-
Notifications
You must be signed in to change notification settings - Fork 998
/
azure_aad_podidentity.go
107 lines (90 loc) · 2.9 KB
/
azure_aad_podidentity.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
package azure
import (
"context"
"encoding/json"
"errors"
"fmt"
"io"
"net/http"
"net/url"
"os"
"strconv"
"time"
"github.com/Azure/azure-sdk-for-go/sdk/azcore"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/kedacore/keda/v2/pkg/util"
)
const (
MSIURL = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=%s"
MSIURLWithClientID = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=%s&client_id=%s"
)
var globalHTTPTimeout time.Duration
func init() {
valueStr, found := os.LookupEnv("KEDA_HTTP_DEFAULT_TIMEOUT")
globalHTTPTimeoutMS := 3000
if found && valueStr != "" {
value, err := strconv.Atoi(valueStr)
if err == nil {
globalHTTPTimeoutMS = value
}
}
globalHTTPTimeout = time.Duration(globalHTTPTimeoutMS) * time.Millisecond
}
// GetAzureADPodIdentityToken returns the AADToken for resource
func GetAzureADPodIdentityToken(ctx context.Context, httpClient util.HTTPDoer, identityID, audience string) (AADToken, error) {
var token AADToken
var urlStr string
if identityID == "" {
urlStr = fmt.Sprintf(MSIURL, url.QueryEscape(audience))
} else {
urlStr = fmt.Sprintf(MSIURLWithClientID, url.QueryEscape(audience), url.QueryEscape(identityID))
}
req, err := http.NewRequestWithContext(ctx, "GET", urlStr, nil)
if err != nil {
return token, fmt.Errorf("error getting aad-pod-identity token - %w", err)
}
req.Header = map[string][]string{
"Metadata": {"true"},
}
resp, err := httpClient.Do(req)
if err != nil {
return token, fmt.Errorf("error getting aad-pod-identity token - %w", err)
}
defer resp.Body.Close()
body, err := io.ReadAll(resp.Body)
if err != nil {
return token, fmt.Errorf("error getting aad-pod-identity token - %w", err)
}
err = json.Unmarshal(body, &token)
if err != nil {
return token, fmt.Errorf("error getting aad-pod-identity token - %w", errors.New(string(body)))
}
return token, nil
}
type ManagedIdentityWrapper struct {
cred *azidentity.ManagedIdentityCredential
}
func ManagedIdentityWrapperCredential(clientID string) (*ManagedIdentityWrapper, error) {
opts := &azidentity.ManagedIdentityCredentialOptions{}
if clientID != "" {
opts.ID = azidentity.ClientID(clientID)
}
msiCred, err := azidentity.NewManagedIdentityCredential(opts)
if err != nil {
return nil, err
}
return &ManagedIdentityWrapper{
cred: msiCred,
}, nil
}
func (w *ManagedIdentityWrapper) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
c, cancel := context.WithTimeout(ctx, globalHTTPTimeout)
defer cancel()
tk, err := w.cred.GetToken(c, opts)
if ctxErr := c.Err(); errors.Is(ctxErr, context.DeadlineExceeded) {
// timeout: signal the chain to try its next credential, if any
err = azidentity.NewCredentialUnavailableError("managed identity timed out")
}
return tk, err
}