
Support Azure sovereign cloud environments #871

4 changes: 4 additions & 0 deletions charts/kubernetes-external-secrets/values.yaml
Expand Up @@ -32,6 +32,10 @@ env:
# AWS_SSM_ENDPOINT: http://ssm-fips.us-east-1.amazonaws.com
# AWS_SM_ENDPOINT: http://secretsmanager-fips.us-east-1.amazonaws.com

# Use Azure Environment-oriented KeyVault endpoints
# AZURE_ENVIRONMENT: AzureUSGovernment
# AZURE_KEY_VAULT_DNS_SUFFIX: vault.usgovcloudapi.net

# Create environment variables from existing k8s secrets
envVarsFromSecret: {}
# AWS_ACCESS_KEY_ID:
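Review bot: The two commented examples on the `AZURE_ENVIRONMENT` / `AZURE_KEY_VAULT_DNS_SUFFIX` lines should say that they must be set together and list the accepted environment names, because the code maps `AZURE_ENVIRONMENT` to a login authority but does not derive the vault DNS suffix from it, so setting only one of them presents a token from one cloud to the Key Vault endpoint of another. Suggested replacement for the header comment: `# Use Azure sovereign-cloud endpoints. Set both together: AZURE_ENVIRONMENT must be one of AzureCloud (default), AzureChinaCloud, AzureGermanCloud, AzureUSGovernment, and the suffix must be that cloud's Key Vault domain.`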
16 changes: 14 additions & 2 deletions config/azure-config.js
@@ -1,14 +1,26 @@
'use strict'

const { DefaultAzureCredential } = require('@azure/identity')
const { DefaultAzureCredential, AzureAuthorityHosts } = require('@azure/identity')
// DefaultAzureCredential expects the following three environment variables:
// - AZURE_TENANT_ID: The tenant ID in Azure Active Directory
// - AZURE_CLIENT_ID: The application (client) ID registered in the AAD tenant
// - AZURE_CLIENT_SECRET: The client secret for the registered application
// An optional environment variable AZURE_ENVIRONMENT may be provided to specify cloud environment

const authorityHostMap = new Map()
authorityHostMap.set('AzureCloud', AzureAuthorityHosts.AzurePublicCloud)
authorityHostMap.set('AzureChinaCloud', AzureAuthorityHosts.AzureChina)
authorityHostMap.set('AzureGermanCloud', AzureAuthorityHosts.AzureGermany)
authorityHostMap.set('AzureUSGovernment', AzureAuthorityHosts.AzureGovernment)

module.exports = {
azureKeyVault: () => {
const credential = new DefaultAzureCredential()
var env = process.env.AZURE_ENVIRONMENT
if (!env) {
env = 'AzureCloud' // default
}
var host = authorityHostMap.get(env)
const credential = new DefaultAzureCredential({ authorityHost: host })
return credential
}
}
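Review bot: `authorityHostMap.get(env)` on the `var host` line returns `undefined` for any `AZURE_ENVIRONMENT` value outside the four map keys (a typo such as `AzureUsGovernment`), and `new DefaultAzureCredential({ authorityHost: undefined })` is then presumably treated by the SDK as "option not set", so a misconfigured sovereign deployment would send its client secret to the public-cloud login endpoint and fail confusingly instead of failing closed. Validate before constructing the credential: `const host = authorityHostMap.get(env)` followed by `if (host === undefined) throw new Error(\`Unsupported AZURE_ENVIRONMENT "${env}"; expected one of: ${[...authorityHostMap.keys()].join(', ')}\`)`. The `var env` / `var host` declarations should be `const`/`let` to match the rest of the file, and `const env = process.env.AZURE_ENVIRONMENT || 'AzureCloud'` replaces the default `if` block. A comment above the map should also note that `AZURE_KEY_VAULT_DNS_SUFFIX`, read in the backend, is not derived from this setting and must be kept consistent with it by the operator.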
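--- a/lib/backends/azure-keyvault-backend.js
+++ b/lib/backends/azure-keyvault-backend.js
@@ -14,10 +14,16 @@ class AzureKeyVaultBackend extends KVBackend {
 constructor ({ credential, logger }) {
 super({ logger })
 this._credential = credential
+var suffix = process.env.AZURE_KEY_VAULT_DNS_SUFFIX
+if (suffix == null) {
+this._endpointSuffix = 'vault.azure.net' // Default
+} else {
+this._endpointSuffix = suffix
+}
 }
 
 _keyvaultClient ({ keyVaultName }) {
-const url = `https://${keyVaultName}.vault.azure.net`
+const url = `https://${keyVaultName}.${this._endpointSuffix}`
 const client = new SecretClient(url, this._credential)
 return client
 }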
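Review bot: The `suffix == null` check on the new constructor lines accepts an empty string, so `AZURE_KEY_VAULT_DNS_SUFFIX=""` (easy to get from a Helm template with an unset value) produces URLs like `https://myvault.`, and a value with a leading dot or trailing slash is likewise interpolated into the URL untouched. The variable is operator-supplied configuration rather than untrusted input, so normalizing is sufficient: `const suffix = (process.env.AZURE_KEY_VAULT_DNS_SUFFIX || 'vault.azure.net').replace(/^\.+|\/+$/g, '')` collapses the if/else into one statement and drops the `var`. A comment should also record that the suffix is read independently of `AZURE_ENVIRONMENT`, so a mismatch (public-cloud authority token presented to a `vault.usgovcloudapi.net` host) is not detected here and will presumably surface only as an authentication error at request time. The `class AzureKeyVaultBackend` header lies outside the hunk.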