Merge pull request #385 from sunzhaohua2/41827-1

openshift-merge-bot[bot] · web-flow · commit e938398a5373 · 2025-02-26T10:47:26.000Z
OCPBUGS-41827: update injector to support secret as well
diff --git a/cmd/azure-config-credentials-injector/credentials_injector_test.go b/cmd/azure-config-credentials-injector/credentials_injector_test.go
@@ -72,13 +72,13 @@ func Test_mergeCloudConfig(t *testing.T) {
 		{
 			name:           "AZURE_CLIENT_ID not set",
 			args:           []string{"--cloud-config-file-path", inputFile.Name(), "--output-file-path", outputFile.Name()},
-			expectedErrMsg: "AZURE_CLIENT_ID env variable should be set up",
+			expectedErrMsg: "azure_client_id should be set up",
 		},
 		{
 			name:           "AZURE_CLIENT_SECRET not set",
 			args:           []string{"--cloud-config-file-path", inputFile.Name(), "--output-file-path", outputFile.Name()},
 			envVars:        map[string]string{"AZURE_CLIENT_ID": "foo"},
-			expectedErrMsg: "AZURE_CLIENT_SECRET env variable should be set up",
+			expectedErrMsg: "azure_client_secret should be set up",
 		},
 		{
 			name:           "input file content is not a valid json",
@@ -161,19 +161,19 @@ func Test_mergeCloudConfig(t *testing.T) {
 			name:           "should fail, client secret is present while federated token file is present",
 			args:           []string{"--cloud-config-file-path", inputFile.Name(), "--output-file-path", outputFile.Name(), "--disable-identity-extension-auth", "--enable-azure-workload-identity=true"},
 			envVars:        map[string]string{"AZURE_TENANT_ID": "baz", "AZURE_CLIENT_ID": "foo", "AZURE_CLIENT_SECRET": "bar", "AZURE_FEDERATED_TOKEN_FILE": "baz"},
-			expectedErrMsg: "AZURE_CLIENT_SECRET env variable is set while workload identity is enabled using AZURE_FEDERATED_TOKEN_FILE env variable, this should never happen.\nPlease consider reporting a bug: https://issues.redhat.com",
+			expectedErrMsg: "azure_client_secret is set while workload identity is enabled using azure_federated_token_file, this should never happen.\nPlease consider reporting a bug: https://issues.redhat.com",
 		},
 		{
 			name:           "should fail, tenant id missing while federated token file is present",
 			args:           []string{"--cloud-config-file-path", inputFile.Name(), "--output-file-path", outputFile.Name(), "--disable-identity-extension-auth", "--enable-azure-workload-identity=true"},
 			envVars:        map[string]string{"AZURE_CLIENT_ID": "buzz", "AZURE_FEDERATED_TOKEN_FILE": "baz"},
-			expectedErrMsg: "AZURE_TENANT_ID env variable should be set up while workload identity is enabled using AZURE_FEDERATED_TOKEN_FILE env variable, this should never happen.\nPlease consider reporting a bug: https://issues.redhat.com",
+			expectedErrMsg: "azure_tenant_id should be set up while workload identity is enabled using azure_federated_token_file, this should never happen.\nPlease consider reporting a bug: https://issues.redhat.com",
 		},
 		{
 			name:           "should fail, workload identity can't be enabled because federated token missing, expect secret provided",
 			args:           []string{"--cloud-config-file-path", inputFile.Name(), "--output-file-path", outputFile.Name(), "--disable-identity-extension-auth", "--enable-azure-workload-identity=true"},
 			envVars:        map[string]string{"AZURE_TENANT_ID": "bar", "AZURE_CLIENT_ID": "buzz"},
-			expectedErrMsg: "AZURE_CLIENT_SECRET env variable should be set up",
+			expectedErrMsg: "azure_client_secret should be set up",
 		},
 	}
 
diff --git a/cmd/azure-config-credentials-injector/main.go b/cmd/azure-config-credentials-injector/main.go
@@ -37,6 +37,7 @@ var (
 		outputFilePath               string
 		enableWorkloadIdentity       string
 		disableIdentityExtensionAuth bool
+		credentialsPath              string
 	}
 )
 
@@ -47,6 +48,7 @@ func init() {
 	injectorCmd.PersistentFlags().StringVar(&injectorOpts.outputFilePath, "output-file-path", "/tmp/merged-cloud-config/cloud.conf", "Location of the generated cloud config file with injected credentials.")
 	injectorCmd.PersistentFlags().BoolVar(&injectorOpts.disableIdentityExtensionAuth, "disable-identity-extension-auth", false, "Disable managed identity authentication, if it's set in cloudConfig.")
 	injectorCmd.PersistentFlags().StringVar(&injectorOpts.enableWorkloadIdentity, "enable-azure-workload-identity", "false", "Enable workload identity authentication.")
+	injectorCmd.PersistentFlags().StringVar(&injectorOpts.credentialsPath, "creds-path", "/etc/azure/credentials", "Path of the credential file.")
 }
 
 func main() {
@@ -58,6 +60,7 @@ func main() {
 func mergeCloudConfig(_ *cobra.Command, args []string) error {
 	var (
 		azureClientId           string
+		azureClientIdFound      bool
 		tenantId                string
 		tenantIdFound           bool
 		federatedTokenFile      string
@@ -71,30 +74,70 @@ func mergeCloudConfig(_ *cobra.Command, args []string) error {
 		return err
 	}
 
-	azureClientId, found := mustLookupEnvValue(clientIDEnvKey)
-	if !found {
-		return fmt.Errorf("%s env variable should be set up", clientIDEnvKey)
+	// Read credentials from mounted Secret files or environment variables
+	azureClientId, err = readSecretFile(fmt.Sprintf("%s/azure_client_id", injectorOpts.credentialsPath))
+	if err != nil {
+		if os.IsNotExist(err) {
+			// Fallback to environment variable if secret file does not exist
+			azureClientId, azureClientIdFound = mustLookupEnvValue(clientIDEnvKey)
+			if !azureClientIdFound {
+				return fmt.Errorf("azure_client_id should be set up")
+			}
+		} else {
+			return fmt.Errorf("failed to read azure_client_id from secret: %w", err)
+		}
 	}
 
-	// Check for environment variables
-	azureClientSecret, secretFound = mustLookupEnvValue(clientSecretEnvKey)
-	federatedTokenFile, federatedTokenFileFound = mustLookupEnvValue(federatedTokenEnvKey)
-	tenantId, tenantIdFound = mustLookupEnvValue(tenantIDEnvKey)
+	azureClientSecret, err = readSecretFile(fmt.Sprintf("%s/azure_client_secret", injectorOpts.credentialsPath))
+	if err != nil {
+		if os.IsNotExist(err) {
+			// Fallback to environment variable if secret file does not exist
+			azureClientSecret, secretFound = mustLookupEnvValue(clientSecretEnvKey)
+		} else {
+			return fmt.Errorf("failed to read azure_client_secret from secret: %w", err)
+		}
+	} else {
+		secretFound = true
+	}
+
+	tenantId, err = readSecretFile(fmt.Sprintf("%s/azure_tenant_id", injectorOpts.credentialsPath))
+	if err != nil {
+		if os.IsNotExist(err) {
+			// Fallback to environment variable if secret file does not exist
+			tenantId, tenantIdFound = mustLookupEnvValue(tenantIDEnvKey)
+		} else {
+			return fmt.Errorf("failed to read azure_tenant_id from secret: %w", err)
+		}
+	} else {
+		tenantIdFound = true
+	}
+
+	federatedTokenFile, err = readSecretFile(fmt.Sprintf("%s/azure_federated_token_file", injectorOpts.credentialsPath))
+	if err != nil {
+		if os.IsNotExist(err) {
+			// Fallback to environment variable if secret file does not exist
+			federatedTokenFile, federatedTokenFileFound = mustLookupEnvValue(federatedTokenEnvKey)
+		} else {
+			return fmt.Errorf("failed to read azure_federated_token_file from secret: %w", err)
+		}
+	} else {
+		federatedTokenFileFound = true
+	}
 
 	// If federatedTokenFile found, workload identity should be used
 	if federatedTokenFileFound {
 		// azureClientSecret should not be set for workload identity auth, report error when secretFound
 		if secretFound {
-			return fmt.Errorf("%s env variable is set while workload identity is enabled using %s env variable, this should never happen.\nPlease consider reporting a bug: https://issues.redhat.com", clientSecretEnvKey, federatedTokenEnvKey)
+			return fmt.Errorf("azure_client_secret is set while workload identity is enabled using azure_federated_token_file, this should never happen.\nPlease consider reporting a bug: https://issues.redhat.com")
 		}
 		// tenantId is required for workload identity auth, report error when !tenantIdFound
 		if !tenantIdFound {
-			return fmt.Errorf("%s env variable should be set up while workload identity is enabled using %s env variable, this should never happen.\nPlease consider reporting a bug: https://issues.redhat.com", tenantIDEnvKey, federatedTokenEnvKey)
+			return fmt.Errorf("azure_tenant_id should be set up while workload identity is enabled using azure_federated_token_file, this should never happen.\nPlease consider reporting a bug: https://issues.redhat.com")
 		}
 	} else {
 		// federatedTokenFile not found, secret will be required
 		if !secretFound {
-			return fmt.Errorf("%s env variable should be set up", clientSecretEnvKey)
+			return fmt.Errorf("azure_client_secret should be set up")
 		}
 	}
 
@@ -115,6 +158,15 @@ func mergeCloudConfig(_ *cobra.Command, args []string) error {
 	return nil
 }
 
+// Helper function to read a file and return its content as a string
+func readSecretFile(filePath string) (string, error) {
+	data, err := os.ReadFile(filePath)
+	if err != nil {
+		return "", err
+	}
+	return string(data), nil
+}
+
 func readCloudConfig(path string) (map[string]interface{}, error) {
 	var data map[string]interface{}
 
diff --git a/pkg/cloud/azure/assets/cloud-controller-manager-deployment.yaml b/pkg/cloud/azure/assets/cloud-controller-manager-deployment.yaml
@@ -69,7 +69,8 @@ spec:
                 --cloud-config-file-path=/etc/cloud-config/cloud.conf \
                 --output-file-path=/etc/merged-cloud-config/cloud.conf \
                 --disable-identity-extension-auth \
-                --enable-azure-workload-identity=true
+                --enable-azure-workload-identity=true \
+                --creds-path=/etc/azure/credentials
           env:
             - name: AZURE_CLIENT_ID
               valueFrom:
@@ -101,6 +102,9 @@ spec:
               readOnly: true
             - name: merged-cloud-config
               mountPath: /etc/merged-cloud-config
+            - name: cloud-sa-volume
+              mountPath: /etc/azure/credentials
+              readOnly: true
       containers:
         - name: cloud-controller-manager
           image: {{ .images.CloudControllerManager }}
@@ -156,6 +160,9 @@ spec:
             - name: merged-cloud-config
               mountPath: /etc/kubernetes-cloud-config
               readOnly: true
+            - name: cloud-sa-volume
+              readOnly: true
+              mountPath: /etc/azure/credentials
             - name: trusted-ca
               mountPath: /etc/pki/ca-trust/extracted/pem
               readOnly: true
@@ -169,6 +176,9 @@ spec:
             items:
               - key: cloud.conf
                 path: cloud.conf
+        - name: cloud-sa-volume
+          secret:
+            secretName: azure-cloud-credentials
         - name: trusted-ca
           configMap:
             name: ccm-trusted-ca
diff --git a/pkg/cloud/azure/assets/cloud-node-manager-daemonset.yaml b/pkg/cloud/azure/assets/cloud-node-manager-daemonset.yaml
@@ -61,7 +61,8 @@ spec:
                 --cloud-config-file-path=/etc/cloud-config/cloud.conf \
                 --output-file-path=/etc/merged-cloud-config/cloud.conf \
                 --disable-identity-extension-auth \
-                --enable-azure-workload-identity=true
+                --enable-azure-workload-identity=true \
+                --creds-path=/etc/azure/credentials
           env:
             - name: AZURE_CLIENT_ID
               valueFrom:
@@ -93,6 +94,9 @@ spec:
               readOnly: true
             - name: merged-cloud-config
               mountPath: /etc/merged-cloud-config
+            - name: cloud-sa-volume
+              mountPath: /etc/azure/credentials
+              readOnly: true
       containers:
         - name: cloud-node-manager
           image: {{ .images.CloudNodeManager }}
@@ -135,6 +139,9 @@ spec:
               cpu: 50m
               memory: 50Mi
       volumes:
+        - name: cloud-sa-volume
+          secret:
+            secretName: azure-cloud-credentials
         - name: trusted-ca
           configMap:
             name: ccm-trusted-ca
diff --git a/pkg/cloud/azurestack/assets/cloud-controller-manager-deployment.yaml b/pkg/cloud/azurestack/assets/cloud-controller-manager-deployment.yaml
@@ -61,6 +61,7 @@ spec:
           args:
             - --cloud-config-file-path=/tmp/cloud-config/cloud.conf
             - --output-file-path=/tmp/merged-cloud-config/cloud.conf
+            - --creds-path=/etc/azure/credentials
           env:
             - name: AZURE_CLIENT_ID
               valueFrom:
@@ -79,6 +80,9 @@ spec:
               readOnly: true
             - name: cloud-config
               mountPath: /tmp/merged-cloud-config
+            - name: cloud-sa-volume
+              mountPath: /etc/azure/credentials
+              readOnly: true
       containers:
         - name: cloud-controller-manager
           image: {{ .images.CloudControllerManager }}
@@ -148,6 +152,9 @@ spec:
           hostPath:
             path: /etc/kubernetes
             type: Directory
+        - name: cloud-sa-volume
+          secret:
+            secretName: azure-cloud-credentials
         - name: trusted-ca
           configMap:
             name: ccm-trusted-ca
diff --git a/pkg/cloud/azurestack/assets/cloud-node-manager-daemonset.yaml b/pkg/cloud/azurestack/assets/cloud-node-manager-daemonset.yaml
@@ -53,6 +53,7 @@ spec:
           args:
             - --cloud-config-file-path=/tmp/cloud-config/cloud.conf
             - --output-file-path=/tmp/merged-cloud-config/cloud.conf
+            - --creds-path=/etc/azure/credentials
           env:
             - name: AZURE_CLIENT_ID
               valueFrom:
@@ -71,6 +72,9 @@ spec:
               readOnly: true
             - name: cloud-config
               mountPath: /tmp/merged-cloud-config
+            - name: cloud-sa-volume
+              mountPath: /etc/azure/credentials
+              readOnly: true
       containers:
         - name: cloud-node-manager
           image: {{ .images.CloudNodeManager }}
@@ -134,6 +138,9 @@ spec:
                 path: cloud.conf
               - key: endpoints
                 path: endpoints.conf
+        - name: cloud-sa-volume
+          secret:
+            secretName: azure-cloud-credentials
         - name: trusted-ca
           configMap:
             name: ccm-trusted-ca
