-
Notifications
You must be signed in to change notification settings - Fork 49
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: migrate from autorest/adal
to azidentity
#195
base: master
Are you sure you want to change the base?
Conversation
Signed-off-by: Anish Ramasekar <[email protected]>
e05a0b5
to
b245b07
Compare
// { | ||
// desc: "no error with proxy mode", | ||
// config: &config.AzureConfig{ClientID: "clientid", ClientSecret: "clientsecret", TenantID: "tenantid"}, | ||
// vaultName: "testkv", | ||
// keyName: "key1", | ||
// keyVersion: "262067a9e8ba401aa8a746c5f1a7e147", | ||
// proxyMode: true, | ||
// proxyAddress: "localhost", | ||
// proxyPort: 7788, | ||
// expectedVaultURL: "http://localhost:7788/testkv.vault.azure.net/", | ||
// }, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@bingosummer It looks azidentity
expects the authority host to be https. I had to comment this out because it failed the unit test
=== RUN TestNewKeyVaultClient/no_error_with_proxy_mode
/go/src/github.com/Azure/kubernetes-kms/pkg/plugin/keyvault_test.go:135: newKeyVaultClient() failed with error: failed to get key vault token, error: cannot use an authority host without https
I assume it'll fail when proxy is used but let's test this. The test image is aramase/keyvault:azkeys.00
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't hit the error cannot use an authority host without https
, but I hit the following error.
I0109 08:06:14.823988 1 server.go:77] encrypt request started
E0109 08:06:15.063933 1 server.go:80] "failed to encrypt" err="failed to encrypt, error: challenge resource \"https://vault.azure.net\" doesn't match the requested domain. Set DisableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information"
E0109 08:06:15.064069 1 grpc.go:45] "GRPC request error" err="failed to encrypt, error: challenge resource \"https://vault.azure.net\" doesn't match the requested domain. Set DisableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information"
Will test again later about the error cannot use an authority host without https
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When I use SP instead of managed identity, I hit an error:
E0109 11:06:13.954338 1 grpc.go:45] "GRPC request error" err=<
failed to encrypt, error: ClientSecretCredential authentication failed
POST https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/token
--------------------------------------------------------------------------------
RESPONSE 400 Bad Request
--------------------------------------------------------------------------------
{
"error": "invalid_scope",
"error_description": "AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://vault.azure.net openid offline_access profile is not valid.\r\nTrace ID: 75447226-d7f4-45c3-a56c-b844c719ea04\r\nCorrelation ID: 44d79503-6a49-49fc-9efb-ab6bc481c0e9\r\nTimestamp: 2023-01-09 11:06:13Z",
"error_codes": [
70011
],
"timestamp": "2023-01-09 11:06:13Z",
"trace_id": "75447226-d7f4-45c3-a56c-b844c719ea04",
"correlation_id": "44d79503-6a49-49fc-9efb-ab6bc481c0e9"
}
--------------------------------------------------------------------------------
To troubleshoot, visit https://aka.ms/azsdk/go/identity/troubleshoot#client-secret
>
Signed-off-by: Anish Ramasekar [email protected]
Reason for Change:
autorest/adal
toazidentity
github.com/Azure/azure-sdk-for-go/services/keyvault
tosdk/keyvault
Issue Fixed:
fixes #179
fixes #180
Notes for Reviewers: