
Commit 369c766

Support certificate-based authentication for Azure
Support certificate-based authentication for Azure Fixes vmware-tanzu#6735 Signed-off-by: Wenkai Yin(尹文开) <[email protected]>
1 parent 6ec1701 commit 369c766


2 files changed

+14
-8
lines changed


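--- a/pkg/util/azure/credential.go
+++ b/pkg/util/azure/credential.go
@@ -81,7 +81,7 @@ type configCredentialOptions struct {
 AdditionallyAllowedTenants []string
 }
 
-// newConfigCredential works same as the azidentity.EnvironmentCredential but reads the credentials from a map
+// newConfigCredential works similar as the azidentity.EnvironmentCredential but reads the credentials from a map
 // rather than environment variables. This is required for Velero to run B/R concurrently
 // https://github.com/Azure/azure-sdk-for-go/blob/sdk/azidentity/v1.3.0/sdk/azidentity/environment_credential.go#L80
 func newConfigCredential(creds map[string]string, options configCredentialOptions) (azcore.TokenCredential, error) {
@@ -102,19 +102,24 @@ func newConfigCredential(creds map[string]string, options configCredentialOption
 })
 }
 
-// certificate
-if certPath := creds[CredentialKeyClientCertificatePath]; certPath != "" {
-certData, err := os.ReadFile(certPath)
-if err != nil {
-return nil, errors.Wrapf(err, "failed to read certificate file %s", certPath)
+// raw certificate or certificate file
+if rawCerts, certsPath := []byte(creds[CredentialKeyClientCertificate]), creds[CredentialKeyClientCertificatePath]; len(rawCerts) > 0 || len(certsPath) > 0 {
+var err error
+// raw certificate isn't specified while certificate path is specified
+if len(rawCerts) == 0 {
+rawCerts, err = os.ReadFile(certsPath)
+if err != nil {
+return nil, errors.Wrapf(err, "failed to read certificate file %s", certsPath)
+}
 }
+
 var password []byte
 if v := creds[CredentialKeyClientCertificatePassword]; v != "" {
 password = []byte(v)
 }
-certs, key, err := azidentity.ParseCertificates(certData, password)
+certs, key, err := azidentity.ParseCertificates(rawCerts, password)
 if err != nil {
-return nil, errors.Wrapf(err, "failed to load certificate from %s", certPath)
+return nil, errors.Wrap(err, "failed to parse certificate")
 }
 o := &azidentity.ClientCertificateCredentialOptions{
 AdditionallyAllowedTenants: options.AdditionallyAllowedTenants,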
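Review bot: In the second hunk the new branch silently prefers an inline AZURE_CLIENT_CERTIFICATE over AZURE_CLIENT_CERTIFICATE_PATH when both keys are set (the path is only read when len(rawCerts) == 0), and neither the branch comment nor the function doc says so, so a misconfigured path would never be noticed; suggest replacing the `// raw certificate isn't specified while certificate path is specified` comment with `// inline certificate takes precedence; the path is only read when no inline certificate is given`. The parse failure also lost its source context: the old message named the file, the new `errors.Wrap(err, "failed to parse certificate")` does not, so when the bytes came from certsPath it is worth keeping that path in the message (and saying "inline" otherwise) so operators can tell which of the two inputs is malformed. If creds is populated from a line-oriented KEY=VALUE file (not visible here), a multi-line PEM value may not survive loading, so the expected encoding of the inline value deserves a comment too. newConfigCredential continues outside the hunk.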

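--- a/pkg/util/azure/util.go
+++ b/pkg/util/azure/util.go
@@ -43,6 +43,7 @@ const (
 CredentialKeyTenantID = "AZURE_TENANT_ID" // #nosec
 CredentialKeyClientID = "AZURE_CLIENT_ID" // #nosec
 CredentialKeyClientSecret = "AZURE_CLIENT_SECRET" // #nosec
+CredentialKeyClientCertificate = "AZURE_CLIENT_CERTIFICATE" // #nosec
 CredentialKeyClientCertificatePath = "AZURE_CLIENT_CERTIFICATE_PATH" // #nosec
 CredentialKeyClientCertificatePassword = "AZURE_CLIENT_CERTIFICATE_PASSWORD" // #nosec
 CredentialKeySendCertChain = "AZURE_CLIENT_SEND_CERTIFICATE_CHAIN" // #nosec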
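Review bot: CredentialKeyClientCertificate carries no comment saying what its value holds, and unlike its siblings it is the one key whose value is the certificate and private key material itself rather than a path or password; the credential.go hunk in this commit passes it as bytes straight to azidentity.ParseCertificates and prefers it over CredentialKeyClientCertificatePath. Suggest `// CredentialKeyClientCertificate holds the certificate (and key) bytes inline; when set it takes precedence over CredentialKeyClientCertificatePath`. The const block starts before and ends after this hunk.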
