Skip to content

Commit

Permalink
Merge pull request #5071 from nojnhuh/aks-token-kubeconfig
Browse files Browse the repository at this point in the history
use token from AzureClusterIdentity for AAD-enabled AKS clusters
  • Loading branch information
k8s-ci-robot authored Aug 12, 2024
2 parents a69d8d8 + 8d57f48 commit 160a5c8
Show file tree
Hide file tree
Showing 2 changed files with 5 additions and 90 deletions.
21 changes: 5 additions & 16 deletions azure/services/managedclusters/managedclusters.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ import (
"context"
"fmt"

"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
asocontainerservicev1hub "github.com/Azure/azure-service-operator/v2/api/containerservice/v1api20231001/storage"
"github.com/Azure/azure-service-operator/v2/pkg/genruntime"
"github.com/pkg/errors"
Expand All @@ -29,7 +30,6 @@ import (
infrav1 "sigs.k8s.io/cluster-api-provider-azure/api/v1beta1"
"sigs.k8s.io/cluster-api-provider-azure/azure"
"sigs.k8s.io/cluster-api-provider-azure/azure/services/aso"
"sigs.k8s.io/cluster-api-provider-azure/azure/services/token"
clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
"sigs.k8s.io/cluster-api/util/secret"
"sigs.k8s.io/controller-runtime/pkg/client"
Expand Down Expand Up @@ -148,7 +148,7 @@ func reconcileKubeconfig(ctx context.Context, scope ManagedClusterScope, namespa
}

if scope.AreLocalAccountsDisabled() {
userKubeconfigWithToken, err := getUserKubeConfigWithToken(userKubeConfigData, ctx, scope)
userKubeconfigWithToken, err := getUserKubeConfigWithToken(ctx, userKubeConfigData, scope)
if err != nil {
return nil, nil, errors.Wrap(err, "error while trying to get user kubeconfig with token")
}
Expand Down Expand Up @@ -190,28 +190,17 @@ func getUserKubeconfigData(ctx context.Context, scope ManagedClusterScope, names
}

// getUserKubeConfigWithToken returns the kubeconfig with user token, for capz to create the target cluster.
func getUserKubeConfigWithToken(userKubeConfigData []byte, ctx context.Context, scope azure.Authorizer) ([]byte, error) {
tokenClient, err := token.NewClient(scope)
if err != nil {
return nil, errors.Wrap(err, "error while getting aad token client")
}

token, err := tokenClient.GetAzureActiveDirectoryToken(ctx, aadResourceID)
func getUserKubeConfigWithToken(ctx context.Context, userKubeConfigData []byte, auth azure.Authorizer) ([]byte, error) {
token, err := auth.Token().GetToken(ctx, policy.TokenRequestOptions{Scopes: []string{aadResourceID + "/.default"}})
if err != nil {
return nil, errors.Wrap(err, "error while getting aad token for user kubeconfig")
}

return createUserKubeconfigWithToken(token, userKubeConfigData)
}

// createUserKubeconfigWithToken gets the kubeconfig data for authenticating with target cluster.
func createUserKubeconfigWithToken(token string, userKubeConfigData []byte) ([]byte, error) {
config, err := clientcmd.Load(userKubeConfigData)
if err != nil {
return nil, errors.Wrap(err, "error while trying to unmarshal new user kubeconfig with token")
}
for _, auth := range config.AuthInfos {
auth.Token = token
auth.Token = token.Token
auth.Exec = nil
}
kubeconfig, err := clientcmd.Write(*config)
Expand Down
74 changes: 0 additions & 74 deletions azure/services/token/client.go

This file was deleted.

0 comments on commit 160a5c8

Please sign in to comment.