Posted to commits@camel.apache.org by ac...@apache.org on 2024/03/12 15:24:38 UTC

(camel-k) branch main updated: Azure Key Vault Trait: Support Azure Identity as authentication method (#5244)

This is an automated email from the ASF dual-hosted git repository.

acosentino pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-k.git


The following commit(s) were added to refs/heads/main by this push:
     new 5999bc8d1 Azure Key Vault Trait: Support Azure Identity as authentication method (#5244)
5999bc8d1 is described below

commit 5999bc8d17a384867b87967c9d4d36c58e54e3c7
Author: Andrea Cosentino <an...@gmail.com>
AuthorDate: Tue Mar 12 16:24:32 2024 +0100

    Azure Key Vault Trait: Support Azure Identity as authentication method (#5244)
    
    Signed-off-by: Andrea Cosentino <an...@gmail.com>
---
 addons/vault/azure/azure_key_vault.go          |  9 ++++-
 addons/vault/azure/azure_key_vault_test.go     | 49 ++++++++++++++++++++++++++
 docs/modules/traits/pages/azure-key-vault.adoc |  6 +++-
 3 files changed, 62 insertions(+), 2 deletions(-)

diff --git a/addons/vault/azure/azure_key_vault.go b/addons/vault/azure/azure_key_vault.go
index 6a639442b..a02fd2c17 100644
--- a/addons/vault/azure/azure_key_vault.go
+++ b/addons/vault/azure/azure_key_vault.go
@@ -42,7 +42,7 @@ import (
 //
 // To enable the automatic context reload on secrets updates you should define
 // the following trait options:
-// -t azure-key-vault.enabled=true -t azure-key-vault.tenant-id="tenant-id" -t azure-key-vault.client-id="client-id" -t azure-key-vault.client-secret="client-secret" -t azure-key-vault.vault-name="vault-name" -t azure-key-vault.context-reload-enabled="true" -t azure-key-vault.refresh-enabled="true" -t azure-key-vault.refresh-period="30000" -t azure-key-vault.secrets="test*" -t azure-key-vault.eventhub-connection-string="connection-string" -t azure-key-vault.blob-account-name="account-nam [...]
+// -t azure-key-vault.enabled=true -t azure-key-vault.tenant-id="tenant-id" -t azure-key-vault.client-id="client-id" -t azure-key-vault.client-secret="client-secret" -t azure-key-vault.vault-name="vault-name" -t azure-key-vault.context-reload-enabled="true" -t azure-key-vault.refresh-enabled="true" -t azure-key-vault.refresh-period="30000" -t azure-key-vault.secrets="test*" -t azure-key-vault.eventhub-connection-string="connection-string" -t azure-key-vault.blob-account-name="account-nam [...]
 //
 // +camel-k:trait=azure-key-vault.
 type Trait struct {
@@ -63,6 +63,8 @@ type Trait struct {
 	ContextReloadEnabled *bool `property:"context-reload-enabled" json:"contextReloadEnabled,omitempty"`
 	// Define if we want to use the Refresh Feature for secrets
 	RefreshEnabled *bool `property:"refresh-enabled" json:"refreshEnabled,omitempty"`
+	// Whether the Azure Identity Authentication should be used or not
+	AzureIdentityEnabled *bool `property:"azure-identity-enabled" json:"azureIdentityEnabled,omitempty"`
 	// If Refresh is enabled, this defines the interval to check the refresh event
 	RefreshPeriod string `property:"refresh-period" json:"refreshPeriod,omitempty"`
 	// If Refresh is enabled, the regular expression representing the secrets we want to track
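Review bot: The doc comment on the new `AzureIdentityEnabled` field says only that identity authentication is switched on, not what that means for the tenant-id/client-id/client-secret options the trait also carries; the test added in this commit sets the client-secret reference and the identity flag together, so a reader cannot tell from the field whether the secret is still required or still consumed when the flag is true. The comment should state that explicitly (which of the credential options remain required, and whether the client secret is still propagated) so operators know whether they can drop the secret from the Integration once they move to a managed identity. Since this field is documented verbatim in the generated trait docs (the adoc hunk in this commit copies it), the one-line comment is the only place users see this. The `Trait` struct starts and ends outside this hunk.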
@@ -107,6 +109,10 @@ func (t *azureKeyVaultTrait) Configure(environment *trait.Environment) (bool, *t
 		t.RefreshEnabled = pointer.Bool(false)
 	}
 
+	if t.AzureIdentityEnabled == nil {
+		t.AzureIdentityEnabled = pointer.Bool(false)
+	}
+
 	return true, nil, nil
 }
 
@@ -143,6 +149,7 @@ func (t *azureKeyVaultTrait) Apply(environment *trait.Environment) error {
 		environment.ApplicationProperties["camel.vault.azure.clientId"] = t.ClientID
 		environment.ApplicationProperties["camel.vault.azure.vaultName"] = t.VaultName
 		environment.ApplicationProperties["camel.vault.azure.refreshEnabled"] = strconv.FormatBool(*t.RefreshEnabled)
+		environment.ApplicationProperties["camel.vault.azure.azureIdentityEnabled"] = strconv.FormatBool(*t.AzureIdentityEnabled)
 		environment.ApplicationProperties["camel.main.context-reload-enabled"] = strconv.FormatBool(*t.ContextReloadEnabled)
 		environment.ApplicationProperties["camel.vault.azure.refreshPeriod"] = t.RefreshPeriod
 		if t.Secrets != "" {
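Review bot: Setting `azureIdentityEnabled` does not change anything else Apply emits: the new line only adds the flag next to `clientId`/`vaultName`, and the test in this commit still expects the resolved client secret under `camel.vault.azure.clientSecret`, so that assignment (earlier in Apply, outside this hunk) appears to run regardless of the flag. If Azure Identity is meant to replace the client-secret credential, the secret should not be resolved and written into the application properties when the flag is true, e.g. wrap that assignment in `if !*t.AzureIdentityEnabled { ... }`; otherwise an unused credential is still copied into the runtime configuration. If instead both are intentionally propagated, a comment at the new line stating that the runtime decides which credential to use would keep the next reader from drawing the wrong conclusion. The `*t.AzureIdentityEnabled` dereference, like the existing `*t.RefreshEnabled` one, relies on Configure having defaulted the pointer first. Apply's body begins and continues outside this hunk.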
diff --git a/addons/vault/azure/azure_key_vault_test.go b/addons/vault/azure/azure_key_vault_test.go
index 202efe9be..cc9c61171 100644
--- a/addons/vault/azure/azure_key_vault_test.go
+++ b/addons/vault/azure/azure_key_vault_test.go
@@ -152,6 +152,55 @@ func TestAzureKeyVaultTraitApplyWithSecretAndRefresh(t *testing.T) {
 	assert.True(t, true, e.ApplicationProperties["camel.vault.azure.refreshEnabled"])
 }
 
+func TestAzureKeyVaultTraitAzureIdentityEnabledApplyWithSecretAndRefresh(t *testing.T) {
+	e := createEnvironment(t, camel.QuarkusCatalog, &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: "test",
+			Name:      "my-secret1",
+		},
+		Data: map[string][]byte{
+			"azure-client-secret": []byte("my-secret-key"),
+		},
+	}, &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: "test",
+			Name:      "my-secret2",
+		},
+		Data: map[string][]byte{
+			"azure-storage-blob-key": []byte("my-access-key"),
+		},
+	})
+	azure := NewAzureKeyVaultTrait()
+	secrets, _ := azure.(*azureKeyVaultTrait)
+	secrets.Enabled = pointer.Bool(true)
+	secrets.TenantID = "tenant-id"
+	secrets.ClientID = "client-id"
+	secrets.ClientSecret = "secret:my-secret1/azure-client-secret"
+	secrets.VaultName = "my-vault"
+	secrets.RefreshEnabled = pointer.Bool(true)
+	secrets.AzureIdentityEnabled = pointer.Bool(true)
+	secrets.BlobAccessKey = "secret:my-secret2/azure-storage-blob-key"
+	secrets.BlobAccountName = "camel-k"
+	secrets.BlobContainerName = "camel-k-container"
+	ok, condition, err := secrets.Configure(e)
+	require.NoError(t, err)
+	assert.True(t, ok)
+	assert.Nil(t, condition)
+
+	err = secrets.Apply(e)
+	require.NoError(t, err)
+
+	assert.Equal(t, "client-id", e.ApplicationProperties["camel.vault.azure.clientId"])
+	assert.Equal(t, "my-secret-key", e.ApplicationProperties["camel.vault.azure.clientSecret"])
+	assert.Equal(t, "tenant-id", e.ApplicationProperties["camel.vault.azure.tenantId"])
+	assert.Equal(t, "my-vault", e.ApplicationProperties["camel.vault.azure.vaultName"])
+	assert.Equal(t, "camel-k", e.ApplicationProperties["camel.vault.azure.blobAccountName"])
+	assert.Equal(t, "camel-k-container", e.ApplicationProperties["camel.vault.azure.blobContainerName"])
+	assert.Equal(t, "my-access-key", e.ApplicationProperties["camel.vault.azure.blobAccessKey"])
+	assert.True(t, true, e.ApplicationProperties["camel.vault.azure.refreshEnabled"])
+	assert.True(t, true, e.ApplicationProperties["camel.vault.azure.azureIdentityEnabled"])
+}
+
 func createEnvironment(t *testing.T, catalogGen func() (*camel.RuntimeCatalog, error), objects ...runtime.Object) *trait.Environment {
 	t.Helper()
 
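Review bot: The final assertion of the new test, `assert.True(t, true, e.ApplicationProperties["camel.vault.azure.azureIdentityEnabled"])`, can never fail: the value being asserted is the literal `true`, and the property lookup is only passed as the failure message, so the property this commit introduces is not actually verified. It should read `assert.Equal(t, "true", e.ApplicationProperties["camel.vault.azure.azureIdentityEnabled"])`; the preceding `refreshEnabled` line copied from the existing test above has the same shape and would benefit from the same fix. A negative case (flag left nil or set to false, expecting `"false"`) would also pin the default that Configure now applies.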
diff --git a/docs/modules/traits/pages/azure-key-vault.adoc b/docs/modules/traits/pages/azure-key-vault.adoc
index a5d8ffc69..6ff6e162d 100644
--- a/docs/modules/traits/pages/azure-key-vault.adoc
+++ b/docs/modules/traits/pages/azure-key-vault.adoc
@@ -13,7 +13,7 @@ the following trait options:
 
 To enable the automatic context reload on secrets updates you should define
 the following trait options:
--t azure-key-vault.enabled=true -t azure-key-vault.tenant-id="tenant-id" -t azure-key-vault.client-id="client-id" -t azure-key-vault.client-secret="client-secret" -t azure-key-vault.vault-name="vault-name" -t azure-key-vault.context-reload-enabled="true" -t azure-key-vault.refresh-enabled="true" -t azure-key-vault.refresh-period="30000" -t azure-key-vault.secrets="test*" -t azure-key-vault.eventhub-connection-string="connection-string" -t azure-key-vault.blob-account-name="account-name"  [...]
+-t azure-key-vault.enabled=true -t azure-key-vault.tenant-id="tenant-id" -t azure-key-vault.client-id="client-id" -t azure-key-vault.client-secret="client-secret" -t azure-key-vault.vault-name="vault-name" -t azure-key-vault.context-reload-enabled="true" -t azure-key-vault.refresh-enabled="true" -t azure-key-vault.refresh-period="30000" -t azure-key-vault.secrets="test*" -t azure-key-vault.eventhub-connection-string="connection-string" -t azure-key-vault.blob-account-name="account-name"  [...]
 
 
 This trait is available in the following profiles: **Kubernetes, Knative, OpenShift**.
@@ -67,6 +67,10 @@ Syntax: [configmap\|secret]:name[/key], where name represents the resource name,
 | bool
 | Define if we want to use the Refresh Feature for secrets
 
+| azure-key-vault.azure-identity-enabled
+| bool
+| Whether the Azure Identity Authentication should be used or not
+
 | azure-key-vault.refresh-period
 | string
 | If Refresh is enabled, this defines the interval to check the refresh event