1 grpc.go:45] "GRPC request error" err="failed to encrypt, error: challenge resource \"https://vault.azure.net\" doesn't match the requested domain. Set DisableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information"
```

Will test the error `cannot use an authority host without https` again later.

Member:

When I use an SP instead of managed identity, I hit an error:

```text
E0109 11:06:13.954338       1 grpc.go:45] "GRPC request error" err=<
	failed to encrypt, error: ClientSecretCredential authentication failed
	POST https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/token
	--------------------------------------------------------------------------------
	RESPONSE 400 Bad Request
	--------------------------------------------------------------------------------
	{
	  "error": "invalid_scope",
	  "error_description": "AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://vault.azure.net openid offline_access profile is not valid.\r\nTrace ID: 75447226-d7f4-45c3-a56c-b844c719ea04\r\nCorrelation ID: 44d79503-6a49-49fc-9efb-ab6bc481c0e9\r\nTimestamp: 2023-01-09 11:06:13Z",
	  "error_codes": [
	    70011
	  ],
	  "timestamp": "2023-01-09 11:06:13Z",
	  "trace_id": "75447226-d7f4-45c3-a56c-b844c719ea04",
	  "correlation_id": "44d79503-6a49-49fc-9efb-ab6bc481c0e9"
	}
	--------------------------------------------------------------------------------
	To troubleshoot, visit https://aka.ms/azsdk/go/identity/troubleshoot#client-secret
 >
```
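The three failures in this thread are three distinct client-side checks, and it helps to see them side by side. The Go below is an added, stand-alone illustration written for this page, not code from kubernetes-kms or from the Azure SDK, and it uses only the standard library so it can run offline. `validateAuthorityHost` reproduces the https rule behind the first error; `scopeForResource` shows the v2.0 scope form (`<resource>/.default`) that the `invalid_scope` response is asking for, in place of the bare adal-style resource URI; `verifyChallengeResource` models the Key Vault challenge check behind the second error. The exact comparison the SDK performs is an assumption here (a case-insensitive host-suffix match against the challenge resource's host); the point it demonstrates is that the check stops a token scoped to Key Vault from being handed to a host that only claims to be a vault, which is why the proxy URL `http://localhost:7788/testkv.vault.azure.net/` from the commented-out test fails it. All sample URLs are taken from the thread or constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// validateAuthorityHost mirrors the azidentity rule behind the unit-test
// failure above: the token authority (the AAD login endpoint) must be reached
// over TLS, otherwise the client secret or a minted token travels in clear text.
func validateAuthorityHost(authority string) error {
	u, err := url.Parse(authority)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return errors.New("cannot use an authority host without https")
	}
	return nil
}

// scopeForResource converts an adal-style resource URI ("https://vault.azure.net")
// into the v2.0 scope form ("https://vault.azure.net/.default") that the
// oauth2/v2.0/token endpoint expects. Sending the bare resource is what
// produces the AADSTS70011 invalid_scope response quoted above.
func scopeForResource(resource string) string {
	return strings.TrimSuffix(resource, "/") + "/.default"
}

// verifyChallengeResource models the Key Vault challenge verification
// (assumption: a case-insensitive host-suffix match of the requested host
// against the challenge resource's host). Disabling it accepts the risk that a
// non-vault endpoint can obtain a Key Vault-scoped token, so treat
// DisableChallengeResourceVerification as a deliberate decision, not a config fix.
func verifyChallengeResource(requestURL, challengeResource string, disable bool) error {
	if disable {
		return nil
	}
	req, err := url.Parse(requestURL)
	if err != nil {
		return err
	}
	res, err := url.Parse(challengeResource)
	if err != nil {
		return err
	}
	// Hostname() drops the port, so "localhost:7788" compares as "localhost".
	reqHost := strings.ToLower(req.Hostname())
	resHost := strings.ToLower(res.Hostname())
	if !strings.HasSuffix(reqHost, "."+resHost) {
		return fmt.Errorf("challenge resource %q doesn't match the requested domain %q", challengeResource, req.Host)
	}
	return nil
}

func main() {
	// Constructed inputs built from the values that appear in the thread.
	fmt.Println(validateAuthorityHost("https://login.microsoftonline.com/")) // <nil>
	fmt.Println(validateAuthorityHost("http://localhost:7788/"))             // cannot use an authority host without https
	fmt.Println(scopeForResource("https://vault.azure.net"))                  // https://vault.azure.net/.default

	direct := "https://testkv.vault.azure.net/keys/key1/262067a9e8ba401aa8a746c5f1a7e147"
	proxied := "http://localhost:7788/testkv.vault.azure.net/keys/key1/262067a9e8ba401aa8a746c5f1a7e147"
	fmt.Println(verifyChallengeResource(direct, "https://vault.azure.net", false))  // <nil>
	fmt.Println(verifyChallengeResource(proxied, "https://vault.azure.net", false)) // mismatch error
	fmt.Println(verifyChallengeResource(proxied, "https://vault.azure.net", true))  // <nil> (verification disabled)
}
```

If the proxy path has to stay, the safer shape is to keep verification on and let the proxy present a hostname that ends in the vault domain, rather than turning the check off globally; disabling it should be logged and scoped to the proxy configuration only.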
