Merge pull request #72143 from karataliu/kubectl.aad

Fix aad support in kubectl for sovereign cloud Kubernetes-commit: c3e60b6e1c7bc147740800b7ac52712d55579844
2025-06-23 13:47:19 +00:00 · 2018-12-19 22:04:51 -08:00 · 2018-12-19 22:04:51 -08:00 · dbd11fce0f
commit dbd11fce0f
parent 248a9512b9 ba28f5cc8e
3 changed files with 75 additions and 52 deletions
--- a/Godeps/Godeps.json
+++ b/Godeps/Godeps.json
@ -404,207 +404,207 @@
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/apitesting",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/apitesting/fuzzer",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/apitesting/roundtrip",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/equality",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/errors",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/meta",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/resource",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apis/meta/fuzzer",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apis/meta/internalversion",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apis/meta/v1",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apis/meta/v1beta1",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/conversion",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/conversion/queryparams",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/fields",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/labels",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/schema",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/json",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/protobuf",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/recognizer",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/streaming",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/versioning",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/selection",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/types",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/cache",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/clock",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/diff",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/errors",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/framer",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/httpstream",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/httpstream/spdy",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/intstr",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/json",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/mergepatch",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/naming",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/net",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/remotecommand",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/runtime",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/sets",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/strategicpatch",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/validation",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/validation/field",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/wait",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/yaml",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/version",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/watch",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/third_party/forked/golang/json",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/third_party/forked/golang/netutil",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/third_party/forked/golang/reflect",
-			"Rev": "4d029f0333996cf231080e108e0bd1ece2a94d9f"
+			"Rev": "98853ca904e81a25e2000cae7f077dc30f81b85f"
 		},
 		{
 			"ImportPath": "k8s.io/klog",
--- a/plugin/pkg/client/auth/azure/azure.go
+++ b/plugin/pkg/client/auth/azure/azure.go
@ -145,6 +145,7 @@ func (r *azureRoundTripper) WrappedRoundTripper() http.RoundTripper { return r.r

 type azureToken struct {
 	token       adal.Token
+	environment string
 	clientID    string
 	tenantID    string
 	apiserverID string
@ -219,6 +220,10 @@ func (ts *azureTokenSource) retrieveTokenFromCfg() (*azureToken, error) {
 	if refreshToken == "" {
 		return nil, fmt.Errorf("no refresh token in cfg: %s", cfgRefreshToken)
 	}
+	environment := ts.cfg[cfgEnvironment]
+	if environment == "" {
+		return nil, fmt.Errorf("no environment in cfg: %s", cfgEnvironment)
+	}
 	clientID := ts.cfg[cfgClientID]
 	if clientID == "" {
 		return nil, fmt.Errorf("no client ID in cfg: %s", cfgClientID)
@ -250,6 +255,7 @@ func (ts *azureTokenSource) retrieveTokenFromCfg() (*azureToken, error) {
 			Resource:     fmt.Sprintf("spn:%s", apiserverID),
 			Type:         tokenType,
 		},
+		environment: environment,
 		clientID:    clientID,
 		tenantID:    tenantID,
 		apiserverID: apiserverID,
@ -260,6 +266,7 @@ func (ts *azureTokenSource) storeTokenInCfg(token *azureToken) error {
 	newCfg := make(map[string]string)
 	newCfg[cfgAccessToken] = token.token.AccessToken
 	newCfg[cfgRefreshToken] = token.token.RefreshToken
+	newCfg[cfgEnvironment] = token.environment
 	newCfg[cfgClientID] = token.clientID
 	newCfg[cfgTenantID] = token.tenantID
 	newCfg[cfgApiserverID] = token.apiserverID
@ -275,7 +282,12 @@ func (ts *azureTokenSource) storeTokenInCfg(token *azureToken) error {
 }

 func (ts *azureTokenSource) refreshToken(token *azureToken) (*azureToken, error) {
-	oauthConfig, err := adal.NewOAuthConfig(azure.PublicCloud.ActiveDirectoryEndpoint, token.tenantID)
+	env, err := azure.EnvironmentFromName(token.environment)
+	if err != nil {
+		return nil, err
+	}
+
+	oauthConfig, err := adal.NewOAuthConfig(env.ActiveDirectoryEndpoint, token.tenantID)
 	if err != nil {
 		return nil, fmt.Errorf("building the OAuth configuration for token refresh: %v", err)
 	}
@ -299,6 +311,7 @@ func (ts *azureTokenSource) refreshToken(token *azureToken) (*azureToken, error)

 	return &azureToken{
 		token:       spt.Token(),
+		environment: token.environment,
 		clientID:    token.clientID,
 		tenantID:    token.tenantID,
 		apiserverID: token.apiserverID,
@ -353,6 +366,7 @@ func (ts *azureTokenSourceDeviceCode) Token() (*azureToken, error) {

 	return &azureToken{
 		token:       *token,
+		environment: ts.environment.Name,
 		clientID:    ts.clientID,
 		tenantID:    ts.tenantID,
 		apiserverID: ts.apiserverID,
--- a/plugin/pkg/client/auth/azure/azure_test.go
+++ b/plugin/pkg/client/auth/azure/azure_test.go
@ -53,6 +53,13 @@ func TestAzureTokenSource(t *testing.T) {

 	wantCfg := token2Cfg(token)
 	persistedCfg := persiter.Cache()
+
+	wantCfgLen := len(wantCfg)
+	persistedCfgLen := len(persistedCfg)
+	if wantCfgLen != persistedCfgLen {
+		t.Errorf("wantCfgLen and persistedCfgLen do not match, wantCfgLen=%v, persistedCfgLen=%v", wantCfgLen, persistedCfgLen)
+	}
+
 	for k, v := range persistedCfg {
 		if strings.Compare(v, wantCfg[k]) != 0 {
 			t.Errorf("Token() persisted cfg %s: got %v, want %v", k, v, wantCfg[k])
@ -103,6 +110,7 @@ type fakeTokenSource struct {
 func (ts *fakeTokenSource) Token() (*azureToken, error) {
 	return &azureToken{
 		token:       newFackeAzureToken(ts.accessToken, ts.expiresOn),
+		environment: "testenv",
 		clientID:    "fake",
 		tenantID:    "fake",
 		apiserverID: "fake",
@ -113,6 +121,7 @@ func token2Cfg(token *azureToken) map[string]string {
 	cfg := make(map[string]string)
 	cfg[cfgAccessToken] = token.token.AccessToken
 	cfg[cfgRefreshToken] = token.token.RefreshToken
+	cfg[cfgEnvironment] = token.environment
 	cfg[cfgClientID] = token.clientID
 	cfg[cfgTenantID] = token.tenantID
 	cfg[cfgApiserverID] = token.apiserverID