Почетна Преглед Помоћ
Пријавите се
tzeneto
/
custom-kube-scheduler
Прати 1
Волим 0
Креирај огранак 0
Датотеке Дискусије 0 Захтеви за спајање 0 Вики
Дрво: cb14858ef6
Гране Ознаке
custom-kube-...
/
kubernetes
/
pkg
/
credentialprovider
/
azure
/
azure_credentials.go

azure_credentials.go 7.6 KB
Историја Датотека

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262 
  1. /*
    2. 

  2. Copyright 2016 The Kubernetes Authors.
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package azure
    18. 

  18. 

  19. import (
    20. 

  20. 	"context"
    21. 

  21. 	"errors"
    22. 

  22. 	"io"
    23. 

  23. 	"io/ioutil"
    24. 

  24. 	"os"
    25. 

  25. 	"regexp"
    26. 

  26. 	"time"
    27. 

  27. 

  28. 	"github.com/Azure/azure-sdk-for-go/services/containerregistry/mgmt/2019-05-01/containerregistry"
    29. 

  29. 	"github.com/Azure/go-autorest/autorest"
    30. 

  30. 	"github.com/Azure/go-autorest/autorest/adal"
    31. 

  31. 	"github.com/Azure/go-autorest/autorest/azure"
    32. 

  32. 	"github.com/spf13/pflag"
    33. 

  33. 

  34. 	"k8s.io/klog"
    35. 

  35. 	"k8s.io/kubernetes/pkg/credentialprovider"
    36. 

  36. 	"k8s.io/legacy-cloud-providers/azure/auth"
    37. 

  37. 	"sigs.k8s.io/yaml"
    38. 

  38. )
    39. 

  39. 

  40. var flagConfigFile = pflag.String("azure-container-registry-config", "",
    41. 

  41. 	"Path to the file containing Azure container registry configuration information.")
    42. 

  42. 

  43. const (
    44. 

  44. 	dummyRegistryEmail = "name@contoso.com"
    45. 

  45. 	maxReadLength      = 10 * 1 << 20 // 10MB
    46. 

  46. )
    47. 

  47. 

  48. var (
    49. 

  49. 	containerRegistryUrls = []string{"*.azurecr.io", "*.azurecr.cn", "*.azurecr.de", "*.azurecr.us"}
    50. 

  50. 	acrRE                 = regexp.MustCompile(`.*\.azurecr\.io|.*\.azurecr\.cn|.*\.azurecr\.de|.*\.azurecr\.us`)
    51. 

  51. )
    52. 

  52. 

  53. // init registers the various means by which credentials may
    54. 

  54. // be resolved on Azure.
    55. 

  55. func init() {
    56. 

  56. 	credentialprovider.RegisterCredentialProvider("azure",
    57. 

  57. 		&credentialprovider.CachingDockerConfigProvider{
    58. 

  58. 			Provider: NewACRProvider(flagConfigFile),
    59. 

  59. 			Lifetime: 1 * time.Minute,
    60. 

  60. 		})
    61. 

  61. }
    62. 

  62. 

  63. // RegistriesClient is a testable interface for the ACR client List operation.
    64. 

  64. type RegistriesClient interface {
    65. 

  65. 	List(ctx context.Context) ([]containerregistry.Registry, error)
    66. 

  66. }
    67. 

  67. 

  68. // azRegistriesClient implements RegistriesClient.
    69. 

  69. type azRegistriesClient struct {
    70. 

  70. 	client containerregistry.RegistriesClient
    71. 

  71. }
    72. 

  72. 

  73. func newAzRegistriesClient(subscriptionID, endpoint string, token *adal.ServicePrincipalToken) *azRegistriesClient {
    74. 

  74. 	registryClient := containerregistry.NewRegistriesClient(subscriptionID)
    75. 

  75. 	registryClient.BaseURI = endpoint
    76. 

  76. 	registryClient.Authorizer = autorest.NewBearerAuthorizer(token)
    77. 

  77. 

  78. 	return &azRegistriesClient{
    79. 

  79. 		client: registryClient,
    80. 

  80. 	}
    81. 

  81. }
    82. 

  82. 

  83. func (az *azRegistriesClient) List(ctx context.Context) ([]containerregistry.Registry, error) {
    84. 

  84. 	iterator, err := az.client.ListComplete(ctx)
    85. 

  85. 	if err != nil {
    86. 

  86. 		return nil, err
    87. 

  87. 	}
    88. 

  88. 

  89. 	result := make([]containerregistry.Registry, 0)
    90. 

  90. 	for ; iterator.NotDone(); err = iterator.Next() {
    91. 

  91. 		if err != nil {
    92. 

  92. 			return nil, err
    93. 

  93. 		}
    94. 

  94. 

  95. 		result = append(result, iterator.Value())
    96. 

  96. 	}
    97. 

  97. 

  98. 	return result, nil
    99. 

  99. }
    100. 

  100. 

  101. // NewACRProvider parses the specified configFile and returns a DockerConfigProvider
    102. 

  102. func NewACRProvider(configFile *string) credentialprovider.DockerConfigProvider {
    103. 

  103. 	return &acrProvider{
    104. 

  104. 		file: configFile,
    105. 

  105. 	}
    106. 

  106. }
    107. 

  107. 

  108. type acrProvider struct {
    109. 

  109. 	file                  *string
    110. 

  110. 	config                *auth.AzureAuthConfig
    111. 

  111. 	environment           *azure.Environment
    112. 

  112. 	registryClient        RegistriesClient
    113. 

  113. 	servicePrincipalToken *adal.ServicePrincipalToken
    114. 

  114. }
    115. 

  115. 

  116. // ParseConfig returns a parsed configuration for an Azure cloudprovider config file
    117. 

  117. func parseConfig(configReader io.Reader) (*auth.AzureAuthConfig, error) {
    118. 

  118. 	var config auth.AzureAuthConfig
    119. 

  119. 

  120. 	if configReader == nil {
    121. 

  121. 		return &config, nil
    122. 

  122. 	}
    123. 

  123. 

  124. 	limitedReader := &io.LimitedReader{R: configReader, N: maxReadLength}
    125. 

  125. 	configContents, err := ioutil.ReadAll(limitedReader)
    126. 

  126. 	if err != nil {
    127. 

  127. 		return nil, err
    128. 

  128. 	}
    129. 

  129. 	if limitedReader.N <= 0 {
    130. 

  130. 		return nil, errors.New("the read limit is reached")
    131. 

  131. 	}
    132. 

  132. 	err = yaml.Unmarshal(configContents, &config)
    133. 

  133. 	if err != nil {
    134. 

  134. 		return nil, err
    135. 

  135. 	}
    136. 

  136. 

  137. 	return &config, nil
    138. 

  138. }
    139. 

  139. 

  140. func (a *acrProvider) loadConfig(rdr io.Reader) error {
    141. 

  141. 	var err error
    142. 

  142. 	a.config, err = parseConfig(rdr)
    143. 

  143. 	if err != nil {
    144. 

  144. 		klog.Errorf("Failed to load azure credential file: %v", err)
    145. 

  145. 	}
    146. 

  146. 

  147. 	a.environment, err = auth.ParseAzureEnvironment(a.config.Cloud, a.config.ResourceManagerEndpoint, a.config.IdentitySystem)
    148. 

  148. 	if err != nil {
    149. 

  149. 		return err
    150. 

  150. 	}
    151. 

  151. 

  152. 	return nil
    153. 

  153. }
    154. 

  154. 

  155. func (a *acrProvider) Enabled() bool {
    156. 

  156. 	if a.file == nil || len(*a.file) == 0 {
    157. 

  157. 		klog.V(5).Infof("Azure config unspecified, disabling")
    158. 

  158. 		return false
    159. 

  159. 	}
    160. 

  160. 

  161. 	f, err := os.Open(*a.file)
    162. 

  162. 	if err != nil {
    163. 

  163. 		klog.Errorf("Failed to load config from file: %s", *a.file)
    164. 

  164. 		return false
    165. 

  165. 	}
    166. 

  166. 	defer f.Close()
    167. 

  167. 

  168. 	err = a.loadConfig(f)
    169. 

  169. 	if err != nil {
    170. 

  170. 		klog.Errorf("Failed to load config from file: %s", *a.file)
    171. 

  171. 		return false
    172. 

  172. 	}
    173. 

  173. 

  174. 	a.servicePrincipalToken, err = auth.GetServicePrincipalToken(a.config, a.environment)
    175. 

  175. 	if err != nil {
    176. 

  176. 		klog.Errorf("Failed to create service principal token: %v", err)
    177. 

  177. 		return false
    178. 

  178. 	}
    179. 

  179. 

  180. 	a.registryClient = newAzRegistriesClient(a.config.SubscriptionID, a.environment.ResourceManagerEndpoint, a.servicePrincipalToken)
    181. 

  181. 	return true
    182. 

  182. }
    183. 

  183. 

  184. func (a *acrProvider) Provide(image string) credentialprovider.DockerConfig {
    185. 

  185. 	klog.V(4).Infof("try to provide secret for image %s", image)
    186. 

  186. 	cfg := credentialprovider.DockerConfig{}
    187. 

  187. 

  188. 	if a.config.UseManagedIdentityExtension {
    189. 

  189. 		if loginServer := parseACRLoginServerFromImage(image); loginServer == "" {
    190. 

  190. 			klog.V(4).Infof("image(%s) is not from ACR, skip MSI authentication", image)
    191. 

  191. 		} else {
    192. 

  192. 			if cred, err := getACRDockerEntryFromARMToken(a, loginServer); err == nil {
    193. 

  193. 				cfg[loginServer] = *cred
    194. 

  194. 			}
    195. 

  195. 		}
    196. 

  196. 	} else {
    197. 

  197. 		// Add our entry for each of the supported container registry URLs
    198. 

  198. 		for _, url := range containerRegistryUrls {
    199. 

  199. 			cred := &credentialprovider.DockerConfigEntry{
    200. 

  200. 				Username: a.config.AADClientID,
    201. 

  201. 				Password: a.config.AADClientSecret,
    202. 

  202. 				Email:    dummyRegistryEmail,
    203. 

  203. 			}
    204. 

  204. 			cfg[url] = *cred
    205. 

  205. 		}
    206. 

  206. 	}
    207. 

  207. 

  208. 	// add ACR anonymous repo support: use empty username and password for anonymous access
    209. 

  209. 	cfg["*.azurecr.*"] = credentialprovider.DockerConfigEntry{
    210. 

  210. 		Username: "",
    211. 

  211. 		Password: "",
    212. 

  212. 		Email:    dummyRegistryEmail,
    213. 

  213. 	}
    214. 

  214. 	return cfg
    215. 

  215. }
    216. 

  216. 

  217. func getLoginServer(registry containerregistry.Registry) string {
    218. 

  218. 	return *(*registry.RegistryProperties).LoginServer
    219. 

  219. }
    220. 

  220. 

  221. func getACRDockerEntryFromARMToken(a *acrProvider, loginServer string) (*credentialprovider.DockerConfigEntry, error) {
    222. 

  222. 	// Run EnsureFresh to make sure the token is valid and does not expire
    223. 

  223. 	if err := a.servicePrincipalToken.EnsureFresh(); err != nil {
    224. 

  224. 		klog.Errorf("Failed to ensure fresh service principal token: %v", err)
    225. 

  225. 		return nil, err
    226. 

  226. 	}
    227. 

  227. 	armAccessToken := a.servicePrincipalToken.OAuthToken()
    228. 

  228. 

  229. 	klog.V(4).Infof("discovering auth redirects for: %s", loginServer)
    230. 

  230. 	directive, err := receiveChallengeFromLoginServer(loginServer)
    231. 

  231. 	if err != nil {
    232. 

  232. 		klog.Errorf("failed to receive challenge: %s", err)
    233. 

  233. 		return nil, err
    234. 

  234. 	}
    235. 

  235. 

  236. 	klog.V(4).Infof("exchanging an acr refresh_token")
    237. 

  237. 	registryRefreshToken, err := performTokenExchange(
    238. 

  238. 		loginServer, directive, a.config.TenantID, armAccessToken)
    239. 

  239. 	if err != nil {
    240. 

  240. 		klog.Errorf("failed to perform token exchange: %s", err)
    241. 

  241. 		return nil, err
    242. 

  242. 	}
    243. 

  243. 

  244. 	klog.V(4).Infof("adding ACR docker config entry for: %s", loginServer)
    245. 

  245. 	return &credentialprovider.DockerConfigEntry{
    246. 

  246. 		Username: dockerTokenLoginUsernameGUID,
    247. 

  247. 		Password: registryRefreshToken,
    248. 

  248. 		Email:    dummyRegistryEmail,
    249. 

  249. 	}, nil
    250. 

  250. }
    251. 

  251. 

  252. // parseACRLoginServerFromImage takes image as parameter and returns login server of it.
    253. 

  253. // Parameter `image` is expected in following format: foo.azurecr.io/bar/imageName:version
    254. 

  254. // If the provided image is not an acr image, this function will return an empty string.
    255. 

  255. func parseACRLoginServerFromImage(image string) string {
    256. 

  256. 	match := acrRE.FindAllString(image, -1)
    257. 

  257. 	if len(match) == 1 {
    258. 

  258. 		return match[0]
    259. 

  259. 	}
    260. 

  260. 	return ""
    261. 

  261. }
    262. 

  262.