diff --git a/go.mod b/go.mod
index b3b24a151a..86ff2f3886 100644
--- a/go.mod
+++ b/go.mod
@@ -48,7 +48,7 @@ require (
 	k8s.io/klog/v2 v2.130.1
 	k8s.io/kubelet v0.32.2
 	k8s.io/utils v0.0.0-20241210054802-24370beab758
-	sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.5.3
+	sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.5.4
 	sigs.k8s.io/cloud-provider-azure/pkg/azclient/cache v0.4.0
 	sigs.k8s.io/cloud-provider-azure/pkg/azclient/configloader v0.4.0
 	sigs.k8s.io/yaml v1.4.0
@@ -73,7 +73,7 @@ require (
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
-	github.com/Azure/msi-dataplane v0.4.1 // indirect
+	github.com/Azure/msi-dataplane v0.4.2 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.4.0 // indirect
 	github.com/NYTimes/gziphandler v1.1.1 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
diff --git a/go.sum b/go.sum
index 4225daf489..148aaa01f0 100644
--- a/go.sum
+++ b/go.sum
@@ -72,8 +72,8 @@ github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+Z
 github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
 github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
 github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
-github.com/Azure/msi-dataplane v0.4.1 h1:nKTPIyNbNHljQGobHm5BX/nnTmFSe56wxGIykdlZK1g=
-github.com/Azure/msi-dataplane v0.4.1/go.mod h1:yAfxdJyvcnvSDfSyOFV9qm4fReEQDl+nZLGeH2ZWSmw=
+github.com/Azure/msi-dataplane v0.4.2 h1:4V44wRZ+sKmKgj64SKN5lMskt1qQBQSUiy6kazWvwKU=
+github.com/Azure/msi-dataplane v0.4.2/go.mod h1:yAfxdJyvcnvSDfSyOFV9qm4fReEQDl+nZLGeH2ZWSmw=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.4.0 h1:MUkXAnvvDHgvPItl0nBj0hgk0f7hnnQbGm0h0+YxbN4=
@@ -445,8 +445,8 @@ k8s.io/utils v0.0.0-20241210054802-24370beab758 h1:sdbE21q2nlQtFh65saZY+rRM6x6aJ
 k8s.io/utils v0.0.0-20241210054802-24370beab758/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0 h1:CPT0ExVicCzcpeN4baWEV2ko2Z/AsiZgEdwgcfwLgMo=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
-sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.5.3 h1:bFkLaehTS9c2qw3ujvPdEsa2z3X82OCGGRgAmzEdxK4=
-sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.5.3/go.mod h1:1VEz2aRXDiGDLjbwcI2Zu3Tk43MZ4fFsGNFhsgU+9q8=
+sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.5.4 h1:qxBak/m6Rj2xYo7faBKsCdU4xbPXsa+MwnX4ymTxEhQ=
+sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.5.4/go.mod h1:EiBF+gLie9K19GaYbmGEIpT4s+WCpMFXLmjlu3hGEmY=
 sigs.k8s.io/cloud-provider-azure/pkg/azclient/cache v0.4.0 h1:GXoTCq+8rdxmvijCDDd6c0Q+/SvOpyYG5q5miOq/ORM=
 sigs.k8s.io/cloud-provider-azure/pkg/azclient/cache v0.4.0/go.mod h1:iNQqb27/oAxOw0Mvsn9iXF0AjAwqC2uA2QdXjtgZVfo=
 sigs.k8s.io/cloud-provider-azure/pkg/azclient/configloader v0.4.0 h1:n6NEFrYsUKuoaujmyddxS2ztXrIsbMwwcU9W3xbhjf4=
diff --git a/vendor/github.com/Azure/msi-dataplane/pkg/dataplane/keyvault.go b/vendor/github.com/Azure/msi-dataplane/pkg/dataplane/keyvault.go
index 54fae4d408..20aacef546 100644
--- a/vendor/github.com/Azure/msi-dataplane/pkg/dataplane/keyvault.go
+++ b/vendor/github.com/Azure/msi-dataplane/pkg/dataplane/keyvault.go
@@ -12,6 +12,18 @@ func ptrTo[o any](s o) *o {
 	return &s
 }
 
+// IdentifierForManagedIdentityCredentials creates a canonical identifier for a KeyVault item, labelling the
+// item as storing managed identity credentials.
+func IdentifierForManagedIdentityCredentials(identifier string) string {
+	return ManagedIdentityCredentialsStoragePrefix + identifier
+}
+
+// IdentifierForUserAssignedIdentityCredentials creates a canonical identifier for a KeyVault item, labelling the
+// item as storing user-assigned managed identity credentials.
+func IdentifierForUserAssignedIdentityCredentials(identifier string) string {
+	return UserAssignedIdentityCredentialsStoragePrefix + identifier
+}
+
 // FormatManagedIdentityCredentialsForStorage provides the canonical KeyVault secret parameters for storing
 // managed identity credentials, ensuring that appropriate times are recorded for the expiry and notBefore,
 // as well as that renewal times are recorded in tags.
@@ -32,6 +44,15 @@ func FormatManagedIdentityCredentialsForStorage(identifier string, credentials M
 		return "", azsecrets.SetSecretParameters{}, fmt.Errorf("assumption violated, found %d explicit identities, expected none, or one", len(credentials.ExplicitIdentities))
 	}
 
+	parameters, err := keyVaultParameters(credentials, rawNotAfter, rawNotBefore, rawRenewAfter, rawCannotRenewAfter)
+	if err != nil {
+		return "", azsecrets.SetSecretParameters{}, err
+	}
+
+	return IdentifierForManagedIdentityCredentials(identifier), parameters, nil
+}
+
+func keyVaultParameters(credentials any, rawNotAfter, rawNotBefore, rawRenewAfter, rawCannotRenewAfter *string) (azsecrets.SetSecretParameters, error) {
 	for key, value := range map[string]*string{
 		"NotAfter": rawNotAfter,
 		"NotBefore": rawNotBefore,
@@ -39,7 +60,7 @@ func FormatManagedIdentityCredentialsForStorage(identifier string, credentials M
 		"CannotRenewAfter": rawCannotRenewAfter,
 	} {
 		if value == nil {
-			return "", azsecrets.SetSecretParameters{}, fmt.Errorf("assumption violated, %q was nil", key)
+			return azsecrets.SetSecretParameters{}, fmt.Errorf("assumption violated, %q was nil", key)
 		}
 	}
 
@@ -50,17 +71,17 @@ func FormatManagedIdentityCredentialsForStorage(identifier string, credentials M
 	} {
 		value, err := time.Parse(time.RFC3339, *from)
 		if err != nil {
-			return "", azsecrets.SetSecretParameters{}, err
+			return azsecrets.SetSecretParameters{}, err
 		}
 		*to = value
 	}
 
 	raw, err := json.Marshal(credentials)
 	if err != nil {
-		return "", azsecrets.SetSecretParameters{}, fmt.Errorf("failed to marshal credentials: %v", err)
+		return azsecrets.SetSecretParameters{}, fmt.Errorf("failed to marshal credentials: %v", err)
 	}
 
-	return ManagedIdentityCredentialsStoragePrefix + identifier, azsecrets.SetSecretParameters{
+	return azsecrets.SetSecretParameters{
 		Value: ptrTo(string(raw)),
 		SecretAttributes: &azsecrets.SecretAttributes{
 			Enabled: ptrTo(true),
@@ -73,3 +94,15 @@ func FormatManagedIdentityCredentialsForStorage(identifier string, credentials M
 		},
 	}, nil
 }
+
+// FormatUserAssignedIdentityCredentialsForStorage provides the canonical KeyVault secret parameters for storing
+// user-assigned managed identity credentials, ensuring that appropriate times are recorded for the expiry and
+// notBefore, as well as that renewal times are recorded in tags.
+func FormatUserAssignedIdentityCredentialsForStorage(identifier string, credentials UserAssignedIdentityCredentials) (string, azsecrets.SetSecretParameters, error) {
+	parameters, err := keyVaultParameters(credentials, credentials.NotAfter, credentials.NotBefore, credentials.RenewAfter, credentials.CannotRenewAfter)
+	if err != nil {
+		return "", azsecrets.SetSecretParameters{}, err
+	}
+
+	return IdentifierForUserAssignedIdentityCredentials(identifier), parameters, nil
+}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 3d5d2cc791..5e21ef7799 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -151,7 +151,7 @@ github.com/Azure/go-autorest/logger
 # github.com/Azure/go-autorest/tracing v0.6.0
 ## explicit; go 1.12
 github.com/Azure/go-autorest/tracing
-# github.com/Azure/msi-dataplane v0.4.1
+# github.com/Azure/msi-dataplane v0.4.2
 ## explicit; go 1.22
 github.com/Azure/msi-dataplane/pkg/dataplane
 github.com/Azure/msi-dataplane/pkg/dataplane/internal/challenge
@@ -1541,7 +1541,7 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/client
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/client/metrics
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/common/metrics
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client/proto/client
-# sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.5.3
+# sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.5.4
 ## explicit; go 1.23.1
 sigs.k8s.io/cloud-provider-azure/pkg/azclient
 sigs.k8s.io/cloud-provider-azure/pkg/azclient/accountclient