Add MSI Support for Azure plugin. (#6938)

Signed-off-by: yanggang <gang.yang@daocloud.io>
vmware-tanzu · Oct 16, 2023 · 7ca33f8 · 7ca33f8
1 parent b4fb2d9
commit 7ca33f8
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 3 deletions.
diff --git a/changelogs/unreleased/6938-yanggangtony b/changelogs/unreleased/6938-yanggangtony
@@ -0,0 +1 @@
+Add MSI Support for Azure plugin.
diff --git a/pkg/util/azure/credential.go b/pkg/util/azure/credential.go
@@ -26,7 +26,7 @@ import (
 	"github.com/pkg/errors"
 )
 
-// NewCredential chains the config credential and workload identity credential
+// NewCredential chains the config credential , workload identity credential , managed identity credential
 func NewCredential(creds map[string]string, options policy.ClientOptions) (azcore.TokenCredential, error) {
 	var (
 		credential []azcore.TokenCredential
@@ -60,6 +60,15 @@ func NewCredential(creds map[string]string, options policy.ClientOptions) (azcor
 		errMsgs = append(errMsgs, err.Error())
 	}
 
+	//managed identity credential
+	o := &azidentity.ManagedIdentityCredentialOptions{ClientOptions: options, ID: azidentity.ClientID(creds[CredentialKeyClientID])}
+	msi, err := azidentity.NewManagedIdentityCredential(o)
+	if err == nil {
+		credential = append(credential, msi)
+	} else {
+		errMsgs = append(errMsgs, err.Error())
+	}
+
 	if len(credential) == 0 {
 		return nil, errors.Errorf("failed to create Azure credential: %s", strings.Join(errMsgs, "\n\t"))
 	}

diff --git a/pkg/util/azure/credential_test.go b/pkg/util/azure/credential_test.go
@@ -17,7 +17,9 @@ limitations under the License.
 package azure
 
 import (
+	"context"
 	"testing"
+	"time"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
@@ -26,10 +28,15 @@ import (
 
 func TestNewCredential(t *testing.T) {
 	options := policy.ClientOptions{}
-
 	// no credentials
 	creds := map[string]string{}
-	_, err := NewCredential(creds, options)
+	tokenCredential, _ := NewCredential(creds, options)
+
+	var scopes []string
+	scopes = append(scopes, "https://management.core.windows.net//.default")
+
+	ctx, _ := context.WithTimeout(context.Background(), time.Second*2)
+	_, err := tokenCredential.GetToken(ctx, policy.TokenRequestOptions{Scopes: scopes})
 	require.NotNil(t, err)
 
 	// config credential
@@ -40,6 +47,7 @@ func TestNewCredential(t *testing.T) {
 	}
 	_, err = NewCredential(creds, options)
 	require.Nil(t, err)
+
 }
 
 func Test_newConfigCredential(t *testing.T) {