Merge pull request #8836 from mainred/ksa-token-credential-provider

mainred · web-flow · commit 384d7c0db387 · 2025-10-17T17:16:53.000+11:00
feat(credential-provider): support k8s service account token
diff --git a/cmd/acr-credential-provider/main.go b/cmd/acr-credential-provider/main.go
@@ -31,7 +31,6 @@ import (
 	"k8s.io/component-base/logs"
 	"k8s.io/klog/v2"
 
-	"sigs.k8s.io/cloud-provider-azure/pkg/credentialprovider"
 	"sigs.k8s.io/cloud-provider-azure/pkg/version"
 )
 
@@ -54,14 +53,8 @@ func main() {
 			return nil
 		},
 		Version: version.Get().GitVersion,
-		RunE: func(cmd *cobra.Command, args []string) error {
-			acrProvider, err := credentialprovider.NewAcrProviderFromConfig(args[0], RegistryMirrorStr)
-			if err != nil {
-				klog.Errorf("Failed to initialize ACR provider: %v", err)
-				return err
-			}
-
-			if err := NewCredentialProvider(acrProvider).Run(cmd.Context()); err != nil {
+		RunE: func(_ *cobra.Command, args []string) error {
+			if err := NewCredentialProvider(args[0], RegistryMirrorStr).Run(context.TODO()); err != nil {
 				klog.Errorf("Error running acr credential provider: %v", err)
 				return err
 			}
diff --git a/cmd/acr-credential-provider/plugin.go b/cmd/acr-credential-provider/plugin.go
@@ -44,13 +44,18 @@ func init() {
 
 // ExecPlugin implements the exec-based plugin for fetching credentials that is invoked by the kubelet.
 type ExecPlugin struct {
-	plugin credentialprovider.CredentialProvider
+	configFile        string
+	RegistryMirrorStr string
+	plugin            credentialprovider.CredentialProvider
 }
 
 // NewCredentialProvider returns an instance of execPlugin that fetches
 // credentials based on the provided plugin implementing the CredentialProvider interface.
-func NewCredentialProvider(plugin credentialprovider.CredentialProvider) *ExecPlugin {
-	return &ExecPlugin{plugin}
+func NewCredentialProvider(configFile string, registryMirrorStr string) *ExecPlugin {
+	return &ExecPlugin{
+		configFile:        configFile,
+		RegistryMirrorStr: registryMirrorStr,
+	}
 }
 
 // Run executes the credential provider plugin. Required information for the plugin request (in
@@ -85,6 +90,14 @@ func (e *ExecPlugin) runPlugin(ctx context.Context, r io.Reader, w io.Writer, ar
 		return errors.New("image in plugin request was empty")
 	}
 
+	if e.plugin == nil {
+		// acr provider plugin are decided at runtime by the request information.
+		e.plugin, err = credentialprovider.NewAcrProvider(request, e.RegistryMirrorStr, e.configFile)
+		if err != nil {
+			return err
+		}
+	}
+
 	response, err := e.plugin.GetCredentials(ctx, request.Image, args)
 	if err != nil {
 		return err
diff --git a/cmd/acr-credential-provider/plugin_test.go b/cmd/acr-credential-provider/plugin_test.go
@@ -19,6 +19,7 @@ package main
 import (
 	"bytes"
 	"context"
+	"os"
 	"reflect"
 	"testing"
 	"time"
@@ -79,10 +80,25 @@ func Test_runPlugin(t *testing.T) {
 
 	for _, testcase := range testcases {
 		t.Run(testcase.name, func(t *testing.T) {
-			p := NewCredentialProvider(&fakePlugin{})
+			configFile, err := os.CreateTemp(".", "config.json")
+			if err != nil {
+				t.Fatalf("Unexpected error when creating temp file: %v", err)
+			}
+			defer os.Remove(configFile.Name())
 
+			_, err = configFile.WriteString(`
+			{
+				"aadClientId": "foo",
+				"aadClientSecret": "bar"
+			}`)
+			if err != nil {
+				t.Fatalf("Unexpected error when writing to temp file: %v", err)
+			}
+			p := NewCredentialProvider(configFile.Name(), "mcr.microsoft.com:fakeacrname.azurecr.io")
+			p.plugin = &fakePlugin{}
 			out := &bytes.Buffer{}
-			err := p.runPlugin(context.TODO(), testcase.in, out, nil)
+
+			err = p.runPlugin(context.TODO(), testcase.in, out, []string{configFile.Name(), "--registry-mirror=mcr.microsoft.com:fakeacrname.azurecr.io"})
 			if err != nil && !testcase.expectErr {
 				t.Fatal(err)
 			}
diff --git a/pkg/credentialprovider/azure_credentials.go b/pkg/credentialprovider/azure_credentials.go
@@ -18,7 +18,6 @@ package credentialprovider
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"regexp"
 	"strings"
@@ -67,29 +66,56 @@ type acrProvider struct {
 	registryMirror map[string]string // Registry mirror relation: source registry -> target registry
 }
 
-func NewAcrProvider(config *providerconfig.AzureClientConfig, environment *azclient.Environment, credential azcore.TokenCredential) CredentialProvider {
-	return &acrProvider{
-		config:      config,
-		credential:  credential,
-		environment: environment,
-	}
-}
+type getTokenCredentialFunc func(req *v1.CredentialProviderRequest, config *providerconfig.AzureClientConfig) (azcore.TokenCredential, error)
 
-// NewAcrProvider creates a new instance of the ACR provider.
-func NewAcrProviderFromConfig(configFile string, registryMirrorStr string) (CredentialProvider, error) {
-	if len(configFile) == 0 {
-		return nil, errors.New("no azure credential file is provided")
-	}
+func NewAcrProvider(req *v1.CredentialProviderRequest, registryMirrorStr string, configFile string) (CredentialProvider, error) {
 	config, err := configloader.Load[providerconfig.AzureClientConfig](context.Background(), nil, &configloader.FileLoaderConfig{FilePath: configFile})
 	if err != nil {
 		return nil, fmt.Errorf("failed to load config: %w", err)
 	}
 
+	_, env, err := azclient.GetAzCoreClientOption(&config.ARMClientConfig)
+	if err != nil {
+		return nil, err
+	}
+	clientOption, _, err := azclient.GetAzCoreClientOption(&config.ARMClientConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	var getTokenCredential getTokenCredentialFunc
+
+	// kubelet is responsible for checking the service account token emptiness when service account token is enabled, and only when service account token provide is enabled,
+	// service account token is set in the request, so we can safely check the service account token emptiness to decide which credential to use.
+	if len(req.ServiceAccountToken) != 0 {
+		klog.V(2).Infof("Using service account token to authenticate ACR for image %s", req.Image)
+		getTokenCredential = getServiceAccountTokenCredential
+	} else {
+		klog.V(2).Infof("Using managed identity to authenticate ACR for image %s", req.Image)
+		getTokenCredential = getManagedIdentityCredential
+	}
+	credential, err := getTokenCredential(req, config)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get token credential for image %s: %w", req.Image, err)
+	}
+
+	return &acrProvider{
+		config:         config,
+		credential:     credential,
+		environment:    env,
+		cloudConfig:    clientOption.Cloud,
+		registryMirror: parseRegistryMirror(registryMirrorStr),
+	}, nil
+}
+
+// getManagedIdentityCredential creates a new instance of the ACR provider.
+func getManagedIdentityCredential(_ *v1.CredentialProviderRequest, config *providerconfig.AzureClientConfig) (azcore.TokenCredential, error) {
+
 	var managedIdentityCredential azcore.TokenCredential
 
-	clientOption, env, err := azclient.GetAzCoreClientOption(&config.ARMClientConfig)
+	clientOption, _, err := azclient.GetAzCoreClientOption(&config.ARMClientConfig)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("Failed to get Azure client options: %w", err)
 	}
 	if config.UseManagedIdentityExtension {
 		credOptions := &azidentity.ManagedIdentityCredentialOptions{
@@ -108,13 +134,45 @@ func NewAcrProviderFromConfig(configFile string, registryMirrorStr string) (Cred
 		}
 	}
 
-	return &acrProvider{
-		config:         config,
-		credential:     managedIdentityCredential,
-		environment:    env,
-		cloudConfig:    clientOption.Cloud,
-		registryMirror: parseRegistryMirror(registryMirrorStr),
-	}, nil
+	return managedIdentityCredential, nil
+}
+
+func getServiceAccountTokenCredential(req *v1.CredentialProviderRequest, config *providerconfig.AzureClientConfig) (azcore.TokenCredential, error) {
+	if len(req.ServiceAccountToken) == 0 {
+		return nil, fmt.Errorf("kubernetes Service account token is not provided for image %s", req.Image)
+	}
+	klog.V(2).Infof("Kubernetes Service account token is provided for image %s", req.Image)
+
+	clientOption, _, err := azclient.GetAzCoreClientOption(&config.ARMClientConfig)
+	if err != nil {
+		return nil, fmt.Errorf("Failed to get Azure client options for image %s: %w", req.Image, err)
+	}
+
+	// check required annotations
+	clientID, ok := req.ServiceAccountAnnotations[clientIDAnnotation]
+	if !ok || len(clientID) == 0 {
+		return nil, fmt.Errorf("client id annotation %s is not found or the value is empty", clientIDAnnotation)
+	}
+
+	// check required annotations
+	tenantID, ok := req.ServiceAccountAnnotations[tenantIDAnnotation]
+	if !ok || len(tenantID) == 0 {
+		return nil, fmt.Errorf("tenant id annotation %s is not found or the value is empty", tenantIDAnnotation)
+	}
+
+	// Create getAssertion callback that returns the service account token
+	getAssertion := func(_ context.Context) (string, error) {
+		return req.ServiceAccountToken, nil
+	}
+
+	clientAssertCredential, err := azidentity.NewClientAssertionCredential(tenantID, clientID, getAssertion, &azidentity.ClientAssertionCredentialOptions{
+		ClientOptions: *clientOption,
+	})
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize client assertion credential: %w", err)
+	}
+	return clientAssertCredential, nil
 }
 
 func (a *acrProvider) GetCredentials(ctx context.Context, image string, _ []string) (*v1.CredentialProviderResponse, error) {
diff --git a/pkg/credentialprovider/azure_credentials_test.go b/pkg/credentialprovider/azure_credentials_test.go
diff --git a/pkg/credentialprovider/consts.go b/pkg/credentialprovider/consts.go
