CORE-427: Azure AKS OIDC federation / Azure VM user-assigned managed identity support #17157
Conversation
andijcr
force-pushed
the
feat/aks_oidc_support
branch
from
23500fc
to
fc45043
Compare
andijcr
changed the title
andijcr
force-pushed
the
feat/aks_oidc_support
branch
2 times, most recently
from
2390890
to
d11ce73
Compare
|
new failures in https://buildkite.com/redpanda/redpanda/builds/46403#018e53e6-7781-4791-9788-c5539a80b1d2: new failures in https://buildkite.com/redpanda/redpanda/builds/46403#018e540d-e5d6-4582-be55-33ad5036bac0: new failures in https://buildkite.com/redpanda/redpanda/builds/46435#018e567e-7793-426c-96d4-1343812ca47a: new failures in https://buildkite.com/redpanda/redpanda/builds/46435#018e5690-3c51-4ff3-8163-8a71a3864772: new failures in https://buildkite.com/redpanda/redpanda/builds/46733#018e77cf-c715-4835-87a5-2fe6002e31d3: |
There was a problem hiding this comment.
looking good.
- should we avoid the trailing return type?
- pointed out a few things that looks like they need unit tests
- do you have a good sense for how well the code coverage is for the tests you've added?
- is there a test plan written down somewhere for testing on azure?
andijcr
force-pushed
the
feat/aks_oidc_support
branch
from
d11ce73
to
0312938
Compare
|
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46435#018e567e-778d-41a7-90d5-e1ae098ff741 ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46624#018e671b-8488-4d12-90f1-939431136853 ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46624#018e672d-51e5-474a-9723-c8b0a3148913 ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46733#018e77cf-c71b-4120-b84e-b0cec4eaabf6 ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46733#018e77e2-6d2a-4314-a587-e4112d3ac567 ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46733#018e77e2-6d26-4dd8-9db5-1acb42f55243 |
andijcr
force-pushed
the
feat/aks_oidc_support
branch
from
0312938
to
a3badbf
Compare
|
as discussed, followup with ducktape testing is moved here #17374 |
andijcr
force-pushed
the
feat/aks_oidc_support
branch
from
a3badbf
to
cad8307
Compare
not an actual problem, but calling `<< credentials{abs_credentials{}}`
would cause infinite recursion, because the implementation for
credential would not find an operator<< abs_credential, and instead
would call itself since credentials is constructible from
abs_credentials.
the fix is to use a concept to ensure that the actual calling type is
credential and not an implicit conversion
parse_json_response_and_validate acceps a schema string_view, performs schema validation on the json::Document read from the iobuf parameters, and returns the document or an error in case of validation failures.
requests urls are saved as is, url params are not removed from the url, failing simple queries via has_calls and get_latests_request to not break existing behavior, these calls accepts ignore_url_params to perform a search only on the part before '?'
oauth on ABS requires an access token and the header x-ms-version. this commit incroduces apply_abs_oauth_credentials
AKS OpenID Credential federations places a jwt in the pod that can be used to get an access token with a limited lifespan. this commit introduces an implmentation of refresh credentials for this usecase
azure_vm_refresh_impl calls the vm IMDS endpoint to retrieve an access_token, and converts it to an abs_oauth_credentials configuration: cloud_storage_azure_managed_identity_id to be used with cloud_credentials_source::azure_vm_instance_metadata
in config_multi_property_validation small refactor for the next commit, when support is added for new cloud_credentials_source
extended validation to ensure that cloud_storage_azure_managed_identity_id is set if cloud_storage_credentials_source is azure_vm_instance_metadata
for readability, less lines and clutter
adapted get_abs_config to work with credential_source equal to either config_file, azure_aks_oidc_federation, azure_vm_instance_metadata. removed the strict requirement to have a shared_key. for managed idendities the autorization is done with an access_token.
andijcr
force-pushed
the
feat/aks_oidc_support
branch
from
cad8307
to
8ea1ee4
Compare
|
fixed merge conflict, addressed comments, trailing return type fix. previous ci failure was #16324 (it's failing a lot in dev) |
|
|
||
| return ss::visit( | ||
| maybe_jresp, | ||
| [](auto err_resp) -> api_response_parse_result { |
There was a problem hiding this comment.
why doesn't this auto case match everything? will the more specific case (e.g. Document&) be chosen when possible?
There was a problem hiding this comment.
ye it's the rule of template overloading having lower precedence than exact type match
| "&resource=https%3A%2F%2Fstorage.azure.com%2F" | ||
| "&client_id={}", | ||
| client_id_opt.value())); | ||
| req.set("Metadata", "true"); |
There was a problem hiding this comment.
https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=linux#security-and-authentication
it's part of a mitigation to prevent redirection of requests.
since it's a get request, this header (required) make sure that the request originated from the app and it's not unintended/malicious
| // to the vm-local IMDS | ||
| auto req = http::client::request_header{}; | ||
| req.method(boost::beast::http::verb::get); | ||
| // TODO fix deps and use boost::url |
There was a problem hiding this comment.
do you need a follow issue for this? the comment isn't clear what is needed.
There was a problem hiding this comment.
don't think so, it's a comment i forgot to remove. boost::url has a nice interface to compose get requests, but it's not part of our dependencies. probably not really worth it.
| return std::visit( | ||
| ss::make_visitor( |
There was a problem hiding this comment.
why did you use ss::visit previous, but std::visit here?
dotnwat
changed the title
AKS
ASK managed identities are implemented with cloud_role/refresh_credentials implementations
azure_aks_refresh_impl.ccapply_abs_oauth_credentials.ccazure_aks_refresh_impl.ccreads these environment variablesto compose a POST request to retrieve an authorization token that
azure_aks_refresh_impl.ccwill use to authorize calls to ABS.The env variables are set up directly by AKS.
Azure VM
User-assigned managed identity via IMDS on a azure VM is implemented in
azure_vm_refresh_implit requires setting
cloud_storage_azure_managed_identity_idin configs to the user-assigned managed identity client_id.The implementation will perform a GET request to the instance metadata service to retrieve an authorization token
Fixes https://github.com/redpanda-data/core-internal/issues/1125
Fixes https://github.com/redpanda-data/core-internal/issues/1126
Backports Required
Release Notes
Features