add support for Upbound auth
Signed-off-by: Erhan Cagirici <[email protected]>
erhancagirici committed Nov 1, 2024
1 parent d04c5d6 commit 33d60a7
Showing 3 changed files with 20 additions and 1 deletion.
2 changes: 1 addition & 1 deletion apis/v1beta1/types.go
Expand Up @@ -48,7 +48,7 @@ type ProviderConfigSpec struct {
// ProviderCredentials required to authenticate.
type ProviderCredentials struct {
// Source of the provider credentials.
// +kubebuilder:validation:Enum=None;Secret;InjectedIdentity;Environment;Filesystem;UserAssignedManagedIdentity;SystemAssignedManagedIdentity;OIDCTokenFile
// +kubebuilder:validation:Enum=None;Secret;InjectedIdentity;Environment;Filesystem;UserAssignedManagedIdentity;SystemAssignedManagedIdentity;OIDCTokenFile;Upbound
Source xpv1.CredentialsSource `json:"source"`

xpv1.CommonCredentialSelectors `json:",inline"`
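Review bot: The doc comment on `Source` at the top of the hunk still reads only `// Source of the provider credentials.` and does not tell users what the new `Upbound` enumerator requires, even though this comment becomes the CRD field description. Elsewhere in this commit (`upboundAuth` in internal/clients/azuread.go) the Upbound path refuses to proceed unless `tenantID` and `clientID` are set and points the azuread Terraform provider at the projected token `/var/run/secrets/upbound.io/provider/token`, so that is what the field should say. Suggested wording: `// Source of the provider credentials. Upbound uses the projected Upbound provider identity token at /var/run/secrets/upbound.io/provider/token as the OIDC token file and requires tenantID and clientID to be set.` The ProviderCredentials struct continues past the end of the hunk.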
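--- a/internal/clients/azuread.go
+++ b/internal/clients/azuread.go
@@ -52,12 +52,15 @@ const (
 keyUseOIDC = "use_oidc"
 // Default OidcTokenFilePath
 defaultOidcTokenFilePath = "/var/run/secrets/azure/tokens/azure-identity-token"
+// Upbound Auth OidcTokenFilePath
+upboundProviderIdentityTokenFile = "/var/run/secrets/upbound.io/provider/token"
 )
 
 var (
 credentialsSourceUserAssignedManagedIdentity xpv1.CredentialsSource = "UserAssignedManagedIdentity"
 credentialsSourceSystemAssignedManagedIdentity xpv1.CredentialsSource = "SystemAssignedManagedIdentity"
 credentialsSourceOIDCTokenFile xpv1.CredentialsSource = "OIDCTokenFile"
+credentialsSourceUpbound xpv1.CredentialsSource = "Upbound"
 )
 
 // TerraformSetupBuilder returns Terraform setup with provider specific
@@ -91,6 +94,8 @@ func TerraformSetupBuilder(tfProvider *schema.Provider) terraform.SetupFn { //no
 err = msiAuth(pc, &ps)
 case credentialsSourceOIDCTokenFile:
 err = oidcAuth(pc, &ps)
+case credentialsSourceUpbound:
+err = upboundAuth(pc, &ps)
 default:
 err = spAuth(ctx, pc, &ps, client)
 }
@@ -179,5 +184,18 @@ func oidcAuth(pc *v1beta1.ProviderConfig, ps *terraform.Setup) error {
 ps.Configuration[keyClientID] = *pc.Spec.ClientID
 ps.Configuration[keyUseOIDC] = "true"
 return nil
 }
 
+func upboundAuth(pc *v1beta1.ProviderConfig, ps *terraform.Setup) error {
+if pc.Spec.TenantID == nil || len(*pc.Spec.TenantID) == 0 {
+return errors.New(errTenantIDNotSet)
+}
+if pc.Spec.ClientID == nil || len(*pc.Spec.ClientID) == 0 {
+return errors.New(errClientIDNotSet)
+}
+ps.Configuration[keyOidcTokenFilePath] = upboundProviderIdentityTokenFile
+ps.Configuration[keyTenantID] = *pc.Spec.TenantID
+ps.Configuration[keyClientID] = *pc.Spec.ClientID
+ps.Configuration[keyUseOIDC] = "true"
+return nil
+}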
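Review bot: `upboundAuth` in the last hunk pins `oidc_token_file_path` to `/var/run/secrets/upbound.io/provider/token` without checking that the projected token is actually present, so a ProviderConfig with `source: Upbound` on a pod that has no Upbound identity token only fails later inside the Terraform azuread provider with a less actionable error; a pre-flight `os.Stat` on the path surfaces the misconfiguration at setup time (this needs `os` imported, and `errors.Wrap` presumes `errors` is the crossplane-runtime package — use `fmt.Errorf` with `%w` if it is the standard one). The function is otherwise a copy of the tail of `oidcAuth` (whose body starts outside the hunk), so any future change to the tenantID/clientID validation has to be made twice; consider having both call one helper that takes the token path as a parameter. The comment on `upboundProviderIdentityTokenFile` in the first hunk should also say what the file is rather than repeat the key name, e.g. `// upboundProviderIdentityTokenFile is the projected Upbound provider identity token used as the OIDC token file when source is Upbound.`
```go
// upboundAuth configures the azuread Terraform provider to authenticate via
// OIDC using the projected Upbound provider identity token. tenantID and
// clientID must be set on the ProviderConfig.
func upboundAuth(pc *v1beta1.ProviderConfig, ps *terraform.Setup) error {
	// … unchanged: tenantID / clientID presence checks …
	// Fail fast with a clear error instead of letting the Terraform provider
	// fail later when the projected token is absent (e.g. not running on Upbound).
	if _, err := os.Stat(upboundProviderIdentityTokenFile); err != nil {
		return errors.Wrap(err, "cannot access upbound provider identity token file")
	}
	// … unchanged: ps.Configuration assignments and return nil …
}
```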
1 change: 1 addition & 0 deletions package/crds/azuread.upbound.io_providerconfigs.yaml
Expand Up @@ -114,6 +114,7 @@ spec:
- UserAssignedManagedIdentity
- SystemAssignedManagedIdentity
- OIDCTokenFile
- Upbound
type: string
required:
- source
