mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-25 12:43:23 +00:00
Merge pull request #85432 from jadarsie/az-dyn-env
Support Azure Stack dynamic environments
This commit is contained in:
commit
9d048f0768
@ -144,7 +144,7 @@ func (a *acrProvider) loadConfig(rdr io.Reader) error {
|
|||||||
klog.Errorf("Failed to load azure credential file: %v", err)
|
klog.Errorf("Failed to load azure credential file: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
a.environment, err = auth.ParseAzureEnvironment(a.config.Cloud)
|
a.environment, err = auth.ParseAzureEnvironment(a.config.Cloud, a.config.ResourceManagerEndpoint, a.config.IdentitySystem)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -30,11 +30,14 @@ import (
|
|||||||
"k8s.io/klog"
|
"k8s.io/klog"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
// ADFSIdentitySystem is the override value for tenantID on Azure Stack clouds.
|
||||||
|
ADFSIdentitySystem = "adfs"
|
||||||
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
// ErrorNoAuth indicates that no credentials are provided.
|
// ErrorNoAuth indicates that no credentials are provided.
|
||||||
ErrorNoAuth = fmt.Errorf("no credentials provided for Azure cloud provider")
|
ErrorNoAuth = fmt.Errorf("no credentials provided for Azure cloud provider")
|
||||||
// ADFSIdentitySystem indicates value of tenantId for ADFS on Azure Stack.
|
|
||||||
ADFSIdentitySystem = "ADFS"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
// AzureAuthConfig holds auth related part of cloud config
|
// AzureAuthConfig holds auth related part of cloud config
|
||||||
@ -59,15 +62,19 @@ type AzureAuthConfig struct {
|
|||||||
UserAssignedIdentityID string `json:"userAssignedIdentityID,omitempty" yaml:"userAssignedIdentityID,omitempty"`
|
UserAssignedIdentityID string `json:"userAssignedIdentityID,omitempty" yaml:"userAssignedIdentityID,omitempty"`
|
||||||
// The ID of the Azure Subscription that the cluster is deployed in
|
// The ID of the Azure Subscription that the cluster is deployed in
|
||||||
SubscriptionID string `json:"subscriptionId,omitempty" yaml:"subscriptionId,omitempty"`
|
SubscriptionID string `json:"subscriptionId,omitempty" yaml:"subscriptionId,omitempty"`
|
||||||
// Identity system value for the deployment. This gets populate for Azure Stack case.
|
// IdentitySystem indicates the identity provider. Relevant only to hybrid clouds (Azure Stack).
|
||||||
|
// Allowed values are 'azure_ad' (default), 'adfs'.
|
||||||
IdentitySystem string `json:"identitySystem,omitempty" yaml:"identitySystem,omitempty"`
|
IdentitySystem string `json:"identitySystem,omitempty" yaml:"identitySystem,omitempty"`
|
||||||
|
// ResourceManagerEndpoint is the cloud's resource manager endpoint. If set, cloud provider queries this endpoint
|
||||||
|
// in order to generate an autorest.Environment instance instead of using one of the pre-defined Environments.
|
||||||
|
ResourceManagerEndpoint string `json:"resourceManagerEndpoint,omitempty" yaml:"resourceManagerEndpoint,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetServicePrincipalToken creates a new service principal token based on the configuration
|
// GetServicePrincipalToken creates a new service principal token based on the configuration
|
||||||
func GetServicePrincipalToken(config *AzureAuthConfig, env *azure.Environment) (*adal.ServicePrincipalToken, error) {
|
func GetServicePrincipalToken(config *AzureAuthConfig, env *azure.Environment) (*adal.ServicePrincipalToken, error) {
|
||||||
var tenantID string
|
var tenantID string
|
||||||
if strings.EqualFold(config.IdentitySystem, ADFSIdentitySystem) {
|
if strings.EqualFold(config.IdentitySystem, ADFSIdentitySystem) {
|
||||||
tenantID = "adfs"
|
tenantID = ADFSIdentitySystem
|
||||||
} else {
|
} else {
|
||||||
tenantID = config.TenantID
|
tenantID = config.TenantID
|
||||||
}
|
}
|
||||||
@ -125,13 +132,24 @@ func GetServicePrincipalToken(config *AzureAuthConfig, env *azure.Environment) (
|
|||||||
return nil, ErrorNoAuth
|
return nil, ErrorNoAuth
|
||||||
}
|
}
|
||||||
|
|
||||||
// ParseAzureEnvironment returns azure environment by name
|
// ParseAzureEnvironment returns the azure environment.
|
||||||
func ParseAzureEnvironment(cloudName string) (*azure.Environment, error) {
|
// If 'resourceManagerEndpoint' is set, the environment is computed by quering the cloud's resource manager endpoint.
|
||||||
|
// Otherwise, a pre-defined Environment is looked up by name.
|
||||||
|
func ParseAzureEnvironment(cloudName, resourceManagerEndpoint, identitySystem string) (*azure.Environment, error) {
|
||||||
var env azure.Environment
|
var env azure.Environment
|
||||||
var err error
|
var err error
|
||||||
if cloudName == "" {
|
if resourceManagerEndpoint != "" {
|
||||||
|
klog.V(4).Infof("Loading environment from resource manager endpoint: %s", resourceManagerEndpoint)
|
||||||
|
nameOverride := azure.OverrideProperty{Key: azure.EnvironmentName, Value: cloudName}
|
||||||
|
env, err = azure.EnvironmentFromURL(resourceManagerEndpoint, nameOverride)
|
||||||
|
if err == nil {
|
||||||
|
azureStackOverrides(&env, resourceManagerEndpoint, identitySystem)
|
||||||
|
}
|
||||||
|
} else if cloudName == "" {
|
||||||
|
klog.V(4).Info("Using public cloud environment")
|
||||||
env = azure.PublicCloud
|
env = azure.PublicCloud
|
||||||
} else {
|
} else {
|
||||||
|
klog.V(4).Infof("Using %s environment", cloudName)
|
||||||
env, err = azure.EnvironmentFromName(cloudName)
|
env, err = azure.EnvironmentFromName(cloudName)
|
||||||
}
|
}
|
||||||
return &env, err
|
return &env, err
|
||||||
@ -151,3 +169,15 @@ func decodePkcs12(pkcs []byte, password string) (*x509.Certificate, *rsa.Private
|
|||||||
|
|
||||||
return certificate, rsaPrivateKey, nil
|
return certificate, rsaPrivateKey, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// azureStackOverrides ensures that the Environment matches what AKSe currently generates for Azure Stack
|
||||||
|
func azureStackOverrides(env *azure.Environment, resourceManagerEndpoint, identitySystem string) {
|
||||||
|
env.ManagementPortalURL = strings.Replace(resourceManagerEndpoint, "https://management.", "https://portal.", -1)
|
||||||
|
env.ServiceManagementEndpoint = env.TokenAudience
|
||||||
|
env.ResourceManagerVMDNSSuffix = strings.Replace(resourceManagerEndpoint, "https://management.", "cloudapp.", -1)
|
||||||
|
env.ResourceManagerVMDNSSuffix = strings.TrimSuffix(env.ResourceManagerVMDNSSuffix, "/")
|
||||||
|
if strings.EqualFold(identitySystem, ADFSIdentitySystem) {
|
||||||
|
env.ActiveDirectoryEndpoint = strings.TrimSuffix(env.ActiveDirectoryEndpoint, "/")
|
||||||
|
env.ActiveDirectoryEndpoint = strings.TrimSuffix(env.ActiveDirectoryEndpoint, "adfs")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@ -325,7 +325,7 @@ func (az *Cloud) InitializeCloudFromConfig(config *Config, fromSecret bool) erro
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
env, err := auth.ParseAzureEnvironment(config.Cloud)
|
env, err := auth.ParseAzureEnvironment(config.Cloud, config.ResourceManagerEndpoint, config.IdentitySystem)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user