feat(azuredns): provide ability to configure authentication methods

go-acme · Sep 27, 2023 · f4ab2aa · f4ab2aa
1 parent c2fd449
commit f4ab2aa
Show file tree

Hide file tree

Showing 3 changed files with 161 additions and 45 deletions.
diff --git a/providers/dns/azuredns/azuredns.go b/providers/dns/azuredns/azuredns.go
@@ -3,12 +3,14 @@
 package azuredns
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"time"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/go-acme/lego/v4/challenge"
 	"github.com/go-acme/lego/v4/platform/config/env"
@@ -31,6 +33,12 @@ const (
 	EnvTTL                = envNamespace + "TTL"
 	EnvPropagationTimeout = envNamespace + "PROPAGATION_TIMEOUT"
 	EnvPollingInterval    = envNamespace + "POLLING_INTERVAL"
+
+	EnvUseEnvVars = envNamespace + "USE_ENV_VARS"
+	EnvUseWli     = envNamespace + "USE_WLI"
+	EnvUseMsi     = envNamespace + "USE_MSI"
+	EnvUseCli     = envNamespace + "USE_CLI"
+	EnvMsiTimeout = envNamespace + "MSI_TIMEOUT"
 )
 
 // Config is used to configure the creation of the DNSProvider.
@@ -49,6 +57,12 @@ type Config struct {
 	PropagationTimeout time.Duration
 	PollingInterval    time.Duration
 	TTL                int
+
+	UseEnvVars bool
+	UseWli     bool
+	UseMsi     bool
+	UseCli     bool
+	MsiTimeout time.Duration
 }
 
 // NewDefaultConfig returns a default configuration for the DNSProvider.
@@ -58,7 +72,37 @@ func NewDefaultConfig() *Config {
 		PropagationTimeout: env.GetOrDefaultSecond(EnvPropagationTimeout, 2*time.Minute),
 		PollingInterval:    env.GetOrDefaultSecond(EnvPollingInterval, 2*time.Second),
 		Environment:        cloud.AzurePublic,
+		UseEnvVars:         env.GetOrDefaultBool(EnvUseEnvVars, true),
+		UseWli:             env.GetOrDefaultBool(EnvUseWli, true),
+		UseMsi:             env.GetOrDefaultBool(EnvUseMsi, true),
+		UseCli:             env.GetOrDefaultBool(EnvUseCli, true),
+		MsiTimeout:         env.GetOrDefaultSecond(EnvMsiTimeout, 2*time.Second),
+	}
+}
+
+// timeoutWrapper wraps a ManagedIdentityCredential to add a timeout.
+type timeoutWrapper struct {
+	cred    azcore.TokenCredential
+	timeout time.Duration
+}
+
+// timeoutWrapper GetToken implements the azcore.TokenCredential interface.
+func (w *timeoutWrapper) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
+	var tk azcore.AccessToken
+	var err error
+	if w.timeout > 0 {
+		c, cancel := context.WithTimeout(ctx, w.timeout)
+		defer cancel()
+		tk, err = w.cred.GetToken(c, opts)
+		if ce := c.Err(); errors.Is(ce, context.DeadlineExceeded) {
+			err = azidentity.NewCredentialUnavailableError("managed identity timed out")
+		} else {
+			w.timeout = 0
+		}
+	} else {
+		tk, err = w.cred.GetToken(ctx, opts)
 	}
+	return tk, err
 }
 
 // DNSProvider implements the challenge.Provider interface.
@@ -103,30 +147,10 @@ func NewDNSProviderConfig(config *Config) (*DNSProvider, error) {
 		return nil, errors.New("azuredns: the configuration of the DNS provider is nil")
 	}
 
-	var err error
-	var credentials azcore.TokenCredential
-	if config.ClientID != "" && config.ClientSecret != "" && config.TenantID != "" {
-		options := azidentity.ClientSecretCredentialOptions{
-			ClientOptions: azcore.ClientOptions{
-				Cloud: config.Environment,
-			},
-		}
-
-		credentials, err = azidentity.NewClientSecretCredential(config.TenantID, config.ClientID, config.ClientSecret, &options)
-		if err != nil {
-			return nil, fmt.Errorf("azuredns: %w", err)
-		}
-	} else {
-		options := azidentity.DefaultAzureCredentialOptions{
-			ClientOptions: azcore.ClientOptions{
-				Cloud: config.Environment,
-			},
-		}
-
-		credentials, err = azidentity.NewDefaultAzureCredential(&options)
-		if err != nil {
-			return nil, fmt.Errorf("azuredns: %w", err)
-		}
+	creds := getCredentials(config)
+	credentials, err := azidentity.NewChainedTokenCredential(*creds, nil)
+	if err != nil {
+		return nil, errors.New("azuredns: Unable to retrieve valid credentials")
 	}
 
 	if config.SubscriptionID == "" {
@@ -153,6 +177,43 @@ func NewDNSProviderConfig(config *Config) (*DNSProvider, error) {
 	return &DNSProvider{provider: dnsProvider}, nil
 }
 
+func getCredentials(config *Config) *[]azcore.TokenCredential {
+	var creds []azcore.TokenCredential
+	clientOptions := azcore.ClientOptions{Cloud: config.Environment}
+
+	var err error
+	var cred azcore.TokenCredential
+	if config.UseEnvVars {
+		cred, err = azidentity.NewEnvironmentCredential(&azidentity.EnvironmentCredentialOptions{ClientOptions: clientOptions})
+		if err == nil {
+			creds = append(creds, cred)
+		}
+	}
+
+	if config.UseWli {
+		cred, err = azidentity.NewWorkloadIdentityCredential(&azidentity.WorkloadIdentityCredentialOptions{ClientOptions: clientOptions})
+		if err == nil {
+			creds = append(creds, cred)
+		}
+	}
+
+	if config.UseMsi {
+		cred, err = azidentity.NewManagedIdentityCredential(&azidentity.ManagedIdentityCredentialOptions{ClientOptions: clientOptions})
+		if err == nil {
+			creds = append(creds, &timeoutWrapper{cred, time.Second})
+		}
+	}
+
+	if config.UseCli {
+		cred, err = azidentity.NewAzureCLICredential(nil)
+		if err == nil {
+			creds = append(creds, cred)
+		}
+	}
+
+	return &creds
+}
+
 // Timeout returns the timeout and interval to use when checking for DNS propagation.
 // Adjusting here to cope with spikes in propagation times.
 func (d *DNSProvider) Timeout() (timeout, interval time.Duration) {

diff --git a/providers/dns/azuredns/azuredns.toml b/providers/dns/azuredns/azuredns.toml
@@ -45,19 +45,55 @@ lego --domains example.com --email your_example@email.com --dns azuredns run
 Additional = '''
 ## Description
 
-Azure Credentials are automatically detected in the following locations and prioritized in the following order:
+Azure Credentials automatically detects in the following locations and prioritized in the following order:
 
 1. Environment variables for client secret: `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_CLIENT_SECRET`
 2. Environment variables for client certificate: `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_CLIENT_CERTIFICATE_PATH`
 3. Workload identity for resources hosted in Azure environment (see below)
-4. Shared credentials file (defaults to `~/.azure`), used by Azure CLI
+4. Shared credentials (defaults to `~/.azure` folder), used by Azure CLI
 
 Link:
 - [Azure Authentication](https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication)
 
+### Environment variables
+
+#### Client secret
+
+The Azure Credentials can be configured using the following environment variables:
+* AZURE_CLIENT_ID = "Client ID"
+* AZURE_CLIENT_SECRET = "Client secret"
+* AZURE_TENANT_ID = "Tenant ID"
+
+This authentication method can be disabled by setting the `AZURE_USE_ENV_VARS` environment variable to `false`.
+
+#### Client certificate
+
+The Azure Credentials can be configured using the following environment variables:
+* AZURE_CLIENT_ID = "Client ID"
+* AZURE_CLIENT_CERTIFICATE_PATH = "Client certificate path"
+* AZURE_TENANT_ID = "Tenant ID"
+
+This authentication method can be disabled by setting the `AZURE_USE_ENV_VARS` environment variable to `false`.
+
 ### Workload identity
 
-#### Azure Managed Identity
+Workload identity allows workloads running Azure Kubernetes Services (AKS) clusters to authenticate as an Azure AD application identity using federated credentials.
+
+This must be configured in kubernetes workload deployment in one hand and on the Azure AD application registration in the other hand.
+
+Here is a summary of the steps to follow to use it :
+* create a `ServiceAccount` resource, add following annotations to reference the targeted Azure AD application registration : `azure.workload.identity/client-id` and `azure.workload.identity/tenant-id`.
+* on the `Deployment` resource you must reference the previous `ServiceAccount` and add the following label : `azure.workload.identity/use: "true"`.
+* create a fedreated credentials of type `Kubernetes accessing Azure resources`, add the cluster issuer URL  and add the namespace and name of your kubernetes service account.
+
+Link :
+- [Azure AD Workload identity](https://azure.github.io/azure-workload-identity/docs/topics/service-account-labels-and-annotations.html)
+
+This authentication method can be disabled by setting the `AZURE_USE_WLI` environment variable to `false`.
+
+### Azure Managed Identity
+
+#### Azure Managed Identity (with Azure workload)
 
 The Azure Managed Identity service allows linking Azure AD identities to Azure resources, without needing to manually manage client IDs and secrets.
 
@@ -87,6 +123,9 @@ az role assignment create \
 --scope "/subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${AZURE_RESOURCE_GROUP}/providers/Microsoft.Network/dnszones/${AZURE_DNS_ZONE}/TXT/${AZ_RECORD_SET}"
 ```
 
+A timeout wrapper is configured for this authentication method. The duraction can be configured by setting the `AZURE_MSI_TIMEOUT`. The default timeout is 2 seconds.
+This authentication method can be disabled by setting the `AZURE_USE_MSI` environment variable to `false`.
+
 #### Azure Managed Identity (with Azure Arc)
 
 The Azure Arc agent provides the ability to use a Managed Identity on resources hosted outside of Azure
@@ -95,22 +134,19 @@ The Azure Arc agent provides the ability to use a Managed Identity on resources
 While the upstream `azidentity` SDK will try to automatically identify and use the Azure Arc metadata service,
 if you get `azuredns: DefaultAzureCredential: failed to acquire a token.` error messages,
 you may need to set the environment variables:
-  * `IMDS_ENDPOINT=http://localhost:40342`
-  * `IDENTITY_ENDPOINT=http://localhost:40342/metadata/identity/oauth2/token`
+* `IMDS_ENDPOINT=http://localhost:40342`
+* `IDENTITY_ENDPOINT=http://localhost:40342/metadata/identity/oauth2/token`
 
-#### Workload identity for AKS
+A timeout wrapper is configured for this authentication method. The duraction can be configured by setting the `AZURE_MSI_TIMEOUT`. The default timeout is 2 seconds.
+This authentication method can be disabled by setting the `AZURE_USE_MSI` environment variable to `false`.
 
-Workload identity allows workloads running Azure Kubernetes Services (AKS) clusters to authenticate as an Azure AD application identity using federated credentials.
+### Azure CLI
 
-This must be configured in kubernetes workload deployment in one hand and on the Azure AD application registration in the other hand.
+The Azure CLI is a command-line tool provided by Microsoft to interact with Azure resources.
+It provides an easy way to authenticate by simply running `az login` command.
+The generated token will be cached by default in the `~/.azure` folder.
 
-Here is a summary of the steps to follow to use it :
-* create a `ServiceAccount` resource, add following annotations to reference the targeted Azure AD application registration : `azure.workload.identity/client-id` and `azure.workload.identity/tenant-id`.
-* on the `Deployment` resource you must reference the previous `ServiceAccount` and add the following label : `azure.workload.identity/use: "true"`.
-* create a fedreated credentials of type `Kubernetes accessing Azure resources`, add the cluster issuer URL  and add the namespace and name of your kubernetes service account.
-
-Link :
-- [Azure AD Workload identity](https://azure.github.io/azure-workload-identity/docs/topics/service-account-labels-and-annotations.html)
+This authentication method can be disabled by setting the `AZURE_USE_CLI` environment variable to `false`.
 
 '''
 
@@ -119,6 +155,12 @@ Link :
     AZURE_CLIENT_ID = "Client ID"
     AZURE_CLIENT_SECRET = "Client secret"
     AZURE_TENANT_ID = "Tenant ID"
+    AZURE_CLIENT_CERTIFICATE_PATH = "Client certificate path"
+    AZURE_USE_ENV_VARS = "Enable environment variables credentials, true by default"
+    AZURE_USE_WLI = "Enable workload identity credentials, true by default"
+    AZURE_USE_MSI = "Enable managed service identity credentials, true by default"
+    AZURE_USE_CLI = "Enable Azure CLI credentials, true by default"
+  [Configuration.DnsZone]
     AZURE_SUBSCRIPTION_ID = "DNS zone subscription ID"
     AZURE_RESOURCE_GROUP = "DNS zone resource group"
   [Configuration.Additional]
@@ -128,6 +170,7 @@ Link :
     AZURE_TTL = "The TTL of the TXT record used for the DNS challenge"
     AZURE_POLLING_INTERVAL = "Time between DNS propagation check"
     AZURE_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation"
+    AZURE_MSI_TIMEOUT = "Managed Identity timeout duration"
 
 [Links]
   API = "https://docs.microsoft.com/en-us/go/azure/"

diff --git a/providers/dns/azuredns/azuredns_test.go b/providers/dns/azuredns/azuredns_test.go
@@ -13,13 +13,13 @@ import (
 
 const envDomain = envNamespace + "DOMAIN"
 
-var envTest = tester.NewEnvTest(
-	EnvEnvironment,
-	EnvSubscriptionID,
-	EnvResourceGroup).
-	WithDomain(envDomain)
-
 func TestNewDNSProvider(t *testing.T) {
+	envTest := tester.NewEnvTest(
+		EnvEnvironment,
+		EnvSubscriptionID,
+		EnvResourceGroup).
+		WithDomain(envDomain)
+
 	testCases := []struct {
 		desc     string
 		envVars  map[string]string
@@ -140,6 +140,12 @@ func TestNewDNSProviderConfig(t *testing.T) {
 }
 
 func TestLivePresent(t *testing.T) {
+	envTest := tester.NewEnvTest(
+		EnvEnvironment,
+		EnvSubscriptionID,
+		EnvResourceGroup).
+		WithDomain(envDomain)
+
 	if !envTest.IsLiveTest() {
 		t.Skip("skipping live test")
 	}
@@ -153,6 +159,12 @@ func TestLivePresent(t *testing.T) {
 }
 
 func TestLiveCleanUp(t *testing.T) {
+	envTest := tester.NewEnvTest(
+		EnvEnvironment,
+		EnvSubscriptionID,
+		EnvResourceGroup).
+		WithDomain(envDomain)
+
 	if !envTest.IsLiveTest() {
 		t.Skip("skipping live test")
 	}