-
Notifications
You must be signed in to change notification settings - Fork 188
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add native Azure Blob support #598
Conversation
pkg/azure/blob.go
Outdated
// - azblob.SharedKeyCredential when a "accountName" and "accountKey" are | ||
// found. | ||
// - Client without credentials. | ||
func buildServiceClient(obj *sourcev1.Bucket, secret *corev1.Secret) (_ azblob.ServiceClient, err error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@laozc can you please take a look and see if this does not cover anything your version did?
Reason for this change is that I had a look at the current Azure libraries out there, and this seems to be the one with the brightest future and maintenance expectations. Given this is a new dependency introduction, this has my preference over one we eventually need to replace (or semi-copy/borrow from another project).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @hiddeco
I'm still verifying this PR in Azure environments.
I think it would be better to use the following order during authentication
- Check for client secret first to use Service Principal password login
- Check for client certificate to use Service Principal certificate login
- Use Client ID with Managed Identity login
- Use Resource ID with Managed Identity login
- Use Storage Account key based auth login
- No auth
This may ensure it works as expected when multiple Managed Identites bound on the same VM node for 3) and 4).
func tokenCredentialFromSecret(secret *corev1.Secret) (azcore.TokenCredential, error) {
tenantID, hasTenantID := secret.Data[tenantIDField]
clientID, hasClientID := secret.Data[clientIDField]
clientSecret, hasClientSecret := secret.Data[clientSecretField]
clientCertificate, hasClientCertificate := secret.Data[clientCertificateField]
clientCertificatePassword, _ := secret.Data[clientCertificatePasswordField]
resourceID, hasResourceID := secret.Data[resourceIDField]
if hasTenantID && hasClientID {
if hasClientSecret && string(clientSecret) != "" {
return azidentity.NewClientSecretCredential(string(tenantID), string(clientID), string(clientSecret), nil)
}
if hasClientCertificate && string(clientCertificate) != "" {
certs, key, err := azidentity.ParseCertificates(clientCertificate, clientCertificatePassword)
if err != nil {
return nil, fmt.Errorf("failed to parse client certificates: %w", err)
}
return azidentity.NewClientCertificateCredential(string(tenantID), string(clientID), certs, key, nil)
}
}
if hasClientID {
return azidentity.NewManagedIdentityCredential(&azidentity.ManagedIdentityCredentialOptions{
ID: azidentity.ClientID(clientID)})
} else if hasResourceID {
return azidentity.NewManagedIdentityCredential(&azidentity.ManagedIdentityCredentialOptions{
ID: azidentity.ResourceID(resourceID)})
}
return nil, nil
}
Let me get back to you when I have all these scenarios verified.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the heads up, I will take your suggestions into account and document the reasoning in-code. Please let me know if anything else pops up, and I'll try to address it swiftly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have updated the code to your suggestion, you may also want to provide some input on #598 (review) and #598 (comment).
8920396
to
c8f22b4
Compare
Co-authored-by: Zhongcheng Lao <Zhongcheng.Lao@microsoft.com> Signed-off-by: Hidde Beydals <hello@hidde.co>
ccfb4db
to
4434365
Compare
This commit introduces an Azure Blob BucketProvider implementation, capable of fetching from objects from public and private "container" buckets. The supported credential types are: - ManagedIdentity with a `resourceId` Secret data field. - ManagedIdentity with a `clientId` Secret data field. - ClientSecret with `tenantId`, `clientId` and `clientSecret` Secret data fields. - SharedKey with `accountKey` Secret data field, the Account Name is extracted from the endpoint URL specified on the object. If no Secret is provided, the Bucket is assumed to be public. Co-authored-by: Zhongcheng Lao <Zhongcheng.Lao@microsoft.com> Signed-off-by: Hidde Beydals <hello@hidde.co>
Signed-off-by: Hidde Beydals <hello@hidde.co>
This commit allows for a Secret to be configured with `tenantId`, `clientId` and `clientCertificate` data fields (with optionally `clientCertificatePassword`) to authenticate using TLS. Signed-off-by: Hidde Beydals <hello@hidde.co>
179aa95
to
44a166e
Compare
Tests are configured in such a way that they only run for `main`. Signed-off-by: Hidde Beydals <hello@hidde.co>
44a166e
to
d55a759
Compare
Integration tests have been disabled again for pull requests after confirmed to be working in: |
7940044
to
696dcc7
Compare
@laozc please see the current state of the PR and let me know if this is acceptable. I will work on updating the tests in the meantime. |
f3eb2fd
to
166e185
Compare
eca70e4
to
7bc42a5
Compare
1346696
to
ce4e108
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@stefanprodan documented in 687af2f |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
- Use octal syntax for permissions. - Fix typo. Signed-off-by: Hidde Beydals <hello@hidde.co>
Based on recommendations from Microsoft, change the order valid authentication options are taken into account. Mainly to ensure it works as expected when multiple Managed Identities are bound on the same VM node. Signed-off-by: Hidde Beydals <hello@hidde.co>
This supports the fields as documented in the AKS documentation: https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal?tabs=azure-cli#manually-create-a-service-principal Signed-off-by: Hidde Beydals <hello@hidde.co>
ce4e108
to
61f756f
Compare
- `authorityHost` and `clientCertificateSendChain` can now be set where applicable. - AZ CLI fields have been removed. - Fallback to `ChainedTokenCredential` with `EnvironmentCredential` and `ManagedIdentityCredential` with defaults if no Secret is given. Signed-off-by: Hidde Beydals <hello@hidde.co>
This ensures the Managed Identity authentication works with multiple identities assigned to a single node. Signed-off-by: Hidde Beydals <hello@hidde.co>
61f756f
to
ccb65c7
Compare
@laozc are you still running tests, or do you think this can be merged as is? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@hiddeco Please go head with the merge. |
This PR introduces an Azure Blob BucketProvider implementation,
capable of fetching objects from public and private "container"
buckets.
The supported credential types are:
tenantId
,clientId
andclientSecret
Secretdata fields.
tenantId
,clientId
andclientSecret
Secretdata (with optionally
clientCertificatePassword
).clientId
Secret data field.accountKey
Secret data field, the account name isextracted from the endpoint URL specified on the object.
AZURE_CLIENT_ID
environment variable(when available)
If no Secret is provided or the chain can not be established, the
Bucket is assumed to be public.
Successor of #513