Add native Azure Blob support #598
Conversation

pkg/azure/blob.go (Outdated)

```go
// - azblob.SharedKeyCredential when a "accountName" and "accountKey" are
// found.
// - Client without credentials.
func buildServiceClient(obj *sourcev1.Bucket, secret *corev1.Secret) (_ azblob.ServiceClient, err error) {
```
@laozc can you please take a look and see if this does not cover anything your version did?
Reason for this change is that I had a look at the current Azure libraries out there, and this seems to be the one with the brightest future and maintenance expectations. Given this is a new dependency introduction, this has my preference over one we eventually need to replace (or semi-copy/borrow from another project).
Hi @hiddeco

I'm still verifying this PR in Azure environments.

I think it would be better to use the following order during authentication:

1. Check for client secret first to use Service Principal password login
2. Check for client certificate to use Service Principal certificate login
3. Use Client ID with Managed Identity login
4. Use Resource ID with Managed Identity login
5. Use Storage Account key based auth login
6. No auth

This may ensure it works as expected when multiple Managed Identities are bound on the same VM node for 3) and 4).

```go
package azure

import (
	"fmt"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	corev1 "k8s.io/api/core/v1"
)

// The *Field constants name the Secret data keys (tenantId, clientId,
// clientSecret, clientCertificate, clientCertificatePassword, resourceId)
// and are defined elsewhere in the package.

// tokenCredentialFromSecret picks a TokenCredential in the order listed
// above. It returns (nil, nil) when no token-based option matches, so the
// caller can continue with shared key or anonymous access.
func tokenCredentialFromSecret(secret *corev1.Secret) (azcore.TokenCredential, error) {
	tenantID, hasTenantID := secret.Data[tenantIDField]
	clientID, hasClientID := secret.Data[clientIDField]
	clientSecret, hasClientSecret := secret.Data[clientSecretField]
	clientCertificate, hasClientCertificate := secret.Data[clientCertificateField]
	clientCertificatePassword := secret.Data[clientCertificatePasswordField]
	resourceID, hasResourceID := secret.Data[resourceIDField]

	// Service Principal options need both tenantId and clientId.
	if hasTenantID && hasClientID {
		// 1. Password (client secret) login.
		if hasClientSecret && string(clientSecret) != "" {
			return azidentity.NewClientSecretCredential(string(tenantID), string(clientID), string(clientSecret), nil)
		}
		// 2. Certificate login; the certificate password is optional and may be nil.
		if hasClientCertificate && string(clientCertificate) != "" {
			certs, key, err := azidentity.ParseCertificates(clientCertificate, clientCertificatePassword)
			if err != nil {
				return nil, fmt.Errorf("failed to parse client certificates: %w", err)
			}
			return azidentity.NewClientCertificateCredential(string(tenantID), string(clientID), certs, key, nil)
		}
	}
	// 3. and 4. Managed Identity, selected explicitly by client ID or resource ID
	// so the intended identity is used when several are bound to the node.
	if hasClientID {
		return azidentity.NewManagedIdentityCredential(&azidentity.ManagedIdentityCredentialOptions{
			ID: azidentity.ClientID(clientID)})
	} else if hasResourceID {
		return azidentity.NewManagedIdentityCredential(&azidentity.ManagedIdentityCredentialOptions{
			ID: azidentity.ResourceID(resourceID)})
	}
	return nil, nil
}
```

Let me get back to you when I have all these scenarios verified.
Thanks for the heads up, I will take your suggestions into account and document the reasoning in-code. Please let me know if anything else pops up, and I'll try to address it swiftly.
I have updated the code to your suggestion, you may also want to provide some input on #598 (review) and #598 (comment).
Force-pushed from 8920396 to c8f22b4.
    Co-authored-by: Zhongcheng Lao <[email protected]> Signed-off-by: Hidde Beydals <[email protected]>
Force-pushed from ccfb4db to 4434365.

This commit introduces an Azure Blob BucketProvider implementation, capable of fetching objects from public and private "container" buckets. The supported credential types are:

- ManagedIdentity with a `resourceId` Secret data field.
- ManagedIdentity with a `clientId` Secret data field.
- ClientSecret with `tenantId`, `clientId` and `clientSecret` Secret data fields.
- SharedKey with `accountKey` Secret data field, the Account Name is extracted from the endpoint URL specified on the object.

If no Secret is provided, the Bucket is assumed to be public.

Co-authored-by: Zhongcheng Lao <[email protected]>
Signed-off-by: Hidde Beydals <[email protected]>
Signed-off-by: Hidde Beydals <[email protected]>
This commit allows for a Secret to be configured with `tenantId`, `clientId` and `clientCertificate` data fields (with optionally `clientCertificatePassword`) to authenticate using TLS. Signed-off-by: Hidde Beydals <[email protected]>
Force-pushed from 179aa95 to 44a166e.
    Tests are configured in such a way that they only run for `main`. Signed-off-by: Hidde Beydals <[email protected]>
Force-pushed from 44a166e to d55a759.

Integration tests have been disabled again for pull requests after being confirmed to be working in:
Force-pushed from 7940044 to 696dcc7.

@laozc please see the current state of the PR and let me know if this is acceptable. I will work on updating the tests in the meantime.
Force-pushed from f3eb2fd to 166e185.

Force-pushed from eca70e4 to 7bc42a5.

Force-pushed from 1346696 to ce4e108.
@stefanprodan documented in 687af2f
LGTM!
- Use octal syntax for permissions.
- Fix typo.

Signed-off-by: Hidde Beydals <[email protected]>
Based on recommendations from Microsoft, change the order valid authentication options are taken into account. Mainly to ensure it works as expected when multiple Managed Identities are bound on the same VM node. Signed-off-by: Hidde Beydals <[email protected]>
This supports the fields as documented in the AKS documentation: https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal?tabs=azure-cli#manually-create-a-service-principal Signed-off-by: Hidde Beydals <[email protected]>
Force-pushed from ce4e108 to 61f756f.

- `authorityHost` and `clientCertificateSendChain` can now be set where applicable.
- AZ CLI fields have been removed.
- Fallback to `ChainedTokenCredential` with `EnvironmentCredential` and `ManagedIdentityCredential` with defaults if no Secret is given.

Signed-off-by: Hidde Beydals <[email protected]>
This ensures the Managed Identity authentication works with multiple identities assigned to a single node. Signed-off-by: Hidde Beydals <[email protected]>
Force-pushed from 61f756f to ccb65c7.

@laozc are you still running tests, or do you think this can be merged as is?
@hiddeco Please go ahead with the merge.
This PR introduces an Azure Blob BucketProvider implementation,
capable of fetching objects from public and private "container"
buckets.

The supported credential types are:

- ClientSecret with `tenantId`, `clientId` and `clientSecret` Secret data fields.
- ClientCertificate with `tenantId`, `clientId` and `clientCertificate` Secret data fields (with optionally `clientCertificatePassword`).
- ManagedIdentity with a `clientId` Secret data field.
- SharedKey with `accountKey` Secret data field, the account name is extracted from the endpoint URL specified on the object.
- ChainedTokenCredential with `EnvironmentCredential` and `ManagedIdentityCredential`, using the `AZURE_CLIENT_ID` environment variable (when available).

If no Secret is provided or the chain can not be established, the
Bucket is assumed to be public.

Successor of #513
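As an added example (not code from this PR or from the source-controller project), the Go program below models two things the thread settles on: the credential precedence laozc proposed and hiddeco adopted (client secret, client certificate, Managed Identity by client ID, Managed Identity by resource ID, shared key, anonymous), including the default credential chain for a missing Secret from the final revision, and the extraction of the storage account name from the endpoint URL that the SharedKey commit message describes. It uses only the standard library so it runs without Azure access. The `AuthMode` names, the decision to reject a `clientSecret` or `clientCertificate` that arrives without the `tenantId`/`clientId` pair (the posted snippet silently falls through to Managed Identity in that case), the https requirement and the account-name character rules are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Secret data keys as named in the thread.
const (
	tenantIDField          = "tenantId"
	clientIDField          = "clientId"
	clientSecretField      = "clientSecret"
	clientCertificateField = "clientCertificate"
	resourceIDField        = "resourceId"
	accountKeyField        = "accountKey"
)

// AuthMode names the credential type a Secret resolves to (names chosen for this example).
type AuthMode string

const (
	ModeClientSecret         AuthMode = "ClientSecret"
	ModeClientCertificate    AuthMode = "ClientCertificate"
	ModeManagedIdentityByID  AuthMode = "ManagedIdentity(clientId)"
	ModeManagedIdentityByRes AuthMode = "ManagedIdentity(resourceId)"
	ModeSharedKey            AuthMode = "SharedKey"
	ModeDefaultChain         AuthMode = "EnvironmentCredential+ManagedIdentityCredential"
	ModePublic               AuthMode = "Public"
)

// has reports whether key is present with a non-empty value.
func has(data map[string][]byte, key string) bool {
	return len(data[key]) > 0
}

// ResolveAuthMode applies the precedence agreed in the thread. A nil Secret
// selects the default credential chain; a Secret matching nothing selects
// anonymous access. Service-principal material without both tenantId and
// clientId is rejected instead of falling through (this example's choice).
func ResolveAuthMode(data map[string][]byte) (AuthMode, error) {
	if data == nil {
		return ModeDefaultChain, nil
	}
	sp := has(data, tenantIDField) && has(data, clientIDField)
	switch {
	case sp && has(data, clientSecretField):
		return ModeClientSecret, nil
	case sp && has(data, clientCertificateField):
		return ModeClientCertificate, nil
	case has(data, clientSecretField) || has(data, clientCertificateField):
		return "", errors.New("clientSecret/clientCertificate require both tenantId and clientId")
	case has(data, clientIDField):
		return ModeManagedIdentityByID, nil
	case has(data, resourceIDField):
		return ModeManagedIdentityByRes, nil
	case has(data, accountKeyField):
		return ModeSharedKey, nil
	}
	return ModePublic, nil
}

// AccountNameFromEndpoint returns the account name from the first host label of
// a Blob endpoint such as https://mystorage.blob.core.windows.net; sovereign
// suffixes (blob.core.chinacloudapi.cn, blob.core.usgovcloudapi.net) pass the
// same check. The https requirement and the 3-24 lowercase letters/digits rule
// are this example's checks, not ones the thread specifies.
func AccountNameFromEndpoint(endpoint string) (string, error) {
	u, err := url.Parse(endpoint)
	if err != nil {
		return "", fmt.Errorf("invalid endpoint %q: %w", endpoint, err)
	}
	if u.Scheme != "https" {
		return "", fmt.Errorf("endpoint %q must use https", endpoint)
	}
	name, rest, ok := strings.Cut(u.Hostname(), ".")
	if !ok || !strings.HasPrefix(rest, "blob.") {
		return "", fmt.Errorf("host %q is not an <account>.blob.<suffix> endpoint", u.Hostname())
	}
	if len(name) < 3 || len(name) > 24 {
		return "", fmt.Errorf("account name %q must be 3-24 characters", name)
	}
	for _, r := range name {
		if !(r >= 'a' && r <= 'z' || r >= '0' && r <= '9') {
			return "", fmt.Errorf("account name %q may only contain lowercase letters and digits", name)
		}
	}
	return name, nil
}

func main() {
	// Constructed Secrets for illustration; none of these values are real credentials.
	secrets := map[string]map[string][]byte{
		"sp-secret":   {"tenantId": []byte("t"), "clientId": []byte("c"), "clientSecret": []byte("s"), "accountKey": []byte("k")},
		"mi-clientid": {"clientId": []byte("c")},
		"shared-key":  {"accountKey": []byte("k")},
		"broken":      {"clientId": []byte("c"), "clientSecret": []byte("s")},
	}
	for name, data := range secrets {
		mode, err := ResolveAuthMode(data)
		fmt.Printf("%-12s -> %s %v\n", name, mode, err)
	}
	fmt.Println(AccountNameFromEndpoint("https://mystorage.blob.core.windows.net/"))
}
```

The "sp-secret" case is the one worth noticing in practice: a Secret that carries both service-principal fields and an `accountKey` is resolved as ClientSecret, and the shared key is never used, so an operator who rotates only the key does not change which credential the controller presents.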