-
Notifications
You must be signed in to change notification settings - Fork 1.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: Azure AD Workload Identity support for Azure Scalers and Key Va…
…ult (#2907) * Azure AD Workload Identity Support - Azure Service Bus Scaler. Signed-off-by: Vighnesh Shenoy <vshenoy@microsoft.com>
- Loading branch information
Showing
46 changed files
with
942 additions
and
196 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -116,7 +116,6 @@ spec: | |
vaultUri: | ||
type: string | ||
required: | ||
- credentials | ||
- secrets | ||
- vaultUri | ||
type: object | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -115,7 +115,6 @@ spec: | |
vaultUri: | ||
type: string | ||
required: | ||
- credentials | ||
- secrets | ||
- vaultUri | ||
type: object | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -28,3 +28,4 @@ resources: | |
- ../rbac | ||
- ../manager | ||
- ../metrics-server | ||
- ../service_account |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,2 @@ | ||
resources: | ||
- namespace.yaml | ||
- service_account.yaml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
resources: | ||
- service_account.yaml | ||
|
||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization |
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
/* | ||
Copyright 2022 The KEDA Authors | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package azure | ||
|
||
import "time" | ||
|
||
// AADToken is the token from Azure AD | ||
type AADToken struct { | ||
AccessToken string `json:"access_token"` | ||
RefreshToken string `json:"refresh_token"` | ||
ExpiresIn string `json:"expires_in"` | ||
ExpiresOn string `json:"expires_on"` | ||
ExpiresOnTimeObject time.Time `json:"expires_on_object"` | ||
NotBefore string `json:"not_before"` | ||
Resource string `json:"resource"` | ||
TokenType string `json:"token_type"` | ||
GrantedScopes []string `json:"grantedScopes"` | ||
DeclinedScopes []string `json:"DeclinedScopes"` | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,171 @@ | ||
/* | ||
Copyright 2022 The KEDA Authors | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package azure | ||
|
||
import ( | ||
"context" | ||
"fmt" | ||
"os" | ||
"strconv" | ||
"strings" | ||
"time" | ||
|
||
amqpAuth "github.com/Azure/azure-amqp-common-go/v3/auth" | ||
"github.com/Azure/go-autorest/autorest" | ||
"github.com/Azure/go-autorest/autorest/azure/auth" | ||
"github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential" | ||
) | ||
|
||
// Azure AD Workload Identity Webhook will inject the following environment variables. | ||
// * AZURE_CLIENT_ID - Client id set in the service account annotation | ||
// * AZURE_TENANT_ID - Tenant id set in the service account annotation. If not defined, then tenant id provided via | ||
// azure-wi-webhook-config will be used. | ||
// * AZURE_FEDERATED_TOKEN_FILE - Service account token file path | ||
// * AZURE_AUTHORITY_HOST - Azure Active Directory (AAD) endpoint. | ||
const ( | ||
azureClientIDEnv = "AZURE_CLIENT_ID" | ||
azureTenantIDEnv = "AZURE_TENANT_ID" | ||
azureFederatedTokenFileEnv = "AZURE_FEDERATED_TOKEN_FILE" | ||
azureAuthrityHostEnv = "AZURE_AUTHORITY_HOST" | ||
) | ||
|
||
// GetAzureADWorkloadIdentityToken returns the AADToken for resource | ||
func GetAzureADWorkloadIdentityToken(ctx context.Context, resource string) (AADToken, error) { | ||
clientID := os.Getenv(azureClientIDEnv) | ||
tenantID := os.Getenv(azureTenantIDEnv) | ||
tokenFilePath := os.Getenv(azureFederatedTokenFileEnv) | ||
authorityHost := os.Getenv(azureAuthrityHostEnv) | ||
|
||
signedAssertion, err := readJWTFromFileSystem(tokenFilePath) | ||
if err != nil { | ||
return AADToken{}, fmt.Errorf("error reading service account token - %w", err) | ||
} | ||
|
||
cred, err := confidential.NewCredFromAssertion(signedAssertion) | ||
if err != nil { | ||
return AADToken{}, fmt.Errorf("error getting credentials from service account token - %w", err) | ||
} | ||
|
||
authorityOption := confidential.WithAuthority(fmt.Sprintf("%s%s/oauth2/token", authorityHost, tenantID)) | ||
confidentialClient, err := confidential.New( | ||
clientID, | ||
cred, | ||
authorityOption, | ||
) | ||
if err != nil { | ||
return AADToken{}, fmt.Errorf("error creating confidential client - %w", err) | ||
} | ||
|
||
result, err := confidentialClient.AcquireTokenByCredential(ctx, []string{getScopedResource(resource)}) | ||
if err != nil { | ||
return AADToken{}, fmt.Errorf("error acquiring aad token - %w", err) | ||
} | ||
|
||
return AADToken{ | ||
AccessToken: result.AccessToken, | ||
ExpiresOn: strconv.FormatInt(result.ExpiresOn.Unix(), 10), | ||
ExpiresOnTimeObject: result.ExpiresOn, | ||
GrantedScopes: result.GrantedScopes, | ||
DeclinedScopes: result.DeclinedScopes, | ||
}, nil | ||
} | ||
|
||
func readJWTFromFileSystem(tokenFilePath string) (string, error) { | ||
token, err := os.ReadFile(tokenFilePath) | ||
if err != nil { | ||
return "", err | ||
} | ||
return string(token), nil | ||
} | ||
|
||
func getScopedResource(resource string) string { | ||
resource = strings.TrimSuffix(resource, "/") | ||
if !strings.HasSuffix(resource, ".default") { | ||
resource += "/.default" | ||
} | ||
|
||
return resource | ||
} | ||
|
||
type ADWorkloadIdentityConfig struct { | ||
ctx context.Context | ||
Resource string | ||
} | ||
|
||
func NewAzureADWorkloadIdentityConfig(ctx context.Context, resource string) auth.AuthorizerConfig { | ||
return ADWorkloadIdentityConfig{ctx: ctx, Resource: resource} | ||
} | ||
|
||
// Authorizer implements the auth.AuthorizerConfig interface | ||
func (aadWiConfig ADWorkloadIdentityConfig) Authorizer() (autorest.Authorizer, error) { | ||
return autorest.NewBearerAuthorizer(&ADWorkloadIdentityTokenProvider{ctx: aadWiConfig.ctx, Resource: aadWiConfig.Resource}), nil | ||
} | ||
|
||
// ADWorkloadIdentityTokenProvider is a type that implements the adal.OAuthTokenProvider and adal.Refresher interfaces. | ||
// The OAuthTokenProvider interface is used by the BearerAuthorizer to get the token when preparing the HTTP Header. | ||
// The Refresher interface is used by the BearerAuthorizer to refresh the token. | ||
type ADWorkloadIdentityTokenProvider struct { | ||
ctx context.Context | ||
Resource string | ||
aadToken AADToken | ||
} | ||
|
||
func NewADWorkloadIdentityTokenProvider(ctx context.Context, resource string) *ADWorkloadIdentityTokenProvider { | ||
return &ADWorkloadIdentityTokenProvider{ctx: ctx, Resource: resource} | ||
} | ||
|
||
// OAuthToken is for implementing the adal.OAuthTokenProvider interface. It returns the current access token. | ||
func (wiTokenProvider *ADWorkloadIdentityTokenProvider) OAuthToken() string { | ||
return wiTokenProvider.aadToken.AccessToken | ||
} | ||
|
||
// Refresh is for implementing the adal.Refresher interface | ||
func (wiTokenProvider *ADWorkloadIdentityTokenProvider) Refresh() error { | ||
if time.Now().Before(wiTokenProvider.aadToken.ExpiresOnTimeObject) { | ||
return nil | ||
} | ||
|
||
aadToken, err := GetAzureADWorkloadIdentityToken(wiTokenProvider.ctx, wiTokenProvider.Resource) | ||
if err != nil { | ||
return err | ||
} | ||
|
||
wiTokenProvider.aadToken = aadToken | ||
return nil | ||
} | ||
|
||
// RefreshExchange is for implementing the adal.Refresher interface | ||
func (wiTokenProvider *ADWorkloadIdentityTokenProvider) RefreshExchange(resource string) error { | ||
wiTokenProvider.Resource = resource | ||
return wiTokenProvider.Refresh() | ||
} | ||
|
||
// EnsureFresh is for implementing the adal.Refresher interface | ||
func (wiTokenProvider *ADWorkloadIdentityTokenProvider) EnsureFresh() error { | ||
return wiTokenProvider.Refresh() | ||
} | ||
|
||
// GetToken is for implementing the auth.TokenProvider interface | ||
func (wiTokenProvider *ADWorkloadIdentityTokenProvider) GetToken(uri string) (*amqpAuth.Token, error) { | ||
err := wiTokenProvider.Refresh() | ||
if err != nil { | ||
return nil, err | ||
} | ||
|
||
return amqpAuth.NewToken(amqpAuth.CBSTokenTypeJWT, wiTokenProvider.aadToken.AccessToken, | ||
wiTokenProvider.aadToken.ExpiresOn), nil | ||
} |
Oops, something went wrong.