From 806ec9531fba618c9a9f11c398d18386a7951668 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 20 May 2024 16:34:35 +0000 Subject: [PATCH] chore(deps): bump sigs.k8s.io/cloud-provider-azure/pkg/azclient Bumps [sigs.k8s.io/cloud-provider-azure/pkg/azclient](https://github.com/kubernetes-sigs/cloud-provider-azure) from 0.0.19 to 0.0.21. - [Release notes](https://github.com/kubernetes-sigs/cloud-provider-azure/releases) - [Changelog](https://github.com/kubernetes-sigs/cloud-provider-azure/blob/master/docs/release-versioning.md) - [Commits](https://github.com/kubernetes-sigs/cloud-provider-azure/compare/pkg/azclient/v0.0.19...pkg/azclient/v0.0.21) --- updated-dependencies: - dependency-name: sigs.k8s.io/cloud-provider-azure/pkg/azclient dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 4 +- vendor/modules.txt | 2 +- .../azclient/armauth/keyvault_credential.go | 123 +++++++++++++----- .../cloud-provider-azure/pkg/azclient/auth.go | 13 +- .../pkg/azclient/auth_conf.go | 16 ++- 6 files changed, 122 insertions(+), 38 deletions(-) diff --git a/go.mod b/go.mod index ad917d878..4a18a0d14 100644 --- a/go.mod +++ b/go.mod @@ -155,7 +155,7 @@ require ( k8s.io/kubelet v0.29.3 // indirect k8s.io/pod-security-admission v0.29.4 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.28.0 // indirect - sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.0.19 + sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.0.21 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect ) diff --git a/go.sum b/go.sum index 6595aee12..785d8ebbb 100644 --- a/go.sum +++ b/go.sum @@ -467,8 +467,8 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.28.0 h1:TgtAeesdhpm2S sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.28.0/go.mod h1:VHVDI/KrK4fjnV61bE2g3sA7tiETLn8sooImelsCx3Y= sigs.k8s.io/cloud-provider-azure v1.27.1-0.20240418020948-86cfc443b48c h1:jiFjp43Ayaz78K+yK0bVrOVMvQ6QrIW/XTi0r3uAA5g= sigs.k8s.io/cloud-provider-azure v1.27.1-0.20240418020948-86cfc443b48c/go.mod h1:1vNSbzbKZwTZFc/kcVGFpcTjcys3qcRtPT3ZZtmg2WA= -sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.0.19 h1:G0PillnfWBYB26Yqa50ce0oU29aUkP95c3g3kis3CRk= -sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.0.19/go.mod h1:d5hbS2VV55CcaYd2WTKNjpRFgURgjNR18hkxXyo13OQ= +sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.0.21 h1:At0mwzuQFt99g6ZQS9W1ZE6IlkbDTKxhVxZv+IL8qVw= +sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.0.21/go.mod h1:d5hbS2VV55CcaYd2WTKNjpRFgURgjNR18hkxXyo13OQ= sigs.k8s.io/cloud-provider-azure/pkg/azclient/configloader v0.0.11 h1:go/utmfXRoIoj1UXk1PWztK3d0q2P1wOmVpxq/9/62g= sigs.k8s.io/cloud-provider-azure/pkg/azclient/configloader v0.0.11/go.mod h1:e/uOdKMWxnqs6OotausM//0RSoer8kXzy8YI3yVV0mA= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= diff --git a/vendor/modules.txt b/vendor/modules.txt index f47e3287f..b85273b7e 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1620,7 +1620,7 @@ sigs.k8s.io/cloud-provider-azure/pkg/util/string sigs.k8s.io/cloud-provider-azure/pkg/util/taints sigs.k8s.io/cloud-provider-azure/pkg/util/vm sigs.k8s.io/cloud-provider-azure/pkg/version -# sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.0.19 +# sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.0.21 ## explicit; go 1.20 sigs.k8s.io/cloud-provider-azure/pkg/azclient sigs.k8s.io/cloud-provider-azure/pkg/azclient/accountclient diff --git a/vendor/sigs.k8s.io/cloud-provider-azure/pkg/azclient/armauth/keyvault_credential.go b/vendor/sigs.k8s.io/cloud-provider-azure/pkg/azclient/armauth/keyvault_credential.go index 13352d729..5e9ab48fa 100644 --- a/vendor/sigs.k8s.io/cloud-provider-azure/pkg/azclient/armauth/keyvault_credential.go +++ b/vendor/sigs.k8s.io/cloud-provider-azure/pkg/azclient/armauth/keyvault_credential.go @@ -20,17 +20,34 @@ import ( "context" "encoding/json" "fmt" + "sync" "time" "github.com/Azure/azure-sdk-for-go/sdk/azcore" "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" "github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets" + + "sigs.k8s.io/cloud-provider-azure/pkg/azclient/utils" + "sigs.k8s.io/cloud-provider-azure/pkg/azclient/vaultclient" ) +type SecretResourceID struct { + SubscriptionID string + ResourceGroup string + VaultName string + SecretName string +} + +func (s SecretResourceID) String() string { + return fmt.Sprintf("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s/secrets/%s", s.SubscriptionID, s.ResourceGroup, s.VaultName, s.SecretName) +} + type KeyVaultCredential struct { - secretClient *azsecrets.Client - secretPath string + secretClient *azsecrets.Client + vaultURI string + secretResourceID SecretResourceID + mtx sync.RWMutex token *azcore.AccessToken } @@ -41,42 +58,92 @@ type KeyVaultCredentialSecret struct { func NewKeyVaultCredential( msiCredential azcore.TokenCredential, - keyVaultURL string, - secretName string, + secretResourceID SecretResourceID, ) (*KeyVaultCredential, error) { - cli, err := azsecrets.NewClient(keyVaultURL, msiCredential, nil) + ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second) + defer cancel() + + // Get KeyVault URI + var vaultURI string + { + vaultCli, err := vaultclient.New(secretResourceID.SubscriptionID, msiCredential, utils.GetDefaultOption()) + if err != nil { + return nil, fmt.Errorf("create KeyVault client: %w", err) + } + + vault, err := vaultCli.Get(ctx, secretResourceID.ResourceGroup, secretResourceID.VaultName) + if err != nil { + return nil, fmt.Errorf("get vault %s: %w", secretResourceID.VaultName, err) + } + + if vault.Properties == nil || vault.Properties.VaultURI == nil { + return nil, fmt.Errorf("vault uri is nil") + } + vaultURI = *vault.Properties.VaultURI + } + + cli, err := azsecrets.NewClient(vaultURI, msiCredential, nil) if err != nil { - return nil, fmt.Errorf("create KeyVault client: %w", err) + return nil, fmt.Errorf("create secret client: %w", err) } rv := &KeyVaultCredential{ - secretClient: cli, - secretPath: secretName, + secretClient: cli, + mtx: sync.RWMutex{}, + secretResourceID: secretResourceID, } - ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) - defer cancel() - if err := rv.refreshToken(ctx); err != nil { - return nil, fmt.Errorf("refresh token: %w", err) + if _, err := rv.refreshToken(ctx); err != nil { + return nil, fmt.Errorf("refresh token from %s: %w", secretResourceID, err) } return rv, nil } -func (c *KeyVaultCredential) refreshToken(ctx context.Context) error { - const LatestVersion = "" +func (c *KeyVaultCredential) refreshToken(ctx context.Context) (*azcore.AccessToken, error) { + const ( + LatestVersion = "" + RefreshTokenOffset = 5 * time.Minute + ) + + cloneAccessToken := func(token *azcore.AccessToken) *azcore.AccessToken { + return &azcore.AccessToken{ + Token: token.Token, + ExpiresOn: token.ExpiresOn, + } + } - resp, err := c.secretClient.GetSecret(ctx, c.secretPath, LatestVersion, nil) - if err != nil { - return err + { + c.mtx.RLock() + if c.token != nil && c.token.ExpiresOn.Add(RefreshTokenOffset).Before(time.Now()) { + c.mtx.RUnlock() + return cloneAccessToken(c.token), nil + } + c.mtx.RUnlock() } - if resp.Value == nil { - return fmt.Errorf("secret value is nil") + + c.mtx.Lock() + defer c.mtx.Unlock() + + if c.token != nil && c.token.ExpiresOn.Add(RefreshTokenOffset).Before(time.Now()) { + return cloneAccessToken(c.token), nil } var secret KeyVaultCredentialSecret - if err := json.Unmarshal([]byte(*resp.Value), &secret); err != nil { - return fmt.Errorf("unmarshal secret value `%s`: %w", *resp.Value, err) + { + resp, err := c.secretClient.GetSecret(ctx, c.secretResourceID.SecretName, LatestVersion, nil) + if err != nil { + return nil, err + } else if resp.Value == nil { + return nil, fmt.Errorf("secret value is nil") + } + + // Parse secret value + if err := json.Unmarshal([]byte(*resp.Value), &secret); err != nil { + return nil, fmt.Errorf("unmarshal secret value `%s`: %w", *resp.Value, err) + } else if secret.AccessToken == "" { + return nil, fmt.Errorf("access token is empty") + } } c.token = &azcore.AccessToken{ @@ -84,19 +151,15 @@ func (c *KeyVaultCredential) refreshToken(ctx context.Context) error { ExpiresOn: secret.ExpiresOn, } - return nil + // Return a copy of the token to avoid concurrent modification + return cloneAccessToken(c.token), nil } func (c *KeyVaultCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) { - const RefreshTokenOffset = 5 * time.Minute - - if c.token != nil && c.token.ExpiresOn.Add(RefreshTokenOffset).Before(time.Now()) { - return *c.token, nil - } - - if err := c.refreshToken(ctx); err != nil { + token, err := c.refreshToken(ctx) + if err != nil { return azcore.AccessToken{}, fmt.Errorf("refresh token: %w", err) } - return *c.token, nil + return *token, nil } diff --git a/vendor/sigs.k8s.io/cloud-provider-azure/pkg/azclient/auth.go b/vendor/sigs.k8s.io/cloud-provider-azure/pkg/azclient/auth.go index df6316a16..f95464ab2 100644 --- a/vendor/sigs.k8s.io/cloud-provider-azure/pkg/azclient/auth.go +++ b/vendor/sigs.k8s.io/cloud-provider-azure/pkg/azclient/auth.go @@ -22,6 +22,7 @@ import ( "strings" "github.com/Azure/azure-sdk-for-go/sdk/azcore" + "github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud" "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" "github.com/Azure/azure-sdk-for-go/sdk/azidentity" @@ -39,6 +40,8 @@ type AuthProvider struct { NetworkClientSecretCredential azcore.TokenCredential MultiTenantCredential azcore.TokenCredential + + ClientOptions *policy.ClientOptions } func NewAuthProvider(armConfig *ARMClientConfig, config *AzureAuthConfig, clientOptionsMutFn ...func(option *policy.ClientOptions)) (*AuthProvider, error) { @@ -88,8 +91,7 @@ func NewAuthProvider(armConfig *ARMClientConfig, config *AzureAuthConfig, client if config.UseManagedIdentityExtension && config.AuxiliaryTokenProvider != nil && IsMultiTenant(armConfig) { networkTokenCredential, err = armauth.NewKeyVaultCredential( managedIdentityCredential, - config.AuxiliaryTokenProvider.KeyVaultURL, - config.AuxiliaryTokenProvider.SecretName, + config.AuxiliaryTokenProvider.SecretResourceID(), ) if err != nil { return nil, fmt.Errorf("create KeyVaultCredential for auxiliary token provider: %w", err) @@ -172,6 +174,8 @@ func NewAuthProvider(armConfig *ARMClientConfig, config *AzureAuthConfig, client NetworkClientSecretCredential: networkClientSecretCredential, NetworkTokenCredential: networkTokenCredential, MultiTenantCredential: multiTenantCredential, + + ClientOptions: clientOption, }, nil } @@ -210,3 +214,8 @@ func (factory *AuthProvider) GetMultiTenantIdentity() azcore.TokenCredential { func (factory *AuthProvider) IsMultiTenantModeEnabled() bool { return factory.MultiTenantCredential != nil } + +func (factory *AuthProvider) TokenScope() string { + audience := factory.ClientOptions.Cloud.Services[cloud.ResourceManager].Audience + return fmt.Sprintf("https://%s/.default", audience) +} diff --git a/vendor/sigs.k8s.io/cloud-provider-azure/pkg/azclient/auth_conf.go b/vendor/sigs.k8s.io/cloud-provider-azure/pkg/azclient/auth_conf.go index aa7e464f2..09979f4c4 100644 --- a/vendor/sigs.k8s.io/cloud-provider-azure/pkg/azclient/auth_conf.go +++ b/vendor/sigs.k8s.io/cloud-provider-azure/pkg/azclient/auth_conf.go @@ -19,6 +19,7 @@ package azclient import ( "os" + "sigs.k8s.io/cloud-provider-azure/pkg/azclient/armauth" "sigs.k8s.io/cloud-provider-azure/pkg/azclient/utils" ) @@ -48,8 +49,10 @@ type AzureAuthConfig struct { } type AzureAuthAuxiliaryTokenProvider struct { - KeyVaultURL string `json:"keyVaultURL,omitempty" yaml:"keyVaultURL,omitempty"` - SecretName string `json:"secretName" yaml:"secretName"` + SubscriptionID string `json:"subscriptionID,omitempty"` + ResourceGroup string `json:"resourceGroup,omitempty"` + VaultName string `json:"vaultName,omitempty"` + SecretName string `json:"secretName,omitempty"` } func (config *AzureAuthConfig) GetAADClientID() string { @@ -75,3 +78,12 @@ func (config *AzureAuthConfig) GetAzureFederatedTokenFile() (string, bool) { } return config.AADFederatedTokenFile, config.UseFederatedWorkloadIdentityExtension } + +func (config *AzureAuthAuxiliaryTokenProvider) SecretResourceID() armauth.SecretResourceID { + return armauth.SecretResourceID{ + SubscriptionID: config.SubscriptionID, + ResourceGroup: config.ResourceGroup, + VaultName: config.VaultName, + SecretName: config.SecretName, + } +}