-
Notifications
You must be signed in to change notification settings - Fork 1.1k
/
Copy pathazure_keyvault_handler.go
135 lines (106 loc) · 4.32 KB
/
azure_keyvault_handler.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
/*
Copyright 2022 The KEDA Authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package resolver
import (
"context"
"fmt"
"strings"
"github.com/Azure/azure-sdk-for-go/services/keyvault/v7.0/keyvault"
az "github.com/Azure/go-autorest/autorest/azure"
"github.com/Azure/go-autorest/autorest/azure/auth"
"github.com/go-logr/logr"
"sigs.k8s.io/controller-runtime/pkg/client"
kedav1alpha1 "github.com/kedacore/keda/v2/apis/keda/v1alpha1"
"github.com/kedacore/keda/v2/pkg/scalers/azure"
)
type AzureKeyVaultHandler struct {
vault *kedav1alpha1.AzureKeyVault
keyvaultClient *keyvault.BaseClient
podIdentity kedav1alpha1.PodIdentityProvider
}
func NewAzureKeyVaultHandler(v *kedav1alpha1.AzureKeyVault, podIdentity kedav1alpha1.PodIdentityProvider) *AzureKeyVaultHandler {
return &AzureKeyVaultHandler{
vault: v,
podIdentity: podIdentity,
}
}
func (vh *AzureKeyVaultHandler) Initialize(ctx context.Context, client client.Client, logger logr.Logger, triggerNamespace string) error {
keyvaultResourceURL, activeDirectoryEndpoint, err := vh.getPropertiesForCloud()
if err != nil {
return err
}
authConfig, err := vh.getAuthConfig(ctx, client, logger, triggerNamespace, keyvaultResourceURL, activeDirectoryEndpoint)
if err != nil {
return err
}
authorizer, err := authConfig.Authorizer()
if err != nil {
return err
}
keyvaultClient := keyvault.New()
keyvaultClient.Authorizer = authorizer
vh.keyvaultClient = &keyvaultClient
return nil
}
func (vh *AzureKeyVaultHandler) Read(ctx context.Context, secretName string, version string) (string, error) {
result, err := vh.keyvaultClient.GetSecret(ctx, vh.vault.VaultURI, secretName, version)
if err != nil {
return "", err
}
return *result.Value, nil
}
func (vh *AzureKeyVaultHandler) getPropertiesForCloud() (string, string, error) {
cloud := vh.vault.Cloud
if cloud == nil {
return az.PublicCloud.ResourceIdentifiers.KeyVault, az.PublicCloud.ActiveDirectoryEndpoint, nil
}
if strings.EqualFold(cloud.Type, azure.PrivateCloud) {
if cloud.KeyVaultResourceURL == "" || cloud.ActiveDirectoryEndpoint == "" {
err := fmt.Errorf("properties keyVaultResourceURL and activeDirectoryEndpoint must be provided for cloud %s",
azure.PrivateCloud)
return "", "", err
}
return cloud.KeyVaultResourceURL, cloud.ActiveDirectoryEndpoint, nil
}
env, err := az.EnvironmentFromName(cloud.Type)
if err != nil {
return "", "", err
}
return env.ResourceIdentifiers.KeyVault, env.ActiveDirectoryEndpoint, nil
}
func (vh *AzureKeyVaultHandler) getAuthConfig(ctx context.Context, client client.Client, logger logr.Logger,
triggerNamespace, keyVaultResourceURL, activeDirectoryEndpoint string) (auth.AuthorizerConfig, error) {
switch vh.podIdentity {
case "", kedav1alpha1.PodIdentityProviderNone:
clientID := vh.vault.Credentials.ClientID
tenantID := vh.vault.Credentials.TenantID
clientSecretName := vh.vault.Credentials.ClientSecret.ValueFrom.SecretKeyRef.Name
clientSecretKey := vh.vault.Credentials.ClientSecret.ValueFrom.SecretKeyRef.Key
clientSecret := resolveAuthSecret(ctx, client, logger, clientSecretName, triggerNamespace, clientSecretKey)
if clientID == "" || tenantID == "" || clientSecret == "" {
return nil, fmt.Errorf("clientID, tenantID and clientSecret are expected when not using a pod identity provider")
}
config := auth.NewClientCredentialsConfig(clientID, clientSecret, tenantID)
config.Resource = keyVaultResourceURL
config.AADEndpoint = activeDirectoryEndpoint
return config, nil
case kedav1alpha1.PodIdentityProviderAzure:
config := auth.NewMSIConfig()
config.Resource = keyVaultResourceURL
return config, nil
case kedav1alpha1.PodIdentityProviderAzureWorkload:
return azure.NewAzureADWorkloadIdentityConfig(ctx, keyVaultResourceURL), nil
default:
return nil, fmt.Errorf("key vault does not support pod identity provider - %s", vh.podIdentity)
}
}