diff --git a/data/data/azure/bootstrap/main.tf b/data/data/azure/bootstrap/main.tf
index e93e234b49c..fc0fc90af1b 100644
--- a/data/data/azure/bootstrap/main.tf
+++ b/data/data/azure/bootstrap/main.tf
@@ -12,11 +12,13 @@ locals {
 provider "azurerm" {
 features {}
- subscription_id = var.azure_subscription_id
- client_id = var.azure_client_id
- client_secret = var.azure_client_secret
- tenant_id = var.azure_tenant_id
- environment = var.azure_environment
+ subscription_id = var.azure_subscription_id
+ client_id = var.azure_client_id
+ client_secret = var.azure_client_secret
+ client_certificate_password = var.azure_certificate_password
+ client_certificate_path = var.azure_certificate_path
+ tenant_id = var.azure_tenant_id
+ environment = var.azure_environment
 }
 data "azurerm_storage_account" "storage_account" {
diff --git a/data/data/azure/cluster/main.tf b/data/data/azure/cluster/main.tf
index 1683b8e2208..2a9265ff71b 100644
--- a/data/data/azure/cluster/main.tf
+++ b/data/data/azure/cluster/main.tf
@@ -13,11 +13,13 @@ locals {
 provider "azurerm" {
 features {}
- subscription_id = var.azure_subscription_id
- client_id = var.azure_client_id
- client_secret = var.azure_client_secret
- tenant_id = var.azure_tenant_id
- environment = var.azure_environment
+ subscription_id = var.azure_subscription_id
+ client_id = var.azure_client_id
+ client_secret = var.azure_client_secret
+ client_certificate_password = var.azure_certificate_password
+ client_certificate_path = var.azure_certificate_path
+ tenant_id = var.azure_tenant_id
+ environment = var.azure_environment
 }
 module "master" {
diff --git a/data/data/azure/variables-azure.tf b/data/data/azure/variables-azure.tf
index ef71718da2f..83f66c5088f 100644
--- a/data/data/azure/variables-azure.tf
+++ b/data/data/azure/variables-azure.tf
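Review bot: The provider block now hands azurerm both `client_secret` and the `client_certificate_path`/`client_certificate_password` pair with nothing saying which one is used when both are non-empty; the cluster hunk on this line and the vnet hunk on the next repeat the same block. Because every one of these variables now defaults to `""`, the block also relies on the provider treating an empty string as "not set" rather than attempting a login with an empty secret, which is worth confirming against the azurerm version pinned in this repository. I would add a one-line comment above `client_certificate_password` in all three files: `# Certificate and secret inputs are both passed through; the installer decides which is populated (see pkg/asset/installconfig/azure/session.go).`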
@@ -104,6 +104,19 @@ variable "azure_client_id" {
 variable "azure_client_secret" {
 type = string
 description = "The password that should be used to interact with Azure API"
+ default = ""
+}
+
+variable "azure_certificate_path" {
+ type = string
+ description = "The location of the Azure Service Principal client certificates"
+ default = ""
+}
+
+variable "azure_certificate_password" {
+ type = string
+ description = "The password for the provided Azure Service Principal client certificates"
+ default = ""
 }
 variable "azure_tenant_id" {
diff --git a/data/data/azure/vnet/main.tf b/data/data/azure/vnet/main.tf
index 57c4e76a417..b6ecc253080 100644
--- a/data/data/azure/vnet/main.tf
+++ b/data/data/azure/vnet/main.tf
@@ -13,11 +13,13 @@ locals {
 provider "azurerm" {
 features {}
- subscription_id = var.azure_subscription_id
- client_id = var.azure_client_id
- client_secret = var.azure_client_secret
- tenant_id = var.azure_tenant_id
- environment = var.azure_environment
+ subscription_id = var.azure_subscription_id
+ client_id = var.azure_client_id
+ client_secret = var.azure_client_secret
+ client_certificate_password = var.azure_certificate_password
+ client_certificate_path = var.azure_certificate_path
+ tenant_id = var.azure_tenant_id
+ environment = var.azure_environment
 }
 resource "random_string" "storage_suffix" {
diff --git a/go.mod b/go.mod
index f65b297789c..6d12fc8600f 100644
--- a/go.mod
+++ b/go.mod
@@ -8,7 +8,7 @@ require (
 github.com/Azure/azure-sdk-for-go v51.2.0+incompatible
 github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.3.0
 github.com/Azure/go-autorest/autorest v0.11.18
- github.com/Azure/go-autorest/autorest/azure/auth v0.4.1
+ github.com/Azure/go-autorest/autorest/azure/auth v0.5.1
 github.com/Azure/go-autorest/autorest/to v0.4.0
 github.com/IBM-Cloud/bluemix-go v0.0.0-20211102075456-ffc4e11dfb16
 github.com/IBM-Cloud/power-go-client v1.1.5
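Review bot: `azure_certificate_password` is a credential, but the new variable block does not mark it `sensitive = true`, so its value can appear in plan/apply output and in state diffs that Terraform prints; `azure_client_secret` in the same hunk has the same gap, although that predates this change. If the pinned Terraform version supports it (0.14 and later), adding `sensitive = true` to both blocks keeps the values redacted in CLI output at no cost. Note also that the new `default = ""` turns `azure_client_secret` from a required variable into an optional one, so a missing secret is no longer caught at variable validation but only when the provider attempts to authenticate.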
@@ -124,7 +124,7 @@ require (
 github.com/Azure/azure-sdk-for-go/sdk/internal v0.9.2 // indirect
 github.com/Azure/go-autorest v14.2.0+incompatible // indirect
 github.com/Azure/go-autorest/autorest/adal v0.9.13 // indirect
- github.com/Azure/go-autorest/autorest/azure/cli v0.3.1 // indirect
+ github.com/Azure/go-autorest/autorest/azure/cli v0.4.0 // indirect
 github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect
 github.com/Azure/go-autorest/logger v0.2.1 // indirect
@@ -245,3 +245,5 @@ replace sigs.k8s.io/controller-tools => sigs.k8s.io/controller-tools v0.3.1-0.20
 replace github.com/openshift/api => github.com/openshift/api v0.0.0-20220823143838-5768cc618ba0
 replace github.com/terraform-providers/terraform-provider-nutanix => github.com/nutanix/terraform-provider-nutanix v1.5.0
+
+replace github.com/mattn/go-sqlite3 => github.com/mattn/go-sqlite3 v1.10.0
diff --git a/go.sum b/go.sum
index 342a8817a4e..f2d366f2389 100644
--- a/go.sum
+++ b/go.sum
@@ -71,26 +71,26 @@ github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg6 github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI= -github.com/Azure/go-autorest/autorest v0.9.2/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI= +github.com/Azure/go-autorest/autorest v0.11.0/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw= github.com/Azure/go-autorest/autorest v0.11.12/go.mod h1:eipySxLmqSyC5s5k1CLupqet0PSENBEDP93LQ9a8QYw= github.com/Azure/go-autorest/autorest v0.11.18 h1:90Y4srNYrwOtAgVo3ndrQkTYn6kf1Eg/AjTFJ8Is2aM= github.com/Azure/go-autorest/autorest v0.11.18/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA= github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0= -github.com/Azure/go-autorest/autorest/adal v0.8.0/go.mod h1:Z6vX6WXXuyieHAXwMj0S6HY6e6wcHn37qQMBQlvY3lc= +github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg= +github.com/Azure/go-autorest/autorest/adal v0.9.2/go.mod h1:/3SMAM86bP6wC9Ev35peQDUeqFZBMH07vvUOmg4z/fE= github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A= github.com/Azure/go-autorest/autorest/adal v0.9.13 h1:Mp5hbtOePIzM8pJVRa3YLrWWmZtoxRXqUEzCfJt3+/Q= github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= -github.com/Azure/go-autorest/autorest/azure/auth v0.4.1 h1:VDSqmaEc8ECZdfavoa1KmVpIVTGTc+v/2jvHGmCYvSE= -github.com/Azure/go-autorest/autorest/azure/auth v0.4.1/go.mod h1:5TgH20II424SXIV9YDBsO4rBCKsh39Vbx9DvhJZZ8rU= -github.com/Azure/go-autorest/autorest/azure/cli v0.3.1 h1:LXl088ZQlP0SBppGFsRZonW6hSvwgL5gRByMbvUbx8U= 
-github.com/Azure/go-autorest/autorest/azure/cli v0.3.1/go.mod h1:ZG5p860J94/0kI9mNJVoIoLgXcirM2gF5i2kWloofxw= +github.com/Azure/go-autorest/autorest/azure/auth v0.5.1 h1:bvUhZciHydpBxBmCheUgxxbSwJy7xcfjkUsjUcqSojc= +github.com/Azure/go-autorest/autorest/azure/auth v0.5.1/go.mod h1:ea90/jvmnAwDrSooLH4sRIehEPtG/EPUXavDh31MnA4= +github.com/Azure/go-autorest/autorest/azure/cli v0.4.0 h1:Ml+UCrnlKD+cJmSzrZ/RDcDw86NjkRUpnFh7V5JUhzU= +github.com/Azure/go-autorest/autorest/azure/cli v0.4.0/go.mod h1:JljT387FplPzBA31vUcvsetLKF3pec5bdAxjVU4kI2s= github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA= -github.com/Azure/go-autorest/autorest/date v0.2.0/go.mod h1:vcORJHLJEh643/Ioh9+vPmf1Ij9AEBM5FuBIXLmIy0g= github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw= github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= -github.com/Azure/go-autorest/autorest/mocks v0.3.0/go.mod h1:a8FDP3DYzQ4RYfVAxAN3SVSiiO77gL2j2ronKKP0syM= +github.com/Azure/go-autorest/autorest/mocks v0.4.0/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= github.com/Azure/go-autorest/autorest/mocks v0.4.1 h1:K0laFcLE6VLTOwNgSxaGbUcLPuGXlNkbVvq4cW4nIHk= github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= github.com/Azure/go-autorest/autorest/to v0.3.0/go.mod h1:MgwOyqaIuKdG4TL/2ywSsIWKAfJfgHDo8ObuUk3t5sA= 
@@ -157,7 +157,6 @@ github.com/PaesslerAG/jsonpath v0.1.1 h1:c1/AToHQMVsduPAa4Vh6xp2U0evy4t8SWp8imEs github.com/PaesslerAG/jsonpath v0.1.1/go.mod h1:lVboNxFGal/VwW6d9JzIy56bUsYAP6tH/x80vjnCseY= github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7 h1:YoJbenK9C67SkzkDfmQuVln04ygHj3vjZfd9FL+GmQQ= github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7/go.mod h1:z4/9nQmJSSwwds7ejkxaJwO37dru3geImFUdJlaLzQo= -github.com/PuerkitoBio/goquery v1.5.1/go.mod h1:GsLWisAFVj4WgDibEWF4pvYnkVQBpKBKeU+7zCJoLcc= github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI= @@ -190,7 +189,6 @@ github.com/aliyun/alibaba-cloud-sdk-go v1.61.1264/go.mod h1:9CMdKNL3ynIGPpfTcdwT github.com/aliyun/aliyun-oss-go-sdk v2.1.8+incompatible h1:hLUNPbx10wawWW7DeNExvTrlb90db3UnnNTFKHZEFhE= github.com/aliyun/aliyun-oss-go-sdk v2.1.8+incompatible/go.mod h1:T/Aws4fEfogEE9v+HPhhw+CntffsBHJ8nXQCwKr0/g8= github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8= -github.com/andybalholm/cascadia v1.1.0/go.mod h1:GsXiBklL0woXo1j/WYWtSYYC4ouU9PqHO0sqidkEA4Y= github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/antlr/antlr4/runtime/Go/antlr v0.0.0-20210826220005-b48c857c3a0e/go.mod h1:F7bn7fEU90QkQ3tnmaTx3LTKLEDqnwWODIYppRQ5hnY= 
@@ -1204,9 +1202,7 @@ github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzp github.com/mattn/go-runewidth v0.0.7/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= github.com/mattn/go-shellwords v1.0.10/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y= -github.com/mattn/go-sqlite3 v1.14.0/go.mod h1:JIl7NbARA7phWnGvh0LKTyg7S9BA+6gx71ShQilpsus= -github.com/mattn/go-sqlite3 v2.0.1+incompatible/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc= -github.com/mattn/go-sqlite3 v2.0.3+incompatible/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc= +github.com/mattn/go-sqlite3 v1.10.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc= github.com/mattn/goveralls v0.0.2/go.mod h1:8d1ZMHsd7fW6IRPKQh46F2WRpyib5/X4FOpevwGNQEw= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI= @@ -1875,7 +1871,6 @@ golang.org/x/crypto v0.0.0-20190313024323-a1f597ede03a/go.mod h1:djNgcEr1/C05ACk golang.org/x/crypto v0.0.0-20190320223903-b7391e95e576/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190411191339-88737f569e3a/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE= -golang.org/x/crypto v0.0.0-20190418165655-df01cb2cc480/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE= golang.org/x/crypto v0.0.0-20190422162423-af44ce270edf/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190530122614-20be4c3c3ed5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 
@@ -1954,7 +1949,6 @@ golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 h1:6zppjxzCulZykYSLyVD
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20170915142106-8351a756f30f/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180218175443-cbe0f9307d01/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
diff --git a/pkg/asset/cluster/tfvars.go b/pkg/asset/cluster/tfvars.go
index 1614eafa3a1..fee729befd8 100644
--- a/pkg/asset/cluster/tfvars.go
+++ b/pkg/asset/cluster/tfvars.go
@@ -306,10 +306,12 @@ func (t *TerraformVariables) Generate(parents asset.Parents) error {
 return err
 }
 auth := azuretfvars.Auth{
- SubscriptionID: session.Credentials.SubscriptionID,
- ClientID: session.Credentials.ClientID,
- ClientSecret: session.Credentials.ClientSecret,
- TenantID: session.Credentials.TenantID,
+ SubscriptionID: session.Credentials.SubscriptionID,
+ ClientID: session.Credentials.ClientID,
+ ClientSecret: session.Credentials.ClientSecret,
+ TenantID: session.Credentials.TenantID,
+ ClientCertificatePath: session.Credentials.ClientCertificatePath,
+ ClientCertificatePassword: session.Credentials.ClientCertificatePassword,
 }
 masters, err := mastersAsset.Machines()
 if err != nil {
diff --git a/pkg/asset/installconfig/azure/session.go b/pkg/asset/installconfig/azure/session.go
index 0a1d6d2b8ff..632cd9ad1ac 100644
--- a/pkg/asset/installconfig/azure/session.go
+++ b/pkg/asset/installconfig/azure/session.go
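Review bot: The certificate password is now written into the Azure tfvars asset next to the client secret, and the certificate path is copied verbatim as a path on the installer host, so the generated tfvars only work when terraform runs on the same host with that file still readable. Neither fact is visible at the struct literal; a short comment above `auth := azuretfvars.Auth{` would help whoever later moves terraform execution elsewhere: `// ClientCertificatePath is a path on this host; terraform must run where that file is readable.` Generate begins and continues outside this hunk.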
@@ -34,10 +34,12 @@ type Session struct {
 //Credentials is the data type for credentials as understood by the azure sdk
 type Credentials struct {
- SubscriptionID string `json:"subscriptionId,omitempty"`
- ClientID string `json:"clientId,omitempty"`
- ClientSecret string `json:"clientSecret,omitempty"`
- TenantID string `json:"tenantId,omitempty"`
+ SubscriptionID string `json:"subscriptionId,omitempty"`
+ ClientID string `json:"clientId,omitempty"`
+ ClientSecret string `json:"clientSecret,omitempty"`
+ TenantID string `json:"tenantId,omitempty"`
+ ClientCertificatePath string `json:"certificatePath,omitempty"`
+ ClientCertificatePassword string `json:"certificatePassword,omitempty"`
 }
 // GetSession returns an azure session by using credentials found in ~/.azure/osServicePrincipal.json
@@ -68,7 +70,9 @@ func GetSessionWithCredentials(cloudName azure.CloudEnvironment, armEndpoint str
 return nil, err
 }
 }
-
+ if credentials.ClientCertificatePath != "" {
+ return newSessionFromCertificates(cloudEnv, credentials)
+ }
 return newSessionFromCredentials(cloudEnv, credentials)
 }
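Review bot: The new JSON tags `certificatePath` and `certificatePassword` determine how a Credentials value is serialized to the osServicePrincipal.json file, while the getCredentials hunk in this file reads that file back through `auth.FileSettings` keyed by `auth.CertificatePath` and `auth.CertificatePassword`; unless the vendored auth package's `GetSettingsFromFile` maps exactly these JSON keys to those constants, a credentials file saved from this struct will not round-trip into certificate auth. I would check the key names that loader expects and align the tags with them, or, if Credentials is only ever written and never parsed back from JSON, say so in a comment on the struct. Either way the struct deserves a note that `ClientCertificatePassword` is a secret and the file it lands in is as sensitive as `ClientSecret`.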
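Review bot: The new branch selects certificate auth whenever `ClientCertificatePath` is non-empty, even when `ClientSecret` is also set, but the getCredentials hunk below only warns about certificate auth when the secret is absent; a user who supplies both silently gets the certificate path and, per the platformcredscheck hunk, is then rejected outside manual credentials mode without ever seeing that warning. Either state the precedence on the branch, `// A certificate path takes precedence over a client secret when both are present.`, or move the selection into getCredentials so the warning and the choice agree. GetSessionWithCredentials begins outside the hunk.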
@@ -128,18 +132,25 @@ func getCredentials(fs auth.FileSettings) (*Credentials, error) {
 return nil, errors.New("could not retrieve clientId from auth file")
 }
 clientSecret := fs.Values[auth.ClientSecret]
- if clientSecret == "" {
- return nil, errors.New("could not retrieve clientSecret from auth file")
- }
 tenantID := fs.Values[auth.TenantID]
 if tenantID == "" {
 return nil, errors.New("could not retrieve tenantId from auth file")
 }
+ clientCertificatePassword := fs.Values[auth.CertificatePassword]
+ clientCertificatePath := fs.Values[auth.CertificatePath]
+ if clientSecret == "" {
+ if clientCertificatePath == "" {
+ return nil, errors.New("could not retrieve either client secret or client certs from auth file")
+ }
+ logrus.Warnf("Using client certs to authenticate. Please be warned cluster does not support certs and only the installer does.")
+ }
 return &Credentials{
- SubscriptionID: subscriptionID,
- ClientID: clientID,
- ClientSecret: clientSecret,
- TenantID: tenantID,
+ SubscriptionID: subscriptionID,
+ ClientID: clientID,
+ ClientSecret: clientSecret,
+ TenantID: tenantID,
+ ClientCertificatePath: clientCertificatePath,
+ ClientCertificatePassword: clientCertificatePassword,
 }, nil
 }
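Review bot: `clientCertificatePath` is taken from the auth file without checking that the file exists and is readable, so a typo in the path is only reported later, when the vendored `ClientCertificateConfig.ServicePrincipalToken` fails to read it while the session is built, with an error that no longer mentions the auth file. A cheap `os.Stat` on the path at this point (returning a wrapped error that names the auth file key, and importing `os` if it is not already) would surface the problem at credential-load time. Separately, `logrus.Warnf` is called with no format verbs; `logrus.Warn` is the plain form. getCredentials begins outside the hunk.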
@@ -241,3 +252,30 @@ func newSessionFromCredentials(cloudEnv azureenv.Environment, credentials *Crede
 Environment: cloudEnv,
 }, nil
 }
+
+func newSessionFromCertificates(cloudEnv azureenv.Environment, credentials *Credentials) (*Session, error) {
+ c := &auth.ClientCertificateConfig{
+ TenantID: credentials.TenantID,
+ ClientID: credentials.ClientID,
+ CertificatePath: credentials.ClientCertificatePath,
+ CertificatePassword: credentials.ClientCertificatePassword,
+ AADEndpoint: cloudEnv.ActiveDirectoryEndpoint,
+ }
+ c.Resource = cloudEnv.TokenAudience
+ authorizer, err := c.Authorizer()
+ if err != nil {
+ return nil, errors.Wrap(err, "failed to get client credentials authorizer")
+ }
+
+ c.Resource = cloudEnv.GraphEndpoint
+ graphAuthorizer, err := c.Authorizer()
+ if err != nil {
+ return nil, errors.Wrap(err, "failed to get GraphEndpoint authorizer")
+ }
+ return &Session{
+ GraphAuthorizer: graphAuthorizer,
+ Authorizer: authorizer,
+ Credentials: *credentials,
+ Environment: cloudEnv,
+ }, nil
+}
diff --git a/pkg/asset/installconfig/platformcredscheck.go b/pkg/asset/installconfig/platformcredscheck.go
index 824cf340665..b4ce18de7f4 100644
--- a/pkg/asset/installconfig/platformcredscheck.go
+++ b/pkg/asset/installconfig/platformcredscheck.go
@@ -88,10 +88,13 @@ func (a *PlatformCredsCheck) Generate(dependencies asset.Parents) error {
 case baremetal.Name, libvirt.Name, none.Name, vsphere.Name, nutanix.Name:
 // no creds to check
 case azure.Name:
- _, err = ic.Azure.Session()
+ azureSession, err := ic.Azure.Session()
 if err != nil {
 return errors.Wrap(err, "creating Azure session")
 }
+ if azureSession.Credentials.ClientCertificatePath != "" && ic.Config.CredentialsMode != "manual" {
+ return fmt.Errorf("authentication with client certificates is only supported in manual credentials mode")
+ }
 case ovirt.Name:
 con, err := ovirtconfig.NewConnection()
 if err != nil {
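Review bot: The wrap on the first `c.Authorizer()` failure says `failed to get client credentials authorizer`, which is the wording of the secret-based path and will misdirect anyone debugging a bad certificate file or password; `return nil, errors.Wrap(err, "failed to get client certificate authorizer")` names the mechanism actually in use. The function is also undocumented; a one-line comment such as `// newSessionFromCertificates builds the ARM and Graph authorizers from a PKCS#12 client certificate instead of a client secret.` would match the sibling constructor. Presumably each `Authorizer()` call goes through the vendored `ServicePrincipalToken`, which reads and decodes the certificate file, so the file and password are parsed twice here; harmless, but worth a comment if it stays that way.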
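Review bot: `ic.Config.CredentialsMode != "manual"` compares the typed CredentialsMode field against a bare lowercase literal; if the project's manual-mode constant is spelled with a capital (`Manual`), this check never passes and certificate auth is rejected even in manual mode, and nothing in the hunk shows which spelling is correct. Comparing against the project's typed constant instead of a string literal lets the compiler enforce the spelling, and `errors.New` is the natural form for the message since it has no format verbs and `errors` is already used two lines above. Also note `azureSession, err :=` now declares a new `err` scoped to this case rather than assigning the outer one as the removed line did, which is fine only if nothing after the switch reads `err`; Generate begins outside the hunk.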
diff --git a/pkg/tfvars/azure/azure.go b/pkg/tfvars/azure/azure.go
index 08ae6ca354c..3955453593e 100644
--- a/pkg/tfvars/azure/azure.go
+++ b/pkg/tfvars/azure/azure.go
@@ -13,10 +13,12 @@ import (
 // Auth is the collection of credentials that will be used by terrform.
 type Auth struct {
- SubscriptionID string `json:"azure_subscription_id,omitempty"`
- ClientID string `json:"azure_client_id,omitempty"`
- ClientSecret string `json:"azure_client_secret,omitempty"`
- TenantID string `json:"azure_tenant_id,omitempty"`
+ SubscriptionID string `json:"azure_subscription_id,omitempty"`
+ ClientID string `json:"azure_client_id,omitempty"`
+ ClientSecret string `json:"azure_client_secret,omitempty"`
+ TenantID string `json:"azure_tenant_id,omitempty"`
+ ClientCertificatePath string `json:"azure_certificate_path,omitempty"`
+ ClientCertificatePassword string `json:"azure_certificate_password,omitempty"`
 }
 type config struct {
diff --git a/vendor/github.com/Azure/go-autorest/autorest/azure/auth/auth.go b/vendor/github.com/Azure/go-autorest/autorest/azure/auth/auth.go
index 5f02026b391..596b9f5777d 100644
--- a/vendor/github.com/Azure/go-autorest/autorest/azure/auth/auth.go
+++ b/vendor/github.com/Azure/go-autorest/autorest/azure/auth/auth.go
@@ -16,8 +16,6 @@ package auth
 import (
 "bytes"
- "crypto/rsa"
- "crypto/x509"
 "encoding/binary"
 "encoding/json"
 "errors"
@@ -33,7 +31,6 @@ import (
 "github.com/Azure/go-autorest/autorest/azure"
 "github.com/Azure/go-autorest/autorest/azure/cli"
 "github.com/dimchansky/utfbom"
- "golang.org/x/crypto/pkcs12"
 )
 // The possible keys in the Values map.
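Review bot: The `Auth` doc comment does not say that `ClientSecret` and the `ClientCertificatePath`/`ClientCertificatePassword` pair are alternative authentication inputs, nor that the json tags are load-bearing because they must match the `azure_*` variable names declared in data/data/azure/variables-azure.tf (the hunks in that file do keep them in sync, but nothing here records the coupling). Suggest replacing the comment with: `// Auth is the collection of credentials that will be used by terraform. ClientSecret and the ClientCertificatePath/ClientCertificatePassword pair are alternative authentication inputs; the json tags must match the variable names in data/data/azure/variables-azure.tf.` This also fixes the existing "terrform" typo on the same line.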
@@ -466,7 +463,7 @@ func decode(b []byte) ([]byte, error) {
 }
 func (settings FileSettings) getResourceForToken(baseURI string) (string, error) {
- // Compare dafault base URI from the SDK to the endpoints from the public cloud
+ // Compare default base URI from the SDK to the endpoints from the public cloud
 // Base URI and token resource are the same string. This func finds the authentication
 // file field that matches the SDK base URI. The SDK defines the public cloud
 // endpoint as its default base URI
@@ -613,7 +610,7 @@ func (ccc ClientCertificateConfig) ServicePrincipalToken() (*adal.ServicePrincip
 if err != nil {
 return nil, fmt.Errorf("failed to read the certificate file (%s): %v", ccc.CertificatePath, err)
 }
- certificate, rsaPrivateKey, err := decodePkcs12(certData, ccc.CertificatePassword)
+ certificate, rsaPrivateKey, err := adal.DecodePfxCertificateData(certData, ccc.CertificatePassword)
 if err != nil {
 return nil, fmt.Errorf("failed to decode pkcs12 certificate while creating spt: %v", err)
 }
@@ -665,20 +662,6 @@ func (dfc DeviceFlowConfig) ServicePrincipalToken() (*adal.ServicePrincipalToken
 return adal.NewServicePrincipalTokenFromManualToken(*oauthConfig, dfc.ClientID, dfc.Resource, *token)
 }
-func decodePkcs12(pkcs []byte, password string) (*x509.Certificate, *rsa.PrivateKey, error) {
- privateKey, certificate, err := pkcs12.Decode(pkcs, password)
- if err != nil {
- return nil, nil, err
- }
-
- rsaPrivateKey, isRsaKey := privateKey.(*rsa.PrivateKey)
- if !isRsaKey {
- return nil, nil, fmt.Errorf("PKCS#12 certificate must contain an RSA private key")
- }
-
- return certificate, rsaPrivateKey, nil
-}
-
 // UsernamePasswordConfig provides the options to get a bearer authorizer from a username and a password.
 type UsernamePasswordConfig struct {
 ClientID string
@@ -713,8 +696,8 @@ type MSIConfig struct {
 ClientID string
 }
-// Authorizer gets the authorizer from MSI.
-func (mc MSIConfig) Authorizer() (autorest.Authorizer, error) {
+// ServicePrincipalToken creates a ServicePrincipalToken from MSI.
+func (mc MSIConfig) ServicePrincipalToken() (*adal.ServicePrincipalToken, error) {
 msiEndpoint, err := adal.GetMSIEndpoint()
 if err != nil {
 return nil, err
@@ -733,5 +716,15 @@ func (mc MSIConfig) Authorizer() (autorest.Authorizer, error) {
 }
 }
+ return spToken, nil
+}
+
+// Authorizer gets the authorizer from MSI.
+func (mc MSIConfig) Authorizer() (autorest.Authorizer, error) {
+ spToken, err := mc.ServicePrincipalToken()
+ if err != nil {
+ return nil, err
+ }
 return autorest.NewBearerAuthorizer(spToken), nil
 }
diff --git a/vendor/github.com/Azure/go-autorest/autorest/azure/auth/go_mod_tidy_hack.go b/vendor/github.com/Azure/go-autorest/autorest/azure/auth/go_mod_tidy_hack.go
index 2f09cd177aa..38e4900ad0f 100644
--- a/vendor/github.com/Azure/go-autorest/autorest/azure/auth/go_mod_tidy_hack.go
+++ b/vendor/github.com/Azure/go-autorest/autorest/azure/auth/go_mod_tidy_hack.go
@@ -16,9 +16,9 @@ package auth
 // See the License for the specific language governing permissions and
 // limitations under the License.
-// This file, and the github.com/Azure/go-autorest/autorest import, won't actually become part of
+// This file, and the github.com/Azure/go-autorest import, won't actually become part of
 // the resultant binary.
 // Necessary for safely adding multi-module repo.
 // See: https://github.com/golang/go/wiki/Modules#is-it-possible-to-add-a-module-to-a-multi-module-repository
-import _ "github.com/Azure/go-autorest/autorest"
+import _ "github.com/Azure/go-autorest"
diff --git a/vendor/github.com/Azure/go-autorest/autorest/azure/cli/go_mod_tidy_hack.go b/vendor/github.com/Azure/go-autorest/autorest/azure/cli/go_mod_tidy_hack.go
index 618bed392fc..861ce2984e6 100644
--- a/vendor/github.com/Azure/go-autorest/autorest/azure/cli/go_mod_tidy_hack.go
+++ b/vendor/github.com/Azure/go-autorest/autorest/azure/cli/go_mod_tidy_hack.go
@@ -16,9 +16,9 @@ package cli
 // See the License for the specific language governing permissions and
 // limitations under the License.
-// This file, and the github.com/Azure/go-autorest/autorest import, won't actually become part of
+// This file, and the github.com/Azure/go-autorest import, won't actually become part of
 // the resultant binary.
 // Necessary for safely adding multi-module repo.
 // See: https://github.com/golang/go/wiki/Modules#is-it-possible-to-add-a-module-to-a-multi-module-repository
-import _ "github.com/Azure/go-autorest/autorest"
+import _ "github.com/Azure/go-autorest"
diff --git a/vendor/modules.txt b/vendor/modules.txt
index cd19f3e4ecd..161b16227b4 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -63,10 +63,10 @@ github.com/Azure/go-autorest/autorest/azure
 # github.com/Azure/go-autorest/autorest/adal v0.9.13
 ## explicit; go 1.12
 github.com/Azure/go-autorest/autorest/adal
-# github.com/Azure/go-autorest/autorest/azure/auth v0.4.1
+# github.com/Azure/go-autorest/autorest/azure/auth v0.5.1
 ## explicit; go 1.12
 github.com/Azure/go-autorest/autorest/azure/auth
-# github.com/Azure/go-autorest/autorest/azure/cli v0.3.1
+# github.com/Azure/go-autorest/autorest/azure/cli v0.4.0
 ## explicit; go 1.12
 github.com/Azure/go-autorest/autorest/azure/cli
 # github.com/Azure/go-autorest/autorest/date v0.3.0
@@ -1536,3 +1536,4 @@ sigs.k8s.io/yaml
 # sigs.k8s.io/controller-tools => sigs.k8s.io/controller-tools v0.3.1-0.20200617211605-651903477185
 # github.com/openshift/api => github.com/openshift/api v0.0.0-20220823143838-5768cc618ba0
 # github.com/terraform-providers/terraform-provider-nutanix => github.com/nutanix/terraform-provider-nutanix v1.5.0
+# github.com/mattn/go-sqlite3 => github.com/mattn/go-sqlite3 v1.10.0