Posted to commits@camel.apache.org by ac...@apache.org on 2024/03/12 15:24:38 UTC
(camel-k) branch main updated: Azure Key Vault Trait: Support Azure Identity as authentication method (#5244)
This is an automated email from the ASF dual-hosted git repository.
acosentino pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-k.git
The following commit(s) were added to refs/heads/main by this push:
new 5999bc8d1 Azure Key Vault Trait: Support Azure Identity as authentication method (#5244)
5999bc8d1 is described below
commit 5999bc8d17a384867b87967c9d4d36c58e54e3c7
Author: Andrea Cosentino <an...@gmail.com>
AuthorDate: Tue Mar 12 16:24:32 2024 +0100
Azure Key Vault Trait: Support Azure Identity as authentication method (#5244)
Signed-off-by: Andrea Cosentino <an...@gmail.com>
---
addons/vault/azure/azure_key_vault.go | 9 ++++-
addons/vault/azure/azure_key_vault_test.go | 49 ++++++++++++++++++++++++++
docs/modules/traits/pages/azure-key-vault.adoc | 6 +++-
3 files changed, 62 insertions(+), 2 deletions(-)
diff --git a/addons/vault/azure/azure_key_vault.go b/addons/vault/azure/azure_key_vault.go
index 6a639442b..a02fd2c17 100644
--- a/addons/vault/azure/azure_key_vault.go
+++ b/addons/vault/azure/azure_key_vault.go
@@ -42,7 +42,7 @@ import (
//
// To enable the automatic context reload on secrets updates you should define
// the following trait options:
-// -t azure-key-vault.enabled=true -t azure-key-vault.tenant-id="tenant-id" -t azure-key-vault.client-id="client-id" -t azure-key-vault.client-secret="client-secret" -t azure-key-vault.vault-name="vault-name" -t azure-key-vault.context-reload-enabled="true" -t azure-key-vault.refresh-enabled="true" -t azure-key-vault.refresh-period="30000" -t azure-key-vault.secrets="test*" -t azure-key-vault.eventhub-connection-string="connection-string" -t azure-key-vault.blob-account-name="account-nam [...]
+// -t azure-key-vault.enabled=true -t azure-key-vault.tenant-id="tenant-id" -t azure-key-vault.client-id="client-id" -t azure-key-vault.client-secret="client-secret" -t azure-key-vault.vault-name="vault-name" -t azure-key-vault.context-reload-enabled="true" -t azure-key-vault.refresh-enabled="true" -t azure-key-vault.refresh-period="30000" -t azure-key-vault.secrets="test*" -t azure-key-vault.eventhub-connection-string="connection-string" -t azure-key-vault.blob-account-name="account-nam [...]
//
// +camel-k:trait=azure-key-vault.
type Trait struct {
@@ -63,6 +63,8 @@ type Trait struct {
ContextReloadEnabled *bool `property:"context-reload-enabled" json:"contextReloadEnabled,omitempty"`
// Define if we want to use the Refresh Feature for secrets
RefreshEnabled *bool `property:"refresh-enabled" json:"refreshEnabled,omitempty"`
+ // Whether the Azure Identity Authentication should be used or not
+ AzureIdentityEnabled *bool `property:"azure-identity-enabled" json:"azureIdentityEnabled,omitempty"`
// If Refresh is enabled, this defines the interval to check the refresh event
RefreshPeriod string `property:"refresh-period" json:"refreshPeriod,omitempty"`
// If Refresh is enabled, the regular expression representing the secrets we want to track
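Review bot: The comment on the new `AzureIdentityEnabled` field says only that Azure Identity authentication "should be used or not", which leaves a user guessing how the flag interacts with the tenant-id, client-id and client-secret options the same struct declares; if, as the name suggests, it selects an identity-based credential in place of the client secret, the comment should say so and name which of those options are still read, e.g. `// Whether to authenticate with Azure Identity (e.g. a managed identity) instead of the client-secret credential`. Since this comment is also what the generated trait docs table shows (the adoc hunk carries the same text), fixing it here fixes both. The field is also inserted between `RefreshEnabled` and `RefreshPeriod`, splitting the refresh-related options; placing it next to `ClientSecret` would group the authentication settings together and the generated table would follow. The `Trait` struct continues outside the hunk.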
@@ -107,6 +109,10 @@ func (t *azureKeyVaultTrait) Configure(environment *trait.Environment) (bool, *t
t.RefreshEnabled = pointer.Bool(false)
}
+ if t.AzureIdentityEnabled == nil {
+ t.AzureIdentityEnabled = pointer.Bool(false)
+ }
+
return true, nil, nil
}
@@ -143,6 +149,7 @@ func (t *azureKeyVaultTrait) Apply(environment *trait.Environment) error {
environment.ApplicationProperties["camel.vault.azure.clientId"] = t.ClientID
environment.ApplicationProperties["camel.vault.azure.vaultName"] = t.VaultName
environment.ApplicationProperties["camel.vault.azure.refreshEnabled"] = strconv.FormatBool(*t.RefreshEnabled)
+ environment.ApplicationProperties["camel.vault.azure.azureIdentityEnabled"] = strconv.FormatBool(*t.AzureIdentityEnabled)
environment.ApplicationProperties["camel.main.context-reload-enabled"] = strconv.FormatBool(*t.ContextReloadEnabled)
environment.ApplicationProperties["camel.vault.azure.refreshPeriod"] = t.RefreshPeriod
if t.Secrets != "" {
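Review bot: The added property line dereferences `*t.AzureIdentityEnabled` unconditionally, so `Apply` relies on `Configure` having defaulted the pointer first; that matches the existing `RefreshEnabled` and `ContextReloadEnabled` handling, but `strconv.FormatBool(pointer.BoolDeref(t.AzureIdentityEnabled, false))` would drop the ordering assumption without changing the output. Separately, nothing in this hunk makes the identity flag change what else is injected: the new test sets `ClientSecret` and asserts `camel.vault.azure.clientSecret` alongside `AzureIdentityEnabled = true`, so a deployment that authenticates with a managed identity still has a client secret resolved and materialized into the application properties. If the identity credential makes the secret unnecessary, `Apply` should skip injecting `camel.vault.azure.clientSecret` when the flag is set, and `Configure` should not require the option; the clientSecret assignment and any validation sit outside this hunk, so this is inferred from the test. `Apply` continues outside the hunk.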
diff --git a/addons/vault/azure/azure_key_vault_test.go b/addons/vault/azure/azure_key_vault_test.go
index 202efe9be..cc9c61171 100644
--- a/addons/vault/azure/azure_key_vault_test.go
+++ b/addons/vault/azure/azure_key_vault_test.go
@@ -152,6 +152,55 @@ func TestAzureKeyVaultTraitApplyWithSecretAndRefresh(t *testing.T) {
assert.True(t, true, e.ApplicationProperties["camel.vault.azure.refreshEnabled"])
}
+func TestAzureKeyVaultTraitAzureIdentityEnabledApplyWithSecretAndRefresh(t *testing.T) {
+ e := createEnvironment(t, camel.QuarkusCatalog, &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Namespace: "test",
+ Name: "my-secret1",
+ },
+ Data: map[string][]byte{
+ "azure-client-secret": []byte("my-secret-key"),
+ },
+ }, &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Namespace: "test",
+ Name: "my-secret2",
+ },
+ Data: map[string][]byte{
+ "azure-storage-blob-key": []byte("my-access-key"),
+ },
+ })
+ azure := NewAzureKeyVaultTrait()
+ secrets, _ := azure.(*azureKeyVaultTrait)
+ secrets.Enabled = pointer.Bool(true)
+ secrets.TenantID = "tenant-id"
+ secrets.ClientID = "client-id"
+ secrets.ClientSecret = "secret:my-secret1/azure-client-secret"
+ secrets.VaultName = "my-vault"
+ secrets.RefreshEnabled = pointer.Bool(true)
+ secrets.AzureIdentityEnabled = pointer.Bool(true)
+ secrets.BlobAccessKey = "secret:my-secret2/azure-storage-blob-key"
+ secrets.BlobAccountName = "camel-k"
+ secrets.BlobContainerName = "camel-k-container"
+ ok, condition, err := secrets.Configure(e)
+ require.NoError(t, err)
+ assert.True(t, ok)
+ assert.Nil(t, condition)
+
+ err = secrets.Apply(e)
+ require.NoError(t, err)
+
+ assert.Equal(t, "client-id", e.ApplicationProperties["camel.vault.azure.clientId"])
+ assert.Equal(t, "my-secret-key", e.ApplicationProperties["camel.vault.azure.clientSecret"])
+ assert.Equal(t, "tenant-id", e.ApplicationProperties["camel.vault.azure.tenantId"])
+ assert.Equal(t, "my-vault", e.ApplicationProperties["camel.vault.azure.vaultName"])
+ assert.Equal(t, "camel-k", e.ApplicationProperties["camel.vault.azure.blobAccountName"])
+ assert.Equal(t, "camel-k-container", e.ApplicationProperties["camel.vault.azure.blobContainerName"])
+ assert.Equal(t, "my-access-key", e.ApplicationProperties["camel.vault.azure.blobAccessKey"])
+ assert.True(t, true, e.ApplicationProperties["camel.vault.azure.refreshEnabled"])
+ assert.True(t, true, e.ApplicationProperties["camel.vault.azure.azureIdentityEnabled"])
+}
+
func createEnvironment(t *testing.T, catalogGen func() (*camel.RuntimeCatalog, error), objects ...runtime.Object) *trait.Environment {
t.Helper()
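Review bot: The new assertion `assert.True(t, true, e.ApplicationProperties["camel.vault.azure.azureIdentityEnabled"])` passes the literal `true` as the value under test and the property as the failure-message argument, so it can never fail and the new flag is not actually verified; it copies the same pattern from the `refreshEnabled` line just above it. Change it to `assert.Equal(t, "true", e.ApplicationProperties["camel.vault.azure.azureIdentityEnabled"])`, and the `refreshEnabled` line in the same way. A second case that leaves `AzureIdentityEnabled` nil and asserts the property is `"false"` would also pin the default that `Configure` now sets. `createEnvironment` begins at the end of the hunk and continues outside it.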
diff --git a/docs/modules/traits/pages/azure-key-vault.adoc b/docs/modules/traits/pages/azure-key-vault.adoc
index a5d8ffc69..6ff6e162d 100644
--- a/docs/modules/traits/pages/azure-key-vault.adoc
+++ b/docs/modules/traits/pages/azure-key-vault.adoc
@@ -13,7 +13,7 @@ the following trait options:
To enable the automatic context reload on secrets updates you should define
the following trait options:
--t azure-key-vault.enabled=true -t azure-key-vault.tenant-id="tenant-id" -t azure-key-vault.client-id="client-id" -t azure-key-vault.client-secret="client-secret" -t azure-key-vault.vault-name="vault-name" -t azure-key-vault.context-reload-enabled="true" -t azure-key-vault.refresh-enabled="true" -t azure-key-vault.refresh-period="30000" -t azure-key-vault.secrets="test*" -t azure-key-vault.eventhub-connection-string="connection-string" -t azure-key-vault.blob-account-name="account-name" [...]
+-t azure-key-vault.enabled=true -t azure-key-vault.tenant-id="tenant-id" -t azure-key-vault.client-id="client-id" -t azure-key-vault.client-secret="client-secret" -t azure-key-vault.vault-name="vault-name" -t azure-key-vault.context-reload-enabled="true" -t azure-key-vault.refresh-enabled="true" -t azure-key-vault.refresh-period="30000" -t azure-key-vault.secrets="test*" -t azure-key-vault.eventhub-connection-string="connection-string" -t azure-key-vault.blob-account-name="account-name" [...]
This trait is available in the following profiles: **Kubernetes, Knative, OpenShift**.
@@ -67,6 +67,10 @@ Syntax: [configmap\|secret]:name[/key], where name represents the resource name,
| bool
| Define if we want to use the Refresh Feature for secrets
+| azure-key-vault.azure-identity-enabled
+| bool
+| Whether the Azure Identity Authentication should be used or not
+
| azure-key-vault.refresh-period
| string
| If Refresh is enabled, this defines the interval to check the refresh event