package azure
import (
"context"
"encoding/json"
"net/http"
"github.com/Azure/kubelogin/pkg/token"
"github.com/pkg/errors"
"github.com/spf13/pflag"
"k8s.io/client-go/rest"
)
// Keys of the JSON document stored in the credentials Secret. The document is
// decoded into a flat map[string]string, so every value is expected to be a string.
const (
	// CredentialsKeyClientID is the key holding the service principal's application (client) ID.
	CredentialsKeyClientID = "clientId"
	// CredentialsKeyClientSecret is the key holding the service principal's client secret.
	CredentialsKeyClientSecret = "clientSecret"
	// CredentialsKeyTenantID is the key holding the Azure AD tenant ID.
	CredentialsKeyTenantID = "tenantId"
	// CredentialsKeyClientCert is the optional key holding the client certificate used instead of a secret.
	CredentialsKeyClientCert = "clientCertificate"
	// CredentialsKeyClientCertPass is the optional key holding the password protecting the client certificate.
	CredentialsKeyClientCertPass = "clientCertificatePassword"
)
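// WrapRESTConfig configures rc to authenticate against AKS with an Azure
// service principal instead of the kubelogin exec plugin.
//
// It decodes credentials (the JSON content of the credentials Secret, see the
// CredentialsKey* constants) into a string map, parses the kubelogin flags
// found in rc.ExecProvider.Args to pick up options such as the server ID,
// removes the ExecProvider section, builds a kubelogin token provider and wraps
// rc's transport with a tokenTransport that injects bearer tokens from it.
//
// The context and the trailing string arguments are accepted for interface
// compatibility and are not used. An error is returned when rc has no
// ExecProvider section, when the credentials are not valid JSON, when the
// exec-provider arguments cannot be parsed, or when the token provider cannot
// be built.
func WrapRESTConfig(_ context.Context, rc *rest.Config, credentials []byte, _ ...string) error {
	// The exec-provider arguments are the only source of the kubelogin options,
	// so a config without that section cannot be converted; report it instead
	// of dereferencing a nil pointer below.
	if rc == nil || rc.ExecProvider == nil {
		return errors.New("rest config has no execProvider section to derive azure login options from")
	}

	m := map[string]string{}
	if err := json.Unmarshal(credentials, &m); err != nil {
		// Only the decode error is wrapped; the secret content itself is never
		// included in the returned error.
		return errors.Wrap(err, "could not unmarshal azure credentials")
	}

	fs := pflag.NewFlagSet("kubelogin", pflag.ContinueOnError)
	opts := token.NewOptions()
	opts.AddFlags(fs)
	// opts are filled according to the provided args in the execProvider section of the kubeconfig.
	// We are parsing serverID from here; this will also parse other flags, which will help future
	// integrations with other auth types. See the token.Options struct for the options reference.
	if err := fs.Parse(rc.ExecProvider.Args); err != nil {
		return errors.Wrap(err, "could not parse execProvider arguments in kubeconfig")
	}
	// The exec plugin is replaced by the in-process token transport below.
	rc.ExecProvider = nil

	// TODO: support other login methods like MSI, Workload Identity in the future
	opts.LoginMethod = token.ServicePrincipalLogin
	opts.ClientID = m[CredentialsKeyClientID]
	opts.ClientSecret = m[CredentialsKeyClientSecret]
	opts.TenantID = m[CredentialsKeyTenantID]
	// A client certificate is optional; its password is only meaningful when a certificate is given.
	if cert, ok := m[CredentialsKeyClientCert]; ok {
		opts.ClientCert = cert
		if certpass, ok2 := m[CredentialsKeyClientCertPass]; ok2 {
			opts.ClientCertPassword = certpass
		}
	}

	p, err := token.NewTokenProvider(&opts)
	if err != nil {
		// Keep the underlying cause so a misconfigured credential (missing tenant,
		// bad certificate, ...) is diagnosable by the caller.
		return errors.Wrap(err, "cannot build azure token provider")
	}

	rc.Wrap(func(rt http.RoundTripper) http.RoundTripper {
		return &tokenTransport{Provider: p, Base: rt}
	})
	return nil
}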