Add native Azure Blob support #598
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hiddeco
commented
Mar 1, 2022
pkg/azure/blob.go
Outdated
| // - azblob.SharedKeyCredential when a "accountName" and "accountKey" are | ||
| // found. | ||
| // - Client without credentials. | ||
| func buildServiceClient(obj *sourcev1.Bucket, secret *corev1.Secret) (_ azblob.ServiceClient, err error) { |
There was a problem hiding this comment.
@laozc can you please take a look and see if this does not cover anything your version did?
Reason for this change is that I had a look at the current Azure libraries out there, and this seems to be the one with the brightest future and maintenance expectations. Given this is a new dependency introduction, this has my preference over one we eventually need to replace (or semi-copy/borrow from another project).
There was a problem hiding this comment.
Hi @hiddeco
I'm still verifying this PR in Azure environments.
I think it would be better to use the following order during authentication
- Check for client secret first to use Service Principal password login
- Check for client certificate to use Service Principal certificate login
- Use Client ID with Managed Identity login
- Use Resource ID with Managed Identity login
- Use Storage Account key based auth login
- No auth
This may ensure it works as expected when multiple Managed Identites bound on the same VM node for 3) and 4).
func tokenCredentialFromSecret(secret *corev1.Secret) (azcore.TokenCredential, error) {
tenantID, hasTenantID := secret.Data[tenantIDField]
clientID, hasClientID := secret.Data[clientIDField]
clientSecret, hasClientSecret := secret.Data[clientSecretField]
clientCertificate, hasClientCertificate := secret.Data[clientCertificateField]
clientCertificatePassword, _ := secret.Data[clientCertificatePasswordField]
resourceID, hasResourceID := secret.Data[resourceIDField]
if hasTenantID && hasClientID {
if hasClientSecret && string(clientSecret) != "" {
return azidentity.NewClientSecretCredential(string(tenantID), string(clientID), string(clientSecret), nil)
}
if hasClientCertificate && string(clientCertificate) != "" {
certs, key, err := azidentity.ParseCertificates(clientCertificate, clientCertificatePassword)
if err != nil {
return nil, fmt.Errorf("failed to parse client certificates: %w", err)
}
return azidentity.NewClientCertificateCredential(string(tenantID), string(clientID), certs, key, nil)
}
}
if hasClientID {
return azidentity.NewManagedIdentityCredential(&azidentity.ManagedIdentityCredentialOptions{
ID: azidentity.ClientID(clientID)})
} else if hasResourceID {
return azidentity.NewManagedIdentityCredential(&azidentity.ManagedIdentityCredentialOptions{
ID: azidentity.ResourceID(resourceID)})
}
return nil, nil
}Let me get back to you when I have all these scenarios verified.
There was a problem hiding this comment.
Thanks for the heads up, I will take your suggestions into account and document the reasoning in-code. Please let me know if anything else pops up, and I'll try to address it swiftly.
There was a problem hiding this comment.
I have updated the code to your suggestion, you may also want to provide some input on #598 (review) and #598 (comment).
hiddeco
added
area/bucket
laozc
reviewed
Mar 2, 2022
hiddeco
force-pushed
the
azure-blob-bucket-provider
branch
13 times, most recently
from
8920396
to
c8f22b4
Compare
Co-authored-by: Zhongcheng Lao <Zhongcheng.Lao@microsoft.com> Signed-off-by: Hidde Beydals <hello@hidde.co>
hiddeco
force-pushed
the
azure-blob-bucket-provider
branch
3 times, most recently
from
ccfb4db
to
4434365
Compare
This commit introduces an Azure Blob BucketProvider implementation, capable of fetching from objects from public and private "container" buckets. The supported credential types are: - ManagedIdentity with a `resourceId` Secret data field. - ManagedIdentity with a `clientId` Secret data field. - ClientSecret with `tenantId`, `clientId` and `clientSecret` Secret data fields. - SharedKey with `accountKey` Secret data field, the Account Name is extracted from the endpoint URL specified on the object. If no Secret is provided, the Bucket is assumed to be public. Co-authored-by: Zhongcheng Lao <Zhongcheng.Lao@microsoft.com> Signed-off-by: Hidde Beydals <hello@hidde.co>
Signed-off-by: Hidde Beydals <hello@hidde.co>
This commit allows for a Secret to be configured with `tenantId`, `clientId` and `clientCertificate` data fields (with optionally `clientCertificatePassword`) to authenticate using TLS. Signed-off-by: Hidde Beydals <hello@hidde.co>
hiddeco
force-pushed
the
azure-blob-bucket-provider
branch
2 times, most recently
from
179aa95
to
44a166e
Compare
Tests are configured in such a way that they only run for `main`. Signed-off-by: Hidde Beydals <hello@hidde.co>
hiddeco
force-pushed
the
azure-blob-bucket-provider
branch
from
44a166e
to
d55a759
Compare
|
Integration tests have been disabled again for pull requests after confirmed to be working in: |
hiddeco
force-pushed
the
azure-blob-bucket-provider
branch
2 times, most recently
from
7940044
to
696dcc7
Compare
|
@laozc please see the current state of the PR and let me know if this is acceptable. I will work on updating the tests in the meantime. |
hiddeco
force-pushed
the
azure-blob-bucket-provider
branch
5 times, most recently
from
f3eb2fd
to
166e185
Compare
laozc
reviewed
Mar 8, 2022
hiddeco
force-pushed
the
azure-blob-bucket-provider
branch
2 times, most recently
from
eca70e4
to
7bc42a5
Compare
hiddeco
force-pushed
the
azure-blob-bucket-provider
branch
2 times, most recently
from
1346696
to
ce4e108
Compare
|
@stefanprodan documented in 687af2f |
darkowlzz
reviewed
Mar 8, 2022
- Use octal syntax for permissions. - Fix typo. Signed-off-by: Hidde Beydals <hello@hidde.co>
Based on recommendations from Microsoft, change the order valid authentication options are taken into account. Mainly to ensure it works as expected when multiple Managed Identities are bound on the same VM node. Signed-off-by: Hidde Beydals <hello@hidde.co>
This supports the fields as documented in the AKS documentation: https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal?tabs=azure-cli#manually-create-a-service-principal Signed-off-by: Hidde Beydals <hello@hidde.co>
hiddeco
force-pushed
the
azure-blob-bucket-provider
branch
from
ce4e108
to
61f756f
Compare
- `authorityHost` and `clientCertificateSendChain` can now be set where applicable. - AZ CLI fields have been removed. - Fallback to `ChainedTokenCredential` with `EnvironmentCredential` and `ManagedIdentityCredential` with defaults if no Secret is given. Signed-off-by: Hidde Beydals <hello@hidde.co>
This ensures the Managed Identity authentication works with multiple identities assigned to a single node. Signed-off-by: Hidde Beydals <hello@hidde.co>
hiddeco
force-pushed
the
azure-blob-bucket-provider
branch
from
61f756f
to
ccb65c7
Compare
|
@laozc are you still running tests, or do you think this can be merged as is? |
|
@hiddeco Please go head with the merge. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR introduces an Azure Blob BucketProvider implementation,
capable of fetching objects from public and private "container"
buckets.
The supported credential types are:
tenantId,clientIdandclientSecretSecretdata fields.
tenantId,clientIdandclientSecretSecretdata (with optionally
clientCertificatePassword).clientIdSecret data field.accountKeySecret data field, the account name isextracted from the endpoint URL specified on the object.
AZURE_CLIENT_IDenvironment variable(when available)
If no Secret is provided or the chain can not be established, the
Bucket is assumed to be public.
Successor of #513