[Bug]: OIDC does not work with sovereign clouds. Client/azure.go is missing environment variable in func oidcAuth #743
Comments
Did that fix work for you? I tried it and it didn't fix the issue.
Hmmm, looking at the provider that should work....
It did work for me as it is the match for the other auth types that use the same sdk.
ERIC DEITRICK
Chief Infrastructure Engineer
From: Aaron Aichlmayr ***@***.***>
Sent: Wednesday, June 12, 2024 6:01:35 PM
To: crossplane-contrib/provider-upjet-azure ***@***.***>
Cc: Deitrick, Eric (STC) ***@***.***>; Author ***@***.***>
Subject: [EXTERNAL] Re: [crossplane-contrib/provider-upjet-azure] [Bug]: OIDC does not work with sovereign clouds. Client/azure.go is missing environment variable in func oidcAuth (Issue #743)
Hmmm, looking at the provider that should work....
Looks like my first attempt didn't apply correctly. The fix works.
This provider repo does not have enough maintainers to address every issue. Since there has been no activity in the last 90 days it is now marked as
Is there an existing issue for this?
Affected Resource(s)
internal/clients/azure.go ProviderConfig
Resource MRs required to reproduce the bug
```yaml
---
apiVersion: azure.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: default
spec:
  credentials:
    source: OIDCTokenFile
  msiEndpoint: https://login.microsoftonline.us/<mytenant>/v2.0/.well-known/openid-configuration
  oidcTokenFilePath: /var/run/secrets/azure/tokens/azure-identity-token
  environment: usgovernment
  subscriptionID: <mysubscription>
  tenantID: <mytenant>
  clientID: <myclient>
```
Steps to Reproduce
I have tried using the OIDC token provided by Azure Workload Identity.
What happened?
My resource-group import failed and the provider-family-azure put out a log saying:
AADSTS900382: Confidential Client is not supported in Cross Cloud request
I looked at the code and I noticed that the func oidcAuth section was missing the if statement to check the environment and use the right endpoint, as you are already doing in func spAuth and func msiAuth.
Relevant Error Output Snippet
Crossplane Version
1.15.2
Provider Version
1.1.0
Kubernetes Version
1.28.9
Kubernetes Distribution
AKS US Gov GCC-High
Additional Info
func oidcAuth should look like this: (see added if statement just before return nil)
```go
func oidcAuth(pc *v1beta1.ProviderConfig, ps *terraform.Setup) error {
	if pc.Spec.SubscriptionID == nil || len(*pc.Spec.SubscriptionID) == 0 {
		return errors.New(errSubscriptionIDNotSet)
	}
	if pc.Spec.TenantID == nil || len(*pc.Spec.TenantID) == 0 {
		return errors.New(errTenantIDNotSet)
	}
	if pc.Spec.ClientID == nil || len(*pc.Spec.ClientID) == 0 {
		return errors.New(errClientIDNotSet)
	}
	// OIDC Token File Path defaults to a projected-volume path mounted in the pod
	// running in the AKS cluster, when workload identity is enabled on the pod.
	ps.Configuration[keyOidcTokenFilePath] = defaultOidcTokenFilePath
	if pc.Spec.OidcTokenFilePath != nil {
		ps.Configuration[keyOidcTokenFilePath] = *pc.Spec.OidcTokenFilePath
	}
	ps.Configuration[keySubscriptionID] = *pc.Spec.SubscriptionID
	ps.Configuration[keyTenantID] = *pc.Spec.TenantID
	ps.Configuration[keyClientID] = *pc.Spec.ClientID
	ps.Configuration[keyUseOIDC] = "true"
	// Added: forward the environment so the OIDC token exchange targets the
	// sovereign cloud's endpoint, as spAuth and msiAuth already do.
	if pc.Spec.Environment != nil {
		ps.Configuration[keyEnvironment] = *pc.Spec.Environment
	}
	return nil
}
```
Because of environment restrictions I have an issue trying to test this minor change and I also cannot GPG sign my commits from my work system. Even if I make the change and sign it from my personal computer I don't have a good way to test. This should be a non-breaking change as the constructs are already there.
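The following is an added, stand-alone example (not code from provider-upjet-azure) that reproduces the fixed oidcAuth logic against minimal stand-in types and shows why the missing environment matters: the resulting Terraform configuration is resolved to the Entra ID authority host the OIDC client assertion would be exchanged against. The ProviderConfigSpec and Setup types, the key constants and the sample IDs are assumptions constructed for this example; the configuration key names follow the azurerm provider arguments of the same name, and the host mapping uses the well-known public, US Government and China login endpoints.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Stand-ins for the provider's v1beta1.ProviderConfig and terraform.Setup
// (assumption: only the fields oidcAuth touches are modelled here).
type ProviderConfigSpec struct {
	SubscriptionID    *string
	TenantID          *string
	ClientID          *string
	OidcTokenFilePath *string
	Environment       *string
}

type ProviderConfig struct{ Spec ProviderConfigSpec }

type Setup struct{ Configuration map[string]any }

// Configuration keys named after the azurerm provider arguments they feed
// (assumption: the real constants live in internal/clients/azure.go).
const (
	keySubscriptionID        = "subscription_id"
	keyTenantID              = "tenant_id"
	keyClientID              = "client_id"
	keyOidcTokenFilePath     = "oidc_token_file_path"
	keyUseOIDC               = "use_oidc"
	keyEnvironment           = "environment"
	defaultOidcTokenFilePath = "/var/run/secrets/azure/tokens/azure-identity-token"
)

var (
	errSubscriptionIDNotSet = errors.New("subscription ID not set")
	errTenantIDNotSet       = errors.New("tenant ID not set")
	errClientIDNotSet       = errors.New("client ID not set")
)

func strPtr(s string) *string { return &s }

// oidcAuth reproduces the fixed function from the issue: required IDs are
// validated, the token file path defaults to the workload-identity projected
// volume, and the environment is copied through when set.
func oidcAuth(pc *ProviderConfig, ps *Setup) error {
	if pc.Spec.SubscriptionID == nil || *pc.Spec.SubscriptionID == "" {
		return errSubscriptionIDNotSet
	}
	if pc.Spec.TenantID == nil || *pc.Spec.TenantID == "" {
		return errTenantIDNotSet
	}
	if pc.Spec.ClientID == nil || *pc.Spec.ClientID == "" {
		return errClientIDNotSet
	}
	ps.Configuration[keyOidcTokenFilePath] = defaultOidcTokenFilePath
	if pc.Spec.OidcTokenFilePath != nil {
		ps.Configuration[keyOidcTokenFilePath] = *pc.Spec.OidcTokenFilePath
	}
	ps.Configuration[keySubscriptionID] = *pc.Spec.SubscriptionID
	ps.Configuration[keyTenantID] = *pc.Spec.TenantID
	ps.Configuration[keyClientID] = *pc.Spec.ClientID
	ps.Configuration[keyUseOIDC] = "true"
	// The block the issue adds: without it the SDK falls back to the public
	// cloud authority and a US Gov tenant answers with AADSTS900382.
	if pc.Spec.Environment != nil {
		ps.Configuration[keyEnvironment] = *pc.Spec.Environment
	}
	return nil
}

// authorityHost maps the "environment" value to the Entra ID login host the
// client assertion is exchanged against; unset means the public cloud.
func authorityHost(cfg map[string]any) (string, error) {
	env, _ := cfg[keyEnvironment].(string)
	switch strings.ToLower(env) {
	case "", "public":
		return "login.microsoftonline.com", nil
	case "usgovernment":
		return "login.microsoftonline.us", nil
	case "china":
		return "login.chinacloudapi.cn", nil
	}
	return "", fmt.Errorf("unknown environment %q", env)
}

// configFor runs oidcAuth for a constructed tenant (placeholder IDs) with the
// given environment value and reports the authority host the result targets.
func configFor(env *string) (map[string]any, string, error) {
	pc := &ProviderConfig{Spec: ProviderConfigSpec{
		SubscriptionID: strPtr("00000000-0000-0000-0000-000000000001"),
		TenantID:       strPtr("00000000-0000-0000-0000-000000000002"),
		ClientID:       strPtr("00000000-0000-0000-0000-000000000003"),
		Environment:    env,
	}}
	ps := &Setup{Configuration: map[string]any{}}
	if err := oidcAuth(pc, ps); err != nil {
		return nil, "", err
	}
	host, err := authorityHost(ps.Configuration)
	return ps.Configuration, host, err
}

func main() {
	for _, env := range []*string{nil, strPtr("usgovernment")} {
		cfg, host, err := configFor(env)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("environment=%v -> token exchange against %s\n", cfg[keyEnvironment], host)
	}
}
```

Running it prints the public host for a ProviderConfig with no environment and login.microsoftonline.us once `environment: usgovernment` is forwarded, which is the difference between the cross-cloud rejection in the report and a successful workload-identity exchange.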