feat(azure): Support Azure sovereign cloud environments (#871)

* Support Azure sovereign cloud environments

Support providing Azure Environment-oriented KeyVault endpoints

* Fix style issues

* fix: js types

Signed-off-by: Markus Maga <[email protected]>

* refactor: one liners🤷

Signed-off-by: Markus Maga <[email protected]>

Co-authored-by: Markus Maga <[email protected]>

Author: ericabramov

charts/kubernetes-external-secrets/values.yaml

@@ -32,6 +32,10 @@ env:
   # AWS_SSM_ENDPOINT: http://ssm-fips.us-east-1.amazonaws.com
   # AWS_SM_ENDPOINT: http://secretsmanager-fips.us-east-1.amazonaws.com
 
+  # Use Azure Environment-oriented KeyVault endpoints
+  # AZURE_ENVIRONMENT: AzureUSGovernment
+  # AZURE_KEY_VAULT_DNS_SUFFIX: vault.usgovcloudapi.net
+
 # Create environment variables from existing k8s secrets
 envVarsFromSecret: {}
 #  AWS_ACCESS_KEY_ID:

config/azure-config.js

@@ -1,14 +1,23 @@
 'use strict'
 
-const { DefaultAzureCredential } = require('@azure/identity')
+const { DefaultAzureCredential, AzureAuthorityHosts } = require('@azure/identity')
 // DefaultAzureCredential expects the following three environment variables:
 // - AZURE_TENANT_ID: The tenant ID in Azure Active Directory
 // - AZURE_CLIENT_ID: The application (client) ID registered in the AAD tenant
 // - AZURE_CLIENT_SECRET: The client secret for the registered application
+// An optional environment variable AZURE_ENVIRONMENT may be provided to specify cloud environment
+
+const authorityHostMap = new Map()
+authorityHostMap.set('AzureCloud', AzureAuthorityHosts.AzurePublicCloud)
+authorityHostMap.set('AzureChinaCloud', AzureAuthorityHosts.AzureChina)
+authorityHostMap.set('AzureGermanCloud', AzureAuthorityHosts.AzureGermany)
+authorityHostMap.set('AzureUSGovernment', AzureAuthorityHosts.AzureGovernment)
 
 module.exports = {
   azureKeyVault: () => {
-    const credential = new DefaultAzureCredential()
+    const env = process.env.AZURE_ENVIRONMENT || 'AzureCloud'
+    const host = authorityHostMap.get(env)
+    const credential = new DefaultAzureCredential({ authorityHost: host })
     return credential
   }
 }

lib/backends/azure-keyvault-backend.js

@@ -14,10 +14,11 @@ class AzureKeyVaultBackend extends KVBackend {
   constructor ({ credential, logger }) {
     super({ logger })
     this._credential = credential
+    this._endpointSuffix = process.env.AZURE_KEY_VAULT_DNS_SUFFIX || 'vault.azure.net'
   }
 
   _keyvaultClient ({ keyVaultName }) {
-    const url = `https://${keyVaultName}.vault.azure.net`
+    const url = `https://${keyVaultName}.${this._endpointSuffix}`
     const client = new SecretClient(url, this._credential)
     return client
   }