
Commit e704b6b

committed
wip
1 parent 5969417 commit e704b6b


1 file changed

+58
-23
lines changed

1 file changed

+58
-23
lines changed

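--- a/pkg/storage/azure/azure.go
+++ b/pkg/storage/azure/azure.go
@@ -334,7 +334,7 @@ func NewDriver(ctx context.Context, c *imageregistryv1.ImageRegistryConfigStorag
 }
 
 func (d *driver) newAzClient(cfg *Azure, environment autorestazure.Environment, tagset map[string]*string) (*azureclient.Client, error) {
-client, err := azureclient.New(&azureclient.Options{
+clientOptions := &azureclient.Options{
 Environment: environment,
 TenantID: cfg.TenantID,
 ClientID: cfg.ClientID,
@@ -343,10 +343,19 @@ func (d *driver) newAzClient(cfg *Azure, environment autorestazure.Environment,
 SubscriptionID: cfg.SubscriptionID,
 TagSet: tagset,
 Policies: d.policies,
-})
+}
+
+if cred, ok, err := d.ensureUAMICred(d.Context, environment); err != nil {
+return nil, err
+} else if ok {
+clientOptions.Creds = cred
+}
+
+client, err := azureclient.New(clientOptions)
 if err != nil {
 return nil, err
 }
+
 return client, nil
 }
 
@@ -381,25 +390,10 @@ func (d *driver) storageAccountsClient(cfg *Azure, environment autorestazure.Env
 // UserAssignedIdentityCredentials is specifically for managed Azure HCP
 userAssignedIdentityCredentialsFilePath := os.Getenv("MANAGED_AZURE_HCP_CREDENTIALS_FILE_PATH")
 if userAssignedIdentityCredentialsFilePath != "" {
-var ok bool
-
-// We need to only store the Azure credentials once and reuse them after that.
-storedCreds, found := d.azureCredentials.Load(azureCredentialsKey)
-if !found {
-klog.V(2).Info("Using UserAssignedIdentityCredentials for Azure authentication for managed Azure HCP")
-clientOptions := azcore.ClientOptions{
-Cloud: cloudConfig,
-}
-cred, err = dataplane.NewUserAssignedIdentityCredential(context.Background(), userAssignedIdentityCredentialsFilePath, dataplane.WithClientOpts(clientOptions))
-if err != nil {
-return storage.AccountsClient{}, err
-}
-d.azureCredentials.Store(azureCredentialsKey, cred)
-} else {
-cred, ok = storedCreds.(azcore.TokenCredential)
-if !ok {
-return storage.AccountsClient{}, fmt.Errorf("expected %T to be a TokenCredential", storedCreds)
-}
+if c, ok, err := d.ensureUAMICred(d.Context, environment); err != nil {
+return storage.AccountsClient{}, err
+} else if ok {
+cred = c
 }
 } else if strings.TrimSpace(cfg.ClientSecret) == "" {
 options := azidentity.WorkloadIdentityCredentialOptions{
@@ -1237,14 +1231,22 @@ func (d *driver) RemoveStorage(cr *imageregistryv1.Config) (retry bool, err erro
 }
 
 if d.Config.NetworkAccess != nil && d.Config.NetworkAccess.Internal != nil && d.Config.NetworkAccess.Internal.PrivateEndpointName != "" {
-azclient, err := azureclient.New(&azureclient.Options{
+clientOptions := &azureclient.Options{
 Environment: environment,
 TenantID: cfg.TenantID,
 ClientID: cfg.ClientID,
 ClientSecret: cfg.ClientSecret,
 FederatedTokenFile: cfg.FederatedTokenFile,
 SubscriptionID: cfg.SubscriptionID,
-})
+}
+
+storedCreds, found := d.azureCredentials.Load(azureCredentialsKey)
+if found {
+klog.V(2).Infof("Using driver cached credential for new Azure client to remove storage")
+clientOptions.Creds = storedCreds.(azcore.TokenCredential)
+}
+
+azclient, err := azureclient.New(clientOptions)
 if err != nil {
 util.UpdateCondition(
 cr,
@@ -1320,3 +1322,36 @@ func (d *driver) RemoveStorage(cr *imageregistryv1.Config) (retry bool, err erro
 func (d *driver) ID() string {
 return d.Config.Container
 }
+
+func (d *driver) ensureUAMICred(ctx context.Context, env autorestazure.Environment) (azcore.TokenCredential, bool, error) {
+if stored, ok := d.azureCredentials.Load(azureCredentialsKey); ok {
+if cred, ok := stored.(azcore.TokenCredential); ok {
+klog.V(2).Infof("Loaded UAMICred from driver cache")
+return cred, true, nil
+}
+return nil, false, fmt.Errorf("expected cached credential to be azcore.TokenCredential")
+}
+if os.Getenv("MANAGED_AZURE_HCP_CREDENTIALS_FILE_PATH") == "" {
+return nil, false, nil
+}
+cloudConfig := cloud.Configuration{
+ActiveDirectoryAuthorityHost: env.ActiveDirectoryEndpoint,
+Services: map[cloud.ServiceName]cloud.ServiceConfiguration{
+cloud.ResourceManager: {
+Audience: env.TokenAudience,
+Endpoint: env.ResourceManagerEndpoint,
+},
+},
+}
+cred, err := dataplane.NewUserAssignedIdentityCredential(
+ctx,
+os.Getenv("MANAGED_AZURE_HCP_CREDENTIALS_FILE_PATH"),
+dataplane.WithClientOpts(azcore.ClientOptions{Cloud: cloudConfig}),
+)
+if err != nil {
+return nil, false, err
+}
+d.azureCredentials.Store(azureCredentialsKey, cred)
+klog.V(2).Infof("Storing UAMICred for driver")
+return cred, true, nil
+}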
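Review bot: The `storedCreds.(azcore.TokenCredential)` assertion added in RemoveStorage (new line 1246) is unchecked, so any other value under `azureCredentialsKey` panics the reconciler, while the same cache entry is read with a checked assertion in the new ensureUAMICred helper. Since ensureUAMICred already covers the cached, cold-cache and not-managed-HCP cases, RemoveStorage could call it instead of re-implementing the lookup, which would also remove the divergence where RemoveStorage never creates the credential when the cache is cold; the `return false, err` below is a guess, because RemoveStorage's error handling after `azureclient.New` (the `util.UpdateCondition` call) continues outside the hunk and may need to run first. Separately, `fmt.Errorf("expected cached credential to be azcore.TokenCredential")` in ensureUAMICred drops the `%T` that the removed storageAccountsClient code reported, so `fmt.Errorf("expected cached credential %T to be azcore.TokenCredential", stored)` keeps that diagnostic, and ensureUAMICred reads `MANAGED_AZURE_HCP_CREDENTIALS_FILE_PATH` twice where one `os.Getenv` assigned to a local would do. RemoveStorage begins and ends outside the hunks shown.
```go
clientOptions := &azureclient.Options{
	// … unchanged: Environment … SubscriptionID fields …
}

// Reuse (or lazily create) the managed-HCP identity credential the same way
// newAzClient does; the checked assertion there cannot panic on a bad cache entry.
if cred, ok, err := d.ensureUAMICred(d.Context, environment); err != nil {
	return false, err // confirm against the existing error path below
} else if ok {
	clientOptions.Creds = cred
}

azclient, err := azureclient.New(clientOptions)
```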
