Adding custom cloud configuration while creating Azure credentials

aparna0508 · web-flow · commit 9354d985aed6 · 2025-11-18T10:11:37.000+05:30
diff --git a/storage_drivers/azure/api/azure.go b/storage_drivers/azure/api/azure.go
@@ -233,6 +233,20 @@ type Client struct {
 
 // ValidateCloudConfiguration validates the cloud configuration and returns a cloud.Configuration.
 func ValidateCloudConfiguration(cloudConfig *CloudConfiguration) (*cloud.Configuration, error) {
+	ctx := context.Background()
+
+	// Log input configuration
+	if cloudConfig == nil {
+		Logc(ctx).Debug("ValidateCloudConfiguration called with nil cloudConfig, using default AzurePublic.")
+	} else {
+		Logc(ctx).WithFields(LogFields{
+			"cloudName":       cloudConfig.CloudName,
+			"adAuthorityHost": cloudConfig.ADAuthorityHost,
+			"audience":        cloudConfig.Audience,
+			"endpoint":        cloudConfig.Endpoint,
+		}).Debug("ValidateCloudConfiguration called with cloudConfig.")
+	}
+
 	// If no cloud config provided, use default (AzurePublic)
 	if cloudConfig == nil {
 		return &cloud.AzurePublic, nil
@@ -253,16 +267,25 @@ func ValidateCloudConfiguration(cloudConfig *CloudConfiguration) (*cloud.Configu
 
 	// Option 1: Named cloud
 	if hasCloudName {
+		var namedConfig *cloud.Configuration
 		switch cloudConfig.CloudName {
 		case "AzurePublic":
-			return &cloud.AzurePublic, nil
+			namedConfig = &cloud.AzurePublic
 		case "AzureChina":
-			return &cloud.AzureChina, nil
+			namedConfig = &cloud.AzureChina
 		case "AzureGovernment":
-			return &cloud.AzureGovernment, nil
+			namedConfig = &cloud.AzureGovernment
 		default:
 			return nil, fmt.Errorf("unknown cloudName: %s (valid values: AzurePublic, AzureChina, AzureGovernment)", cloudConfig.CloudName)
 		}
+
+		// Log resulting configuration
+		Logc(ctx).WithFields(LogFields{
+			"cloudName":                    cloudConfig.CloudName,
+			"activeDirectoryAuthorityHost": namedConfig.ActiveDirectoryAuthorityHost,
+		}).Debug("ValidateCloudConfiguration returning named cloud configuration.")
+
+		return namedConfig, nil
 	}
 
 	// Option 2: Custom configuration - all three fields must be provided
@@ -282,15 +305,24 @@ func ValidateCloudConfiguration(cloudConfig *CloudConfiguration) (*cloud.Configu
 	}
 
 	// Build custom cloud configuration
-	return &cloud.Configuration{
+	customConfig := &cloud.Configuration{
 		ActiveDirectoryAuthorityHost: cloudConfig.ADAuthorityHost,
 		Services: map[cloud.ServiceName]cloud.ServiceConfiguration{
 			cloud.ResourceManager: {
 				Audience: cloudConfig.Audience,
 				Endpoint: cloudConfig.Endpoint,
 			},
 		},
-	}, nil
+	}
+
+	// Log resulting configuration
+	Logc(ctx).WithFields(LogFields{
+		"activeDirectoryAuthorityHost": customConfig.ActiveDirectoryAuthorityHost,
+		"resourceManagerEndpoint":      customConfig.Services[cloud.ResourceManager].Endpoint,
+		"resourceManagerAudience":      customConfig.Services[cloud.ResourceManager].Audience,
+	}).Debug("ValidateCloudConfiguration returning custom cloud configuration.")
+
+	return customConfig, nil
 }
 
 // NewDriver is a factory method for creating a new SDK interface.
@@ -308,7 +340,7 @@ func NewDriver(config ClientConfig) (Azure, error) {
 		return nil, fmt.Errorf("invalid cloud configuration: %v", err)
 	}
 
-	credential, err := GetAzureCredential(config)
+	credential, err := GetAzureCredential(config, cloudConfig)
 	if err != nil {
 		return nil, err
 	}
@@ -360,16 +392,47 @@ func NewDriver(config ClientConfig) (Azure, error) {
 	}, nil
 }
 
-func GetAzureCredential(config ClientConfig) (credential azcore.TokenCredential, err error) {
+// GetAzureCredential creates an Azure credential with the specified cloud configuration.
+// The cloudConfig parameter should be a validated cloud configuration from ValidateCloudConfiguration().
+// If cloudConfig is nil, defaults to AzurePublic cloud.
+func GetAzureCredential(
+	config ClientConfig, cloudConfig *cloud.Configuration,
+) (credential azcore.TokenCredential, err error) {
+	// Default to AzurePublic if no cloud config provided
+	if cloudConfig == nil {
+		cloudConfig = &cloud.AzurePublic
+	}
+
 	armConfig := azclient.ARMClientConfig{
 		TenantID: config.TenantID,
 	}
 
-	authProvider, err := azclient.NewAuthProvider(&armConfig, &config.AzureAuthConfig)
+	// Set cloud-specific ARM configuration
+	// For named clouds: use CloudName (e.g., "AzurePublic", "AzureChina", "AzureGovernment")
+	// For custom clouds: use ResourceManagerEndpoint to let azclient build custom configuration
+	if config.CloudConfig != nil {
+		if config.CloudConfig.CloudName != "" {
+			armConfig.Cloud = config.CloudConfig.CloudName
+		} else if config.CloudConfig.Endpoint != "" {
+			armConfig.ResourceManagerEndpoint = config.CloudConfig.Endpoint
+		}
+	}
+
+	// Create auth provider with cloud-aware client options
+	// The cloud configuration must be set before credentials are created to ensure
+	// the correct authority host is used (e.g., login.microsoftonline.us for Azure Government)
+	authProviderOptions := []azclient.AuthProviderOption{
+		azclient.WithClientOptionsMutFn(func(option *policy.ClientOptions) {
+			option.Cloud = *cloudConfig
+		}),
+	}
+
+	authProvider, err := azclient.NewAuthProvider(&armConfig, &config.AzureAuthConfig, authProviderOptions...)
 	if err != nil {
 		return nil, fmt.Errorf("error creating azure auth provider: %w", err)
 	}
 
+	// GetAzIdentity may return nil in test environments without actual credentials
 	return authProvider.GetAzIdentity(), nil
 }
 
diff --git a/storage_drivers/azure/api/azure_test.go b/storage_drivers/azure/api/azure_test.go
@@ -10,8 +10,8 @@ import (
 	"testing"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
-
 	"github.com/stretchr/testify/assert"
+	"sigs.k8s.io/cloud-provider-azure/pkg/azclient"
 
 	"github.com/netapp/trident/utils/errors"
 )
@@ -1324,3 +1324,153 @@ func TestValidateCloudConfiguration_InvalidURL(t *testing.T) {
 		})
 	}
 }
+
+// ////////////////////////////////////////////////////////////////////////////
+// Tests for GetAzureCredential
+// ////////////////////////////////////////////////////////////////////////////
+
+// Helper function to create a test ClientConfig
+func createTestClientConfig(cloudConfig *CloudConfiguration) ClientConfig {
+	return ClientConfig{
+		TenantID:        "test-tenant-id",
+		CloudConfig:     cloudConfig,
+		AzureAuthConfig: azclient.AzureAuthConfig{},
+	}
+}
+
+func TestGetAzureCredential_NoCloudConfig(t *testing.T) {
+	// Test with nil cloud config - should default to AzurePublic
+	config := createTestClientConfig(nil)
+
+	// Validate cloud configuration
+	cloudConfig, err := ValidateCloudConfiguration(config.CloudConfig)
+	assert.NoError(t, err, "ValidateCloudConfiguration should not error with nil config")
+
+	_, err = GetAzureCredential(config, cloudConfig)
+	// Since we don't have actual Azure credentials, we expect this to succeed in creating
+	// the auth provider structure, even though it won't return a valid credential
+	// The important thing is it doesn't error on cloud configuration validation
+	assert.NoError(t, err, "GetAzureCredential should not error with nil cloud config")
+}
+
+func TestGetAzureCredential_EmptyCloudConfig(t *testing.T) {
+	// Test with empty cloud config - should default to AzurePublic
+	config := createTestClientConfig(&CloudConfiguration{})
+
+	// Validate cloud configuration
+	cloudConfig, err := ValidateCloudConfiguration(config.CloudConfig)
+	assert.NoError(t, err, "ValidateCloudConfiguration should not error with empty config")
+
+	_, err = GetAzureCredential(config, cloudConfig)
+	assert.NoError(t, err, "GetAzureCredential should not error with empty cloud config")
+}
+
+func TestGetAzureCredential_NamedClouds(t *testing.T) {
+	tests := []struct {
+		name      string
+		cloudName string
+	}{
+		{
+			name:      "AzurePublic",
+			cloudName: "AzurePublic",
+		},
+		{
+			name:      "AzureChina",
+			cloudName: "AzureChina",
+		},
+		{
+			name:      "AzureGovernment",
+			cloudName: "AzureGovernment",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			config := createTestClientConfig(&CloudConfiguration{
+				CloudName: tt.cloudName,
+			})
+
+			// Validate cloud configuration
+			cloudConfig, err := ValidateCloudConfiguration(config.CloudConfig)
+			assert.NoError(t, err, "ValidateCloudConfiguration should not error with valid cloud name: %s", tt.cloudName)
+
+			_, err = GetAzureCredential(config, cloudConfig)
+			assert.NoError(t, err, "GetAzureCredential should not error with valid named cloud: %s", tt.cloudName)
+		})
+	}
+}
+
+func TestGetAzureCredential_CustomCloud(t *testing.T) {
+	config := createTestClientConfig(&CloudConfiguration{
+		ADAuthorityHost: "https://login.custom.cloud/",
+		Audience:        "https://management.custom.cloud",
+		Endpoint:        "https://management.custom.cloud",
+	})
+
+	// Validate cloud configuration
+	cloudConfig, err := ValidateCloudConfiguration(config.CloudConfig)
+	assert.NoError(t, err, "ValidateCloudConfiguration should not error with valid custom config")
+
+	// Note: This test will fail with a network error because the custom cloud URL is fake.
+	// This is expected behavior - validation of custom cloud URLs happens when the auth
+	// provider attempts to connect to the endpoint.
+	_, err = GetAzureCredential(config, cloudConfig)
+	// We expect an error due to network failure, not a validation error
+	assert.Error(t, err, "GetAzureCredential should error when custom cloud endpoint is unreachable")
+	assert.Contains(t, err.Error(), "error creating azure auth provider")
+}
+
+func TestGetAzureCredential_InvalidCloudName(t *testing.T) {
+	config := createTestClientConfig(&CloudConfiguration{
+		CloudName: "InvalidCloudName",
+	})
+
+	// Validate cloud configuration - should fail for invalid cloud name
+	_, err := ValidateCloudConfiguration(config.CloudConfig)
+	assert.Error(t, err, "ValidateCloudConfiguration should error with invalid cloud name")
+	assert.Contains(t, err.Error(), "unknown cloudName")
+}
+
+func TestGetAzureCredential_IncompleteCustomConfig(t *testing.T) {
+	config := createTestClientConfig(&CloudConfiguration{
+		ADAuthorityHost: "https://login.custom.cloud/",
+		Audience:        "https://management.custom.cloud",
+		// Missing Endpoint - should cause validation error
+	})
+
+	// Validate cloud configuration - should fail for incomplete custom config
+	_, err := ValidateCloudConfiguration(config.CloudConfig)
+	assert.Error(t, err, "ValidateCloudConfiguration should error with incomplete custom config")
+	assert.Contains(t, err.Error(), "adAuthorityHost, audience, and endpoint are all required")
+}
+
+func TestGetAzureCredential_MutuallyExclusiveConfig(t *testing.T) {
+	config := createTestClientConfig(&CloudConfiguration{
+		CloudName:       "AzurePublic",
+		ADAuthorityHost: "https://login.custom.cloud/",
+		Audience:        "https://management.custom.cloud",
+		Endpoint:        "https://management.custom.cloud",
+	})
+
+	// Validate cloud configuration - should fail for mutually exclusive config
+	_, err := ValidateCloudConfiguration(config.CloudConfig)
+	assert.Error(t, err, "ValidateCloudConfiguration should error with mutually exclusive config")
+	assert.Contains(t, err.Error(), "mutually exclusive")
+}
+
+func TestGetAzureCredential_InvalidURLInCustomConfig(t *testing.T) {
+	config := createTestClientConfig(&CloudConfiguration{
+		ADAuthorityHost: "https://login.custom.cloud/",
+		Audience:        "https://management.custom.cloud",
+		Endpoint:        "https://management.custom.cloud",
+	})
+
+	// Validate cloud configuration - should succeed (url.Parse is permissive)
+	cloudConfig, err := ValidateCloudConfiguration(config.CloudConfig)
+	assert.NoError(t, err, "ValidateCloudConfiguration accepts syntactically valid URLs")
+
+	// The actual network error will occur when trying to use the credential
+	_, err = GetAzureCredential(config, cloudConfig)
+	assert.Error(t, err, "GetAzureCredential should error when custom cloud endpoint is unreachable")
+	assert.Contains(t, err.Error(), "error creating azure auth provider")
+}
diff --git a/storage_drivers/azure/azure_anf_test.go b/storage_drivers/azure/azure_anf_test.go
@@ -1190,9 +1190,9 @@ func TestInitialize_WithCloudConfigurationCustom(t *testing.T) {
         "clientID": "deadbeef-784c-4b35-8329-460f52a3ad50",
         "clientSecret": "myClientSecret",
         "cloudConfiguration": {
-            "adAuthorityHost": "https://login.microsoftonline.azurestack.contoso.com/",
-            "audience": "https://management.azurestack.contoso.com",
-            "endpoint": "https://management.azurestack.contoso.com"
+            "adAuthorityHost": "https://login.microsoftonline.com/",
+            "audience": "https://management.core.windows.net/",
+            "endpoint": "https://management.azure.com"
         },
         "serviceLevel": "Premium",
         "debugTraceFlags": {"method": true, "api": true, "discovery": true},
@@ -1217,9 +1217,9 @@ func TestInitialize_WithCloudConfigurationCustom(t *testing.T) {
 
 	assert.NoError(t, result, "initialize failed")
 	assert.NotNil(t, driver.Config.CloudConfiguration, "cloud configuration is nil")
-	assert.Equal(t, "https://login.microsoftonline.azurestack.contoso.com/", driver.Config.CloudConfiguration.ADAuthorityHost)
-	assert.Equal(t, "https://management.azurestack.contoso.com", driver.Config.CloudConfiguration.Audience)
-	assert.Equal(t, "https://management.azurestack.contoso.com", driver.Config.CloudConfiguration.Endpoint)
+	assert.Equal(t, "https://login.microsoftonline.com/", driver.Config.CloudConfiguration.ADAuthorityHost)
+	assert.Equal(t, "https://management.core.windows.net/", driver.Config.CloudConfiguration.Audience)
+	assert.Equal(t, "https://management.azure.com", driver.Config.CloudConfiguration.Endpoint)
 }
 
 func TestInitialize_WithCloudConfigurationInvalid(t *testing.T) {
