Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

migrate from adal to azidentity #83

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

sp98
Copy link

@sp98 sp98 commented Feb 15, 2024

adal is out of support since March 31, 2023.
This PR migrates from adal to azidentity for azure key vault.
Migration guide was used as a reference.

What this PR does / why we need it:

Which issue(s) this PR fixes (optional)
Closes #84

Special notes for your reviewer:

@sp98 sp98 changed the title migrate from adal to azidentity [WIP] migrate from adal to azidentity Feb 15, 2024
@sp98 sp98 force-pushed the use-azidentity branch 2 times, most recently from b0d2f1d to b33f0b1 Compare February 20, 2024 07:24
@sp98 sp98 changed the title [WIP] migrate from adal to azidentity migrate from adal to azidentity Feb 20, 2024
@sp98 sp98 changed the title migrate from adal to azidentity [WIP]migrate from adal to azidentity Feb 20, 2024
@sp98 sp98 force-pushed the use-azidentity branch 3 times, most recently from 3c002ec to a202e93 Compare March 4, 2024 10:59
@sp98 sp98 changed the title [WIP]migrate from adal to azidentity migrate from adal to azidentity Mar 4, 2024
@sp98
Copy link
Author

sp98 commented Mar 4, 2024

@dahuang-purestorage Hi, can you please take a look at this PR. The change to support certificates based auth was very small to included in the same PR. If you want, I can open a different PR for that as well. Thanks.

cc @adityadani

azure/azure_kv.go Outdated Show resolved Hide resolved
Comment on lines 240 to 249
if strings.EqualFold(cloudEnv, "AzureUSGovernment") {
opts.Cloud = cloud.AzureGovernment
} else if strings.EqualFold(cloudEnv, "AzureChinaCloud") {
opts.Cloud = cloud.AzureChina
} else {
opts.Cloud = cloud.AzurePublic
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to do this? Can we not pass a user-defined string to the libopenstorage/secrets lib here so that Rook doesn't need to do custom processing?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The current version in the master is using this. So if we don't do this it might be a breaking change for users.

I'll check again if we really need this or not.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we can add this logic or these "AzureUSGovernment"/"AzureChinaCloud" strings to the libopenstorage library. But in general, I am concerned about hard coding these values.

It's entirely possible and reasonable that Azure might add other clouds like "AzureEuropeCloud", "AzureRussiaCloud", or any other reasonably big use-case where data security needs to be different from other clouds, and if we force any unrecognized option to use the public cloud, those users might be broken. It seems best to me just to pass in the value given to Rook into the lib without trying to validate it.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was using AzurePublicCloud for any unrecognized option. That's wrong. I've updated to use only AzurePublicCloud only if the user has set it or if user does not provide an option.

Copy link
Author

@sp98 sp98 Mar 6, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems best to me just to pass in the value given to Rook into the lib without trying to validate it.

I think this would result in breaking changes to the users already using this library. Because they are only expected to provide the AZURE_ENVIRONMENT (string) and then libopenshift/secrets finds out the exact environment based on the AZURE_ENVIRONMENT

@sp98 sp98 force-pushed the use-azidentity branch 3 times, most recently from 8f7772b to 5a08606 Compare March 7, 2024 06:14
@@ -109,7 +132,7 @@ func (az *azureSecrets) GetSecret(
return nil, secrets.NoVersion, err
}

secretResp, ok := resp.(keyvault.SecretBundle)
secretResp, ok := resp.(azsecrets.GetSecretResponse)
Copy link

@iPraveenParihar iPraveenParihar Mar 8, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Azure now returns secret version.
can we return version as well?

secretResp.ID.Version()

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No other KMS in the library is returning the version currently. So I think for now, we can keep it as it is and revisit this later.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AWS Secrets Manager returns the version.The only reason all providers have not been updated to return the version is lack of bandwidth to check and test if each one of them If we are modifying this provider and you are able to verify its correctness we can modify it

azure/azure_kv.go Outdated Show resolved Hide resolved
adal is is out of support since March 31, 2023.
This PR migrates from adal to azidentity for azure
key vault

Signed-off-by: sp98 <sapillai@redhat.com>
Copy link
Collaborator

@adityadani adityadani left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you post the output of your azure_integration_tests.go results here?

// don't retry if the secret key was not found
responseError, ok := err.(*azcore.ResponseError)
if ok && responseError.StatusCode == 404 {
return nil, false, secrets.ErrSecretNotFound
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you return this error instead. - ErrInvalidSecretId since all the other providers are returning it when a secret is not found.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@adityadani Sorry for the delay. I'll update the PR this week.

@@ -109,7 +132,7 @@ func (az *azureSecrets) GetSecret(
return nil, secrets.NoVersion, err
}

secretResp, ok := resp.(keyvault.SecretBundle)
secretResp, ok := resp.(azsecrets.GetSecretResponse)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AWS Secrets Manager returns the version.The only reason all providers have not been updated to return the version is lack of bandwidth to check and test if each one of them If we are modifying this provider and you are able to verify its correctness we can modify it

@sp98
Copy link
Author

sp98 commented Sep 3, 2024

@adityadani Hi. This got delayed a bit due to other commitments. I plan to address your review comments this week. Hope we can get this merged soon. Thanks.

# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

migrate from adal to azidentity for Azure kms
4 participants