diff --git a/go.mod b/go.mod
index ece3636c56..7dffe0fdb7 100644
--- a/go.mod
+++ b/go.mod
@@ -51,7 +51,7 @@ require (
 	k8s.io/klog/v2 v2.130.1
 	k8s.io/kubelet v0.30.10
 	k8s.io/utils v0.0.0-20241210054802-24370beab758
-	sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.5.3
+	sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.5.4
 	sigs.k8s.io/cloud-provider-azure/pkg/azclient/configloader v0.4.0
 	sigs.k8s.io/yaml v1.4.0
 )
@@ -72,7 +72,7 @@ require (
 	github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect
 	github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
-	github.com/Azure/msi-dataplane v0.4.1 // indirect
+	github.com/Azure/msi-dataplane v0.4.2 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.4.0 // indirect
 	github.com/NYTimes/gziphandler v1.1.1 // indirect
 	github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect
diff --git a/go.sum b/go.sum
index 8290c87af3..1f41c250d8 100644
--- a/go.sum
+++ b/go.sum
@@ -76,8 +76,8 @@ github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZ
 github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
 github.com/Azure/go-autorest/tracing v0.6.1 h1:YUMSrC/CeD1ZnnXcNYU4a/fzsO35u2Fsful9L/2nyR0=
 github.com/Azure/go-autorest/tracing v0.6.1/go.mod h1:/3EgjbsjraOqiicERAeu3m7/z0x1TzjQGAwDrJrXGkc=
-github.com/Azure/msi-dataplane v0.4.1 h1:nKTPIyNbNHljQGobHm5BX/nnTmFSe56wxGIykdlZK1g=
-github.com/Azure/msi-dataplane v0.4.1/go.mod h1:yAfxdJyvcnvSDfSyOFV9qm4fReEQDl+nZLGeH2ZWSmw=
+github.com/Azure/msi-dataplane v0.4.2 h1:4V44wRZ+sKmKgj64SKN5lMskt1qQBQSUiy6kazWvwKU=
+github.com/Azure/msi-dataplane v0.4.2/go.mod h1:yAfxdJyvcnvSDfSyOFV9qm4fReEQDl+nZLGeH2ZWSmw=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.4.0 h1:MUkXAnvvDHgvPItl0nBj0hgk0f7hnnQbGm0h0+YxbN4=
@@ -463,8 +463,8 @@ k8s.io/utils v0.0.0-20241210054802-24370beab758 h1:sdbE21q2nlQtFh65saZY+rRM6x6aJ
 k8s.io/utils v0.0.0-20241210054802-24370beab758/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.29.0 h1:/U5vjBbQn3RChhv7P11uhYvCSm5G2GaIi5AIGBS6r4c=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.29.0/go.mod h1:z7+wmGM2dfIiLRfrC6jb5kV2Mq/sK1ZP303cxzkV5Y4=
-sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.5.3 h1:bFkLaehTS9c2qw3ujvPdEsa2z3X82OCGGRgAmzEdxK4=
-sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.5.3/go.mod h1:1VEz2aRXDiGDLjbwcI2Zu3Tk43MZ4fFsGNFhsgU+9q8=
+sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.5.4 h1:qxBak/m6Rj2xYo7faBKsCdU4xbPXsa+MwnX4ymTxEhQ=
+sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.5.4/go.mod h1:EiBF+gLie9K19GaYbmGEIpT4s+WCpMFXLmjlu3hGEmY=
 sigs.k8s.io/cloud-provider-azure/pkg/azclient/configloader v0.4.0 h1:n6NEFrYsUKuoaujmyddxS2ztXrIsbMwwcU9W3xbhjf4=
 sigs.k8s.io/cloud-provider-azure/pkg/azclient/configloader v0.4.0/go.mod h1:8ajMCBBJb9AjA2UCsDk8QyvWcuXDW8KEjJpKJHibLKc=
 sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8=
diff --git a/vendor/github.com/Azure/msi-dataplane/pkg/dataplane/keyvault.go b/vendor/github.com/Azure/msi-dataplane/pkg/dataplane/keyvault.go
index 54fae4d408..20aacef546 100644
--- a/vendor/github.com/Azure/msi-dataplane/pkg/dataplane/keyvault.go
+++ b/vendor/github.com/Azure/msi-dataplane/pkg/dataplane/keyvault.go
@@ -12,6 +12,18 @@ func ptrTo[o any](s o) *o {
 	return &s
 }
 
+// IdentifierForManagedIdentityCredentials creates a canonical identifier for a KeyVault item, labelling the
+// item as storing managed identity credentials.
+func IdentifierForManagedIdentityCredentials(identifier string) string {
+	return ManagedIdentityCredentialsStoragePrefix + identifier
+}
+
+// IdentifierForUserAssignedIdentityCredentials creates a canonical identifier for a KeyVault item, labelling the
+// item as storing user-assigned managed identity credentials.
+func IdentifierForUserAssignedIdentityCredentials(identifier string) string {
+	return UserAssignedIdentityCredentialsStoragePrefix + identifier
+}
+
 // FormatManagedIdentityCredentialsForStorage provides the canonical KeyVault secret parameters for storing
 // managed identity credentials, ensuring that appropriate times are recorded for the expiry and notBefore,
 // as well as that renewal times are recorded in tags.
@@ -32,6 +44,15 @@ func FormatManagedIdentityCredentialsForStorage(identifier string, credentials M
 		return "", azsecrets.SetSecretParameters{}, fmt.Errorf("assumption violated, found %d explicit identities, expected none, or one", len(credentials.ExplicitIdentities))
 	}
 
+	parameters, err := keyVaultParameters(credentials, rawNotAfter, rawNotBefore, rawRenewAfter, rawCannotRenewAfter)
+	if err != nil {
+		return "", azsecrets.SetSecretParameters{}, err
+	}
+
+	return IdentifierForManagedIdentityCredentials(identifier), parameters, nil
+}
+
+func keyVaultParameters(credentials any, rawNotAfter, rawNotBefore, rawRenewAfter, rawCannotRenewAfter *string) (azsecrets.SetSecretParameters, error) {
 	for key, value := range map[string]*string{
 		"NotAfter":  rawNotAfter,
 		"NotBefore": rawNotBefore,
@@ -39,7 +60,7 @@ func FormatManagedIdentityCredentialsForStorage(identifier string, credentials M
 		"CannotRenewAfter": rawCannotRenewAfter,
 	} {
 		if value == nil {
-			return "", azsecrets.SetSecretParameters{}, fmt.Errorf("assumption violated, %q was nil", key)
+			return azsecrets.SetSecretParameters{}, fmt.Errorf("assumption violated, %q was nil", key)
 		}
 	}
 
@@ -50,17 +71,17 @@ func FormatManagedIdentityCredentialsForStorage(identifier string, credentials M
 	} {
 		value, err := time.Parse(time.RFC3339, *from)
 		if err != nil {
-			return "", azsecrets.SetSecretParameters{}, err
+			return azsecrets.SetSecretParameters{}, err
 		}
 		*to = value
 	}
 
 	raw, err := json.Marshal(credentials)
 	if err != nil {
-		return "", azsecrets.SetSecretParameters{}, fmt.Errorf("failed to marshal credentials: %v", err)
+		return azsecrets.SetSecretParameters{}, fmt.Errorf("failed to marshal credentials: %v", err)
 	}
 
-	return ManagedIdentityCredentialsStoragePrefix + identifier, azsecrets.SetSecretParameters{
+	return azsecrets.SetSecretParameters{
 		Value: ptrTo(string(raw)),
 		SecretAttributes: &azsecrets.SecretAttributes{
 			Enabled: ptrTo(true),
@@ -73,3 +94,15 @@ func FormatManagedIdentityCredentialsForStorage(identifier string, credentials M
 		},
 	}, nil
 }
+
+// FormatUserAssignedIdentityCredentialsForStorage provides the canonical KeyVault secret parameters for storing
+// user-assigned managed identity credentials, ensuring that appropriate times are recorded for the expiry and
+// notBefore, as well as that renewal times are recorded in tags.
+func FormatUserAssignedIdentityCredentialsForStorage(identifier string, credentials UserAssignedIdentityCredentials) (string, azsecrets.SetSecretParameters, error) {
+	parameters, err := keyVaultParameters(credentials, credentials.NotAfter, credentials.NotBefore, credentials.RenewAfter, credentials.CannotRenewAfter)
+	if err != nil {
+		return "", azsecrets.SetSecretParameters{}, err
+	}
+
+	return IdentifierForUserAssignedIdentityCredentials(identifier), parameters, nil
+}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index f54100914a..85a61a5751 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -161,7 +161,7 @@ github.com/Azure/go-autorest/logger
 # github.com/Azure/go-autorest/tracing v0.6.1
 ## explicit; go 1.15
 github.com/Azure/go-autorest/tracing
-# github.com/Azure/msi-dataplane v0.4.1
+# github.com/Azure/msi-dataplane v0.4.2
 ## explicit; go 1.22
 github.com/Azure/msi-dataplane/pkg/dataplane
 github.com/Azure/msi-dataplane/pkg/dataplane/internal/challenge
@@ -1518,7 +1518,7 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/client
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/client/metrics
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/common/metrics
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client/proto/client
-# sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.5.3
+# sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.5.4
 ## explicit; go 1.23.1
 sigs.k8s.io/cloud-provider-azure/pkg/azclient
 sigs.k8s.io/cloud-provider-azure/pkg/azclient/accountclient