Merge pull request #5211 from nojnhuh/asoapi-aad

handle Entra auth for ASO API managed clusters

Author: k8s-ci-robot

azure/credential_cache.go

@@ -0,0 +1,162 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package azure
+
+import (
+	"sync"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+)
+
+type credentialCache struct {
+	mut         *sync.Mutex
+	cache       map[credentialCacheKey]azcore.TokenCredential
+	credFactory credentialFactory
+}
+
+type credentialFactory interface {
+	newClientSecretCredential(tenantID string, clientID string, clientSecret string, opts *azidentity.ClientSecretCredentialOptions) (azcore.TokenCredential, error)
+	newClientCertificateCredential(tenantID string, clientID string, clientCertificate []byte, clientCertificatePassword []byte, opts *azidentity.ClientCertificateCredentialOptions) (azcore.TokenCredential, error)
+	newManagedIdentityCredential(opts *azidentity.ManagedIdentityCredentialOptions) (azcore.TokenCredential, error)
+	newWorkloadIdentityCredential(opts *azidentity.WorkloadIdentityCredentialOptions) (azcore.TokenCredential, error)
+}
+
+// CredentialType represents the auth mechanism in use.
+type CredentialType int
+
+const (
+	// CredentialTypeClientSecret is for Service Principals with Client Secrets.
+	CredentialTypeClientSecret CredentialType = iota
+	// CredentialTypeClientCert is for Service Principals with Client certificates.
+	CredentialTypeClientCert
+	// CredentialTypeManagedIdentity is for Managed Identities.
+	CredentialTypeManagedIdentity
+	// CredentialTypeWorkloadIdentity is for Workload Identity.
+	CredentialTypeWorkloadIdentity
+)
+
+type credentialCacheKey struct {
+	authorityHost  string
+	credentialType CredentialType
+	tenantID       string
+	clientID       string
+	secret         string
+}
+
+// NewCredentialCache creates a new, empty CredentialCache.
+func NewCredentialCache() CredentialCache {
+	return &credentialCache{
+		mut:         new(sync.Mutex),
+		cache:       make(map[credentialCacheKey]azcore.TokenCredential),
+		credFactory: azureCredentialFactory{},
+	}
+}
+
+func (c *credentialCache) GetOrStoreClientSecret(tenantID, clientID, clientSecret string, opts *azidentity.ClientSecretCredentialOptions) (azcore.TokenCredential, error) {
+	return c.getOrStore(
+		credentialCacheKey{
+			authorityHost:  opts.Cloud.ActiveDirectoryAuthorityHost,
+			credentialType: CredentialTypeClientSecret,
+			tenantID:       tenantID,
+			clientID:       clientID,
+			secret:         clientSecret,
+		},
+		func() (azcore.TokenCredential, error) {
+			return c.credFactory.newClientSecretCredential(tenantID, clientID, clientSecret, opts)
+		},
+	)
+}
+
+func (c *credentialCache) GetOrStoreClientCert(tenantID, clientID string, cert, certPassword []byte, opts *azidentity.ClientCertificateCredentialOptions) (azcore.TokenCredential, error) {
+	return c.getOrStore(
+		credentialCacheKey{
+			authorityHost:  opts.Cloud.ActiveDirectoryAuthorityHost,
+			credentialType: CredentialTypeClientCert,
+			tenantID:       tenantID,
+			clientID:       clientID,
+			secret:         string(append(cert, certPassword...)),
+		},
+		func() (azcore.TokenCredential, error) {
+			return c.credFactory.newClientCertificateCredential(tenantID, clientID, cert, certPassword, opts)
+		},
+	)
+}
+
+func (c *credentialCache) GetOrStoreManagedIdentity(opts *azidentity.ManagedIdentityCredentialOptions) (azcore.TokenCredential, error) {
+	return c.getOrStore(
+		credentialCacheKey{
+			authorityHost:  opts.Cloud.ActiveDirectoryAuthorityHost,
+			credentialType: CredentialTypeManagedIdentity,
+			// tenantID not used for managed identity
+			clientID: opts.ID.String(),
+		},
+		func() (azcore.TokenCredential, error) {
+			return c.credFactory.newManagedIdentityCredential(opts)
+		},
+	)
+}
+
+func (c *credentialCache) GetOrStoreWorkloadIdentity(opts *azidentity.WorkloadIdentityCredentialOptions) (azcore.TokenCredential, error) {
+	return c.getOrStore(
+		credentialCacheKey{
+			authorityHost:  opts.Cloud.ActiveDirectoryAuthorityHost,
+			credentialType: CredentialTypeWorkloadIdentity,
+			tenantID:       opts.TenantID,
+			clientID:       opts.ClientID,
+		},
+		func() (azcore.TokenCredential, error) {
+			return c.credFactory.newWorkloadIdentityCredential(opts)
+		},
+	)
+}
+
+func (c *credentialCache) getOrStore(key credentialCacheKey, newCredFunc func() (azcore.TokenCredential, error)) (azcore.TokenCredential, error) {
+	c.mut.Lock()
+	defer c.mut.Unlock()
+	if cred, exists := c.cache[key]; exists {
+		return cred, nil
+	}
+	cred, err := newCredFunc()
+	if err != nil {
+		return nil, err
+	}
+	c.cache[key] = cred
+	return cred, nil
+}
+
+type azureCredentialFactory struct{}
+
+func (azureCredentialFactory) newClientSecretCredential(tenantID string, clientID string, clientSecret string, opts *azidentity.ClientSecretCredentialOptions) (azcore.TokenCredential, error) {
+	return azidentity.NewClientSecretCredential(tenantID, clientID, clientSecret, opts)
+}
+
+func (azureCredentialFactory) newClientCertificateCredential(tenantID string, clientID string, clientCertificate []byte, clientCertificatePassword []byte, opts *azidentity.ClientCertificateCredentialOptions) (azcore.TokenCredential, error) {
+	certs, certKey, err := azidentity.ParseCertificates(clientCertificate, clientCertificatePassword)
+	if err != nil {
+		return nil, err
+	}
+	return azidentity.NewClientCertificateCredential(tenantID, clientID, certs, certKey, opts)
+}
+
+func (azureCredentialFactory) newManagedIdentityCredential(opts *azidentity.ManagedIdentityCredentialOptions) (azcore.TokenCredential, error) {
+	return azidentity.NewManagedIdentityCredential(opts)
+}
+
+func (azureCredentialFactory) newWorkloadIdentityCredential(opts *azidentity.WorkloadIdentityCredentialOptions) (azcore.TokenCredential, error) {
+	return azidentity.NewWorkloadIdentityCredential(opts)
+}

azure/credential_cache_test.go

@@ -0,0 +1,101 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package azure
+
+import (
+	"context"
+	"strconv"
+	"sync"
+	"testing"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+	. "github.com/onsi/gomega"
+	"github.com/pkg/errors"
+)
+
+type fakeTokenCredential struct {
+	tenantID string
+}
+
+func (t fakeTokenCredential) GetToken(ctx context.Context, options policy.TokenRequestOptions) (azcore.AccessToken, error) {
+	return azcore.AccessToken{}, nil
+}
+
+func TestGetOrStore(t *testing.T) {
+	g := NewGomegaWithT(t)
+
+	credCache := &credentialCache{
+		mut:   new(sync.Mutex),
+		cache: make(map[credentialCacheKey]azcore.TokenCredential),
+	}
+
+	newCredCount := 0
+	newCredFunc := func(cred fakeTokenCredential, err error) func() (azcore.TokenCredential, error) {
+		return func() (azcore.TokenCredential, error) {
+			newCredCount++
+			return cred, err
+		}
+	}
+
+	// the first call for a new key should invoke newCredFunc
+	cred, err := credCache.getOrStore(credentialCacheKey{tenantID: "1"}, newCredFunc(fakeTokenCredential{tenantID: "1"}, nil))
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(cred).To(Equal(fakeTokenCredential{tenantID: "1"}))
+	g.Expect(newCredCount).To(Equal(1))
+
+	// subsequent calls for the same key should not create a new credential
+	cred, err = credCache.getOrStore(credentialCacheKey{tenantID: "1"}, newCredFunc(fakeTokenCredential{tenantID: "1"}, nil))
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(cred).To(Equal(fakeTokenCredential{tenantID: "1"}))
+	g.Expect(newCredCount).To(Equal(1))
+	cred, err = credCache.getOrStore(credentialCacheKey{tenantID: "1"}, newCredFunc(fakeTokenCredential{tenantID: "1"}, nil))
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(cred).To(Equal(fakeTokenCredential{tenantID: "1"}))
+	g.Expect(newCredCount).To(Equal(1))
+
+	expectedErr := errors.New("an error")
+	cred, err = credCache.getOrStore(credentialCacheKey{tenantID: "2"}, newCredFunc(fakeTokenCredential{tenantID: "2"}, expectedErr))
+	g.Expect(err).To(MatchError(expectedErr))
+	g.Expect(cred).To(BeNil())
+	g.Expect(newCredCount).To(Equal(2))
+}
+
+func TestGetOrStoreRace(t *testing.T) {
+	// This test makes no assertions, it only fails when the race detector finds race conditions.
+
+	credCache := &credentialCache{
+		mut:   new(sync.Mutex),
+		cache: make(map[credentialCacheKey]azcore.TokenCredential),
+	}
+	newCredFunc := func(cred fakeTokenCredential, err error) func() (azcore.TokenCredential, error) {
+		return func() (azcore.TokenCredential, error) {
+			return cred, err
+		}
+	}
+
+	wg := new(sync.WaitGroup)
+	n := 1000
+	for i := 0; i < n; i++ {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			_, _ = credCache.getOrStore(credentialCacheKey{tenantID: strconv.Itoa(i % 100)}, newCredFunc(fakeTokenCredential{}, nil))
+		}()
+	}
+	wg.Wait()
+}

azure/interfaces.go

@@ -21,6 +21,7 @@ import (
 	"time"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/Azure/azure-service-operator/v2/pkg/genruntime"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
@@ -164,3 +165,11 @@ type ASOResourceSpecGetter[T genruntime.MetaObject] interface {
 	// non-ASO-backed CAPZ and should be considered eligible for adoption.
 	WasManaged(T) bool
 }
+
+// CredentialCache caches azcore.TokenCredentials.
+type CredentialCache interface {
+	GetOrStoreClientSecret(tenantID, clientID, clientSecret string, opts *azidentity.ClientSecretCredentialOptions) (azcore.TokenCredential, error)
+	GetOrStoreClientCert(tenantID, clientID string, cert, certPassword []byte, opts *azidentity.ClientCertificateCredentialOptions) (azcore.TokenCredential, error)
+	GetOrStoreManagedIdentity(opts *azidentity.ManagedIdentityCredentialOptions) (azcore.TokenCredential, error)
+	GetOrStoreWorkloadIdentity(opts *azidentity.WorkloadIdentityCredentialOptions) (azcore.TokenCredential, error)
+}