
Commit 9c356ad

author
hkatepa1
committed
adding support for azure china vault backend
Signed-off-by: hkatepa1 <hkatepa1@ford.com>
1 parent b046a7d commit 9c356ad


3 files changed

+99
-185
lines changed


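--- a/docs/backends.md
+++ b/docs/backends.md
@@ -449,6 +449,12 @@ These are the parameters for Azure:
 ```
 AVP_TYPE: azurekeyvault
 ```
+**Note**: If you are using Azure China, set the following environment variable:
+
+```
+export AVP_AZ_CLOUD_NAME=azurechina
+```
+
 
 ##### Examples
 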
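--- a/pkg/backends/azurekeyvault.go
+++ b/pkg/backends/azurekeyvault.go
@@ -3,11 +3,13 @@ package backends
 import (
 	"context"
 	"fmt"
+	"os" // Import the os package to access environment variables
+	"time"
+
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
 	"github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets"
 	"github.com/argoproj-labs/argocd-vault-plugin/pkg/utils"
-	"time"
 )
 
 // AzureKeyVault is a struct for working with an Azure Key Vault backend
@@ -37,17 +39,23 @@ func (a *AzureKeyVault) Login() error {
 }
 
 // GetSecrets gets secrets from Azure Key Vault and returns the formatted data
-// For Azure Key Vault, `kvpath` is the unique name of your vault
-// For Azure use the version here not make really sens as each secret have a different version but let support it
 func (a *AzureKeyVault) GetSecrets(kvpath string, version string, _ map[string]string) (map[string]interface{}, error) {
-	kvpath = fmt.Sprintf("https://%s.vault.azure.net", kvpath)
+	// Check for the cloud environment variable
+	cloud := os.Getenv("AVP_AZ_CLOUD_NAME")
+	var vaultURL string
+
+	if cloud == "azurechina" {
+		vaultURL = fmt.Sprintf("https://%s.vault.azure.cn", kvpath)
+	} else {
+		vaultURL = fmt.Sprintf("https://%s.vault.azure.net", kvpath)
+	}
 
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()
 
-	verboseOptionalVersion("Azure Key Vault list all secrets from vault %s", version, kvpath)
+	verboseOptionalVersion("Azure Key Vault list all secrets from vault %s", version, vaultURL)
 
-	client, err := a.ClientBuilder(kvpath, a.Credential, nil)
+	client, err := a.ClientBuilder(vaultURL, a.Credential, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -61,22 +69,20 @@ func (a *AzureKeyVault) GetSecrets(kvpath string, version string, _ map[string]s
 			return nil, err
 		}
 		for _, secretVersion := range page.Value {
-			// Azure Key Vault has ability to enable/disable a secret, so lets honour that
 			if !*secretVersion.Attributes.Enabled {
 				continue
 			}
 			name := secretVersion.ID.Name()
-			// Secret version matched given version ?
 			if version == "" || secretVersion.ID.Version() == version {
-				verboseOptionalVersion("Azure Key Vault getting secret %s from vault %s", version, name, kvpath)
+				verboseOptionalVersion("Azure Key Vault getting secret %s from vault %s", version, name, vaultURL)
 				secret, err := client.GetSecret(ctx, name, version, nil)
 				if err != nil {
 					return nil, err
 				}
 				utils.VerboseToStdErr("Azure Key Vault get secret response %v", secret)
 				data[name] = *secret.Value
 			} else {
-				verboseOptionalVersion("Azure Key Vault getting secret %s from vault %s", version, name, kvpath)
+				verboseOptionalVersion("Azure Key Vault getting secret %s from vault %s", version, name, vaultURL)
 				secret, err := client.GetSecret(ctx, name, version, nil)
 				if err != nil || !*secretVersion.Attributes.Enabled {
 					utils.VerboseToStdErr("Azure Key Vault get versioned secret not found %s", err)
@@ -90,17 +96,24 @@ func (a *AzureKeyVault) GetSecrets(kvpath string, version string, _ map[string]s
 	return data, nil
 }
 
-// GetIndividualSecret will get the specific secret (placeholder) from the SM backend
-// For Azure Key Vault, `kvpath` is the unique name of your vault
-// Secrets (placeholders) are directly addressable via the API, so only one call is needed here
+// GetIndividualSecret will get the specific secret from the SM backend
 func (a *AzureKeyVault) GetIndividualSecret(kvpath, secret, version string, annotations map[string]string) (interface{}, error) {
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()
 
 	verboseOptionalVersion("Azure Key Vault getting individual secret %s from vault %s", version, secret, kvpath)
 
-	kvpath = fmt.Sprintf("https://%s.vault.azure.net", kvpath)
-	client, err := a.ClientBuilder(kvpath, a.Credential, nil)
+	// Check for the cloud environment variable
+	cloud := os.Getenv("cloud")
+	var vaultURL string
+
+	if cloud == "azurechina" {
+		vaultURL = fmt.Sprintf("https://%s.vault.azure.cn", kvpath)
+	} else {
+		vaultURL = fmt.Sprintf("https://%s.vault.azure.net", kvpath)
+	}
+
+	client, err := a.ClientBuilder(vaultURL, a.Credential, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -121,4 +134,4 @@ func verboseOptionalVersion(format string, version string, message ...interface{
 	} else {
 		utils.VerboseToStdErr(format+" at version %s", append(message, version)...)
 	}
-}
+}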
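Review bot: GetIndividualSecret reads the wrong variable — `cloud := os.Getenv("cloud")` in the fourth hunk — while GetSecrets and the new docs use `AVP_AZ_CLOUD_NAME`, so an Azure China deployment that resolves a single placeholder is still pointed at the global `vault.azure.net` host and the request, bearer token included, leaves the intended cloud. The endpoint selection is also pasted verbatim into both methods, which is how the two names drifted; one helper keeps the variable name and the host suffixes in a single place. The second and fourth hunks additionally drop the comment explaining that `kvpath` is the vault's unique name, and the helper's doc comment below is a good place to restore it. The `// Import the os package to access environment variables` comment on the new import line states the obvious and can go.
```go
// azureVaultURL returns the Key Vault endpoint for the vault whose unique
// name is kvpath, using the Azure China DNS suffix when the
// AVP_AZ_CLOUD_NAME environment variable is set to "azurechina".
func azureVaultURL(kvpath string) string {
	if os.Getenv("AVP_AZ_CLOUD_NAME") == "azurechina" {
		return fmt.Sprintf("https://%s.vault.azure.cn", kvpath)
	}
	return fmt.Sprintf("https://%s.vault.azure.net", kvpath)
}

// … unchanged: GetSecrets and GetIndividualSecret bodies, with the inlined
// cloud/vaultURL block in each replaced by:
vaultURL := azureVaultURL(kvpath)
```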
