acr.go 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345
  1. /*
  2. Licensed under the Apache License, Version 2.0 (the "License");
  3. you may not use this file except in compliance with the License.
  4. You may obtain a copy of the License at
  5. http://www.apache.org/licenses/LICENSE-2.0
  6. Unless required by applicable law or agreed to in writing, software
  7. distributed under the License is distributed on an "AS IS" BASIS,
  8. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  9. See the License for the specific language governing permissions and
  10. limitations under the License.
  11. */
  12. package acr
  13. import (
  14. "context"
  15. "errors"
  16. "fmt"
  17. "io/ioutil"
  18. "net/http"
  19. "net/url"
  20. "os"
  21. "strings"
  22. "github.com/Azure/azure-sdk-for-go/sdk/azcore"
  23. "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
  24. "github.com/Azure/azure-sdk-for-go/sdk/azidentity"
  25. "github.com/Azure/go-autorest/autorest/azure"
  26. "k8s.io/client-go/kubernetes"
  27. kcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
  28. ctrlcfg "sigs.k8s.io/controller-runtime/pkg/client/config"
  29. "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
  30. genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
  31. smmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
  32. "github.com/external-secrets/external-secrets/pkg/provider/azure/keyvault"
  33. corev1 "k8s.io/api/core/v1"
  34. apiextensions "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
  35. "k8s.io/apimachinery/pkg/types"
  36. "k8s.io/apimachinery/pkg/util/json"
  37. "sigs.k8s.io/controller-runtime/pkg/client"
  38. )
  39. type Generator struct{}
  40. type TokenGetter interface {
  41. GetToken(ctx context.Context, opts policy.TokenRequestOptions) (*azcore.AccessToken, error)
  42. }
  43. const (
  44. defaultLoginUsername = "00000000-0000-0000-0000-000000000000"
  45. errNoSpec = "no config spec provided"
  46. errParseSpec = "unable to parse spec: %w"
  47. errCreateSess = "unable to create aws session: %w"
  48. errGetToken = "unable to get authorization token: %w"
  49. )
  50. // Generate generates a token that can be used to authenticate against Azure Container Registry.
  51. // First, an Azure Active Directory access token is obtained with the desired authentication method.
  52. // This AAD access token will be used to authenticate against ACR.
  53. // Depending on the generator spec it generates an ACR access token or an ACR refresh token.
  54. // * access tokens are scoped to a specific repository or action (pull,push)
  55. // * refresh tokens can are scoped to whatever policy is attached to the identity that creates the acr refresh token
  56. // details can be found here: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
  57. func (g *Generator) Generate(ctx context.Context, jsonSpec *apiextensions.JSON, crClient client.Client, namespace string) (map[string][]byte, error) {
  58. if jsonSpec == nil {
  59. return nil, fmt.Errorf(errNoSpec)
  60. }
  61. res, err := parseSpec(jsonSpec.Raw)
  62. if err != nil {
  63. return nil, fmt.Errorf(errParseSpec, err)
  64. }
  65. cfg, err := ctrlcfg.GetConfig()
  66. if err != nil {
  67. return nil, err
  68. }
  69. kubeClient, err := kubernetes.NewForConfig(cfg)
  70. if err != nil {
  71. return nil, err
  72. }
  73. var accessToken string
  74. // pick authentication strategy to create an AAD access token
  75. if res.Spec.Auth.ServicePrincipal != nil {
  76. accessToken, err = accessTokenForServicePrincipal(
  77. ctx,
  78. crClient,
  79. namespace,
  80. res.Spec.EnvironmentType,
  81. res.Spec.TenantID,
  82. res.Spec.Auth.ServicePrincipal.SecretRef.ClientID,
  83. res.Spec.Auth.ServicePrincipal.SecretRef.ClientSecret,
  84. )
  85. } else if res.Spec.Auth.ManagedIdentity != nil {
  86. accessToken, err = accessTokenForManagedIdentity(
  87. ctx,
  88. res.Spec.EnvironmentType,
  89. res.Spec.Auth.ManagedIdentity.IdentityID,
  90. )
  91. } else if res.Spec.Auth.WorkloadIdentity != nil {
  92. accessToken, err = accessTokenForWorkloadIdentity(
  93. ctx,
  94. crClient,
  95. kubeClient.CoreV1(),
  96. res.Spec.ACRRegistry,
  97. res.Spec.EnvironmentType,
  98. res.Spec.Auth.WorkloadIdentity.ServiceAccountRef,
  99. namespace,
  100. )
  101. }
  102. if err != nil {
  103. return nil, err
  104. }
  105. var acrToken string
  106. acrToken, err = fetchACRRefreshToken(accessToken, res.Spec.TenantID, res.Spec.ACRRegistry)
  107. if err != nil {
  108. return nil, err
  109. }
  110. if res.Spec.Scope != "" {
  111. acrToken, err = fetchACRAccessToken(acrToken, res.Spec.TenantID, res.Spec.ACRRegistry, res.Spec.Scope)
  112. if err != nil {
  113. return nil, err
  114. }
  115. }
  116. return map[string][]byte{
  117. "username": []byte(defaultLoginUsername),
  118. "password": []byte(acrToken),
  119. }, nil
  120. }
  121. func fetchACRAccessToken(acrRefreshToken, tenantID, registryURL, scope string) (string, error) {
  122. formData := url.Values{
  123. "grant_type": {"refresh_token"},
  124. "service": {registryURL},
  125. "scope": {scope},
  126. "refresh_token": {acrRefreshToken},
  127. }
  128. res, err := http.PostForm(fmt.Sprintf("https://%s/oauth2/token", registryURL), formData)
  129. if err != nil {
  130. return "", err
  131. }
  132. if res.StatusCode != http.StatusOK {
  133. return "", fmt.Errorf("unexpected status code: %d", res.StatusCode)
  134. }
  135. body, err := ioutil.ReadAll(res.Body)
  136. if err != nil {
  137. return "", err
  138. }
  139. var payload map[string]string
  140. err = json.Unmarshal(body, &payload)
  141. if err != nil {
  142. return "", err
  143. }
  144. accessToken, ok := payload["access_token"]
  145. if !ok {
  146. return "", fmt.Errorf("unable to get token")
  147. }
  148. return accessToken, nil
  149. }
  150. func fetchACRRefreshToken(aadAccessToken, tenantID, registryURL string) (string, error) {
  151. // https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
  152. // https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli
  153. formData := url.Values{
  154. "grant_type": {"access_token"},
  155. "service": {registryURL},
  156. "tenant": {tenantID},
  157. "access_token": {aadAccessToken},
  158. }
  159. res, err := http.PostForm(fmt.Sprintf("https://%s/oauth2/exchange", registryURL), formData)
  160. if err != nil {
  161. return "", err
  162. }
  163. if res.StatusCode != http.StatusOK {
  164. return "", fmt.Errorf("unexpected status code %d, expected %d", res.StatusCode, http.StatusOK)
  165. }
  166. body, err := ioutil.ReadAll(res.Body)
  167. if err != nil {
  168. return "", err
  169. }
  170. var payload map[string]string
  171. err = json.Unmarshal(body, &payload)
  172. if err != nil {
  173. return "", err
  174. }
  175. refreshToken, ok := payload["refresh_token"]
  176. if !ok {
  177. return "", fmt.Errorf("unable to get token")
  178. }
  179. return refreshToken, nil
  180. }
  181. func accessTokenForWorkloadIdentity(ctx context.Context, crClient client.Client, kubeClient kcorev1.CoreV1Interface, acrRegistry string, envType v1beta1.AzureEnvironmentType, serviceAccountRef *smmeta.ServiceAccountSelector, namespace string) (string, error) {
  182. aadEndpoint := keyvault.AadEndpointForType(envType)
  183. if !strings.HasSuffix(acrRegistry, "/") {
  184. acrRegistry += "/"
  185. }
  186. acrResource := fmt.Sprintf("https://%s/.default", acrRegistry)
  187. // if no serviceAccountRef was provided
  188. // we expect certain env vars to be present.
  189. // They are set by the azure workload identity webhook.
  190. if serviceAccountRef == nil {
  191. clientID := os.Getenv("AZURE_CLIENT_ID")
  192. tenantID := os.Getenv("AZURE_TENANT_ID")
  193. tokenFilePath := os.Getenv("AZURE_FEDERATED_TOKEN_FILE")
  194. if clientID == "" || tenantID == "" || tokenFilePath == "" {
  195. return "", errors.New("missing environment variables")
  196. }
  197. token, err := os.ReadFile(tokenFilePath)
  198. if err != nil {
  199. return "", fmt.Errorf("unable to read token file %s: %w", tokenFilePath, err)
  200. }
  201. tp, err := keyvault.NewTokenProvider(ctx, string(token), clientID, tenantID, aadEndpoint, acrResource)
  202. if err != nil {
  203. return "", err
  204. }
  205. return tp.OAuthToken(), nil
  206. }
  207. var sa corev1.ServiceAccount
  208. err := crClient.Get(ctx, types.NamespacedName{
  209. Name: serviceAccountRef.Name,
  210. Namespace: namespace,
  211. }, &sa)
  212. if err != nil {
  213. return "", err
  214. }
  215. clientID, ok := sa.ObjectMeta.Annotations[keyvault.AnnotationClientID]
  216. if !ok {
  217. return "", fmt.Errorf("service account is missing annoation: %s", keyvault.AnnotationClientID)
  218. }
  219. tenantID, ok := sa.ObjectMeta.Annotations[keyvault.AnnotationTenantID]
  220. if !ok {
  221. return "", fmt.Errorf("service account is missing annotation: %s", keyvault.AnnotationTenantID)
  222. }
  223. audiences := []string{keyvault.AzureDefaultAudience}
  224. if len(serviceAccountRef.Audiences) > 0 {
  225. audiences = append(audiences, serviceAccountRef.Audiences...)
  226. }
  227. token, err := keyvault.FetchSAToken(ctx, namespace, serviceAccountRef.Name, audiences, kubeClient)
  228. if err != nil {
  229. return "", err
  230. }
  231. tp, err := keyvault.NewTokenProvider(ctx, token, clientID, tenantID, aadEndpoint, acrResource)
  232. if err != nil {
  233. return "", err
  234. }
  235. return tp.OAuthToken(), nil
  236. }
  237. func accessTokenForManagedIdentity(ctx context.Context, envType v1beta1.AzureEnvironmentType, identityID string) (string, error) {
  238. // handle workload identity
  239. creds, err := azidentity.NewManagedIdentityCredential(
  240. &azidentity.ManagedIdentityCredentialOptions{
  241. ID: azidentity.ResourceID(identityID),
  242. },
  243. )
  244. if err != nil {
  245. return "", err
  246. }
  247. aud := audienceForType(envType)
  248. accessToken, err := creds.GetToken(ctx, policy.TokenRequestOptions{
  249. Scopes: []string{aud},
  250. })
  251. if err != nil {
  252. return "", err
  253. }
  254. return accessToken.Token, nil
  255. }
  256. func accessTokenForServicePrincipal(ctx context.Context, crClient client.Client, namespace string, envType v1beta1.AzureEnvironmentType, tenantID string, idRef, secretRef smmeta.SecretKeySelector) (string, error) {
  257. cid, err := secretKeyRef(ctx, crClient, namespace, idRef)
  258. if err != nil {
  259. return "", err
  260. }
  261. csec, err := secretKeyRef(ctx, crClient, namespace, secretRef)
  262. if err != nil {
  263. return "", err
  264. }
  265. aadEndpoint := keyvault.AadEndpointForType(envType)
  266. creds, err := azidentity.NewClientSecretCredential(
  267. tenantID,
  268. cid,
  269. csec,
  270. &azidentity.ClientSecretCredentialOptions{
  271. AuthorityHost: azidentity.AuthorityHost(aadEndpoint),
  272. })
  273. if err != nil {
  274. return "", err
  275. }
  276. aud := audienceForType(envType)
  277. accessToken, err := creds.GetToken(ctx, policy.TokenRequestOptions{
  278. Scopes: []string{aud},
  279. })
  280. if err != nil {
  281. return "", err
  282. }
  283. return accessToken.Token, nil
  284. }
  285. // secretKeyRef fetches a secret key.
  286. func secretKeyRef(ctx context.Context, crClient client.Client, namespace string, secretRef smmeta.SecretKeySelector) (string, error) {
  287. var secret corev1.Secret
  288. ref := types.NamespacedName{
  289. Namespace: namespace,
  290. Name: secretRef.Name,
  291. }
  292. err := crClient.Get(ctx, ref, &secret)
  293. if err != nil {
  294. return "", fmt.Errorf("unable to find namespace=%q secret=%q %w", ref.Namespace, ref.Name, err)
  295. }
  296. keyBytes, ok := secret.Data[secretRef.Key]
  297. if !ok {
  298. return "", fmt.Errorf("unable to find key=%q secret=%q namespace=%q", secretRef.Key, secretRef.Name, namespace)
  299. }
  300. value := strings.TrimSpace(string(keyBytes))
  301. return value, nil
  302. }
  303. func audienceForType(t v1beta1.AzureEnvironmentType) string {
  304. suffix := ".default"
  305. switch t {
  306. case v1beta1.AzureEnvironmentChinaCloud:
  307. return azure.ChinaCloud.TokenAudience + suffix
  308. case v1beta1.AzureEnvironmentGermanCloud:
  309. return azure.GermanCloud.TokenAudience + suffix
  310. case v1beta1.AzureEnvironmentUSGovernmentCloud:
  311. return azure.USGovernmentCloud.TokenAudience + suffix
  312. }
  313. return azure.PublicCloud.TokenAudience + suffix
  314. }
  315. func parseSpec(data []byte) (*genv1alpha1.ACRAccessToken, error) {
  316. var spec genv1alpha1.ACRAccessToken
  317. err := json.Unmarshal(data, &spec)
  318. return &spec, err
  319. }
  320. func init() {
  321. genv1alpha1.Register(genv1alpha1.ACRAccessTokenKind, &Generator{})
  322. }