
Commit 2abed34

Add new authentication type for managed Azure HCP
This commit adds a new authentication type for managed Azure HCP called UserAssignedIdentityCredentials. This new authentication type replaces the previous authentication method for managed Azure HCP. Signed-off-by: Bryan Cox <[email protected]>
1 parent 43c3c42 commit 2abed34

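--- a/pkg/storage/azure/azure.go
+++ b/pkg/storage/azure/azure.go
@@ -22,6 +22,7 @@ import (
 "github.com/Azure/go-autorest/autorest"
 autorestazure "github.com/Azure/go-autorest/autorest/azure"
 "github.com/Azure/go-autorest/autorest/to"
+"github.com/Azure/msi-dataplane/pkg/dataplane"
 "github.com/jongio/azidext/go/azidext"
 
 corev1 "k8s.io/api/core/v1"
@@ -371,9 +372,20 @@ func (d *driver) storageAccountsClient(cfg *Azure, environment autorestazure.Env
 cred azcore.TokenCredential
 err error
 )
-// Managed Identity Override for ARO HCP
 managedIdentityClientID := os.Getenv("ARO_HCP_MI_CLIENT_ID")
-if managedIdentityClientID != "" {
+userAssignedIdentityCredentialsFilePath := os.Getenv("MANAGED_AZURE_HCP_CREDENTIALS_FILE_PATH")
+if userAssignedIdentityCredentialsFilePath != "" {
+// UserAssignedIdentityCredentials for managed Azure HCP
+klog.V(2).Info("Using UserAssignedIdentityCredentials for Azure authentication for managed Azure HCP")
+clientOptions := azcore.ClientOptions{
+Cloud: cloudConfig,
+}
+cred, err = dataplane.NewUserAssignedIdentityCredential(context.Background(), userAssignedIdentityCredentialsFilePath, dataplane.WithClientOpts(clientOptions))
+if err != nil {
+return storage.AccountsClient{}, err
+}
+} else if managedIdentityClientID != "" {
+// Managed Identity Override for ARO HCP
 klog.V(2).Info("Using client certification Azure authentication for ARO HCP")
 options := &azidentity.ClientCertificateCredentialOptions{
 ClientOptions: azcore.ClientOptions{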
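--- a/pkg/storage/azure/azureclient/azureclient.go
+++ b/pkg/storage/azure/azureclient/azureclient.go
@@ -21,6 +21,7 @@ import (
 "github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/container"
 autorestazure "github.com/Azure/go-autorest/autorest/azure"
 "github.com/Azure/go-autorest/autorest/to"
+"github.com/Azure/msi-dataplane/pkg/dataplane"
 "github.com/openshift/cluster-image-registry-operator/pkg/filewatcher"
 "k8s.io/klog/v2"
 )
@@ -103,10 +104,20 @@ func (c *Client) getCreds(ctx context.Context) (azcore.TokenCredential, error) {
 err error
 creds azcore.TokenCredential
 )
-
-// Managed Identity Override for ARO HCP
 managedIdentityClientID := os.Getenv("ARO_HCP_MI_CLIENT_ID")
-if managedIdentityClientID != "" {
+userAssignedIdentityCredentialsFilePath := os.Getenv("MANAGED_AZURE_HCP_CREDENTIALS_FILE_PATH")
+if userAssignedIdentityCredentialsFilePath != "" {
+// UserAssignedIdentityCredentials for managed Azure HCP
+klog.V(2).Info("Using UserAssignedIdentityCredentials for Azure authentication for managed Azure HCP")
+clientOptions := azcore.ClientOptions{
+Cloud: c.clientOpts.Cloud,
+}
+creds, err = dataplane.NewUserAssignedIdentityCredential(ctx, userAssignedIdentityCredentialsFilePath, dataplane.WithClientOpts(clientOptions))
+if err != nil {
+return nil, err
+}
+} else if managedIdentityClientID != "" {
+// Managed Identity Override for ARO HCP
 klog.V(2).Info("Using client certification Azure authentication for ARO HCP")
 options := &azidentity.ClientCertificateCredentialOptions{
 ClientOptions: azcore.ClientOptions{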